[TAC] Fool Bot Honey Pot

[TAC] Fool Bot Honey Pot [Paid] 3.0.32

No permission to buy ($29.00)


Well-known member
This is included in Both
i) Free (Branded) Tac Anti Spam Collection
ii) Paid (unbranded) Tac Anti Spam Collection

tenants submitted a new resource:

FoolBotHoneyPot (version 1.0.1) - Stop bots from registering using hidden fields

FoolBotHoneyPot - Stop bots from registering using hidden fields

Works well to prevent spam in combination with another of my plugins: StopCountrySpam

Many Forum Spam Bots such as Xrumer, are incredibly intelligent. Not only can they solve many captcha images, but they can also solve common question / answers and logical problems

Often, regardless of how good the anti-bot mechanism of a particular forum software...

Read more about this resource...
What a suspect bot would currently see if hidden fields were tampered with:

There are many more hidden fields, this is just showing the email fields
Later, options to BAN on hidden field tampering will be added

You can see an example here: www.surreyforum.co.uk
On attempting to register, use firebug to display a hidden field and "tamper" with it
To Do List

i) The actual visible field names (and many invisible field names) are currently hard coded uuid names, these will eventually be updated to real uuids... each form will have there own set of uuid per install (random uuids will be created on installation) - Done v1.0.2
ii) The order of the fields will be randomised -Done v1.0.4
iii) Banning The bots: since these will build up (banning thousands of IP address and emails in XF is not nice to deal with), a 3rd party banning solution will be adopted Done, use StopBotters
iv) Logging: Logging of Registration prevention will be added -Done v1.0.5
v) Option to not log further entries for already logged email addresses Done v1.0.7
vi) Option to not log further entries for already logged usernames Done v1.0.7
vii) Option to not log further entries for already logged ip addresses Done v1.0.7
vii) Option to not log events Done v1.0.7
viii) Registration Timer Done v1.0.11
iix) Look at options for turning off CAPTCHA just for the registration page Done
To do /* Add cron job to clear up temp uuids */ Done

ix) Point and click bots, randomise visible field order, random sized spacers, random line height
x) Graphical stats for data

This add-on is fairly complete, it does exactly what it says on the tin. Stops 100% of spam bots elegantly without humans even noticing it! If you think of any enhancements, let me know.
Last edited:
After installing this, I would recommend testing that you can register an account

After that, to test what a robot would see:
1) Use chrome/Firefox with Firebug
2) Display one of the hidden fields on the registration form and fill it & then register
tenants updated FoolBotHoneyPot with a new update entry:

FoolBotHoneyPot v1.0.7

When you look at the logs, sometimes you get a big list of the same culprit attempting to register. This update allows you to :
  • Not have to log events (at all)
  • Not log events if the same username has already been logged by this plug-in
  • Not log events if the same email address has already been logged by this plug-in
  • Not log events if the same IP address has already been logged by this plug-in

Read the rest of this update entry...
I have installed and tested this add-on and it works great !
Before installing this add-on, a couple hundred spam-bots created more than 14000 spam-threads at my forum. :eek:

After installing this add-on, no single spam-bot have managed to spam my Forum anymore.

Great job tenants! (y)
PM me, essentially, yes.

1 license covers 1 forum, but if you have multiple forums and find that it is too expensive to cover many forums, we should be able to come to an agreement.
PM me, essentially, yes.

1 license covers 1 forum, but if you have multiple forums and find that it is too expensive to cover many forums, we should be able to come to an agreement.

No, that's fine, I accept owning multiple sites means multiple costs and don't wish to dilute add-on developers efforts ... (y)

TBH only two of my sites are busy enough at the moment to warrant this so I'll add it to my to-do list and hopefully get it installed in the coming weeks (there's never enough time is there? lol :D ).

