[TAC] Fool Bot Honey Pot [Paid] 3.0.32

[DaiAku]

Hi @tenants ,

Just got the following DB error:

Server Error Log
Error Info
ErrorException: Undefined index: HTTP_USER_AGENT - library/Tac/FoolBotHoneyPot/ControllerPublic/Register.php:711
Generated By: Unknown Account, Today at 2:43 AM
Stack Trace
#0 /home/pgweb/public_html/forums/library/Tac/FoolBotHoneyPot/ControllerPublic/Register.php(711): XenForo_Application::handlePhpError(8, 'Undefined index...', '/home/pgweb/pub...', 711, Array)
#1 /home/pgweb/public_html/forums/library/UserEss/ControllerPublic/Register.php(68): Tac_FoolBotHoneyPot_ControllerPublic_Register->actionRegister()
#2 /home/pgweb/public_html/forums/library/Tac/CustomImgCaptcha/ControllerPublic/Register.php(51): UserEss_ControllerPublic_Register->actionRegister()
#3 /home/pgweb/public_html/forums/library/XenForo/FrontController.php(347): Tac_CustomImgCaptcha_ControllerPublic_Register->actionRegister()
#4 /home/pgweb/public_html/forums/library/XenForo/FrontController.php(134): XenForo_FrontController->dispatch(Object(XenForo_RouteMatch))
#5 /home/pgweb/public_html/forums/index.php(13): XenForo_FrontController->run()
#6 {main}
Request State
array(3) {
  ["url"] => string(60) "http://precursorgames.com/forums/index.php?register/register"
  ["_GET"] => array(1) {
    ["register/register"] => string(0) ""
  }
  ["_POST"] => array(36) {
    ["username"] => string(4) "ZCXH"
    ["1471b5358b281221aa"] => string(0) ""
    ["396c35358b28123992"] => string(0) ""
    ["a6a7e5358b28123ae6"] => string(0) ""
    ["895485358b28122cf9"] => string(0) ""
    ["87a455358b28122451"] => string(0) ""
    ["443d15358b28123c3d"] => string(0) ""
    ["babcc5358b28122afb"] => string(0) ""
    ["email"] => string(23) "rolawosavuv@hotmail.com"
    ["f0aa35358b2812299e"] => string(23) "rolawosavuv@hotmail.com"
    ["199cf5358b281228f4"] => string(0) ""
    ["6b2235358b28121d02"] => string(0) ""
    ["2cd475358b28123b8f"] => string(0) ""
    ["6f28f5358b28123397"] => string(0) ""
    ["060105358b28123a3b"] => string(0) ""
    ["932c25358b2812319b"] => string(0) ""
    ["493c75358b2812424a"] => string(0) ""
    ["9bdd55358b281236e8"] => string(0) ""
    ["password"] => string(8) "********"
    ["password_confirm"] => string(8) "********"
    ["dob_month"] => string(1) "9"
    ["dob_day"] => string(2) "24"
    ["dob_year"] => string(4) "1977"
    ["624c95358b28122c50"] => string(0) ""
    ["e0af35358b281224fa"] => string(0) ""
    ["b01d95358b28123049"] => string(0) ""
    ["gender"] => string(6) "female"
    ["a70265358b281213a7"] => string(0) ""
    ["timezone"] => string(14) "Pacific/Midway"
    ["d60995358b28121455"] => string(14) "Pacific/Midway"
    ["95abd5358b281226f6"] => string(14) "Pacific/Midway"
    ["b787b5358b28123fa3"] => string(14) "Pacific/Midway"
    ["76dbe5358b28121fa9"] => string(14) "Pacific/Midway"
    ["agree"] => string(1) "1"
    ["_xfToken"] => string(8) "********"
    ["reg_key"] => string(32) "933c77c029ea7ece3f45db48b963c717"
  }
}

Version 2.3.06

 

[tenants]

Wow, the bot/user had no user agent (I think that's rare)

Should be an easy fix

 

[DaiAku]

Wow, the bot/user had no user agent (I think that's rare)

Should be an easy fix

Awesome thanks!

 

[Liam W]

You've fixed it now, but _preDispatch being public would've broken loads of addons...

Including some of mine

 

[Ren3gade10]

If i purchase this Foolbothoneypot alone, will it have a branding? I only need foolbothoneypot, but I dont want any brandings at the bottom of my site...

 

[whynot]

If i purchase this Foolbothoneypot alone, will it have a branding? I only need foolbothoneypot, but I dont want any brandings at the bottom of my site...

i) Free (Branded) Tac Anti Spam Collection
ii) Paid (unbranded) Tac Anti Spam Collection

 

[tenants]

If i purchase this Foolbothoneypot alone, will it have a branding? I only need foolbothoneypot, but I dont want any brandings at the bottom of my site...

Nope, the paid version of FoolBotHoneyPot is unbranded

 

[pjkenned]

Awesome add-on. Just as a FYI had the few spam bots with ~5 registrations and multiple posts per hit last night. First time since purchasing/ installing FoolBotHoneyPot.

