You are here

Home » API reference » BOTCHA Spam Prevention 7

README.txt in BOTCHA Spam Prevention 7

Same filename and directory in other branches
  1. 6.4 README.txt
  2. 6 README.txt
  3. 6.2 README.txt
  4. 6.3 README.txt
  5. 7.4 README.txt
  6. 7.2 README.txt
  7. 7.3 README.txt
BOTCHA Module
-------------
by Ilya Ivanchenko, iva2k@yahoo.com

Summary
-------

BOTCHA provides an unobtrusive anti-spam protection for website forms. There are 3 key advantages:

+ Unlike challege-response tests like CAPTCHA, human users are not burdened by solving any puzzles.

+ Unlike Mollom or Akismet, form data is not submitted to a 3rd party server for analysis.

+ Protection by BOTCHA is variable, adaptible, scalable, and virtually unlimited


In CAPTCHA, each user is burdened to prove he/she is human by solving a puzzle.
Initially CAPTCHA was very effective, but with time spambot algorithms were
developed to bypass CAPTCHA really well. Now CAPTCHA complexity is not enough
to deter spambots, but is too difficult to the real users who get frustrated
and often just leave the site when confronted with extra burden of CAPTCHA.

In BOTCHA, we don't abuse our human users - BOTCHA protection is completely
transparent to them and non-intrusive.

BOTCHA is useful for any form that has to be protected from spambots.

BOTCHA lets spambots to prove they are bots, and let real users zip by.

Note: BOTCHA does NOT attempt to block human entered spam.

How it works
------------

The approach of BOTCHA is to add various elements to forms that need protection from bots. These elements do not present new fields to users, so BOTCHA is completely transparent to humans. Both humans and bots submit those forms and BOTCHA performs heuristic analysis on each submitted form. Bots are usually programs/scripts that are relatively dumb, and most of the time they fail BOTCHA tests and human users don't.

Once BOTCHA proves the submission is by a bot, the form submission is blocked.

The more there are opportunities for the bot to slip and prove it is a bot, the better defense from spam we have. So we can combine multiple BOTCHA recipes as opposed to only one CAPTCHA per form. This gives huge advantage to BOTCHA.

Advantages
----------

There are many advantages of BOTCHA over CAPTCHA:

* BOTCHA does not bother normal human users
* BOTCHA tests are designed in such a way that normal users will never see them
* There is no limitation on number of tests BOTCHA can implement on each form, so it gets progressively stronger
* As bots get smarter, BOTCHA will be updated with new recipes to defeat them
* BOTCHA needs very little configuration

It is possible to use BOTCHA alone without CAPTCHA. Nevertheless, it is recommended to use BOTCHA together with CAPTCHA. BOTCHA does not interfere with CAPTCHA, and more lines of defense are always better.

What "BOTCHA" means?
--------------------

BOTCHA stands for "BOT Computerized Heuristic Analysis"

BOTCHA also means "Bombs On Target, Come Home Alive" (military, UrbanDictionary).
"BOTCHA is a feel-good cheer after bombing spambots to the ground."

BOTCHA also means "Double-dead meat" (Wikipedia), which is a health hazard.
"We feed BOTCHA to spambots and wait for them to get diarrhea and food poisoning."

Installation
------------

* Copy the module's directory to your sites/all/modules directory
* Activate the module

Usage
-----

Module starts working as soon as it is activated. There are reasonable default settings and no configuration is required, though it can be adjusted at any time on Administration > Configuration > People > BOTCHA page.

Module records its activity in the log and collects statistics which are shown on the 'Status report' page.

There are some default forms that BOTCHA protects out-of-the-box, including user/register, which is the most important line of defense. Current version by default protects all other forms that CAPTCHA is enabled for. CAPTCHA is not required since BOTCHA can be configured independently.

BOTCHA configuration page allows selecting which forms to protect. There is also an admin mode checkbox which adds links to forms for simple BOTCHA configuration.

Please note!: Using BOTCHA logging setting could cause at high levels putting vulnerable data into logs. We have some basic escaping (e.g., for password field) - but any other data could be found in raw format. Please be careful with logging level setting!

History
-------

I first developed fully-automated method to protect HTML forms open to un-authenticated users back in 2002, long before I started using Drupal. That method had proven very effective back then. Time went by, and I moved that website to Drupal, and installed CAPTCHA. Eventually the site started getting few dozen automated user registrations a day followed by few spam posts on each account. I tried strengthening Captcha settings, but the stream did not slow down while human users started to complain of the difficulty of Captcha challenges. Apparently Captcha is not deterring recent generation of spambot scripts. I turned back to the old method, and wrote a module for that. The stream stopped and I have zero spambot user registrations since. Now I want to share this module.

File

README.txt
View source 
  1. 

  2. BOTCHA Module

  3. -------------

  4. by Ilya Ivanchenko, iva2k@yahoo.com

  5. 

  6. Summary

  7. -------

  8. 