I'm not sure my cheif spam-killing moderator will appreciate it though - I think he rather enjoys pulling the trigger on our little "friends". :ROFLMAO:
Ah, yes... not many bots will get through this (currently 0% on my forums)

It's also worth having a secondary defence. This plug-in works well with CustomImgCaptcha (FBHP lets you know which CAPTCHA images have been beaten by bots and how many humans found the CAPTCHA too hard)... That's a big advantage over any other Image CAPTCHA mechanism

The moderator may still have the odd Human spammer that gets through (although, I use StopCountrySpam which has also stopped 100% of them so far, but I realise this isn't an option for everyone)
Wow ... within 10 mins. of installing I've got 5 pages of blocked registration attempts. :eek:

Nips off to investigate the IP address that's hammering the registration form!!! (y)
The options are there to turn off the logs / reduce the amount of logging information
By default, it doesn't log multiple attempts from the same IP address... otherwise you would be getting a lot more (but you can turn this on if you like)

However, from the logs, if you click each entry, you can almost see straight away that they are bots, since they will often fill lots of hidden fields with random strings:

    s:8:"username";s:7:"jywcnhl";  // hidden honey pot
    s:5:"email";s:27:"levijohnston917@yahoo.co.uk"; // hidden honey pot
    s:8:"timezone"; s:11:"Asia/Almaty"; // hidden honey pot
    s:8:"password";s:10:********"; // hidden honey pot
    s:16:"password_confirm";s:10:"********"; // hidden honey pot
    s:18:"367c2507056130cc0f";s:14:"Ramon Gonzales"; // hidden honey pot
    s:18:"9bd30507056130a4d9";s:10:"Ajasonde12"; // hidden honey pot
    s:18:"97c68507056131fc84";s:10:"Ajasonde12"; // hidden honey pot
    s:18:"57ed050705613094fe";s:15:"Randall Nedescu"; // hidden honey pot
    s:18:"46bab507056130f2ed";s:10:"Ajasonde12"; // hidden honey pot
    s:18:"0218b5070561310e6e";s:10:"Ajasonde12"; // hidden honey pot
    s:18:"2af465070561319724";s:12:"Im a Spammer";  //<< omg!  this bot really put that
    s:18:"02b2550705613148ff";s:10:"Ajasonde12"; // hidden honey pot
    s:18:"4907e507056130fece";s:10:"Ajasonde12"; // hidden honey pot

Why would a human need to fill so many hidden fields with the text "Ajasonde12" ?
[PS I don't feel particularly bad about exposing bot passwords, even if they use this account on many fourms]

Note: they do not always fill out all the honey pots, sometimes they just target XF and fill out what they expect to see (they would then obviously also fail on a custom catpcha test, since this field would not be expected to be there). What they often do is fill out the cunning honey pots named "username/email/.. etc", they do not know that the real fields are named with uuids

You can also google the username / ip address and email address... and most of the time (but not always) these are old circulating bots picked up by stopforumspam etc...

The great thing is, this doesn't just catch bots that are already known (which will be implemented in XF 1.2) but it catches bots that are not known yet, so this will continue to be useful for a while.

Registration Blocked: User blocked from registering
Today at 10:22 AM
generated by username attempt: jywcnhl
generated by email attempt: levijohnston917@yahoo.co.uk
IP Address:

I still highly recommend using this with the free resource CustomImgCaptcha, they work pretty well hand in hand. I've had bots that at least atempt the custom CAPTCHA, but none that pass them yet (I also havent had any humans that fail the CAPTCHA, apart from when clickfinity put no anwser for "spoon" ^^ <tuts>)

This works well on its own, but it's nice to see real stats for CATPCHA for human fails and what CAPTCHAs bots can pass, this makes it very easy to "prune" CAPTCHA images
Interestingly I've had a couple of people get in touch via the site contact form claiming they cannot register because they have been blocked as bots; does the add-on sometimes produce false positives?

If so, which setting do I need to turn off to stop this happening - I really don't want to put genuine new members off. (y)

Shaun :D
It shouldn't do, can you have a look at the logs and send me (PM) the details.. (star out if passwords are present)

It will only stop people from registering if hidden fields have been changed, and present a contact message if this has been detected (so they can contact you as mentioned).

The only reason I can think of, is they the hidden fields have been auto-populated (which also shouldn't happen, since their values are set, and have a param autocomplete="off")

If you can send me the logs of the hidden fields that were completed by these users, I can look into it (it might be that I have missed one, but didn't find any during testing)

For now, while I look into it, ask just those users to register with an alternative browser (it's fairly likely any auto-complete has come from a the browser)

It would be useful to know which browser they used, so I can test the fix
Top Bottom