Just because it is allowed, it doesn't mean that it got in (for instance, it may have not completed the registration form)
Also, if it is not detected as a bot, I can't log the captcha process.
If it is bot detected, I can log the captcha process.
Once it has triggered enough flags, only then can I lock it out of the system, for instance:
Code:
($isBot != false || $isBotSec1 != false || $isBotSec2 != false || $isBotSec3 != false) && (count($isBot) > 6 || $timeTakeToRegister < 25 ))
||
(($isBotSec1 != false || $isBotSec2 != false || $isBotSec3 != false) && ($isBot || !$javascript_enabled))
- I might lock this down further once we have more info about the new bots.
So they have to trigger one of the new bot detection mechanisms and (either 6 hidden fields, less that 25 secs or no javascript)
The combination of these really tells me its a bot, so I can lock it out of the system
- I do not ever want to lock out real human users, so I have to be very sure... this was far easier in the past
The First Bot
So the first bot you mentioned, is a js enabled bot
at first it got caught by fghp honeypots:
FBHP Classical Honeypots: 5
... but, it is js enabled, bypassed the core honeypots, and bypassed the registration timer, and gets passed APIs
.. These bots to me are the most fascinating, they are part of the new wave of bots.... but I sniff them and learn from them (you need to send me the finger print)
We never new these bots existed, not for certain, not until I started logging them. Now we have proof, bots exists that are js enbabled, bypass the reg timer, bypass apis and bypass core honepots
- This should worry you. and rightly so
It has also got passed
Detected as Non Browser Bot
Detected as Browser Bot
Detected as Semi Automation
But the finger print will tell us more, if you send me the finger print of that 1st bot, we can lock it out for everyone by adding its information to one of these:
Detected as Non Browser Bot
Detected as Browser Bot
Detected as Semi Automation
You understand, I can not lock bots out even if I catch them, I have to be sure..... with the logging information and fingerprint, I can be sure
I do not ever want to hit false positives, especially false positives that prevent the user from contacting you.
At the moment, if ever there is a false positive (there wont be), the user can still get to the contact form and let you know, and you can then let me know, this is how we can be certain that we never run into false positives (that re-attempting password manager user was a good example of that, if I had locked them out, they would not have been able to turn their password manager off and reattempt).
The Second Bot
Firstly, what proof do you have that it really is a second bot
Botters have thousands of IP addresses at their disposal, infinite emails and usernames (that they spin)
see ip address at 2:37, and spun usernames at 2:13
But lets for argument sake, say it is a second bot (it's strategy seems to suggest it is)
It's first few strategies are fairly good strategies, it's not getting picked up by core or my honeypots, its bypassing the reg timer, avoids apis is js enabled and is looking at the form for responses
- I guess you could call it a smart bot
Its testing the system, playing with it, touching the fields and trying to figure out from the responses where it should place its values
It's not a stupid bot that just splats the values anywhere, it also seems to be cautious (and rightly so, since If I catch it, it gets locked out).
If you click on each of those logs, you might find that it is still triggering errors, like (has not completed the username)
- if no errors, then what it is failing on is the captcha, which I have no way of recording for bots that don't get detected.
Eventually, from trial and error, it does get picked up by one of my honeypots
-Both of these bots I can learn from, both of these bots are highly interesting to me, please send the fingerprints to me for both, we can then lock them out in the future.
if you have bots that bypass these
Detected as Non Browser Bot: FALSE
Detected as Browser Bot: FALSE
Detected as Semi Automation: FALSE
Always send the finger prints to me, i have methods of improving way beyond ever before, but I do need these fingerprint logs
There are many bots in the wild, the most prolific ones are GSA and Xrumer, but there are a vast number of headless browsers, selenium and custom made bots
Different bots have different strategies, This is why you are seeing different things happen with different bots (it is not a fault of the logging process, various bots just do different things)
...I am investigating them all.
![[TAC] Fool Bot Honey Pot](/community/data/resource_icons/1/1085.jpg?1577367167){kind=icon}