  9. BOTCHA provides an unobtrusive anti-spam protection for website forms. There are 3 key advantages:

  10. 

  11. + Unlike challege-response tests like CAPTCHA, human users are not burdened by solving any puzzles.

  12. 

  13. + Unlike Mollom or Akismet, form data is not submitted to a 3rd party server for analysis.

  14. 

  15. + Protection by BOTCHA is variable, adaptible, scalable, and virtually unlimited

  16. 

  17. 

  18. In CAPTCHA, each user is burdened to prove he/she is human by solving a puzzle.

  19. Initially CAPTCHA was very effective, but with time spambot algorithms were

  20. developed to bypass CAPTCHA really well. Now CAPTCHA complexity is not enough

  21. to deter spambots, but is too difficult to the real users who get frustrated

  22. and often just leave the site when confronted with extra burden of CAPTCHA.

  23. 

  24. In BOTCHA, we don't abuse our human users - BOTCHA protection is completely

  25. transparent to them and non-intrusive.

  26. 

  27. BOTCHA is useful for any form that has to be protected from spambots.

  28. 

  29. BOTCHA lets spambots to prove they are bots, and let real users zip by.

  30. 

  31. Note: BOTCHA does NOT attempt to block human entered spam.

  32. 

  33. How it works

  34. ------------

  35. 

  36. The approach of BOTCHA is to add various elements to forms that need protection from bots. These elements do not present new fields to users, so BOTCHA is completely transparent to humans. Both humans and bots submit those forms and BOTCHA performs heuristic analysis on each submitted form. Bots are usually programs/scripts that are relatively dumb, and most of the time they fail BOTCHA tests and human users don't.

  37. 

  38. Once BOTCHA proves the submission is by a bot, the form submission is blocked.

  39. 

  40. The more there are opportunities for the bot to slip and prove it is a bot, the better defense from spam we have. So we can combine multiple BOTCHA recipes as opposed to only one CAPTCHA per form. This gives huge advantage to BOTCHA.

  41. 

  42. Advantages

  43. ----------

  44. 

  45. There are many advantages of BOTCHA over CAPTCHA:

  46. 

  47. * BOTCHA does not bother normal human users

  48. * BOTCHA tests are designed in such a way that normal users will never see them

  49. * There is no limitation on number of tests BOTCHA can implement on each form, so it gets progressively stronger

  50. * As bots get smarter, BOTCHA will be updated with new recipes to defeat them

  51. * BOTCHA needs very little configuration

  52. 

  53. It is possible to use BOTCHA alone without CAPTCHA. Nevertheless, it is recommended to use BOTCHA together with CAPTCHA. BOTCHA does not interfere with CAPTCHA, and more lines of defense are always better.

  54. 

  55. What "BOTCHA" means?

  56. --------------------

  57. 

  58. BOTCHA stands for "BOT Computerized Heuristic Analysis"

  59. 

  60. BOTCHA also means "Bombs On Target, Come Home Alive" (military, UrbanDictionary).

  61. "BOTCHA is a feel-good cheer after bombing spambots to the ground."

  62. 

  63. BOTCHA also means "Double-dead meat" (Wikipedia), which is a health hazard.

  64. "We feed BOTCHA to spambots and wait for them to get diarrhea and food poisoning."

  65. 

  66. Installation

  67. ------------

  68. 

  69. * Copy the module's directory to your sites/all/modules directory

  70. * Activate the module

  71. 

  72. Usage

  73. -----

  74. 

  75. Module starts working as soon as it is activated. There are reasonable default settings and no configuration is required, though it can be adjusted at any time on Administration > Configuration > People > BOTCHA page.

  76. 

  77. Module records its activity in the log and collects statistics which are shown on the 'Status report' page.

  78. 

  79. There are some default forms that BOTCHA protects out-of-the-box, including user/register, which is the most important line of defense. Current version by default protects all other forms that CAPTCHA is enabled for. CAPTCHA is not required since BOTCHA can be configured independently.

  80. 

  81. BOTCHA configuration page allows selecting which forms to protect. There is also an admin mode checkbox which adds links to forms for simple BOTCHA configuration.

  82. 

  83. Please note!: Using BOTCHA logging setting could cause at high levels putting vulnerable data into logs. We have some basic escaping (e.g., for password field) - but any other data could be found in raw format. Please be careful with logging level setting!

  84. 

  85. History

  86. -------

  87. 

  88. I first developed fully-automated method to protect HTML forms open to un-authenticated users back in 2002, long before I started using Drupal. That method had proven very effective back then. Time went by, and I moved that website to Drupal, and installed CAPTCHA. Eventually the site started getting few dozen automated user registrations a day followed by few spam posts on each account. I tried strengthening Captcha settings, but the stream did not slow down while human users started to complain of the difficulty of Captcha challenges. Apparently Captcha is not deterring recent generation of spambot scripts. I turned back to the old method, and wrote a module for that. The stream stopped and I have zero spambot user registrations since. Now I want to share this module.

  89. 

  90.