Bot Protection

The sub-pages to this page are just vague ideas of things we could do to improve security. They are probably mostly misguided!

The main problem seems to be that because there are tens of thousands of faucets out there using just a few scripts, it's easy for bot writers to make and sell scripts that will work on a large number of faucets.

No captcha system will stop these bots: if they can beat Google's consistently, there is little point in using any of the others. All can be beaten. The trick is to do something unique to this site, so that the bot makers don't bother breaking it.

Two possible (and not mutually exclusive) ways to harden it:

  1. make the script itself more bot-proof
  2. prevent direct access to the script and put our security measures in WordPress

Anything implemented in the WordPress site seems to be bypassable, because the faucet plugins for WP only embed an existing widespread script into a WP page, and most bots attack that script directly. I've seen attacks on our own faucet where no page views were being generated and yet hundreds of faucet claims were happening.

Tried using PHP to check the HTTP Referer header and only allow requests from the shortlink URL or /. This worked for a while, then the scumbags started forging the Referer header. E.g. trying to access http://roflfaucet.com/claim directly sends you to / instead, unless your referer is / or btc.ms (the shortlink service which pays us).

We need something (maybe in the .htaccess file) to prevent direct access to the faucet script, so that bots are forced to reach it from the WordPress interface, but relying on the HTTP Referer is no good. Could use a password-protected page, or a password-protected section of a page (using e.g. a content protector plug-in), but this will only work if access to the script itself is restricted to WP only.

The present range of WordPress faucet plug-ins use already existing faucet scripts, which have a 'page' of their own, which botters can access directly and so bypass any restrictions we put in using WordPress. What we need is a script that only has an interface in the WordPress page itself, or that we can deny access to from anywhere except the WP page.

It's not so much a matter of dreaming up a new kind of anti-bot or captcha, it's more about forcing the bots to go through the WordPress site, load the ads and go through the shortlink service to generate revenue. And for any that get through, we don't let them know they were detected.

For any bot that still bypasses our measures, a nicer touch than refusing the claim and putting up error messages would be to quietly send the botter to the success page ("x satoshi was sent to you on faucethub") without actually paying them.
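A sketch of how the pieces above could fit together, added here as an example and not code from this site or from any faucet plugin. It puts the Referer check that failed next to a replacement that does not depend on anything the client supplies: the WordPress page issues a short-lived, session-bound, single-use token when it renders, and the claim script pays only if that token verifies, while always showing the success page. A bot that drives a real browser through the WP page still gets a token, which is the point: it has loaded the page, the ads and the shortlink. `CLAIM_SECRET`, the TTL, the in-memory nonce store and the `$pay`/`$log` callables are assumptions, not names from the page.

```php
<?php
// Added example, not the site's or any plugin's code. Assumed layout: the WordPress
// page renders the claim form with a hidden token; the claim script at /claim checks it.
// CLAIM_SECRET, the TTL and the in-memory nonce store are placeholders/assumptions.

// Weak approach the page describes: the Referer header is client-supplied, so a request
// that simply sets "Referer: http://roflfaucet.com/" passes without loading the page.
function referer_allowed(array $server, array $allowed_hosts): bool {
    $host = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    return is_string($host) && in_array(strtolower($host), $allowed_hosts, true);
}

// Hardened approach: a token that only exists because the WP page rendered it.
// Bound to the visitor's session, expires quickly, usable once.
const CLAIM_SECRET = 'PLACEHOLDER-replace-with-32-random-bytes'; // assumption: real secret kept outside the web root
const CLAIM_TTL    = 300;                                         // seconds a token stays valid

// Called from the WordPress page template (e.g. a shortcode) so the token is only
// ever produced alongside the ads and the rest of the page.
function issue_claim_token(string $session_id, int $now): string {
    $expires = $now + CLAIM_TTL;
    $nonce   = bin2hex(random_bytes(16));
    $payload = "$session_id|$expires|$nonce";
    $mac     = hash_hmac('sha256', $payload, CLAIM_SECRET);
    return base64_encode("$payload|$mac");
}

// Called by the claim script. $used_nonces stands in for a DB table or cache keyed by
// nonce; it makes each token single-use so a captured token cannot be replayed.
function verify_claim_token(string $token, string $session_id, int $now, array &$used_nonces): bool {
    $raw = base64_decode($token, true);
    if ($raw === false) { return false; }
    $parts = explode('|', $raw);
    if (count($parts) !== 4) { return false; }
    [$sid, $expires, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', "$sid|$expires|$nonce", CLAIM_SECRET);
    if (!hash_equals($expected, $mac)) { return false; }                   // tampered or forged
    if (!hash_equals($sid, $session_id)) { return false; }                 // issued to a different visitor
    if (!ctype_digit($expires) || (int)$expires < $now) { return false; }  // expired
    if (isset($used_nonces[$nonce])) { return false; }                     // already spent
    $used_nonces[$nonce] = true;
    return true;
}

// Claim handler implementing the "quiet success" idea: every request gets the success
// page, but the payout only happens when the token is valid. $pay and $log are
// callables supplied by the site (payout API call, log writer); assumed names.
function handle_claim(string $token, string $session_id, int $now, array &$used_nonces,
                      callable $pay, callable $log): string {
    if (verify_claim_token($token, $session_id, $now, $used_nonces)) {
        $pay($session_id);
    } else {
        // Detected bot (or stale/forged token): log it, pay nothing, say nothing.
        $log("unpaid claim, invalid token, session=$session_id");
    }
    return 'x satoshi was sent to you on faucethub';
}

// Wiring sketch for the two endpoints (assumed structure):
//   WP page:       session_start(); $hidden = issue_claim_token(session_id(), time());
//   /claim (POST): session_start();
//                  echo handle_claim($_POST['token'] ?? '', session_id(), time(), $store, $pay, $log);
// Denying GET on /claim and any access to the old script path in .htaccess is still
// worth doing, but it is the token check, not the web server rule, that stops a bot
// which posts to the script directly.
```

The log line is the only place the detection shows up; the bot sees the same success page as a real visitor, which is what the page asks for. The nonce store is the one stateful part: whatever replaces the array (a table, a cache) must be shared by all PHP workers, or a token could be spent once per worker.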