Page 1 of 11

[2.0.20] ConfusaBOT ACP

Posted: Fri May 12, 2006 6:25 am
by Extensions Robot
MOD Name: ConfusaBOT ACP
Author: espicom
MOD Description: Change "agreed" and "coppa" variables to confuse bots, with an Admin Control Panel interface


MOD Version: 1.0.0

Download File: ConfusaBOT_ACP_v100a.zip
mods overview page: View
File Size: 11303 Bytes

Support for this MOD needs to be asked within this topic. The phpBB Teams are not responsible or required to give anyone support for this MOD. By installing this MOD, the phpBB Support Team or phpBB MODifications Team may not be able to provide support.

This MOD has only been tested by the phpBB MOD Team with the phpBB version in the topic title. It may not work in any other versions of phpBB.

Posted: Sun Jun 04, 2006 7:29 pm
by webmacster87
MOD Validated/Released

Notes:
Changes the names of a few variables on the registration to confuse register bots.
Image

Posted: Sun Jun 04, 2006 8:17 pm
by kber
hello , thanks
demo?

Posted: Mon Jun 05, 2006 12:13 am
by chris3471
Demo would be nice. So what does this do? Does it just change the names to some other names but still in plain text or does it encode the names?

Posted: Mon Jun 05, 2006 3:08 pm
by espicom
Note: The effectiveness of this MOD for blocking spam registrations has fallen drastically since it was created. Spam bots now routinely scan the registration page for changed variables, and even fill in MOD-related ones found (usually with nonsense values). I do not recommend installing this MOD anymore.

However, it does make a good example of how to add things to your templates, and to the admin control panel, if I do say so myself....

PHPBB uses a standard set of variable names for registration. Among them are "agreed" and "coppa", to signify that you've read and agree to the board's terms of use, AND that you're 13 or older. Since these variables are all known to BOT writers, they can construct an HTTP POST request that appears identical to a user-created one.

This MOD changes two of these variables, so that such pre-constructed registrations will not work. What they are changed to is controlled through your admin control panel (ACP) so that you can change them regularly:

Image

It does not "encode" anything. The HTML variables are always going to be readable from the source. It is not a 100% wall against spam registrations, because some of the BOTs are smart enough to fetch your registration agreement page to get these variables and use them, although most (so far) do not bother, or do not completely utilize this capability. The result does not affect regular users, since their browsers will use the correct variables. It only affects attempts to bypass the normal registration process.

When combined with other MODs, such as the "Instant Ban" MOD, more attempts to register are blocked than without it. My systems log what BOTs send for registrations; over the past 18 months, about 80% of these attempts would have been blocked by this MOD on its own, but its success has been tapering off. Over the past two months, it would only be about 60%.

Posted: Tue Jun 06, 2006 8:07 am
by RATT
wondered how long it would be before you finally made a mod for this..Nice one Jeff..Tx.

Posted: Tue Jun 06, 2006 1:04 pm
by espicom
Thanks, Ratt. It was more a motivational thing... and the realization that support for doing this change didn't belong over in the support forum. Making a formal MOD seem to be the only honorable way out... :wink:

Posted: Wed Jun 07, 2006 12:59 pm
by imrich
I have two questions:

1) Why doesn't the 'visual confirmation' stop the bots? I thought the whole point of the visual confirmation was to keep the bots from doing things like this. Are they getting smart enough to read the bitmap images now?

2)
Is it just me, or another of my mods? I have user email account activation/confirmation on. If someone starts the registration process, they do everthing EXCEPT the final step of clicking on the account activation step in the email. But then try to log in using the new account which they created, They get a blank screen! This is the html code which they are sent:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
<BODY></BODY></HTML>

They receive this no matter if they use their password or not.

Shouldn't they recieve some sort of error message?

Posted: Wed Jun 07, 2006 1:06 pm
by espicom
These are issues unrelated to this MOD, but...

Visual Confirmation does block about 80% or more of the bot attempts. I have no way of giving you data for anything except my boards, but fewer than 1 in 10 attempts to register even bother with sending the confirmation code, and the onese that do have a history that suggests that a person is involved in at least part of the registration process.

Blank pages for unconfirmed people is a bug in v2.0.20 of PHPBB, and there is a fix for it in the Support Forum.

Posted: Wed Jun 07, 2006 1:11 pm
by imrich
espicom wrote: These are issues unrelated to this MOD, but...

Visual Confirmation does block about 80% or more of the bot attempts. I have no way of giving you data for anything except my boards, but fewer than 1 in 10 attempts to register even bother with sending the confirmation code, and the onese that do have a history that suggests that a person is involved in at least part of the registration process.

Hmm.. thanks! I didn't realize that people would sit and work with a bot. Amazing what people will do with their time!
espicom wrote: Blank pages for unconfirmed people is a bug in v2.0.20 of PHPBB, and there is a fix for it in the Support Forum.


Thanks, In testing your mod, I just found this bug and was just starting to look into it. I found the bug in login.php and will now search for the fix, this will save me a lot of time.

Thanks again and thanks for sharing your mod.

Posted: Wed Jun 07, 2006 1:24 pm
by espicom
There are several strategies for adding human power to bots. Some people are willing to solve these puzzles for USD$2/hour, because that's a lot of money where they are located.

Another strategy is to put up a site that is "desirable" for gullable people, such as a "free porn" site, and tell them they need to solve a CAPTCHA to get in. When they have a sucker on the line, they can have the bot "join" whatever service has the CAPTCHA, and then present the image to the sucker. They then forward the results back to where the CAPTCHA came from. Tell the sucker they "missed" a few times, and you can join multiple CAPTCHA-protected services in a session.

This is why some CAPTCHAs are moving to having the site domain encoded into them, as well, as a watermark, in the hope that some of the suckers realize that a CAPTCHA for "world-of-cheese-puff-houses.org" shouldn't be appearing on their screen for entry into "hotest-tarts.xxx"!

Posted: Thu Jun 08, 2006 3:34 am
by iNfLuX
i just installed 2.0.21 and tried to install this mod.... just got this error from EM...
Critical Error

FIND FAILED: In file [templates/subSilver/admin/board_config_body.tpl] could not find:

<td class="row1">{L_AUTOLOGIN_TIME}

MOD script line #246 :: FAQ :: Report


i searched my board_config_body.tpl and can find no reference to the {L_AUTOLOGIN_TIME} variable....

Posted: Thu Jun 08, 2006 5:45 am
by RATT
This is the full string

Code: Select all

	<tr>
		<td class="row1">{L_AUTOLOGIN_TIME} <br /><span class="gensmall">{L_AUTOLOGIN_TIME_EXPLAIN}</span></td>
		<td class="row2"><input class="post" type="text" size="3" maxlength="4" name="max_autologin_time" value="{AUTOLOGIN_TIME}" /></td>
	</tr>
Sometimes easymod wont find the string, you may have to do it manually which i find is the safest ;)

Posted: Thu Jun 08, 2006 1:09 pm
by iNfLuX
^^^ yeah, which is what i started doing... but i searched my board_config_body.tpl and can find no reference to the {L_AUTOLOGIN_TIME} variable....

Posted: Thu Jun 08, 2006 1:10 pm
by iNfLuX
edit.