the idea of stopping more spambots although blacklists (also stop some human spammers from registering/posting) and the NRU group (after the fact) does a pretty good job of that too.
I think that while it would help at first, if you have directions about waiting for timers and deleting text, that the bots will eventually be programmed to do just that like they're programmed to break bad/easy questions and captcha. Making a bot skip hidden fields should be trivial too, even if they don't do that yet.
Long term, the only really good solution is RBLs...
Another anti-spam MOD, in the meantime, won't hurt anything though...
I find the blacklist (RBLs) also blocks legit people, for most blacklists use an IP ban and username ban, which, overall, sucks. Most IPs are dynamic, so though one day they may be under one IP, the next they are under a different one, and eventually someone legit may have that IP that was blocked and, guess what, they can't get on your site. I have also seen them start using proxies, so that could also cause some issues there. That's why with the Honeypot I decided not to do any banning or blocking by username or IP; it just catches a failed response and stops them in their tracks. I watched a YouTube video of someone who was showing what their bot program can do so they could generate more sales of the program, and that's when I saw that it was registering on sites in a matter of seconds. It registered on 10,000 sites and made a post on each in 15 min., and that was with sites using captcha systems like reCAPTCHA and various others out there.
Most bots that I have researched do skip hidden fields that use CSS to hide them. But most of them out there don't use JS, so if you hide it with JS, then it will be visible to the bots. Granted, there are some that have already considered that and made workarounds for it; that is why I put in 3 checks.
The timer and the text removal field are the two that I have noticed stop the most. I do know that eventually, if it becomes a mainstream way of blocking their software, they will build in a system that will bypass it, but for now, from what I have seen, it is not being used or part of the bot system. Overall, it will be an endless battle between bot program developers and web developers.
Overall, the best way I can say how this system works is as follows: if you fail any one of the 3 checks, it will bring you to the next page, but instead of letting you continue, it will display a message saying you were blocked, and what for. It also writes your info to the DB, where it records the username, real name, IP, and email that you tried using, as well as the date and time, caught by, and what the reason was. So if you did it too fast, it will say you were caught by the "Wait Script" and the reason would be "Submitted in 4 sec.". That is just an example.
All that info is visible in the ACP of the site so admins can see if there was a bot attack, and if they want to proceed further, they have the info needed to submit to a blacklist or add them to their own blacklist.
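The three checks and the logging step described in the post above, sketched as an added example (not the MOD's own code and not part of the original thread). The field names, the 10-second threshold, the signed timestamp and the `honeypot_log` table are assumptions.

```php
<?php
// Added example, not the MOD's code. Field names, MIN_SECONDS, the signed
// token and the honeypot_log table are assumptions made for illustration.
const MIN_SECONDS = 10; // assumed threshold for the "Wait Script"

// Signed render time, so a client cannot claim the form was shown earlier.
function issue_form_token(string $secret, int $now): string {
    return $now . ':' . hash_hmac('sha256', (string)$now, $secret);
}

// Returns null when all three checks pass, else [caught_by, reason].
function check_submission(array $post, string $secret, int $now): ?array {
    // Missing or non-string fields become '?', which fails every check.
    $f = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '?';
    // 1. Hidden field: humans never see it, so it must come back empty.
    if ($f('website') !== '') {
        return ['Hidden Field', 'Hidden field was filled in'];
    }
    // 2. Text removal: rendered pre-filled; a human is told to clear it.
    if (trim($f('clear_me')) !== '') {
        return ['Text Removal', 'Pre-filled text was not deleted'];
    }
    // 3. Timer: verify the signature first, then the elapsed time.
    [$ts, $mac] = array_pad(explode(':', $f('form_token'), 2), 2, '');
    if (!hash_equals(hash_hmac('sha256', $ts, $secret), $mac)) {
        return ['Wait Script', 'Missing or altered form token'];
    }
    $elapsed = $now - (int)$ts;
    if ($elapsed < MIN_SECONDS) {
        return ['Wait Script', "Submitted in $elapsed sec."];
    }
    return null;
}

// Record the attempt for the ACP; no IP or username ban is created.
function log_blocked(PDO $db, array $post, string $ip, array $hit, int $now): void {
    $stmt = $db->prepare('INSERT INTO honeypot_log
        (username, real_name, ip, email, caught_at, caught_by, reason)
        VALUES (?, ?, ?, ?, ?, ?, ?)');
    $row = array_map(fn($k) => is_string($post[$k] ?? null) ? $post[$k] : '',
        ['username', 'real_name', 'email']);
    $stmt->execute([$row[0], $row[1], $ip, $row[2],
        date('Y-m-d H:i:s', $now), $hit[0], $hit[1]]);
}

// Constructed sample: a bot that clears both traps but posts 4 s after render.
$post = ['username' => 'bot1', 'real_name' => 'B', 'email' => 'b@example.test',
    'website' => '', 'clear_me' => '', 'form_token' => issue_form_token('k', 1000)];
print_r(check_submission($post, 'k', 1004));
```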
Lumpy Burgertushie wrote: nice work. I didn't know anyone was still using NUKE.
just so you'll know. each of those things you mention that your script does has already been worked out for phpbb3 and is available to users as a MOD.
however, the main thing that is working these days is a simple question and answer available in the default setup.
you just have to make it a good question that can not be guessed or one that has not been added to the BOT's lists of questions and answers.
if you can find the answer in google then it is no good. if it is a yes/no it is not good, if it is any kind of math problem it is no good, etc.
The most effective questions are something specific to the site or the subject of the site.
There are still a lot out there that use nuke, but we only support Raven and Evo, for those two have taken security to be a main factor in their CMS where the standard phpnuke has not. Though we do get the occasional phpnuke user, we try our hardest to get them to upgrade, mostly for security reasons.
I don't follow what goes on here so I did not know if they were already in mods or not. I just was contacted by someone to see if I can port what I developed for the nuke community to phpbb3. But with me never actually using this system, it would take some time just to figure out how it works. The last phpbb I used was php v.2.0.21 if I remember right. Now that I know that there is already a bunch of stuff over here already, is there a specific link to a thread that contains a list of the mods?
I know about that question one, but I have seen that cause more issues with legit people than not. The trick with that is for the web owner to come up with a question that is not confusing or difficult for a human to answer correctly, but also, on the other hand, is something that can't be looked up. Problem with that is there may be actual humans that can't answer it or may have trouble answering it. Though the concept is sound, I have seen bots eventually get past them, which would require you to create a new question, and sometimes that's the trickier thing to do.
I also was looking at that a little bit. When you go to use that, can you also have that with one of the captcha systems? It looked to me, during the brief few seconds of looking over it, that it was one or the other. If that is the case, why not have several layers of protection rather than just one? I may be wrong on this, so nobody bite my head off if I misviewed this; like I said, I only looked at it for about 30 seconds. But at first glance, it, to me, by default was one or the other, which sort of defeats what you're trying to do, which is stop bots.
Single layer security to me is poor practice, and having several layers is practical. I know on my main site, I have about 6 layers of protection from bots and hackers, (Not including the standard stuff with the CMS), most not visible to users, but work on the back end.