You are here

README.txt in BOTCHA Spam Prevention 6.2

BOTCHA Module
-------------
by Ilya Ivanchenko, iva2k@yahoo.com

Summary
-------

BOTCHA provides an unobtrusive anti-spam protection for website forms. There are 3 key advantages:

+ Unlike challege-response tests like CAPTCHA, human users are not burdened by solving any puzzles.

+ Unlike Mollom or Akismet, form data is not submitted to a 3rd party server for analysis.

+ Protection by BOTCHA is variable, adaptible, scalable, and virtually unlimited


In CAPTCHA, each user is burdened to prove he/she is human by solving a puzzle.
Initially CAPTCHA was very effective, but with time spambot algorithms were
developed to bypass CAPTCHA really well. Now CAPTCHA complexity is not enough
to deter spambots, but is too difficult to the real users who get frustrated
and often just leave the site when confronted with extra burden of CAPTCHA.

In BOTCHA, we don't abuse our human users - BOTCHA protection is completely
transparent to them and non-intrusive.

BOTCHA is useful for any form that has to be protected from spambots.

BOTCHA lets spambots to prove they are bots, and let real users zip by.

Note: BOTCHA does NOT attempt to block human entered spam.

How it works
------------

The approach of BOTCHA is to add various elements to forms that need protection from bots. These elements do not present new fields to users, so BOTCHA is completely transparent to humans. Both humans and bots submit those forms and BOTCHA performs heuristic analysis on each submitted form. Bots are usually programs/scripts that are relatively dumb, and most of the time they fail BOTCHA tests and human users don't.

Once BOTCHA proves the submission is by a bot, the form submission is blocked.

The more there are opportunities for the bot to slip and prove it is a bot, the better defense from spam we have. So we can combine multiple BOTCHA recipes as opposed to only one CAPTCHA per form. This gives huge advantage to BOTCHA.

Advantages
----------

There are many advantages of BOTCHA over CAPTCHA:

* BOTCHA does not bother normal human users
* BOTCHA tests are designed in such a way that normal users will never see them
* There is no limitation on number of tests BOTCHA can implement on each form, so it gets progressively stronger
* As bots get smarter, BOTCHA will be updated with new recipes to defeat them
* BOTCHA needs very little configuration

It is possible to use BOTCHA alone without CAPTCHA. Nevertheless, it is recommended to use BOTCHA together with CAPTCHA. BOTCHA does not interfere with CAPTCHA, and more lines of defense are always better.

What "BOTCHA" means?
--------------------

BOTCHA stands for "BOT Computerized Heuristic Analysis"

BOTCHA also means "Bombs On Target, Come Home Alive" (military, UrbanDictionary).
"BOTCHA is a feel-good cheer after bombing spambots to the ground."

BOTCHA also means "Double-dead meat" (Wikipedia), which is a health hazard.
"We feed BOTCHA to spambots and wait for them to get diarrhea and food poisoning."

Installation
------------

* Copy the module's directory to your sites/all/modules directory
* Activate the module

Usage
-----

Module starts working as soon as it is activated. There are reasonable default settings and no configuration is required, though it can be adjusted at any time on Administer > User management > BOTCHA page.

Module records its activity in the log and collects statistics which are shown on the 'Status report' page.

There are some default forms that BOTCHA protects out-of-the-box, including user/register, which is the most important line of defense. Current version by default protects all other forms that CAPTCHA is enabled for. CAPTCHA is not required since BOTCHA can be configured independently.

BOTCHA configuration page allows selecting which forms to protect. There is also an admin mode checkbox which adds links to forms for simple BOTCHA configuration.

Hidden settings
---------------

Hidden settings are variables that you can define by adding them to the $conf
array in your settings.php file.

Name:        botcha_enabled_<form_id>
Default:     FALSE
Description: Set to TRUE for enabling BOTCHA protection for the concrete form.
Example:     variable_set('botcha_enabled_user_register_form', 1)

History
-------

I first developed fully-automated method to protect HTML forms open to un-authenticated users back in 2002, long before I started using Drupal. That method had proven very effective back then. Time went by, and I moved that website to Drupal, and installed CAPTCHA. Eventually the site started getting few dozen automated user registrations a day followed by few spam posts on each account. I tried strengthening Captcha settings, but the stream did not slow down while human users started to complain of the difficulty of Captcha challenges. Apparently Captcha is not deterring recent generation of spambot scripts. I turned back to the old method, and wrote a module for that. The stream stopped and I have zero spambot user registrations since. Now I want to share this module.