Here are two examples:
No Bot Triggers Found FoolBotHoneyPot: Detected As Human - Registration Allowed
Today at 1:04 AM
generated_by_username_attempt: JamesRawn
generated_by_email_attempt: jamesrawn59@yahoo.com
IP Address: 122.173.33.185:18121
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0
Time Taken To Register: 21 (seconds)
Basic Proxy Detection: Possibly Forged IP Address, ReverseDNSIP (ABTS-North-Dynamic-185.33.173.122.airtelbroadband.in) != ipAddress (122.173.33.185)
JavaScript Enabled: TRUE
Browser Plugins Detected: flash=13,java=10

No Bot Triggers Found FoolBotHoneyPot: Detected As Human - Registration Allowed
Yesterday at 11:53 PM
generated_by_username_attempt: PeterZuckberg
generated_by_email_attempt: peterzuckberg@gmail.com
IP Address: 122.173.123.191:11331
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0
Time Taken To Register: 23 (seconds)
Basic Proxy Detection: Possibly Forged IP Address, ReverseDNSIP (ABTS-North-Dynamic-191.123.173.122.airtelbroadband.in) != ipAddress (122.173.123.191)
JavaScript Enabled: TRUE
Browser Plugins Detected: flash=13,java=10

 

[tenants]

What suggests they are spam bots and not human paid posters, did they post lots of posts within a very short time frame, if so, how many and within what time frame, or anything else that might give the bot away?

It seems unlikely that a bot user would fake flash/java/javasctipt (unless the bot was browser based / using a script engine). These are only logged, and not used to stop bots (so they would have no need to fake these)

I'm guessing, if you email them, you might even be able to talk to them (paid posters sometimes respond). Asking them that they provide quality content... etc etc, if you do get a response, it's far less likely they are botting (botters usually dispose email addresses)

I am making some updates to catch some browser based bots, but I dont think it is needed here (browser based bots are rare, far more rare than xrumer, but I think what you have is human paid posters)

From the IP range, the IP seems to come from India, and it's not uncommon to have paid posts from India (but paid poster can be from any country)
http://www.ip2location.com/122.173.33.185

-- At the moment, these look more like paid posters

 

[pjkenned]

Totally may be. They are filling out the registration form including the random Q&A question in 21-23 seconds, then updating their profile page with information in under 5 seconds, then posting a few seconds later. This is faster than I can do it and I do not have a half way around the world latency hit.

You are totally right that they may be human and used multiple IP's in the same local block.

 

[tenants]

I'm not sure either way yet (the plugins detected strongly suggest they are using a browser at least)

IPs in the same block suggests one of two things

They are using an IP server / have bought a block of IP addresses to use (this is not uncommon for botting)
Or
They are locally close & using the same ISP / same human (we can see they are using the same ISP and if you google that ISP you'll see it's been used by quite a few human spammers, but could still be used by botters too)


Paid posting is quite repetitive, many paid posters probably use a few browsers tools to semi automate...

Completing your QA in a few seconds is not as likely (but the other fields are probably copy pasted using shortcuts / quick keys)

Back in the day, 'somebody I knew' used to use JavaScript injection to semi automate posting to directories (there is no point any more, and modern browsers no longer allow js injection via URL for security reasons), but if you're doing a repetitive job, you find quick ways of doing things (short cuts / copy paste, browser plugin semi-automation).

I had someone do a similar thing on one of my forums (sign up change their homepage and post within 30 seconds), I emailed them and they were indeed a paid poster.


Semi Automation is not a thing I want to block (think of many users using password managers), I actually do a few things to make sure I never catch these types of users. The types of automation that I am preventing is full automation (the tool user does't even need to visit your site). Semi Automation / paid posting service isn't something that can/should be caught with FBHP (StopHumanSpam might help). We only want to stop bots we are sure are bots with FBHP (which we can currently do more reliably than any API).

 

[tenants]

tenants updated FoolBotHoneyPot Bot Killer: Spam Combat with a new update entry:

Further Customisations Options and Spam Bot Resource Reduction

• Added options to turn off the CAPTCHA for registration (but keep it for all other areas)
• Added options to hide the timezone option (reducing the number of fields on the registration page)
• Added RecentActivity and Members to the areas protected by the cache (since these seem to be significant areas also hit and spam bots)
• Also now update the cache time on bot re-attempts (so the ip doesn't suddenly become un-cached even though the bot is continuously hitting the forum)
• Added dynamic spacers for rare bots that attempt to auto-fill based on know form positions (I believe it's unlikely most forums will experience these)
• Added stats, this also works with AnyApi (this option is more for myself to show the strengths of various APIs)
• Added a dynamic url, so forms get submitted to register/register&xxxxx=yyyyy instead of just register/register (both the param and values are uuids). Bots will often just submit directly to register/register.
• Added option to make the registration process 2 step (This stops some bots, but primarily allows more customisation for admins)

Read the rest of this update entry...

