MyBB Community Forums

Full Version: Javascript Bot Protection 1.1

Installation in 3 steps:
  1. download .zip and extract
  2. upload "inc/" to your MyBB
  3. click "install" in the admin panel plugin section

A lot of us face the same problem: Bots registering within our forums and (if successful) posting a lot of bullshit. Even with Captchas some of them are able to register an account ...

To add another test if a registering user is human or not, I developed a plugin which uses javascript.

This is because there should be almost no bot out there that parses and evaluates javascript. Therefore a hidden, javascript filled field within the registration form at least increases chances that people who successfully register are in fact human beings, as they use a browser which interprets the javascript.

I hope some of you find this useful, for my company this mechanism was quite useful to prevent bots from spamming via contact forms, without annoying real users. You might even disable captcha when using this plugin.

This plugin is no guarantee that all automated scripts will fail at registration, but captchas aren't either. However, this grants some additional protection.

Drawbacks:
Any person who is using a browser that does not evaluate javascript, will not be able to register.
This might be the case for blind people using a text-only browser with a screen reader like JAWS, or other handicapped users.
In case you want to provide your service for them, too, you should either not use this plugin, or provide another way of registering.
You might for example offer to create an account manually when requested via email, with changing the displayed message in the language file accordingly.

Installation:
Download the plugin archive, extract it to a local folder, and upload the extracted inc/ folder to the inc/ folder of your MyBB installation. There should be no files to be overwritten, and afterwards there should be inc/plugins/jsbotprotection.php on your server.

If you use other languages than German (informal) or English, you should copy the language files into the other language folders, and maybe translate them.

Go into your admin panel plugin administration, and install and activate "Javascript Bot Protection". The Protection is now in effect, basically.

To increase the protection, I encourage you to change the names of the form field and the contained value to something other than the default values.

Go into the configuration tab; there should be a new settings group at the bottom, Javascript Bot Protection.

There you have 3 settings,
one to enable/disable the plugin,
one to define the name of the hidden formfield that will be checked,
and lastly the value it should be filled with.

Make sure that the formfield value does not conflict with any other fields within your registration form (such as name, email, or other user-defined fields).

You are invited to submit new translations.
The plugin consists of 4 short texts, 2 of them displayed to end users.

Update to Version 1.1
In case you've already installed 1.0, you just need to upload and overwrite the inc/plugin/jsbotprotection.php file. Database settings as well as templates did not change.
So this is a hidden field?
Yes, the plugin creates a hidden "select" (dropdown) field with one option. When javascript is enabled, a second option, with the "real" value is appended to the field and automatically selected.

If you change the "{display:none}" part in line 158 of inc/plugin/jsbotprotection.php to "{display:block}" you can see the field.

I hope that does answer your question.
I think this is really a good contribution, as it's quite a fact most bots are plain rubbish and cannot do this.
Although I think that if a bot can beat the captchas, it will also be able to manage this.
Yeah, that might be true.
To prevent pure static submissions, right now admins can choose their own field name and check value.
As soon as I find some time, I will extend the javascript part so that it gets more random, getting stronger against pattern searches. The variable names are right now randomized, which at least prevents simple string matches.
Version 1.1 is to be reviewed by the staff, it changes the way the javascript is created.

It now gets randomized and scrambled, before being executed through "eval" statements. Every reload creates a fresh new and different javascript.

This way it should be virtually impossible to determine the used submit value, without parsing it as javascript.

An example of the generated code:
eval("var auucfqmtzqedb = "+"'messagemo"+"d"+"e';");
eval("va"+'r cqccnxx'+"scx = 'g"+"etElementById';");
eval("v"+'ar czycqdf = \'n'+'ew Option\''+';');
eval('var euvjlrlojurk = \'kvmipwdvl\';');
eval('var knjd'+'ld'+'knukei'+'o'+" = 'document'"+';');
eval('var lappt'+'rtlvn'+'g = tru'+'e;');
eval('var '+'sjcwbzmoijs = \'length\''+';');
eval("var vccsicaqtlbx"+' = \'133'+'7\';');
eval('var '+"wlfslzmn = '"+"jufonqoz"+"dt"+"bd'"+';');
eval('var wpnjx'+'dgaysrk = \'sele'+"ctedI"+'ndex\''+';');
eval("var xl"+'wgaiiqkkei'+" = '"+"var"+' \';');
eval("var"+' zcxxybl = eval'+";");
eval("var"+" zxrnhle "+'= \'o'+'pt'+'ions'+"'"+";");
eval("zcxx"+'ybl(xlwgaiiqkkei+wlfslzmn+\''+'=\'+knjd'+'ldknukeio+"."+cqccnxxscx+"(\'"+au'+'ucfqmtzqedb+"\');")'+";");
eval('zcxxybl(xlwgaiiqkkei+euvjlrlojurk+\'=\'+czycqdf+"(\'"+vccsicaqtlbx+"\',\'"+vccsicaqtlbx+"\',"+lapptrtlvng+","+lapptrtlvn'+'g+");"'+')'+";");
eval("zcxxybl(wlfslzmn+\".\"+zxrnhle+"+'"["+wlfs'+'lzmn+"."+sjcwbz'+"moij"+"s+\"]\""+"+\"=\"+euvjl"+'rlojurk'+'+";")'+";");
eval("zcxxybl"+"(wlfslzmn+\".\"+wpnjxdgaysrk+\"=\"+\"1;"+'")'+";");
Thanks LePrau,

I'm using it from this moment. I hope it really helps.

Cheers.
That is a really cool plugin. I am sure I will be benefited from it.
Thank you.
AVG fires off a virus alert on webpage upon register, Ö.
Genius, I'm using your plugin right now and no more spammer :)