Any idea how spambots are circumventing BotStop?

This discussion is related to the BotStop addon.
whu606 I'm not a SuperHero; I just like wearing tights... MVP

I've been using and recommending this plugin for a good while, but since yesterday a spambot has found a way around it.

I'm using Vanilla 2.1, with BotStop adapted to use Peregrine's mod for Registration approval.

I've signed up as a new user, and the form is behaving just as it should, including the humanity check.

Can any clever code types figure a way to beef this up, as it had been absolutely effective up until now?

Cheers if you can.

Comments

  • hgtonight ∞ · New Moderator

    It seems your spam bots have found this plugin and added the default questions to its kb.

    Change your questions and answers via the available config options/settings and see if that helps.

  • vrijvlinder Papillon-Sauvage MVP

    The way Botstop and any other captcha work is by using a bit of human psychology and some math. Also has hidden fields. I researched this while creating a custom home made captcha. The way bots seem to work is they find input fields and instantly try to fill them. And they send but don't check if it sent it. They fill and send even if they fail the captcha, so in this case the captcha would not allow it.

    However this or any other captcha will not stop determined people. :(

    If it got through, chances are it was a determined person spammer.

  • whu606 I'm not a SuperHero; I just like wearing tights... MVP

    @hgtonight

    Thanks. I'll have a go at that.

    @vrijvlinder

    Well, unless this 'determined person spammer' was able to type incredibly quickly, and submit personal applications simultaneously from a variety of IP addresses, I think it is safe to say it is a spambot causing the trouble.

    Part of the reason for flagging this here is that I know lots of other people have been using this plugin, and so may well find themselves targeted at some point.

  • vrijvlinder Papillon-Sauvage MVP

    Yes it is also possible I guess. I use a hard question by internet standards, if they don't know already they would need to google it.

    Have not gotten any spam since the use of this plug with just basic captcha on top of the bot stop.

    In fact I put a mock captcha and botstop on a contact form and don't get spam from that either. Here is some good insight about the captchas.

    http://stackoverflow.com/questions/8472/practical-non-image-based-captcha-approaches

  • @whu606

    Are you using the addition method or the question? Also, are the multiple spambots from the same IP address? Also, can you look in your access log to see if they applied multiple times but failed?

    If you can provide more details on how they are circumventing it (by brute force multiple times, or by reading the display), it might provide some insights on a better design.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • peregrine MVP
    edited June 2013

    You could try the ban applicant plugin and see if that works for you for the pesky spammers.

    Or you could block applicant registration (for a specific IP address) for a period of time after a certain number of tries (if they are using brute force registration).

  • peregrine MVP
    edited June 2013

    @whu606

    Another plan of attack would be to set them to the confirm e-mail role with BotStop. Make the confirm e-mail role with the same permissions for posting as a guest. Then delete applicants who haven't confirmed within a week with a modified cleanser (I could do that cleanser mod gratis, if you want to do that). That deletes any applicant who hasn't confirmed via e-mail in a week. Of course you would need to specify that "You will have to reapply if you don't confirm your e-mail in one week".

  • vrijvlinder Papillon-Sauvage MVP

    I almost think that registration approval causes more spam bots because they are attracted to any form you put out there. And the approval they need to fill out more fields. I think they act as form hounds and just fill them out ... the ban applicant sounds like a good idea for those insistent

  • vrijvlinder Papillon-Sauvage MVP
    edited June 2013

    here is a good piece of info about dumb submitter bots to shed some light as to how they work and possible ways to beat them ...

    http://www.kirsle.net/doc/submitter.html

    here is a great alternative to botstop, a simple check box

    http://uxmovement.com/forms/captchas-vs-spambots-why-the-checkbox-captcha-wins/

  • vrijvlinder Papillon-Sauvage MVP
    edited June 2013

    I just added the check box botstop to my contact plugin, and it works and it is easy to add!!!
    This is what I did in the default.php of my contact plugin to add a check box check:

    if ($Sender->Form->IsPostBack() != False) {
        // Server-side validation rules for the contact form
        $Validation = new Gdn_Validation();
        $Validation->ApplyRule('YourName', 'Required', 'You must enter your name.');
        $Validation->ApplyRule('YourEmail', 'Email', 'You must enter your e-mail (will not be published).');
        $Validation->ApplyRule('Message', 'Required', "You must include a Message");
        // The "Not a Bot" box must be present in the submitted form
        $Validation->ApplyRule('Checkbox', 'Required', "You must check the box");

        $FormValues = $Sender->Form->FormValues();
        $Validation->Validate($FormValues);
        $Sender->Form->SetValidationResults($Validation->Results());
        if ($Sender->Form->ErrorCount() == 0) {
            // $Email is not defined in this excerpt; it comes from a part of the plugin not shown in the post
            $Name = GetIncomingValue('Form/YourName');
            $Subject = sprintf('Contact by %s %s', $Name, date('j M Y H:i'));
            $Email->Subject($Subject);
            $Email->To(C('Garden.Email.SupportAddress', ''));
            $Email->From(GetIncomingValue('Form/YourEmail'), $Name);
            $Email->Message(GetIncomingValue('Form/Message'));
            $Option = GetIncomingValue('Form/Checkbox');
            // ... the rest of the handler is not shown in the post
        }
    }


    then added the check box to the form like so after the other fields in the contact.php

    <li><?php echo $this->Form->Label('Not a Bot') . $this->Form->Radio('Checkbox'); ?></li>
    
    

    you can see it here

    http://www.vrijvlinder.com/forum/contact

    I tested it and it works, it will not send if the box is not checked. If it is checked it will send.

  • whu606 I'm not a SuperHero; I just like wearing tights... MVP

    @peregrine

    Thanks. Yes, I'm currently using the random addition set of questions.

    The applications are coming from a variety of IP addresses, some of which are the same. I'm guessing it is using a brute force method of attack.

    I'm away for a day or so, so will check the access logs when I get back.

    @vrijvlinder

    Thanks for that, I'll have a look at that when I get back.

  • Spammers are also getting around my BotStop plugin (I use it with the Registration method using Peregrine's modifications)... They also get through if I use the Captcha on its own or alongside the BotStop.

    I've noticed that if you type any number from 2-19 in the BotStop answer box, then press send, the question will change but your answer stays the same and remains in the box. Therefore, it's then possible to keep pressing "send" until the right question appears for the answer you put, and then the form succeeds! (i.e. type "4" as your answer, then keep pressing send until "one and three" or "two and two" becomes the question!) Is this what bots can do? Is there any way of automatically clearing the answer box every time the question is answered incorrectly (and would that help?)

    Also, how exactly would I go about changing the BotStop question, so that instead of a maths problem, it says something like:

    Question: What is the capital of England?

    Answer: london, London or LONDON.

    If the bots figure it out, I can just change the question again. Is that a better way to go does anyone think?

    Thanks in advance!
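
The weakness described in the post above (a wrong answer stays in the box while a new random question is drawn, so a fixed answer eventually matches) and the per-IP lockout suggested earlier in the thread can both be handled server-side. This is an added example in plain PHP, not BotStop's or Vanilla's own code; the function names, the array stores and the limits (5 failures per 15 minutes) are assumptions for illustration.

```php
<?php
// Added illustration, not BotStop code. $session stands in for $_SESSION and
// $failures for a persistent per-IP store; names and limits are assumptions.
const MAX_FAILURES = 5;      // failed answers allowed per IP per window
const WINDOW_SECONDS = 900;  // length of the lockout window (15 minutes)

// Issue a fresh question and keep its answer on the server only.
function issueChallenge(array &$session): string {
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $session['botcheck'] = ['answer' => $a + $b, 'issued' => time()];
    return "How much is $a and $b?";
}

// True if this IP has used up its failures inside the current window.
function isLockedOut(array $failures, string $ip, int $now): bool {
    $recent = array_filter($failures[$ip] ?? [], fn($t) => $now - $t < WINDOW_SECONDS);
    return count($recent) >= MAX_FAILURES;
}

// Check one submission. The stored challenge is consumed whether the answer
// is right or wrong, so a resubmitted value can only meet a new question by
// spending another counted attempt.
function checkAnswer(array &$session, array &$failures, string $ip, string $given, int $now): bool {
    if (isLockedOut($failures, $ip, $now)) {
        return false;
    }
    $challenge = $session['botcheck'] ?? null;
    unset($session['botcheck']);                 // single use
    $ok = $challenge !== null
        && ctype_digit($given)
        && (int)$given === $challenge['answer'];
    if (!$ok) {
        $failures[$ip][] = $now;                 // count the failure
    }
    return $ok;
}

// Constructed demo: a client that always submits "4" from one address.
$session = []; $failures = [];
$ip = '203.0.113.7';   // constructed documentation address
$passed = 0;
for ($i = 0; $i < 50; $i++) {
    issueChallenge($session);
    if (checkAnswer($session, $failures, $ip, '4', time())) {
        $passed++;
    }
}
echo "passes: $passed, recorded failures: " . count($failures[$ip] ?? []) . "\n";
```

In a real form handler the failure store has to persist across requests (a database table or cache) rather than live in the session, because a client that discards its cookie starts a new session on every request. The per-IP count only bounds repeated guesses from one address; it does nothing against a correct answer supplied on the first try.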

  • x00 MVP
    edited July 2013

    Botstop isn't a very strong or advanced form of protection, TBH. I use a similar technique that combines Captcha with a question, where there is a random selection such as using a foreign alphabet.

    After that you might consider an SMS confirmation service. It depends how easy you want to be able to join.

    None of these are absolute protection against manual spam.

    grep is your friend.

  • @x00 said:
    Botstop isn't a very strong or advanced form of protection, TBH. I use a similar technique that combines Captcha with a question, where there is a random selection.

    Please, tell me more! Exactly what have you done and how have you done it?! Thanks :-)

  • I created a plugin that works in a similar way to BotStop in that it replaces the registration form regardless of whether it is approval, etc., and puts in reCAPTCHA, and also takes a character from an obscure numeral system and asks you what number that is in Roman numerals.

  • StumpyJoe
    edited July 2013

    @hgtonight said:
    Change your questions and answers via the available config options/settings and see if that helps.

    I ALSO have recently had a spambot circumvent BotStop, and I tried changing the question, but it seems the settings in the Dashboard don't affect the actual plugin?

    First I tried changing to a question with a word answer (not a number/# answer), and when I tried registering, the BotStop question was "How much is two and one?" Thinking that it HAD to be a math question, I went back into the dashboard and changed the question to "How much is three and three?", saved, and when I signed out and tried registering the question was "How much is five and eight?"

    So I guess it's just randomly picking numbers, in which case what is the point of the settings in the Dashboard?

    edit: I just remembered I modified the plugin for the approval registration, if that helps.

  • whu606 I'm not a SuperHero; I just like wearing tights... MVP

    In case anyone finds themselves in a similar situation, I can recommend @peregrine's plugin which you can find here:

    http://vanillaforums.org/addon/registrationrestrictlogger-plugin

    Used in conjunction with BotStop, it has so far blocked all spam attempts.
