[TAC] Fool Bot Honey Pot [Paid] 3.0.32

I installed this today and it was doing GREAT...until 1 bot got through and posted a spam message

Here's the log info you requested:

No Bot Triggers Found FoolBotHoneyPot: Detected As Human - Registration Allowed
11 minutes ago
generated_by_username_attempt: wing ness
generated_by_email_attempt: wingness@dispostable.com
IP Address: 182.185.247.23:55908
User Agent: Mozilla/5.0 (Windows NT 6.2; rv:30.0) Gecko/20100101 Firefox/30.0
Time Taken To Register: 12 (seconds)
Basic Proxy Detection: Proxy Headers Found: $_SERVER[HTTP_X_FORWARDED_FOR]: 182.185.247.23
JavaScript Enabled: TRUE
Browser Plugins Detected: flash=13

Here's a screenshot of the spam message they posted:

ERl1Dke.png


I'm very new to this tool, so I would definitely appreciate some feedback as to how I can improve my settings to prevent this from happening again.

Thanks for the wonderful plugin.
 
@Bwana What makes you think this is a bot?

12 seconds to register is quite fast (but paid human spammers will use semi automated tools and will always be the fastest humans to register due to the repetition of their job and finding short cuts for doing the same things over and over, it is not a humanly impossible speed). Be warned, paid human spammers do not always work alone, and will often come with a group of users.

Reasons that I suggest you are possibly looking at a paid forum spammer from this data (Human Spam):

JavaScript Engine & Detected Plugin
There are things recorded by FBHP that are not required to register, it is very unlikely a bot would even notice these

For instance, the plugins of the browser are detected (bots will not have plugins, browser bots are very rare, XRumer pretty much dominates most forum bot registrations, they do not use browsers or a js engine and will have no need to complete this)
Since this is not required, and it is detected using JavaScript, it would be very unlikely that a bot would
1) use a JavaScript engine
2) feel the need to fill "detected plugins" with a real plugin (such as flash 13), since some real users will have no plugins at all

That's a lot of effort to complete something that bots do not need to complete in order to register


Country of User
Paid posters, particularly copy paste posters, will often come from countries that will work for very small amounts of $

So if we also check their IP address
http://whatismyipaddress.com/ip/182.185.247.23
IP:182.185.247.23
Decimal:3065640727
Hostname:182.185.247.23
ISP: Pakistan Telecommuication company limited
Country: Pakistan
State/Region: Punjab
City: Lahore

(Although they are using a proxy)
We notice they are possibly from a country where there is a higher than average % of paid posters
XRumer users (or automated spam bot users) are not usually from Pakistan

The majority of XRumer users will come from the following countries:
America
Europe
China
Ukraine
Russia

-- However, there are still some XRumer users from Pakistan (but it's more common to see paid posters from Pakistan).
I might start logging country information in my personal stats about bots to show this

They are using a disposable email address
Bots certainly never need to use disposable email addresses (humans do).
For things like XRumer, the automation tool itself can be used to automate against many email sites.
People who use automation software to register on forums will not be unfamiliar with using the same tools to register hundreds of thousands of email accounts.
The user in your data shows: wingness@dispostable.com
dispostable.com is a disposable email site.

I have never seen a bot use a disposable email, they use things like hotmail.com, gmail.com, yahoo.com, aol.com, outlook.com (just look at your fbhp logs for all your other spam bot users)


This is why I put so much information in the logs, I can almost certainly say that this is a human paid poster (other than videoing them registering, I can't really think of stronger evidence).


What You Can Do For Human Spam
This user has used automated tools in the past (such as scrapers to leech email addresses so they can spam email accounts), but in this case they do not register on forums/blogs with automation,
the above evidence points at human spam

What you can do:
1) Use the plugin StopHumanSpam: See Here
2) To stop disposable email accounts, use the plugin AnyAPI and turn on the API for disposable emails: See Here
3) If you are in the position of a country specific niche forum, you can use StopCountrySpam (and also block these sorts of proxies): See Here


This is not likely to be a bot spammer, FoolBotHoneyPot still currently prevents 100% of spam bots
-If a spam bot ever gets through FBHP, then it won't be one bot, but thousands of bots on many thousands of forums, which is why I always suggest using a secondary spam bot mechanism (such as CustomImgCaptcha), but at this point FBHP still stops 100% of spam bots.
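
The signals this reply reads from the log entry, collected into a small triage helper. This is an added example, not FoolBotHoneyPot code or the author's; the function names and the one-entry disposable-domain list are assumptions, and the result is an aid for a moderator reading the log, not a verdict.

```php
<?php
// Added example, not FoolBotHoneyPot code. Keys follow the log entries quoted
// in this thread; $disposable is a constructed stand-in for a real blocklist.
function parseFbhpEntry($text)
{
    $fields = array();
    foreach (preg_split('/\R/', trim($text)) as $line) {
        // Split on the first ": " only: IP and proxy values contain more colons.
        $parts = explode(': ', $line, 2);
        if (count($parts) === 2) {
            // Keys appear with underscores and with spaces in this thread; normalise.
            $fields[strtolower(str_replace('_', ' ', trim($parts[0])))] = trim($parts[1]);
        }
    }
    return $fields;
}

function triageEntry(array $f, array $disposable)
{
    $get = function ($key) use ($f) {
        return isset($f[$key]) ? $f[$key] : '';
    };
    $signals = array();   // points the reply reads as human-operated
    $caveats = array();   // context that weakens other fields
    if (strtoupper($get('javascript enabled')) === 'TRUE') {
        $signals[] = 'JavaScript engine present';
    }
    if ($get('browser plugins detected') !== '') {
        $signals[] = 'browser plugins reported: ' . $get('browser plugins detected');
    }
    $email = $get('generated by email attempt');
    $at = strrpos($email, '@');
    if ($at !== false && in_array(strtolower(substr($email, $at + 1)), $disposable, true)) {
        $signals[] = 'disposable email domain';
    }
    if (strpos($get('basic proxy detection'), 'Proxy Headers Found') === 0) {
        $caveats[] = 'proxy headers present, so IP geolocation may describe the proxy';
    }
    return array('signals' => $signals, 'caveats' => $caveats);
}

// Fields copied from the entry quoted in the first post of this thread.
$entry = <<<'LOG'
generated_by_email_attempt: wingness@dispostable.com
Basic Proxy Detection: Proxy Headers Found: $_SERVER[HTTP_X_FORWARDED_FOR]: 182.185.247.23
JavaScript Enabled: TRUE
Browser Plugins Detected: flash=13
LOG;
print_r(triageEntry(parseFbhpEntry($entry), array('dispostable.com')));
```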
 
@Bwana

Since they are using a disposable email (one of the strongest pieces of evidence that suggests they are human, spam bots will never need to use disposable and disposable emails are very easy to block, see AnyAPI) you can check their inbox

http://www.dispostable.com/inbox/wingness/

They are registering on a lot of forums quite quickly, but quick as in 1 or 2 every few minutes, and there are even gaps of 10 - 20 minutes for some sites (a spam bot does not feel the need to take breaks)
With spam bots you might see 1000's in the same second, this is not what we see with this inbox

The time stamp pattern in their email inbox also suggests a repetitive human job (possibly using short cuts, semi automation tools, and multiple tabs to register on similar sites quickly)
Think of someone in a tele-sales job, sometimes they might get through 4 or 5 phone calls in a few minutes, but they will get stuck with some people or even need a coffee break after a hard conversation
A bot does not need this, a bot does not need to do one site and then the next in sequential order (they will do many all at the same time), and it will never need a break

Kyle Reese: Listen, and understand. That terminator is out there. It can't be bargained with. It can't be reasoned with. It doesn't feel pity, or remorse, or fear. And it absolutely will not stop, ever, until you are dead.
- Well, XRumer users aren't out to kill you (although you might want to kill them), but I thought I would throw that quote in there ;)
 
I thought it was a bot because it was completed in 12 seconds, but you've since corrected me saying they're using automated tools. I was using CustomImgCaptcha, but I decided to install AnyApi after this incident occurred.

I'll go ahead and get a Block Disposable Email API key and set that up as well. Again, great job on the addon, it's catching a lot of bots and saving me a lot of headache.

Thanks for your help!

P.S. I'm still evaluating whether I need StopHumanSpam and StopCountrySpam for a forum of my size.
 
semi automated

I used to create things (back in the day) to make submission to directory listings faster and easier for myself, such as JavaScript injection to input certain fields on directories, or even open multiple frames of several sites at the same time (and then fill them as a human).

You can use keyboard shortcuts and managers to also semi-automate fields

Of course, I don't do that any more, and since went on to get a corporate job in automation (and hence, I'm aware of the ways to make automation very hard)

Anyway, the emphasis here is on the word semi... fully fledged automated registration tools will often be a bot (and as such, caught by FBHP).
Semi automation tools are not bots, but tools that help the user register. These tools will often be used by paid posters, since paid posters have a very monotonous job and will use any short cuts they can get their hands on.
 
@kontrabass Do you know what cdru is?
It looks like part of their email.

I suspect they have tested your registration page by looking at the source (with firebug / other) then filled one of the fields.
Only filling one field also suggests this (password managers usually populate combinations username/pass/ and sometimes email address)

Even when using password managers, fbhp will avoid detecting you as a bot.

They are using Firefox and have JavaScript enabled, so it can't be any of the hidden fields managers usually populate (password/email/username), since we reset these with JavaScript on form submission.

It's a later hidden field (dob/gender/timezone), no managers should alter these. Email them and ask them what happened (I'm expecting coyness from altering hidden fields).

Although, it could still be a genuine issue of a manager altering dob/gender/timezone, but auto populating it with the first part of the email seems strange (it would have raised a warning via the core validation anyway)

If they reply and have used a manager, can you let me know which one so that I can test it (I've tested a few and had no issues, the hidden fields just get reset)

So, no response from the above user to my questions. Oh well. But I've got another one for ya.

Code:
Hidden Fields Modifed, FoolBotHoneyPot: Detected As A Bot - Registration Blocked
Today at 6:40 AM
generated by username attempt: Avar
generated by email attempt: *validemailremovedforprivacy*@gmail.com
IP Address: 68.xxx.174.115:51745
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
Time Taken To Register: 39 (seconds)
Basic Proxy Detection: No Proxy Detected
JavaScript Enabled: TRUE
Browser Plugins Detected: flash=14,quicktime=7
Altered Hidden Fields
e762a53c11e94f41fe => *validemailremovedforprivacy*@gmail.com
985ed53c11e950025d => Wagner

Registration Errors
fbhp => foolbothoneypot_sorry_youve_been_detected_as_an_automated_program

He insists he's not a bot ;)

Edit: Here's his response: "Was using Chrome and yes, I used Dashlane to fill in some of the fields."
 
Getting this on my server (and have seen it previously as well)

Code:
ErrorException: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead - library/Tac/FoolBotHoneyPot/Model/Log.php:354
Generated By: Unknown Account, 8 minutes ago
Stack Trace
#0 [internal function]: XenForo_Application::handlePhpError(8192, 'preg_replace():...', '/home/nginx/dom...', 354, Array)
#1 /home/nginx/domains/z22se.co.uk/public/library/Tac/FoolBotHoneyPot/Model/Log.php(354): preg_replace('#(\\\\x[0-9A-F]{2...', 'chr(hexdec('\\1'...', 'Possibly Forged...')
#2 /home/nginx/domains/z22se.co.uk/public/library/Tac/FoolBotHoneyPot/ControllerPublic/Register.php(643): Tac_FoolBotHoneyPot_Model_Log->logBot(Object(XenForo_Options), false, false, '\xC0\xBBs\x92', Array, Array, 'BreemnDef', 'vaci.llate.n.x....', 5, 0, false, true, true, Array, false)
#3 /home/nginx/domains/z22se.co.uk/public/library/UserEss/ControllerPublic/Register.php(68): Tac_FoolBotHoneyPot_ControllerPublic_Register->actionRegister()
#4 /home/nginx/domains/z22se.co.uk/public/library/Tac/DeDos/ControllerPublic/Register.php(51): UserEss_ControllerPublic_Register->actionRegister()
#5 /home/nginx/domains/z22se.co.uk/public/library/XenForo/FrontController.php(347): Tac_DeDos_ControllerPublic_Register->actionRegister()
#6 /home/nginx/domains/z22se.co.uk/public/library/XenForo/FrontController.php(134): XenForo_FrontController->dispatch(Object(XenForo_RouteMatch))
#7 /home/nginx/domains/z22se.co.uk/public/index.php(13): XenForo_FrontController->run()
#8 {main}
Request State
array(3) {
  ["url"] => string(75) "https://z22se.co.uk/register/register?4f11053cea25fd0ab6=0dda453cea25fd035f"
  ["_GET"] => array(2) {
    ["/register/register"] => string(0) ""
    ["4f11053cea25fd0ab6"] => string(18) "0dda453cea25fd035f"
  }
  ["_POST"] => array(49) {
    ["username"] => string(9) "BreemnDef"
    ["e3b4853cea25fd09cb"] => string(12) "Bob aldridge"
    ["e3c1853cea25fcf891"] => string(14) "Terry Hamilton"
    ["9ad8553cea25fd0324"] => string(6) "Mitesh"
    ["dfd2e53cea25fd08e0"] => string(11) "Mike Mazzeo"
    ["99be253cea25fcf9f1"] => string(11) "Ahmad Ghani"
    ["9536053cea25fcf559"] => string(4) "Bart"
    ["05e5353cea25fd05aa"] => string(13) "Josh Westwood"
    ["01d9553cea25fd0534"] => string(9) "BreemnDef"
    ["8369753cea25fd065a"] => string(0) ""
    ["9bf3b53cea25fcfd9d"] => string(0) ""
    ["bfd2353cea25fcfdd8"] => string(0) ""
    ["email"] => string(29) "vaci.llate.n.x.rljk@gmail.com"
    ["abf4553cea25fd040f"] => string(0) ""
    ["f91db53cea25fcfb8d"] => string(0) ""
    ["288a153cea25fd086b"] => string(0) ""
    ["b3ab953cea25fcf60a"] => string(0) ""
    ["af87653cea25fcfb17"] => string(0) ""
    ["password"] => string(8) "********"
    ["password_confirm"] => string(8) "********"
    ["2dcde53cea25fd03d4"] => string(9) "92Dk2cidP"
    ["d1c6e53cea25fcf97c"] => string(9) "92Dk2cidP"
    ["77cc953cea25fd0a40"] => string(9) "92Dk2cidP"
    ["4c19453cea25fd091b"] => string(9) "92Dk2cidP"
    ["97f2753cea25fcfbc8"] => string(9) "92Dk2cidP"
    ["20e6b53cea25fcfec3"] => string(9) "92Dk2cidP"
    ["1c2f253cea25fd02e9"] => string(9) "92Dk2cidP"
    ["00e9d53cea25fcf8cc"] => string(9) "92Dk2cidP"
    ["dob_month"] => string(1) "6"
    ["dob_day"] => string(2) "21"
    ["dob_year"] => string(4) "1985"
    ["gender"] => string(0) ""
    ["6432e53cea25fcf907"] => string(0) ""
    ["e592f53cea25fcf3f6"] => string(0) ""
    ["5843153cea25fd07f5"] => string(0) ""
    ["a980a53cea25fd08a5"] => string(0) ""
    ["custom_fields"] => array(1) {
      ["drives"] => string(3) "102"
    }
    ["custom_fields_shown"] => array(1) {
      [0] => string(6) "drives"
    }
    ["d3c4e53cea25fcfefe"] => string(12) "Asia/Irkutsk"
    ["timezone"] => string(12) "Asia/Yakutsk"
    ["d19f353cea25fcfc03"] => string(15) "America/Halifax"
    ["f760d53cea25fd0399"] => string(14) "America/Cuiaba"
    ["7a91a53cea25fcf941"] => string(13) "Asia/Damascus"
    ["public_uuid"] => string(25) "a2f97537492953cea25fde0be"
    ["custom_img_captcha_response_field"] => string(0) ""
    ["agree"] => string(1) "1"
    ["submit"] => string(7) "Sign up"
    ["_xfToken"] => string(8) "********"
    ["reg_key"] => string(32) "39e0f05124560c7daa4d00363cd5bd3e"
  }
}

Running
Code:
PHP 5.5.14 (cli) (built: Jul 12 2014 14:22:24)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
    with Zend OPcache v7.0.4-dev, Copyright (c) 1999-2014, by Zend Technologies
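
The deprecation in the trace above comes from the /e modifier of preg_replace(), which PHP 5.5 deprecates in favour of preg_replace_callback(). The following is an added example of that conversion, not the add-on's actual code: the pattern is truncated in the trace, so the pattern used here and the function name decodeHexEscapes are assumptions.

```php
<?php
// Added example, not the add-on's code. The pattern is an assumption: the
// trace above shows only its truncated start, '#(\\\\x[0-9A-F]{2...'.

// Deprecated form, which makes PHP 5.5 raise E_DEPRECATED (the 8192 in frame #0).
// With /e the replacement string is run as PHP code after substitution:
//   preg_replace('#\\\\x([0-9A-F]{2})#e', "chr(hexdec('\\1'))", $value);

/**
 * Decode literal \xNN escapes without evaluating any code.
 * The callback receives the match array and returns plain bytes.
 */
function decodeHexEscapes($value)
{
    $decoded = preg_replace_callback(
        '#\\\\x([0-9A-F]{2})#',
        function (array $m) {
            return chr(hexdec($m[1]));
        },
        $value
    );

    // Decoded bytes come from the registration request, so they may not be
    // valid UTF-8. preg_match with /u returns false on an invalid subject;
    // in that case keep the escaped form for the log.
    if ($decoded === null || preg_match('//u', $decoded) !== 1) {
        return $value;
    }
    return $decoded;
}

// Constructed sample inputs (not taken from the page's logs).
$samples = array(
    'Possibly Forged: \x41\x42',   // printable ASCII escapes
    'Possibly Forged: \xC0\xBB',   // bytes that are not valid UTF-8
    'no escapes here',
);
foreach ($samples as $s) {
    echo decodeHexEscapes($s), "\n";
}
```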
 
XF 1.4 Beta when using Foolbot Honey pot is now duplicating the name field on the reg form:
upload_2014-8-6_16-20-52.webp
 