BOTCHA is a highly configurable non-CAPTCHA spam protection framework.
In CAPTCHA, the user has to prove he/she is human. Unfortunately, spambots have learned
to bypass CAPTCHA really well, and real users are frustrated with the increasing
complexity and burden of CAPTCHA.
In BOTCHA, we don't abuse our human users - BOTCHA protection is completely
transparent to them and non-intrusive.
BOTCHA lets spambots prove they are bots, and lets real users zip by.
BOTCHA is useful for any form that has to be protected from spambots.
BOTCHA always works as designed - guaranteed! All BOTCHA recipes are covered by Selenium tests and we have our own "TestSwarm" to run the tests as often as possible: see #1894478: The latest Selenium-tests launches & reports for details.
You may also be interested in #1896760: BOTCHA success stories.
- How it works
- Recipes included
- Which version to choose?
- Development roadmap
- What "BOTCHA" means?
- How much does it cost?
- Similar modules
How it works
The approach of BOTCHA is to add various elements to forms that need protection from bots. These elements do not present new fields to users, so BOTCHA is completely transparent to humans. Both humans and bots submit those forms and BOTCHA performs heuristic analysis on each submitted form. Bots are usually programs/scripts that are relatively dumb, and most of the time they fail BOTCHA tests and human users don't.
Once BOTCHA proves the submission is by a bot, the form submission is blocked.
The more opportunities there are for a bot to slip and prove it is a bot, the better our defense against spam. So we can combine multiple BOTCHA recipes on a form, as opposed to only one CAPTCHA per form. This gives BOTCHA a huge advantage.
There are many advantages of BOTCHA over CAPTCHA:
- BOTCHA does not bother normal human users
- BOTCHA tests are designed in such a way that normal users will never see them
- There is no limitation on number of tests BOTCHA can implement on each form, so it gets progressively stronger
- As bots get smarter, BOTCHA will be updated with new recipes to defeat them
- BOTCHA needs very little configuration
It is possible to use BOTCHA alone without CAPTCHA. Nevertheless, it is recommended to use BOTCHA together with CAPTCHA. BOTCHA does not interfere with CAPTCHA, and more lines of defense are always better.
See the Screenshot of a real system log when BOTCHA works beside CAPTCHA. Note there are only two CAPTCHA blocks and eight BOTCHA blocks. It means BOTCHA blocked 6 spambot registration attempts in 16 minutes that CAPTCHA let through.
Recipes included
- Honeypot: An implementation of a honeypot trap. A field is added to the form with a certain value, which is then modified by JS. Any form submission whose calculated value does not match the expected one is treated as spam.
- Honeypot2: The same as above, but the calculation is based on data from CSS rather than on the value of a particular field.
- ObscureUrl: Similar to the previous recipes: the value constructed by JS is compared with the expected one. The difference is that the initial value is passed through a GET parameter.
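The server-side check behind the Honeypot recipe, as an added example (not BOTCHA's own code, which is a Drupal/PHP module). The field name, secret, seed derivation and transform rule are assumptions chosen for illustration; the sample submissions are constructed.

```javascript
const crypto = require('node:crypto');

// Constructed demo secret; a real site would load a private key from config.
const SITE_SECRET = 'constructed-demo-secret';
const FIELD = 'demo_botcha_field'; // hypothetical field name

// Server: per-form seed, bound to the form build id so it cannot be reused
// on another form instance.
function seedFor(formBuildId) {
  return crypto.createHmac('sha256', SITE_SECRET)
    .update(formBuildId).digest('hex').slice(0, 16);
}

// Shared rule: what the page's script does to the seed before submit.
// A client that never runs the script leaves the seed untouched.
function clientTransform(seed) {
  return seed + ':' + seed.split('').reverse().join('');
}

// Server: hidden field as rendered into the form (carries only the seed).
function renderField(formBuildId) {
  return { name: FIELD, value: seedFor(formBuildId) };
}

// Server: true when the submission fails the check and should be blocked.
function isBot(formBuildId, post) {
  const expected = Buffer.from(clientTransform(seedFor(formBuildId)));
  const got = Buffer.from(String(post[FIELD] ?? ''));
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return got.length !== expected.length ||
    !crypto.timingSafeEqual(got, expected);
}

// Constructed sample submissions for one rendered form.
const field = renderField('form-abc123');
const samples = {
  browser: { [FIELD]: clientTransform(field.value) }, // script ran
  rawPost: { [FIELD]: field.value },                  // seed echoed back
  filled:  { [FIELD]: 'buy cheap pills' },            // bot typed into field
  missing: {},                                        // field dropped
};
for (const [who, post] of Object.entries(samples)) {
  console.log(who, isBot('form-abc123', post) ? 'blocked' : 'accepted');
}
```

Binding the seed to the form build id also makes an answer captured from one rendered form fail on any other.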
Which version to choose?
- 1.x : The initial release of BOTCHA. It works, but has become hard to maintain.
- 2.x : OOP-refactoring of the previous version.
- 3.x : This release introduced switching to MVC (Model-View-Controller).
- 4.x : It is an experimental implementation of Forwardport doctrine (see #1932290: Forwardport doctrine - a proposed solution for Drupal major version migration problem). Though it works and has all tests passed - I prefer not publishing it as default (recommended) branch, because drupal.org doesn't have (yet) an infrastructure to test it continuously (see #1923582: Add ability for testbot to run 'composer install' during installation).
Unless you want to test Forwardport, you should choose 3.x version, which is the most stable and feature-rich release.
- (For 6.x-3.x, 6.x-4.x) Download and install Autoload and DBTNG modules
- (For 6.x-3.x, 6.x-4.x, 7.x-3.x, 7.x-4.x) Download and install Module Object Oriented Programming API module
Please note: if you are upgrading from one of the older versions (such as any version of the 7.x-1.x or 7.x-2.x branch), you should install and enable all dependencies first, and only then update the Botcha module itself.
- Copy the module's directory to your sites/all/modules directory (choose the way you prefer: using drush dl or manually).
- (For 6.x-4.x, 7.x-4.x) Download the most recent version of Drupal-major-version-independent "library". Choose the way you prefer:
  - Using drush make: run this command from Drupal root
    drush make sites/all/modules/botcha/botcha.make . --no-core
  - Using Composer (not implemented yet):
    - Install Composer (for example, using drush
      drush dl composer).
    - Install Botcha
      drush dl botcha-4.x
      drush en botcha
  - Manually: download "library" from http://drupalcode.org/project/botcha.git/snapshot/refs/heads/x.x-1.x.tar.gz . See botcha.make file for information about the current version. Unpack it to the 'botcha_base' directory inside sites/all/modules.
- Activate the module.
The module starts working as soon as it is activated. It ships with reasonable default settings and requires no configuration, though the settings can be adjusted at any time on the Administer > User management > BOTCHA page (D6) or the Configuration > People > BOTCHA page (D7).
The module records its activity in the log and collects statistics, which are shown on the 'Status report' page.
There are some default forms that BOTCHA protects out-of-the-box, including user/register, which is the most important line of defense. Current version by default protects all other forms that CAPTCHA is enabled for. CAPTCHA is not required since BOTCHA can be configured independently.
(Note: this feature is available since 6.x-1.6) BOTCHA configuration page allows selecting which forms to protect. There is also an admin mode checkbox which adds links to forms for simple BOTCHA configuration.
Development roadmap
- #1804770: [META] Migrate to object-oriented architecture
- #1886982: [META] Make all Selenium tests passed
- #1847632: [META] Merge with similar modules
What "BOTCHA" means?
BOTCHA stands for "BOT Computerized Heuristic Analysis"
BOTCHA also means "Bombs On Target, Come Home Alive" (military, UrbanDictionary).
"BOTCHA is a feel-good cheer after bombing spambots to the ground."
BOTCHA also means "Double-dead meat" (Wikipedia), which is a health hazard.
"We feed BOTCHA to spambots and wait for them to get diarrhea and food poisoning."
How much does it cost?
It is absolutely free. But you have the opportunity to contribute to the implementation of new features, to speed up the closure of a bug that annoys you, or just to thank the developers, in the following way:
- Go to the PatchRanger site. PatchRanger is the first Drupal patch crowd funding platform. It is a service created by the co-maintainer of the BOTCHA module in order to provide users with reliable and modern software and developers with a source of financing, so that they are not distracted from module maintainership by the need to earn.
- Select the desired issue and assign a bounty for its solution. Bounty assignment is done by bank transfer, using 3-D Secure technology. It means that authorization to commit the transaction is carried out on the side of the issuing bank of your card - so it provides maximum security. Minimum transfer amount = $ 0.01.
- Once the issue is closed, the developer will be rewarded with the whole collectively accumulated sum. By the way, you do not have to be a co-maintainer of the BOTCHA module to get the reward: simply upload a patch that solves the problem to the Drupal.org issue queue (as usual). The reward will be paid as soon as the issue stays fixed for two weeks after the patch has been committed.
I first developed a fully automated method to protect HTML forms open to un-authenticated users back in 2002, long before I started using Drupal. That method had proven very effective back then. Time went by, and I moved that website to Drupal, and installed CAPTCHA. Eventually the site started getting a few dozen automated user registrations a day, followed by a few spam posts on each account. I tried strengthening Captcha settings, but the stream did not slow down while human users started to complain of the difficulty of Captcha challenges. Apparently Captcha is not deterring the recent generation of spambot scripts. I turned back to the old method, and wrote a module for that. The stream stopped and I have had zero spambot user registrations since. Now I want to share this module.
Similar modules
- JS Validate Forms (merged with BOTCHA): In BOTCHA terms, it provided a variation of the Honeypot recipe protection (instead of a randomly calculated value it used the current timestamp).
- un.captcha.lous (merged with BOTCHA): In BOTCHA terms, it provided the Honeypot2 recipe protection (called "Honeypot" there) and the Honeypot recipe protection (called "Magic Number" there).
- Honeypot: In BOTCHA terms, it provides the Honeypot recipe and Timegate recipe protection.
- Spamicide: In BOTCHA terms, it provides the Honeypot2 recipe protection. The difference is that in Spamicide the content of this field is user-configurable, while in BOTCHA it is randomly generated during each form submission.
- Hidden Captcha: In BOTCHA terms, it provides the Honeypot2 recipe protection. This module is similar to Spamicide; read more about their difference here: #840838: Hidden CAPTCHA v. Spamicide.
I expect this project to grow very fast and become very powerful in combat against spam. I am looking for co-maintainers and contributors that want to make a difference and improve user experience. I have plans to expand this project beyond Drupal. Please contact me for joining the team!