 

[tenants]

• Added RecentActivity and Members to the areas protected by the cache (since these seem to be significant areas also hit and spam bots)

I added the recentActivity (at the beginning of this month) after recently reviewing my server stats and noticing spam bots where still hitting certain areas (In particular, a few spam bot IPs from Ukraine). The cache had protected some areas, but it seemed certain bots were hitting the recentActivity area very hard (1 bot was taking up about 1 to 2 gig a day), they now don't take up anything significant (kilio-bytes rather than gigs, and 0 queries)

Previously, these spam bots leached quite a lot (hitting hard with a lot of quires and data)

It's not quite at the end of the month yet, but you can see there is already an enormous difference for this small shared server this month:



You can see that the spam bots are hitting the 401 Unauthorized (previous months, the hits value was 0):



It seems they don't keep hammering quite as often once they hit the 401 Unauthorized, this is also a low byte page (compared to the gigs these spam bots were causing before) and low query (0 queries each hammer attempt, instead of 15 - 25 ish, or there about)

 

[tenants]

I've also added a stats page, on this page you can see the average time a bot takes to register and watch the trend over time, and also compare the human : spam bot registration ratio.

The real reason I added this area, is so that I can compare different APIs and see how effective they are. StopBotters seems to be far stronger than all of them, but different APIs do have different advantages (StopForumSpam catches even human spammers, on the flip side it's human reported and human managed and from my experience, it's not uncommon to get false positives, this hasn't been an issue seen with StopBotters)



To see these stats, the APIs must be used via AnyApi, if you don't care about looking at API stats you can ignore this and just use the core API methods (if you feel you need to)

On a typical day (May 15th 2014) for a particular forum, assuming the Bot Count from FBHP is 100% correct, the efficiency of stopping bots for the APIs were:

StopBotters: 98%
StopForumSpam: 90%
FSpamList: 80%
ProjectHoneyPot Http:BL: 71%

No API is 100% effective every day (StopBotters is some days, but not every day) and the efficiency fluctuates from day to day (unless we had a bigger bot sample size), but the API trend seems to stay fairly similar.

I run StopBotters (And continue to run it free with much gratefulness towards @Slavik for providing his hosting services FREE!).
These results aren't biased, if you turn AnyAPI on and record the stats of a few API's, you should see similar results (as long as your API keys are correct )
If StopBotters isn't picking any up, you might have to update your key (send me a private message and let me know). StopBotters can pick up bots even if FBHP should ever fail (however, FBHP mechanisms currently stop 100% of bots, so there is little need for it at the moment)

 

[TPerry]

@tenants... just updated to the latest version and when I go to install/upgrade the .xml I get this

Server Error

Mysqli prepare error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 3

Zend_Db_Statement_Mysqli->_prepare() in Zend/Db/Statement.php at line 115
Zend_Db_Statement->__construct() in Zend/Db/Adapter/Mysqli.php at line 381
Zend_Db_Adapter_Mysqli->prepare() in Zend/Db/Adapter/Abstract.php at line 478
Zend_Db_Adapter_Abstract->query() in Tac/FoolBotHoneyPot/Model/Stats.php at line 515
Tac_FoolBotHoneyPot_Model_Stats->buildStatsDataFromLogs() in Tac/FoolBotHoneyPot/Install.php at line 146
Tac_FoolBotHoneyPot_Install::installCode()
call_user_func() in XenForo/Model/AddOn.php at line 215
XenForo_Model_AddOn->installAddOnXml() in XenForo/Model/AddOn.php at line 169
XenForo_Model_AddOn->installAddOnXmlFromFile() in AddOnInstaller/ControllerAdmin/AddOn.php at line 32
AddOnInstaller_ControllerAdmin_AddOn->actionInstallUpgrade() in XenForo/FrontController.php at line 347
XenForo_FrontController->dispatch() in XenForo/FrontController.php at line 134
XenForo_FrontController->run() in /var/www/twd/admin.php at line 13

Using Percona 5.6.

 

[tenants]

Hmm, not an easy SQL error to debug:

right syntax to use near ''

I wonder, did you have any data in your logs when you upgraded. Was this an upgrade or uninstall -> reinstall ?

 

[TPerry]

Hmm, not an easy SQL error to debug:

right syntax to use near ''

I wonder, did you have nay data in your logs when you upgraded. Was this an upgrade or uninstall -> reinstall ?

Upgrade. Give me a second to delete the log file from the ACP and try again.

 

[TPerry]

Deleted the logs (and replaced the files with the old version since the upgrade had not completed and now I get this.


Am about to uninstall it and try a fresh install.

EDIT:
Copied it to wrong location so disregard that... but even copying the files back over after deleting the log still doesn't work. Next step, uninstall.

 

[tenants]

Okay, I've seen something that could have potentially have caused that, I've now wrapped one of the values in quotes (not sure why I didn't see this error on 3 other forums)


added a new version: FoolBotHoneyPot_v2_4_01.zip (let me know if this fixes it, since I can't reproduce it)

I've also fixed the $_SERVER index value issues mentioned previously by @DaiAku

 

[TPerry]

@tenants, looks like that fixed it. Thanks for the quick response!