
Topic: FaucetBOX.com Discussion - page 46. (Read 237001 times)

newbie
Activity: 19
Merit: 0
April 22, 2016, 03:45:26 PM
700 is a lot, but where to draw the line?

Some faucets are listed on popular rotators/faucet lists. Where to draw the line between suspicious and real?

My faucet is new and I get a handful, sometimes even none, payouts per day. These 700 were only in 1.5 days. The ref address was discussed in another thread here on the forums as suspicious as well.

But you are right, on a normal working mature faucet, what is suspicious and what is real? But I think faucet owners probably notice patterns which are odd. For me it was that all addresses had an auto payout limit of 0.5 bitcoins. 700 addresses with the same ref address and 0.5 auto payout address is a pattern.... ;-)

Anyway, it was a good lesson as well. I added proxy checks, IP checks, updated my ban lists, etc. So it was not a waste of time. In the meantime I learned some of the FIB coding as well.

I'm just wondering, do faucet owners "babysit" their faucets? Is it a constant watch and fight against bots/scammers? I probably know the answer seeing so much 'double your btc' and the likes.
hero member
Activity: 1218
Merit: 534
April 22, 2016, 02:58:31 PM
Finally figured it out but I sure hope the script will be changed to include this in the future.

For a few days I noticed a high amount of payouts on my faucet from a specific ref address. Currently there are 700+ addresses related to this ref address. Each address has an auto payout of 0.5 bitcoin (via address checker). Obviously, I did ban the ref address but this only rejects ref payouts to that address. I did some private modding on the script so all sessions that include that ref address are no longer paying out. That is all that are processed with the /?r=ADDRESS url or even the addresses for which the ref address was registered.

I'm pretty new to the whole faucet concept and the FIB script. Not sure if the developer is reading this, if so, please include the above checks (optionally or not) in your next script version. If you know that a ref address is used by a scammer/bot then most likely addresses that are using the ref address are also from a scammer/bot.

Hope it all makes sense. If not then feel free to ask of course.


700 is a lot, but where to draw the line?

Some faucets are listed on popular rotators/faucet lists. Where to draw the line between suspicious and real?
legendary
Activity: 971
Merit: 1000
April 22, 2016, 02:11:29 PM
Finally figured it out but I sure hope the script will be changed to include this in the future.

For a few days I noticed a high amount of payouts on my faucet from a specific ref address. Currently there are 700+ addresses related to this ref address. Each address has an auto payout of 0.5 bitcoin (via address checker). Obviously, I did ban the ref address but this only rejects ref payouts to that address. I did some private modding on the script so all sessions that include that ref address are no longer paying out. That is all that are processed with the /?r=ADDRESS url or even the addresses for which the ref address was registered.

I'm pretty new to the whole faucet concept and the FIB script. Not sure if the developer is reading this, if so, please include the above checks (optionally or not) in your next script version. If you know that a ref address is used by a scammer/bot then most likely addresses that are using the ref address are also from a scammer/bot.

Hope it all makes sense. If not then feel free to ask of course.

What stops the scammer/bot from changing his ref address as soon as he sees that you blocked him?
newbie
Activity: 19
Merit: 0
April 22, 2016, 01:47:48 PM
Finally figured it out but I sure hope the script will be changed to include this in the future.

For a few days I noticed a high amount of payouts on my faucet from a specific ref address. Currently there are 700+ addresses related to this ref address. Each address has an auto payout of 0.5 bitcoin (via address checker). Obviously, I did ban the ref address but this only rejects ref payouts to that address. I did some private modding on the script so all sessions that include that ref address are no longer paying out. That is all that are processed with the /?r=ADDRESS url or even the addresses for which the ref address was registered.

I'm pretty new to the whole faucet concept and the FIB script. Not sure if the developer is reading this, if so, please include the above checks (optionally or not) in your next script version. If you know that a ref address is used by a scammer/bot then most likely addresses that are using the ref address are also from a scammer/bot.

Hope it all makes sense. If not then feel free to ask of course.
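
The pattern described in the two posts above (hundreds of new addresses under a single ref address within about 1.5 days, and refusing payouts for every address registered under a banned ref address) can be checked from a payout log. This is an added example, not part of any post and not Faucet in a BOX code; the log layout, function names, window and threshold are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def sample_log():
    """Constructed rows: (timestamp, claiming address, ref address or None).
    All addresses are placeholders, not real Bitcoin addresses."""
    start = datetime(2016, 4, 21, 0, 0)
    # 40 distinct addresses registered under one ref address within ~13 hours
    rows = [(start + timedelta(minutes=20 * i), f"ADDR_BOT_{i:03d}", "REF_SUSPECT")
            for i in range(40)]
    # ordinary traffic: few claims, mixed or no ref address
    rows.append((start + timedelta(hours=1), "ADDR_USER_A", None))
    rows.append((start + timedelta(hours=5), "ADDR_USER_B", "REF_FRIEND"))
    rows.append((start + timedelta(hours=30), "ADDR_USER_C", "REF_FRIEND"))
    return rows


def suspicious_referrers(log, window=timedelta(hours=36), max_new_addresses=25):
    """Flag ref addresses that gained more than max_new_addresses distinct
    referred addresses inside any sliding window (both values are assumptions
    to tune against a faucet's normal traffic)."""
    by_ref = defaultdict(dict)  # ref -> {address: first time seen}
    for ts, addr, ref in sorted(log, key=lambda row: row[0]):
        if ref is not None:
            by_ref[ref].setdefault(addr, ts)
    flagged = set()
    for ref, seen in by_ref.items():
        times = sorted(seen.values())
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # shrink window from the left
                lo += 1
            if hi - lo + 1 > max_new_addresses:
                flagged.add(ref)
                break
    return flagged


def payout_denylist(log, banned_refs):
    """Banning a ref address also blocks every address registered under it."""
    deny = set(banned_refs)
    for _, addr, ref in log:
        if ref in banned_refs:
            deny.add(addr)
    return deny
```

Because the check keys on the rate of new addresses per ref address rather than on one known address, a replacement ref address that shows the same burst is flagged by the same rule.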
legendary
Activity: 1274
Merit: 1000
April 22, 2016, 07:16:06 AM
Hi there,
I planned to create another faucet site but I need a faucet theme. Where can I get a free custom theme for faucetbox?

What kind of custom theme are you looking for?
You can make a quite unique looking faucet with the tools in your admin panel already but if that isn't enough I think you should just pay someone a few bucks to create a cool looking theme for you.
hero member
Activity: 560
Merit: 500
April 21, 2016, 09:45:08 PM
Hi there,
I planned to create another faucet site but I need a faucet theme. Where can I get a free custom theme for faucetbox?
legendary
Activity: 971
Merit: 1000
April 21, 2016, 04:01:07 PM
The disclaimer would allow people to make a decision about whether or not they want to risk their bitcoins. Since we know that the faucetinabox script is under heavy bot pressure, it is the right thing to do. I do realize that this is open source and that you have to think outside of that box when you design something to be hardened. This project is php driven. All input fields can have a randomly generated id with only the server side knowing which IDs are valid and which are honeypots. Randomly moving the fields will also help.

We already do random ids for the address field, it doesn't work. That's because most bots are using browser-based extensions, so it doesn't matter what id a honeypot has and how random its position is, because a bot can just directly "ask" the browser if the input is visible or not.

There's really nothing more you can do in Faucet in a BOX that can't be bypassed by a bot. All it takes is 5 minutes to update the bot to handle things like random position, random names and 10 minutes to bypass things like checking mouse movement and keyboard inputs.

Diversity and - as you said - thinking outside the box is the only protection until CAPTCHA providers get better.

And the problem with bots isn't that high if you don't submit your faucet to our list. Looks like most bots are lazy and only crawl https://faucetbox.com/list when looking for victims...
newbie
Activity: 3
Merit: 0
April 21, 2016, 01:36:13 PM
cheap hosting -> default 5.3, now works! Thank You!
hero member
Activity: 683
Merit: 500
April 21, 2016, 01:22:04 PM
The disclaimer would allow people to make a decision about whether or not they want to risk their bitcoins. Since we know that the faucetinabox script is under heavy bot pressure, it is the right thing to do. I do realize that this is open source and that you have to think outside of that box when you design something to be hardened. This project is php driven. All input fields can have a randomly generated id with only the server side knowing which IDs are valid and which are honeypots. Randomly moving the fields will also help.
legendary
Activity: 971
Merit: 1000
April 21, 2016, 12:08:02 PM
Just a simple question - if the newly installed faucet just showing a blank page, usual cpanel hosting.

Set $display_errors = true; in your config.php file. Does it show any errors now? Also make sure you're using PHP 5.4 or newer.
legendary
Activity: 971
Merit: 1000
April 21, 2016, 12:07:30 PM
By putting some random visible field and changing it daily with different questions. Instead of a honeypot, somewhat like a captcha. Can this reduce bots or not? Alongside the actual captcha.

I think the bot maker will have to edit the bot each time to claim

No, a bot can identify this automatically, just like a human can. I don't know if you noticed it, but the name of the address field in Faucet in a BOX is randomized. That means that bots already have to analyze the page and guess which field is the address input. If they can do that already, then it's no issue at all for them to also identify a honeypot and ignore it.
newbie
Activity: 3
Merit: 0
April 21, 2016, 11:59:41 AM
Just a simple question - if the newly installed faucet just showing a blank page, usual cpanel hosting.
member
Activity: 120
Merit: 10
April 21, 2016, 11:14:31 AM
By putting some random visible field and changing it daily with different questions. Instead of a honeypot, somewhat like a captcha. Can this reduce bots or not? Alongside the actual captcha.

I think the bot maker will have to edit the bot each time to claim
legendary
Activity: 2352
Merit: 1268
In Memory of Zepher
April 21, 2016, 06:54:56 AM
Yes, I've looked at the code. The problem is that if I can look at the code, so can anyone with the intention of writing a bot.
Which is a problem every open source script faces. There is no real fix for this.

Faucetbox should have a giant disclaimer on their FaucetInABox site stating that there is an almost guaranteed likelihood that all of the operator's bitcoins will be lost to bots before they can earn any revenue, if they use that script.
So what would happen if they added this? People would maybe move to another open source faucet script, where (if enough of a transition happened) the exact same thing would happen with that script. Would the blame then be pushed on that script/service?
The best way to minimize this would be for micro-transaction services to stop offering faucet scripts and force everyone to code their own. There would be significantly less faucets, but next to no bots for any that aren't the highest paying. However, this would stop anyone who didn't have knowledge in coding or the money to hire someone that did from making a faucet. Would this be a good thing?

If you're going to have a honeypot input field(s) and publish the code, it should at minimum allow the operator to easily modify them without knowing PHP (in the admin section) [1] and move them around the page randomly. [2]
1 - Perhaps, though then any bot creator could look at the page, find the element that looked out of place and bam, there's the honeypot. Granted, more could be done to prevent this and make it very difficult for bots, but there will always be some sort of identifiable feature that bots could use to get around this.
2 - Let me show you why this would do nothing:
Code:
document.getElementById('honeypot').selected = true;
Okay, so now the honeypot is selected no matter where on the page it is. Want to deselect it and show that you're not a bot? Change the true to false. A bot looks like a human requests wise, but it doesn't have to act like one.
hero member
Activity: 504
Merit: 501
April 20, 2016, 11:06:30 PM
Xapo Faucets have no problem with bots!!!
hero member
Activity: 683
Merit: 500
April 20, 2016, 11:00:31 PM
Hey guys! I hate my first post to be a post for help, but I keep getting hit by bots. They've taken half of my faucet's coins, and I keep banning IPs and BTC addresses. I was wondering if anyone could make me an extra checkbox that says that they are human. Something pre-made bots wouldn't be able to do.

For the time being, I'd recommend changing your rewards to 1 satoshi, if you have not already. It will take you a while to implement the changes that will be necessary to mitigate the bots, a single checkbox won't really suffice. I've got a crying baby in arms right now but I'll share what I've done to minimize the damage in a PM when I can.
newbie
Activity: 1
Merit: 0
April 20, 2016, 09:43:18 AM
Hey guys! I hate my first post to be a post for help, but I keep getting hit by bots. They've taken half of my faucet's coins, and I keep banning IPs and BTC addresses. I was wondering if anyone could make me an extra checkbox that says that they are human. Something pre-made bots wouldn't be able to do.
hero member
Activity: 683
Merit: 500
April 20, 2016, 09:07:40 AM
Looks to me like you're looking for a scapegoat.

As said before, it is very easy to bot a lot of sites when every single site is the same in the way it operates. It is one of the downsides of scripts such as FaucetInABox. It did not happen to a faucet you coded personally as, unless your rewards are insanely high, it would not be worth a bot maker's time to create a bot for your site. Compare this to FaucetInABox, where there are hundreds of sites running the exact same script, it would be absolutely worth a bot creator's time to create something for it. It's common sense.

Not at all, I'm trying to preserve interest in running faucets. Faucetbox should have a giant disclaimer on their FaucetInABox site stating that there is an almost guaranteed likelihood that all of the operator's bitcoins will be lost to bots before they can earn any revenue, if they use that script.

Yes, I've looked at the code. The problem is that if I can look at the code, so can anyone with the intention of writing a bot. If you're going to have a honeypot input field(s) and publish the code, it should at minimum allow the operator to easily modify them without knowing PHP (in the admin section) and move them around the page randomly. You shouldn't be able to search index.php for "honeypot" and call it a day. There are many security improvements that should be made and ones that could be suggested to the potential faucet operator, that aren't. If you're going to have a 'professional' service, you should offer a professional product.

I've been running a faucet for over two years, I know what drives bot makers to make bots. Again, the point of my post was to draw attention to the fact that this script should no longer be offered without a huge, glaring warning that its base deployment is under enormous bot pressure and that no-one should use it as-is. Faucetbox has not done this because they seem to be more interested in the short term 2.5% gain, than putting faucet operators in business for the long term.

For any potential faucet operators reading this, my professional (25+ years in IT) opinion is that until faucetbox improves security or offers a bot warranty, this script should not be used without massive modification and at that point you are much safer just writing your own site.
sr. member
Activity: 350
Merit: 250
April 20, 2016, 08:58:18 AM
Greetings, this is going to pique Kazuldur, websites are being denounced in Adsense have little content, navigation etc.
legendary
Activity: 2352
Merit: 1268
In Memory of Zepher
April 20, 2016, 08:38:31 AM
I wrote a faucet from scratch and it was in fact, not really that hard..
It isn't, providing you know PHP, HTML, CSS and SQL. If you don't know all of those, it will be somewhat more difficult.

but I bet there have been hundreds of people turned off of bitcoin altogether by implementing this embarrassing code.

...

Faucetbox has a poorly implemented security system at best. I mean seriously, you CANNOT NAME your honeypot input field HONEYPOT!
Have you looked at the code, or are you basing this opinion off of one checkbox you saw in this thread? If you look at other faucet scripts available to download and use, I believe FaucetBox easily has the best security of them all.

I've had only bots chipping away at the little faucetbox faucet I've implemented as a test, for over 4 days and no one from faucetbox has bothered to ask me to help identify them.
How would the people at FaucetBox know that bots were attacking your faucet? Requests to the FaucetBox API look the same, regardless of whether the person triggering the request is a bot or not.
Also, there are threads on the forum for you to help with identifying bot IPs, such as this one.

I could easily give them the IPs of valid traffic hitting the site, because I can easily find those IPs. The bot IPs I have to go digging through apache logs for.
IPs aren't a good way of identifying users or bots, as it is extremely easy to change an IP. Trying to block bots through IPs would be like playing whack-a-mole in a 100 acre field.

It is so blatantly bad, I'm starting to think that Faucetbox is actually responsible for the bot traffic to their sites.
Looks to me like you're looking for a scapegoat.

As said before, it is very easy to bot a lot of sites when every single site is the same in the way it operates. It is one of the downsides of scripts such as FaucetInABox. It did not happen to a faucet you coded personally as, unless your rewards are insanely high, it would not be worth a bot maker's time to create a bot for your site. Compare this to FaucetInABox, where there are hundreds of sites running the exact same script, it would be absolutely worth a bot creator's time to create something for it. It's common sense.