Hey everyone, I’ve noticied that this thread has gotten a some attention again so I’ll respond to some replies.
This script isn’t dependant on the Chat Gui, so if bots use Chat:Chat() (which they most likely are), the Captcha will be prompted to them regardless, and their chat messages wont go through until they solve the Captcha (assuming the developer uses a ChatModule to invoke this script).
The reason this script isn’t using a blacklist for words is because it would be impossible to filter every single scam word. That’s what the old version of this script did, and it wasn’t very useful.
I’d also like to clarify that you shouldn’t totally depend on this script to keep bots out of your game. If this gains enough popularity, bots will start to be programmed to overcome this obstacle. This is simply just a roadblock to make bots struggle to scam players in smaller games.
Unfortunately, there are still some bugs in the script and I haven’t had any time recently to fix them. On top of that, v2 isn’t possible to solve if you can’t differenciate/identify colors, renderring it impossible to some groups such as those with colorblindness. Other people have made better suggestions such as text-based challenges, so I’m giving this up to the public domain. Feel free to do anything you want with the code and assets, no creditting required. Use this as your license: Creative Commons — CC0 1.0 Universal
I have requested this topic to be locked because it is a very old thread that is continuously brought to the front page of the Devforum every time it is interacted with.
Somehow no one on this thread has yet mentioned that no bots run Lua code or see UI. This does absolutely nothing to stop bots, period. It doesn’t matter if the bot is quickly thrown together.
Bots fire the remote event for chatting directly, they do not touch any Lua code in your game. This does nothing to stop bots, no matter how many times you prompt it.
Lots of people here are suggesting bots work out where to click on the screen when sending messages, this is not the case. Bots do not simulate clicks on the screen, they fire remotes directly.
ChatService is handled Server-side; this script alone provides no protection against firing remotes, however the developer could handle the chat message from a server-side script. For example:
A bot fires a remote to send a chat message
Using a ModuleScript in ChatService, the developer stops the message from being sent to the rest of the clients (handled server-side)
Send Captcha to the bot for it to solve
If solved, prevent the client from being asked to solve a Captcha again
Obviously this won’t stop every bot (especially the bots that are coded to specifically bypass this script) but it makes it much harder for a bot to send a scam message than just firing a remote.
You point out that bots with exploits can pass V1, however bots with exploits could also pass V2 with zero effort (just use a line or two of code to find which box matches whatever colour is labelled in the request. Not too hard to just string match and “if gui.button.color == green” or code to that extent)
I kinda see no point to using V2 over V1, because bots will either not have exploits and not pass either of them, or they will have exploits and can pass both of them several times over before you could blink.
I love the concept though however. It looks very professional, would be easy for any user to finish and would definitely stop 99% of bots. (Heck, I daresay 100% of bots even, since next to no bots have exploits or are designed to pass this)