[TAC] Fool Bot Honey Pot [Paid] 3.0.32

Will be looking at this plugin and hoping to reactivate and update over the next couple of months (have some new ideas)

For now, still only works with <1.4 ...
Will hopefully get it working with latest xf version with new covert methods, but I won't be able to talk too much about them, other than they are very effective with all XRumer versions (even latest) and other bots
 
It's kind of timely, I expected the core honey pots to have been targeted by now, but they've held up much better than expected .. which is good for forums
 
I've been talking to XRumer's dev/support (albeit talking to the enemy) and this month (I expect that really means next month) they are doing an update that significantly bypasses all engines and CMSs.

They have looked at hidden fields in the past, but I think they'll now look at it seriously. This is speculation, but I've been reading between the lines, and want to keep ahead of their game.

Having said that, they also told me that XRumer currently automates the latest version of core xenforo (which it doesn't), unless it's modded. So we'll have to wait and see. I'm hoping to roll the update out as soon as XRumer releases the version with the honeypot update, or sooner if it doesn't happen within the next few months.

It's taken XRumer over a year to start looking at this (I guessed 10 months, seems they are slower than I thought)

I have a few new tricks, but while the xenforo core maintains its effectiveness in anti-spam they're not needed
 
@tenants Big thanks for keeping your eye on this.

I definitely got more spam registrations after moving from the FBHP plugin to the core honeypots. I don't have numbers, it's just something I watched happen. However, it's manageable so I'm not too worked up over it.

Hopefully you can help XF stay ahead of the spammers.
 
Okay, I'm getting to grips with what they've done with the core honey pots
They have implemented quite a lot that was in this original FoolBotHoneyPot add-on, they have also missed some important things out... the POST to registration page should really go to a unique url (users never saw this), this has been missed out completely, but they do use a regKey (which has issues)



Their code is cleaner (they are far cleaner code writers than I). They have implemented many of the things I had done, but while the code is clean the implementation of ideas is weak, and I understand how XRumer are now looking to target this.

For instance,

1) The regKey that they use is not truly unique it's just md5(uniqid('xf', true)); if we know the exact millisecond or the time range... we know the expected regKey, and with automation that sort of trial and error is child's play. They could/should use something that is unique to that particular forum but not exposed, for instance the forum purchase id (if it was gettable by code)

2) The front end hidden methods are weak (they use very few methods to hide, 1 in fact, and use the same method all over). display: none; over and over. Previously I used 3 other methods that are much harder to detect that they're hidden. I will add these back in, since display:none is so easy to bypass (z index takes some logic in their automation, as do off screen items, far more tricky to target)

3) They use these methods at the same css node level using the same css style name, that makes it super easy to target (they should be using inline uuid style names to make it hard to target)

4) There is a massive issue with how they implement ordering of fields, sometimes none are even present due to the use of <xen:if is="mt_rand(0, 2) == 1"> to "randomise the order"... if 21 million bots attempt the honey pots, there will be 1 million that do not even get tested against a honey pot... that's poor thinking this through.

5) Haven't figured out their logging yet, but I don't think there is a session cache or global cache for attempts, so infinite bot attempts without even needing to change session or IP address. That makes things easy for bot developers

6) No htaccess update, so bots end up taking a fair amount of db usage and kb resources due to large number of attempts

Ignoring these issues, it is still all very easy to bypass. Good clean code, poor implementation of ideas, I wish they had consulted with me at least once, they could have done a much better job and pushed back targeting for quite some time.

Also, as far as I can see, they have done nothing to help people that use username/password logger plugins ... So there is no point in me using my original methods from previous version (since the core won't allow them any more anyway).

XenForo dev are amazing developers, I've learnt so much by extending on their well written MVC code and brilliant designs, but they're not experts of Automation, they can't be experts of all areas I guess.

Just some first thoughts after looking a little deeper at what they've done with honeypots

A lot to do, a lot to improve before I even think about adding the new magic ingredients.
 
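Added example (not part of the post, and not XenForo or FBHP code) for points 1 and 4 above: a registration key built from `random_bytes()` and an HMAC under a server-side secret instead of `md5(uniqid('xf', true))` (PHP's manual warns that `uniqid()` does not generate cryptographically secure values), and a field plan that always renders at least one decoy. The names `issueRegKey`, `checkRegKey`, `planFields` and the demo secret are hypothetical.

```php
<?php
// Added example, not XenForo or FBHP code; every name here is hypothetical.

// Point 1: key = random nonce + issue time, signed with a secret that
// never leaves the server, so knowing the request time reveals nothing.
function issueRegKey(string $secret, int $now): string
{
    $payload = bin2hex(random_bytes(16)) . '.' . $now;
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function checkRegKey(string $secret, string $key, int $now, int $maxAge = 3600): bool
{
    $parts = explode('.', $key);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) {
        return false;                       // malformed or not issued by us
    }
    $expected = hash_hmac('sha256', $parts[0] . '.' . $parts[1], $secret);
    $age = $now - (int) $parts[1];
    return hash_equals($expected, $parts[2]) && $age >= 0 && $age <= $maxAge;
}

// Point 4: choose the decoy count first (never zero), then place each decoy
// at a random position without disturbing the order of the real fields.
function planFields(array $realFields, int $maxDecoys = 3): array
{
    $plan = array_map(fn($n) => ['name' => $n, 'decoy' => false], $realFields);
    for ($i = random_int(1, $maxDecoys); $i > 0; $i--) {
        $decoy = ['name' => bin2hex(random_bytes(16)), 'decoy' => true];
        array_splice($plan, random_int(0, count($plan)), 0, [$decoy]);
    }
    return $plan;                           // keep server-side, e.g. in the session
}

// Constructed demo values.
$secret = 'constructed-demo-secret';
$now = time();
$key = issueRegKey($secret, $now);
var_dump(checkRegKey($secret, $key, $now));                      // key we issued
var_dump(checkRegKey($secret, md5(uniqid('xf', true)), $now));  // unsigned core-style key
var_dump(checkRegKey($secret, $key, $now + 7200));               // same key two hours later
foreach (planFields(['username', 'email', 'password']) as $f) {
    echo ($f['decoy'] ? 'decoy ' : 'real  ') . $f['name'] . PHP_EOL;
}
```

The signed key can still be replayed until it expires; recording each nonce server-side on first use makes it single-use, which also gives the per-attempt state that point 5 says is missing.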
Okay, I now have a working version of this that works with the latest XF. I'm currently looking at the entire TAC pack and making sure everything works hand in hand before uploading it. I'll give everything a version number of 3_x_yz just so it's easy to see it's the latest version.

I still have a lot more functionality to add to this addon, but it's all a bit hush hush
 
I've been talking to XRumer's dev/support (albeit talking to the enemy) and this month (I expect that really means next month) they are doing an update that significantly bypasses all engines and CMSs.

They have looked at hidden fields in the past, but I think they'll now look at it seriously. This is speculation, but I've been reading between the lines, and want to keep ahead of their game.

As predicted, next version, XRumer 16.0, see:

http://www.botmasterlabs.net/event/2017-01-03/1/ (see IntelliForm)
and
+ improved bypass of antibot-protections by analyzing HTML source code.
+ improved bypass of antibot-protections of "honeypot" type
http://theseobay.com/about-xrumer/2745-new-xrumer-16-xevil-ocr-out.html

@tenants you're so damned smart, how did you know they were going to target honeypots in their next version before they had even released it?
Tenants: Because I'm so damned smart

I'm wondering how the core honeypots are doing, it will take a few months for this to trickle in, it takes a while for people to start using the latest xrumer version
I suspect the core honeypots of xenforo will be rendered fairly ineffective (it's a shame, it was a good mechanism that should never have gone in the core), but I did warn this would happen when honeypots are put in the core:

Quite a few times if I remember correctly

All foolbothoneypot methods are now a secret ingredient, yes they will work even if the core honeypots fail, I have a few tricks that are not widely used, one that is my own very original idea and is as close to 100% efficient as the original honeypots (before they were targeted). But there is no way I am mentioning these methods, they now remain secret so that the core has no choice to make this mistake again.

For future development, not all ideas added to fbhp will be honeypots in the classical sense (hidden fields), but many other types of +ve and -ve honeypots

I'm interested to see what happens to the core honey pots in about 3 months from now (or possibly sooner) as botters start adopting the latest xrumer version
 
I'm starting to see bots that bypass core honeypots already

This bot passed every single field correctly and got caught by one foolbothoneypot field

That means it got the email, password, passwordconfirm, dob, gender correct, and didn't touch any core honeypots
The only thing it got wrong was username, and it would have gotten that right if it was a core hp (since they are all the same types of honeypots)

- you can see, obviously it still got caught by apis and captcha, but it's telling
It looks browser based (since js is enabled), I wonder if that was XRumer's IntelliForm solution (which they say avoids JS-protections), or some other bot?

I'm not seeing many of these, but they're starting!


[Attached image: upload_2017-2-1_4-43-18.webp]


another one:

[Attached image: upload_2017-2-1_5-3-41.webp]


Both exactly 72 seconds
 
I haven't bothered to check the logs recently to see if what we assume to be human spammers (which of course can't get fooled by honeypots and no captcha would be effective against) might actually be machine spam. Generally the TPU addon which really helps fine tune the SFS settings has been the only real defense against them and perhaps more recent and advanced machine spam without this addon being updated.
 
JavaScript methods are now starting to be bypassed, as is the timer, as are core honeypots (see above logs), these types of bots are infrequent at the moment, but the js detection was mentioned in XRumer's latest release (people are only starting to pick up the latest XRumer, it will take a few months for it to go wild)

Antispam things you can customise for your own forum are always good (if TPU country detection can be used, then that's good)
APIs continue to be non bypassable at the moment, I know how they might do something about this, but not for a long while (However, APIs always let through a small percent), but I can't encourage APIs enough
Go for non common captcha, or ones you can customise

Things are starting to look interesting, the next few months more so, it's becoming a challenge again, the war on pesky bots, round 3!

I think soon you won't need to check your logs, you'll see a significant change by volume
 
I've just been testing secret ingredient 1 at xenzine.com (xenforo version 1.5.12)

Seems to be working well against the old bots, I'm still waiting for one of XRumer's newest versions of bots, we'll have to see how it does
The newest version of XRumer should still get stuck by the classical added honeypots from fbhp, but they'll get past xenforo's core honeypots, the reg timer and js detection

[Attached image: upload_2017-2-2_0-55-20.webp]


I will add this new fbhp version soon
 
I can't wait. While the scoring system from TPU works well and outside of the SFS API we have a narrow scope of parameters that easily detects the spammers. Once XRumer updates proliferate it's probably going to be a mess for us. 1.3 + FBHP saw almost no spammers at all and 1.4 was good too. We saw human generated spam from India and Pakistan and felt comfortable blocking the 4 total ISPs that were involved. But as it gets widespread many sites don't have the luxury of blocking an ISP or even worse a country.
 
Just added this to a site, and getting the following error:

Code:
XenForo_Exception: Invalid data writer 'Tac_CustomImgCaptcha_DataWriter_StopBotters' specified - library/XenForo/DataWriter.php:2055
Generated By: Unknown Account, 2 minutes ago
Stack Trace
#0 /home/woodbart/public_html/library/Tac/FoolBotHoneyPot/Model/StopBotters.php(47): XenForo_DataWriter::create('Tac_CustomImgCa...')
#1 /home/woodbart/public_html/library/Tac/FoolBotHoneyPot/Model/StopBotters.php(21): Tac_FoolBotHoneyPot_Model_StopBotters->localStopBottersSubmit(false)
#2 /home/woodbart/public_html/library/Tac/FoolBotHoneyPot/ControllerPublic/Register.php(261): Tac_FoolBotHoneyPot_Model_StopBotters->stopBottersErrors('FBHPUser', 'nate', 'nshultis@att.ne...', '2da6a50bf884414...', '1', '1', 0)
#3 /home/woodbart/public_html/library/XenForo/FrontController.php(351): Tac_FoolBotHoneyPot_ControllerPublic_Register->actionRegister()
#4 /home/woodbart/public_html/library/XenForo/FrontController.php(134): XenForo_FrontController->dispatch(Object(XenForo_RouteMatch))
#5 /home/woodbart/public_html/index.php(13): XenForo_FrontController->run()
#6 {main}
Request State
array(3) {
  ["url"] => string(39) "http://woodbarter.com/register/register"
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(20) {
    ["b798b90620c598bb2aea1ec3dcb94d62"] => string(0) ""
    ["username"] => string(0) ""
    ["c6f1af8cac07501261e89178ab771368"] => string(4) "nate"
    ["d17a34835714e877a603c9aac3fc0aa5"] => string(0) ""
    ["00931f927a5b59879958548158cee294"] => string(16) "nshultis@att.net"
    ["0cf3a9dfd770f38fb6b777f79be77845"] => string(0) ""
    ["cf3d62e408b392622ffa4de0a3e5d5b4"] => string(32) "baed6f1e830552568277c53f9c3fd550"
    ["f58172916d58f0dde633fa3e0c7b931a"] => string(0) ""
    ["dob_month"] => string(2) "11"
    ["dob_day"] => string(2) "11"
    ["dob_year"] => string(4) "1976"
    ["location"] => string(2) "nc"
    ["f69694efeb639ff67369baeca5b54a74"] => array(1) {
      ["first_name"] => string(4) "nate"
    }
    ["custom_fields_shown"] => array(1) {
      [0] => string(10) "first_name"
    }
    ["786b88475e59532528585af0abf21ac6"] => string(16) "America/New_York"
    ["captcha_question_answer"] => string(9) "table saw"
    ["captcha_question_hash"] => string(40) "e2e48d63c55646eede582a9b6d344bae304be579"
    ["agree"] => string(1) "1"
    ["_xfToken"] => string(8) "********"
    ["reg_key"] => string(32) "334fc4dd2689c3af78759756b26b6031"
  }
}

CustomImgCaptcha isn't installed, only FBHP
 