[TAC] Fool Bot Honey Pot

[TAC] Fool Bot Honey Pot [Paid] 3.0.32

Yep, the link was removed for testing :)

It's up again now, I've let the bots test it for a little while

What you should notice now is that most bots won't be logged in the fbhp logs more than once (unless they wait 48 hours before a re-attempt), since most bots that try to brute force/hammer/re-attempt will be picked up by the cache and redirected/401
 
The registration page is a small part of the area brute force bots keep re-attempting

The most significant area is the forum home, they pick up the login cookie (and scrape all the html), POST via the forum home then attempt to register (this can have a large bandwidth effect for bots that try tens of thousands of times, I noticed 4 gig was from a Ukraine spam bot hitting the home page), so I might add an option to also redirect for the rest of the forum if cached known bot IP (cached for 48hrs and has attempted to register + detected as a bot multiple times, has no js, etc). This will have a larger effect on bots that try to brute force, and will reduce server resources more significantly.

It will also only affect bot ips that are in the cache within the last 48hrs and not affect logged in users (+ spiders/other), I will however add this as a tickbox option, since not everyone will want this
 
It will also only affect bot ips that are in the cache within the last 48hrs and not affect logged in users (bots/other), I will however add this as a tickbox option, since not everyone will want this

Is this new update likely to come in the next few days? I only ask because I was just about to update 8 sites with the latest version, but if you're going to tweak it in the next few days and release another update, I'll hold off. (y)
 
Yes, I'm just testing it now. I should add it today or tomorrow

I think personally, I will save myself about 7 gig a month on one of my very small sites, so it's worth doing for me. I just want to make sure there are no issues (so I'm letting the bots test a few options on a few different sites)

This method is much better than the stopBotResource methods, since there is no need for an API call, and the bots have definitely been detected as a bot on your forum within the last x hours (it's a completely 0 API calls and 0 query method (as long as you don't redirect the bots to a page on your site))

You get a similar IP block when you try to automate / scrape results from Google, but the block only lasts a matter of 10 - 15 minutes (so, you can reduce the forum bot cache to an hour if you want, but if someone is trying to bot-register your forum, it's very unlikely that someone on the same network will want to register / access your forum... if it is likely, the option is there to turn it off)

However, I've been in the situation where our entire work network could not use Google due to someone's automation, so I might change the option to set the cache to minutes rather than hours.
 
I'm just going to add my AWStats before for one particular forum (if nothing more than for a personal record of a before/after this update)

I'm not redirecting to a page, but leaving the redirect as blank (so the low query and low byte 401 page will be hit by spam bots that keep brute forcing and using server resources)

This is a tiny forum, and UK local (and as such only a cheap shared host.. so we can't afford to have bots hitting it as much as some other servers I use)

For the month of March 2014 (this update was added at midday March 31st, so I will compare this to next month's results)

[Image: upload_2014-3-31_12-44-25.webp]

You can see that UK has a better hits:bandwidth ratio, since these are mostly humans, and humans that go from page to page, often revisit the same page, and often cache images / scripts. Usually spam bots do not

Using this ratio as a marker, human visitors in this circumstance seem to have a ~ 1:2 ratio of hits : pages (dark-blue: light-blue) ... So we can see almost all of Ukrainian is non-human (possible spam bots), most of US is also non-human (but not as high a %). So graphically we can easily identify bot data when the dark blue line is close to the light blue line (and we can do the same for the green bandwidth line)

Of that 10gig for March less than 1 gig was used by humans from the correct country (as mentioned this is a small local UK forum)

If we look closer, the Ukrainian downloaded data was all pretty much due to one IP:

[Image: upload_2014-3-31_12-48-30.webp]

If we then check the stopForumSpam database, we conclude that this was in fact a spam bot:
http://www.stopforumspam.com/ipcheck/91.200.13.96
http://www.projecthoneypot.org/ip_91.200.13.96


A little bit more info about this bot, it has hit the forum home page many times (not just the registration page).

With the current update I've just added, what we should see next month is the bandwidth go down significantly (particularly for the Ukraine/China/Russia/US, since this is a local forum not relevant to those countries)

The hits might stay similar (possibly also lower, since the spam-bot won't always be able to pass from page to page when hitting a 401), but the noticeable difference should be in the bandwidth of data. The 401 page is significantly fewer bytes than a forum page (and far less query heavy: 0 queries)
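The pages-versus-hits comparison from the post above can be run directly on a raw access log. This is an added example, not part of the original post or of the add-on: the log lines are constructed (documentation IPs), and the static-file list, the `min_hits` floor and the 0.9 ratio are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format (documentation IPs only).
SAMPLE_LOG = """\
198.51.100.20 - - [30/Mar/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 48000 "-" "Mozilla/5.0"
198.51.100.20 - - [30/Mar/2014:10:00:01 +0000] "GET /styles.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.20 - - [30/Mar/2014:10:00:02 +0000] "GET /js/xf.js HTTP/1.1" 200 30000 "-" "Mozilla/5.0"
198.51.100.20 - - [30/Mar/2014:10:00:02 +0000] "GET /logo.png HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
198.51.100.20 - - [30/Mar/2014:10:01:10 +0000] "GET /threads/1/ HTTP/1.1" 200 52000 "-" "Mozilla/5.0"
198.51.100.20 - - [30/Mar/2014:10:01:10 +0000] "GET /avatar.jpg HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Mar/2014:10:02:00 +0000] "GET / HTTP/1.1" 200 48000 "-" "-"
203.0.113.7 - - [30/Mar/2014:10:02:01 +0000] "POST /register/ HTTP/1.1" 200 12000 "-" "-"
203.0.113.7 - - [30/Mar/2014:10:02:02 +0000] "GET / HTTP/1.1" 200 48000 "-" "-"
203.0.113.7 - - [30/Mar/2014:10:02:03 +0000] "POST /register/ HTTP/1.1" 200 12000 "-" "-"
203.0.113.7 - - [30/Mar/2014:10:02:04 +0000] "GET / HTTP/1.1" 200 48000 "-" "-"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)')
# Assumption: requests for these extensions are "hits" but not "pages".
STATIC = re.compile(r'\.(?:css|js|png|jpe?g|gif|webp|ico|svg|woff2?)(?:\?|$)', re.I)

def per_ip_stats(log_text):
    """Count hits (all requests), pages (non-static requests) and bytes per IP."""
    stats = defaultdict(lambda: {"hits": 0, "pages": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, path, _status, size = m.groups()
        entry = stats[ip]
        entry["hits"] += 1
        entry["bytes"] += 0 if size == "-" else int(size)
        if not STATIC.search(path):
            entry["pages"] += 1
    return dict(stats)

def suspected_bots(stats, min_hits=4, ratio=0.9):
    """IPs whose page count is close to their hit count: they never fetch assets."""
    return sorted(ip for ip, s in stats.items()
                  if s["hits"] >= min_hits and s["pages"] / s["hits"] >= ratio)

if __name__ == "__main__":
    for ip, s in per_ip_stats(SAMPLE_LOG).items():
        print(ip, s)
```

A client that sends a conditional request and gets a 304 still counts as a hit here, so returning human visitors with warm caches drift toward the bot ratio; confirm flagged IPs against a second signal before blocking.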
 
tenants updated FoolBotHoneyPot Bot Killer: Spam Combat with a new update entry:

Entire Core Forum Benefits From Preventing Server Usage of Brute Force Spam Bots

Added an option so that the entire core forum can benefit from a reduced server usage from spam bots that attempt to hit your site many times (these spam bots' IPs are cached locally for x minutes, they are only cached if they have attempted to register, altered many hidden fields and done this within seconds and also have no javascript! so there is no doubt these are spam bots)

Download available here: http://www.surreyforum.co.uk/thread...th-a-custom-registration-page.1621/#post-2400

Read the rest of this update entry...
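The local known-bot cache described in this update entry and in the earlier posts (flag an IP on a bot-like registration attempt, then answer it with a cheap 401 or a redirect until the entry expires, without touching the database or an external API) can be sketched as follows. This is an added example, not the add-on's code: the class and function names, the thresholds in `looks_like_bot` and the sample IP are assumptions.

```python
import time

class KnownBotCache:
    """In-memory TTL cache of IPs already detected as spam bots (hypothetical)."""

    def __init__(self, ttl_minutes=48 * 60, clock=time.time):
        self.ttl = ttl_minutes * 60
        self.clock = clock          # injectable so expiry can be tested
        self._expires = {}          # ip -> expiry timestamp

    def flag(self, ip):
        self._expires[ip] = self.clock() + self.ttl

    def is_known_bot(self, ip):
        expiry = self._expires.get(ip)
        if expiry is None:
            return False
        if self.clock() >= expiry:  # entry aged out: forget the IP
            del self._expires[ip]
            return False
        return True

def looks_like_bot(altered_hidden_fields, seconds_to_submit, has_js):
    # Assumed thresholds: several honeypot fields changed, form posted
    # within seconds, and no JavaScript executed by the client.
    return altered_hidden_fields >= 2 and seconds_to_submit < 5 and not has_js

def on_registration_attempt(cache, ip, altered_hidden_fields, seconds_to_submit, has_js):
    """Only a registration attempt that matches every signal puts an IP in the cache."""
    if looks_like_bot(altered_hidden_fields, seconds_to_submit, has_js):
        cache.flag(ip)
        return True
    return False

def gate(cache, ip, logged_in, redirect_url=""):
    """Run before any controller work; returns (status, location)."""
    if logged_in or not cache.is_known_bot(ip):
        return (200, None)          # logged-in users are never affected
    if redirect_url:
        return (302, redirect_url)  # redirect target should be off-site
    return (401, None)              # blank redirect: small, zero-query 401

if __name__ == "__main__":
    cache = KnownBotCache(ttl_minutes=60)
    on_registration_attempt(cache, "203.0.113.7", 3, 1.2, False)
    print(gate(cache, "203.0.113.7", logged_in=False))
```

Because the key is the source IP, everyone behind the same NAT or proxy shares the verdict until the entry expires, which is the reason the thread discusses a short, configurable lifetime.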
 
Not as often, usually once I think I've completely done all the minor tweaks I need to (which never seem to end), or after a major xf release (if needed). But if there are no priority bug fixes, I won't update the packs for a while (It doesn't make sense to keep releasing the packs)

Talking of which, if the home page is set to xenzine-articles / simple-portal / ewr-portal, then these could also benefit from known spam bots not leeching/scraping the data... So I will add another update soon to cover these.
 
Talking of which, if the home page is set to xenzine-articles / simple-portal / ewr-portal, then these could also benefit from known spam bots not leeching/scraping the data... So I will add another update soon to cover these.
And [bd] Widget Framework when using it as your homepage too please.
 
Added Widget Framework to 2.3.04, these are now all the areas that can take advantage of known-spam-bot server resource reduction:
  • XenForo_ControllerPublic_Register
  • XenForo_ControllerPublic_Thread
  • XenForo_ControllerPublic_Login
  • XenForo_ControllerPublic_Forum
  • XenForo_ControllerPublic_Index
  • XenZine_ControllerPublic_Article
  • EWRporta_ControllerPublic_Portal
  • EWRporta_ControllerPublic_Articles
  • SimplePortal_ControllerPublic_LandingPage
  • WidgetFramework_ControllerPublic_WidgetPage
  • WidgetPortal_ControllerPublic_Portal
If you can think of any others, let me know and I will add them before re-releasing
 
Contact Us is a good idea,

A few of those aren't areas spam bots usually touch

Spam bots generally only go to the front page (and look for relevant threads they can reply to)
So anything that can be set as a portal page is a good candidate, can showcase/sportsbook be set as a portal?
 