[TAC] Fool Bot Honey Pot

[TAC] Fool Bot Honey Pot [Paid] 3.0.32

So, no, as discussed here, it wasn't planned on being updated since it is already in core. And AFAIK that hasn't changed.
 
I feel like a mod should mark this as unmaintained.

I got a noticeable uptick in spam bots - not out of control, but definitely there - when I switched to 1.4. But if @tenants doesn't want to maintain the functionality, which I completely understand, people buying it should probably get a pretty big notification that the functionality is going to stop if they adopt XF 1.4.

There's a big bold warning that it doesn't work with 1.4+, just pointing out that marking it unmaintained is a clearer indication that no future updates should be expected. @Brogan ?
 
I got a noticeable uptick in spam bots - not out of control, but definitely there - when I switched to 1.4.

There has been a notable increase in human-generated spam coming out of India and Pakistan which of course renders this, the stock xenforo 1.4 functionality and any captchas useless to prevent. Check where that spam is coming from. Might want to try TPU's addon and set some rules. I haven't had any spam in the last 3 months. I really do miss the extra features of this addon though.
 
The first page mentions:
[Use with XF < 1.4. Not compatible with XF 1.4 and above.. XF1.4 includes honey pots]
(This text has been present and in bold since the release of xf 1.4)


If you are using the core honey pots, make sure you update the hidden fields with unique strings. I haven't tried the core honeypots myself (haven't needed to), the core should work.... until targeted.

I'm not having any issues with fbhp alone (using an older xf), if one hidden field mechanism gets bypassed by spambots, I would expect many hidden field mechanisms to start failing
... although fbhp does do a few things differently / additional to the core (but just more hoops, if the core applies all of these hoops, the bots will just jump through the extra ones with no additional effort)

Not to forget, there is also:
  • StopHumanSpam (Stops human creating links / sigs / banned content, it also checks for "sneaky broken links")
  • StopCountrySpam (to reduce spam from particular countries bot/human),
  • CustomImgCaptcha (as a second wave fallback mechanism),
I personally like CustomImgCaptcha, it's free and customisable. --- Sadly, no time to update any of these at the moment
 
An interesting bit of data. Since many of my sites still use XF 1.3 with FoolBotHoneyPot, I get a lot of data back (and still no bot issues)

What I have seen however is how the botter community have now responded to the registration timer going into the core of xenforo

Before Jan 2015... the average registration time of bots was 2- 7 seconds

After Jan 2015... the average registration time has a much wider range (many outliers), but there is an undeniable response to the registration timer

Bots are now taking much longer to register (since many bot instances fire at once, it will have no impact on the bot users)

So... what happens when you put SOFT anti-spam mechanisms into a core product
... what happens when you give an entire population the same antibiotics

The system changes in such a way that the mechanisms become ineffective

Registration timing seems to have become vastly less effective (there are still some old bots around that rtime will catch, but they are becoming less and less)

Here are the average bot registration times from one of my sites still using FBHP, the same pattern has been seen across all of my other Xenforo sites... it happened just before the beginning of Jan 2015:


[Attached image: avBotRegSpeed.webp (average bot registration speed)]

Xenforo put the registration time into the core in xenforo 1.1.4 on March 26th 2013 (call it Apr)
It took the botter community (mostly XRumer) until Jan 2015 to make this ineffective (20 Months)
... I suspect the response was 18 months, but took time to roll out to the community

Xenforo put hidden fields into the core and other similar mechanisms to foolbothoneypot in xenforo 1.4 released Sept 2014 (9 months ago) .. based on this, honey pot fields probably have less than 12 months (I suspect sooner) until they are rendered ineffective

The registration form now includes several approaches to interfere with bot registrations, including:
  • Invisible honeypot fields that legitimate users won't see but that bots will (usually) see and fill in. If a value is entered, we know the user is a bot.
  • The honeypot fields are also inserted randomly in multiple places, which can cause the valid fields to be in different positions (internally; visually they are the same). This can interfere with some bot implementations.
  • Field name randomization. Each time the form is viewed, the name of the fields that are submitted to the server varies and thus cannot be predicted by a bot.

Putting soft mechanisms into the core of a product will render them ineffective. Using APIs, although APIs rarely catch 100% of bots, APIs are harder to target in the core of a product. Unfortunately, even APIs will become less effective (once the botter community start IP sharing, pooling the IP resources and using the public APIs to check for black listing... using the API against itself), and with the introduction of IPv6, the pool of IP addresses has vastly expanded making APIs even less effective.

[and now to sound really geeky]
... The rise of the bots will be our own doing and come from a direction we hadn't realized (not necessarily research into strong AI). We will start using tools to mimic human activity in vast numbers, getting around all barriers that "detect" us as human. Although at first it won't be the black hat's intention, eventually our favorite sites will be rendered useless. The traffic of the internet will be vastly populated by automation (spam/security/scrapers or other), social network sites and internet software that communities and business become reliant on will be rendered ineffective. The same battle we see with spam and anti-spam gives rise to new tools that benefit one side much more than it does the other. This pattern will continue and over time we will have handed over so many tools, we can only be inferior. Rise of the bots... well... it's certainly not happening tomorrow, but its direction may not come from research that many suspect, but rather human greed.
 
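A minimal server-side sketch of the three mechanisms discussed in the post above (hidden honeypot fields, per-view field-name randomization, and a registration timer), added here as an illustration; it is not XenForo's or FBHP's code. The field labels, the 8-second threshold, the token layout and the function names are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)     # per-site key, kept server-side (assumption)
REAL_FIELDS = ("username", "email")  # hypothetical logical field labels
DECOYS = 2                           # honeypot inputs mixed into each render
MIN_SECONDS, MAX_AGE = 8, 3600       # constructed thresholds, tune from your own data

def _mac(*parts):
    msg = ":".join(str(p) for p in parts).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def _name(nonce, label):
    """Input name for a logical field; changes with every nonce (page view)."""
    return "f" + _mac("name", nonce, label)[:12]

def render_form(now=None):
    """Return (signed token, real label -> input name, decoy input names)."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    token = f"{nonce}:{issued}:{_mac('token', nonce, issued)}"
    real = {label: _name(nonce, label) for label in REAL_FIELDS}
    decoys = [_name(nonce, f"decoy{i}") for i in range(DECOYS)]
    return token, real, decoys

def check_submission(token, posted, now=None):
    """Return (verdict, data); verdict is 'ok' or the rejection reason."""
    now = time.time() if now is None else now
    try:
        nonce, issued, sig = token.split(":")
        issued = int(issued)
    except ValueError:
        return "bad_token", {}
    if not hmac.compare_digest(sig.encode(), _mac("token", nonce, issued).encode()):
        return "bad_token", {}
    if any(posted.get(_name(nonce, f"decoy{i}")) for i in range(DECOYS)):
        return "honeypot_filled", {}   # a hidden input came back with a value
    elapsed = now - issued
    if elapsed < MIN_SECONDS:
        return "too_fast", {}          # registration timer
    if elapsed > MAX_AGE:
        return "expired", {}
    data = {f: posted.get(_name(nonce, f), "") for f in REAL_FIELDS}
    return ("ok", data) if all(data.values()) else ("missing_field", {})
```

Logging the verdict and elapsed time for each rejected submission gives the kind of per-site timing data the post describes, which is how a shift in bot behaviour against the timer becomes visible.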
Bot progress is unavoidable, whether we put things into the core or not. But putting certain anti-spam things into a core product does accelerate the speed to which the mechanism is broken. This is why SOFT mechanisms (mechanisms where you can think of a way to jump through hoops with our current technology to bypass) should be avoided. Hard mechanisms (APIs) are far more applicable, but even APIs will become SOFT mechanisms as time progresses.

We should be careful and responsible (the antibiotic approach), if we are to avoid accelerating bots beyond a means that we can keep up with
 
So... what happens when you put SOFT anti-spam mechanisms into a core product
... what happens when you give an entire population the same antibiotics

The system changes in such a way that the mechanisms become ineffective
I've not noticed any increase in spam, or spam registrations, on my community since having to unfortunately abandon FBHP because it wasn't updated to be compatible with current XF.
 
Question @tenants. If the core honey pots caused the antibiotic effect, is it possible that the FBHP version of these could be configured to be effective differently? Thereby, extending the protection by taking it down a slightly different path? Hint hint?
 
I've not noticed any increase in spam, or spam registrations, on my community since having to unfortunately abandon FBHP because it wasn't updated to be compatible with current XF.
No, as mentioned the honey pots (any honey pots) are still working and probably have about 10 months to go (if we take the registration timer as a standard example of how long soft mechanisms are globally solved once added to the core)
- If you turn off your honey pots, Captchas and APIs, and just rely on your registration timer, I think you would certainly notice a difference (but you would have had to have done this before Dec 2015 for a fair comparison)

What the data shows above is not "more spam", but the effect of adding the registration timer to the core
Before End of Dec 2015 bots took 2-7 secs to register (for many years)
After End of Dec 2015 bots average in the range of 20-70 secs

I'm getting my Crystal Ball out and using this data to predict roughly how long we have until the honey pots get solved, both core and FBHP (although it's a very rough guess based on very little quantity of data)

I'm predicting some time around Feb 2016 (9 months time), the honey pots will no longer be effective.

Question @tenants. If the core honey pots caused the antibiotic effect, is it possible that the FBHP version of these could be configured to be effective differently? Thereby, extending the protection by taking it down a slightly different path? Hint hint?

I suspect it will be simple honey pots first (display:none), then more complex ones (those hidden with z-index, where z-index shifts, shrunk to invisibility, faded out, or hidden off of the side of the page will take a little more thought to solve but not much)

Once a mechanism is solved, it's often just as easy to solve it globally (and certainly more rewarding) as it is by targeting one type of site, so the energy put in to varying a solved system often does not pay off. That said, FBHP did have various ways of hiding fields (so, I might think about releasing it again as soon as I detect the core honey pots are broke ....)

Although I don't really want to sell a mechanism that I know is on the verge of being obsolete (angry users), I would rather the core tried to solve the issue (or took the wrath), so I will contemplate, and probably think about releasing with a very obvious disclaimer.

I have already seen that many spam bots (for quite some time) have the ability to ignore field names (and look for nearest neighbor labels) to predict the type of field, so the targeting of fbhp has kind of already started (still, 9 months until honey pots are really solved by xrumer / other popular spam bots should be a good ball park figure, give or take a couple of months)


- That's not to say other mechanisms will all fail, we still have some good APIs in the core, and many plugin anti-spam techniques... though these will all start to slowly be solved, so it's something interactive sites will not be able to ignore soon (manually accepting users with a vast number of bots is also unlikely to be an acceptable solution). I think they are many years off of IP resource sharing, so most the APIs should stick around for a while (some will be rendered very ineffective by honey pot detection in about 9 months)

Believe it or not customImgCaptcha should stick around for a while, as long as users update their images every now and then (and still make it very easy for humans). It's as unique as it possibly can be, hard to target and a current AI issue. The image question in CIC can be so varied, AI would have to come much further to solve all unique image questions, where the question and problem are both embedded in the image, just don't make the answers easy to brute force (yes/no/1/2/3/4/red/green/blue/mysitename ..etc). Other js Captcha mechanisms will need to keep updating (and they do) to keep on top of things.
 
The only thing that will help deal with spamming is serious punishment... perhaps a caning by every affected admin, lol. :D But seriously, a problem I'm having with many of these spam detectors that even use blackhole lists is that the IP Addresses are reused. I regularly have legitimate posters register with IP addresses that are blacklisted on several black holes. India and Pakistan are cheap and so they have people trying to program in questions, etc. and continue with their spam. I'm not sure which of the alternatives listed to use. I've noticed that registration on your site does take a while with a noticeable delay. Not sure if it's spam plugins or just distance and latency. Something to think about. Great looking plugin.
 
Does this stop the spam bots that go onto my forums at night and spam "muscle links" "pills" etc.?

It would. However, it is unmaintained (even abandoned) and stopped working with XF 1.4 (if I remember correctly). Does not work with recent XenForo versions.
 