File

README.txt
View source
  1. BOTCHA Module
  2. -------------
  3. by Ilya Ivanchenko, iva2k@yahoo.com
  4. Summary
  5. -------
  6. BOTCHA provides an unobtrusive anti-spam protection for website forms. There are 3 key advantages:
  7. + Unlike challege-response tests like CAPTCHA, human users are not burdened by solving any puzzles.
  8. + Unlike Mollom or Akismet, form data is not submitted to a 3rd party server for analysis.
  9. + Protection by BOTCHA is variable, adaptible, scalable, and virtually unlimited
  10. In CAPTCHA, each user is burdened to prove he/she is human by solving a puzzle.
  11. Initially CAPTCHA was very effective, but with time spambot algorithms were
  12. developed to bypass CAPTCHA really well. Now CAPTCHA complexity is not enough
  13. to deter spambots, but is too difficult to the real users who get frustrated
  14. and often just leave the site when confronted with extra burden of CAPTCHA.
  15. In BOTCHA, we don't abuse our human users - BOTCHA protection is completely
  16. transparent to them and non-intrusive.
  17. BOTCHA is useful for any form that has to be protected from spambots.
  18. BOTCHA lets spambots to prove they are bots, and let real users zip by.
  19. Note: BOTCHA does NOT attempt to block human entered spam.
  20. How it works
  21. ------------
  22. The approach of BOTCHA is to add various elements to forms that need protection from bots. These elements do not present new fields to users, so BOTCHA is completely transparent to humans. Both humans and bots submit those forms and BOTCHA performs heuristic analysis on each submitted form. Bots are usually programs/scripts that are relatively dumb, and most of the time they fail BOTCHA tests and human users don't.
  23. Once BOTCHA proves the submission is by a bot, the form submission is blocked.
  24. The more there are opportunities for the bot to slip and prove it is a bot, the better defense from spam we have. So we can combine multiple BOTCHA recipes as opposed to only one CAPTCHA per form. This gives huge advantage to BOTCHA.
  25. Advantages
  26. ----------
  27. There are many advantages of BOTCHA over CAPTCHA:
  28. * BOTCHA does not bother normal human users
  29. * BOTCHA tests are designed in such a way that normal users will never see them
  30. * There is no limitation on number of tests BOTCHA can implement on each form, so it gets progressively stronger
  31. * As bots get smarter, BOTCHA will be updated with new recipes to defeat them
  32. * BOTCHA needs very little configuration
  33. It is possible to use BOTCHA alone without CAPTCHA. Nevertheless, it is recommended to use BOTCHA together with CAPTCHA. BOTCHA does not interfere with CAPTCHA, and more lines of defense are always better.
  34. What "BOTCHA" means?
  35. --------------------
  36. BOTCHA stands for "BOT Computerized Heuristic Analysis"
  37. BOTCHA also means "Bombs On Target, Come Home Alive" (military, UrbanDictionary).
  38. "BOTCHA is a feel-good cheer after bombing spambots to the ground."
  39. BOTCHA also means "Double-dead meat" (Wikipedia), which is a health hazard.
  40. "We feed BOTCHA to spambots and wait for them to get diarrhea and food poisoning."
  41. Installation
  42. ------------
  43. * Copy the module's directory to your sites/all/modules directory
  44. * Activate the module
  45. Usage
  46. -----
  47. Module starts working as soon as it is activated. There are reasonable default settings and no configuration is required, though it can be adjusted at any time on Administer > User management > BOTCHA page.
  48. Module records its activity in the log and collects statistics which are shown on the 'Status report' page.
  49. There are some default forms that BOTCHA protects out-of-the-box, including user/register, which is the most important line of defense. Current version by default protects all other forms that CAPTCHA is enabled for. CAPTCHA is not required since BOTCHA can be configured independently.
  50. BOTCHA configuration page allows selecting which forms to protect. There is also an admin mode checkbox which adds links to forms for simple BOTCHA configuration.
  51. Hidden settings
  52. ---------------
  53. Hidden settings are variables that you can define by adding them to the $conf
  54. array in your settings.php file.
  55. Name: botcha_enabled_
  56. Default: FALSE
  57. Description: Set to TRUE for enabling BOTCHA protection for the concrete form.
  58. Example: variable_set('botcha_enabled_user_register_form', 1)
  59. History
  60. -------
  61. I first developed fully-automated method to protect HTML forms open to un-authenticated users back in 2002, long before I started using Drupal. That method had proven very effective back then. Time went by, and I moved that website to Drupal, and installed CAPTCHA. Eventually the site started getting few dozen automated user registrations a day followed by few spam posts on each account. I tried strengthening Captcha settings, but the stream did not slow down while human users started to complain of the difficulty of Captcha challenges. Apparently Captcha is not deterring recent generation of spambot scripts. I turned back to the old method, and wrote a module for that. The stream stopped and I have zero spambot user registrations since. Now I want to share this module.