Ending Scam Bots | RoStop

RoStop - Stopping Roblox Chat Bots! (BETA TEST)

I’m sure we’ve all seen the bots chatting scam links and other text in ROBLOX chat. Well, with RoStop, you can put an end to these bots:

An example of ROBLOX chat scam bots.

What is RoStop?
RoStop is a Captcha service designed to protect ROBLOX chat! When a user joins the game for the first time and tries to chat, RoStop will pop up prompting the user to verify. This verification process is similar to the ROBLOX sign-up captcha (Don’t worry though, it actually works and is solvable). RoStop also has other settings that can be configured by the developer, such as a required account age and time in-game.

image855×346 48.4 KB

image852×343 53.4 KB

image870×343 49.1 KB

Great! Can I use it in my games?
Of course! RoStop is completly free! I would greatly appreciate credit if possible.
First, make sure API services and datastores are enabled. The best way to use it is by creating a script in ServerScriptService, naming it “RoStopSetup”, and pasting the following code in:
local RoStopModule = require(6182832763)
RoStopModule.Initiate()

Doing this allows me to update RoStop with new images, new settings, and new verification methods. You can remove it at any time for any reason. If you would prefer using the module by itself (no updates), you can import it in your game yourself. I would recommend using your own images if you do this.

NOTE: RoStop may not work with modified chats that are custom designs.

Other Options:
In addition to using RoStop. You can also specify custom settings and configuration. Simply specify a table as an argument in the Initiate() function. Here are all of the current options along with the default values:

local RoStopModule = require(6182832763)
RoStopModule.Initiate({
	["ThemeColor"] = Color3.fromRGB(255, 112, 112), -- Theme color of the GUI.
	["UIPosition"] = UDim2.new(1,4,0,0), -- Position of the GUI relative to chat.
	["UIZIndex"] = 10, -- Z-Index of the GUI.
	["UseModalButton"] = true, -- Allow the mouse to move in 1st Person when the GUI is visible.

	["RequiredAccountAge"] = 0, -- How old the account playing has to be to chat (Days).
	["RequiredGameTime"] = 10, -- How many seconds the player has to be in the game before verifying/chatting. 
	["SkipAccountAge"] = "inf", -- Set a number of days old an account can be to skip all verification ("inf" to disable).
	
	["EnableRotateVerification"] = true, -- If the puzzle verification is enabled or only other options.
	["ExpireTime"] = 2628288, -- How long a verication lasts before having to retest (Seconds).
	["FirstPuzzleAmount"] = 3, -- How many questions the puzzle is.
	["NewAccountTimeframe"] = 30, -- Days classifying an account as "new".
	["FirstPuzzleAmountNewAccount"] = 4, -- Amount of questions a "new" account has to do.
	["RetryPuzzleAmount"] = 6, -- Amount of questions needed if the user fails previous puzzle.
	["AddMoreWithFailed"] = true, -- Add +1 item every failed puzzle.

	["RotateAmount"] = 15, -- Rotate amount per arrow press.
	
	["SaveData"] = true, -- Saves their verification so they don't have to redo every join.
	["HoldServers"] = true, -- Hold the server from shutting down to ensure the verification is saved.
	--NOTE: Data may not be saved in studio testing!
	
	["UsePresetImages"] = true, -- Use the constanly updated library of images.
	["CustomImages"] = { -- Add you're own images. Example Format:
		--		{"rbxassetid://IMAGE_ID",CORRECT_ROTATION_AMOUNT},
	}	
})

More settings and options are in the works!

Common Questions:

Q. Can I use this for free in my games?
A. Yes! Feel free to use it! Credit appreciated.

Q. Does it save player’s verification?
A. Yes! Make sure you have API services enabled. You can also turn this off using configuration.

Q. I don’t like using require() in scripts. Any other way to use it?
A. Feel free to use the module by itself. Just note that not using require() means your RoStop will not be updated with new features and images. DS won’t do anything to harm any games.

Q. Any games that currently use RoStop that I could try?
A. Yes, all DS games currently use RoStop. Links:

• Factory Fixers: https://www.roblox.com/games/5288164730/Factory-Fixers
• CUBE Simulator: https://www.roblox.com/games/4565635405/CUBE-Simulator

Q. Any way I can contact you with questions, problems, etc?
A. Sure. Here are my contacts:

• Email: robotenginegames@gmail.com
• Twitter: @Robot_Engine
• Discord: @Robot_Engine#1814
• This forum post.

Credits:

• RoStop by @Robot_Engine.
• Player muting script by @likeajumpingpro (Old mute by @ScriptedDrag0n).
• Icons and images by Freepic from Flaticon.

Final Notes:
We would love your feedback! Please let us know of any questions, comments, or suggestions! We also would love to see other versions made for games. Let’s work together to stop bots!

I there a way to make it useable in LockFirstPerson?

Not currently, as it’s intended for chat. But don’t worry i’m working on updates and different versions to allow for game-wide protection. Also feel free to tinker with the code!

You can solve the problem with a much easier method than this? Just fire a remote event / some code on the client when the player joins and after that enable the ability for the chat service modules to replicate messages to other players. They’re just emulating the roblox client and so it has barebones functionality. They would not dare launch an entire client that is going to use 1000mb of memory.

This just hinders actual players.

I’m thinking into the future. If it was as easy as that bots wouldn’t exist. Plenty of developers already use simple methods such as waiting until the play button is hit. If all developers did this then bots would evolve to get around it. RoStop ensures that games who use it are protected. It also barely hinders players as it saves (unless the developer switches it off).

I think you have a big misunderstanding of what the bots actually are. They are NOT actual clients. They dont see almost anything a normal client does. They’re just emulating the client enough to send a simple network request to post their chat message. IIRC they don’t even fire the .Chatted event with the method they’re using.

A simple script that fires when a player joins is enough for anyone who uses lots of bots because it is too expensive to account for.

(Also you can try checking lots of other things like the player’s display size, whether their character ever laods, etc., there are so many ways you can easily prevent bots form joining because they are not even trying to replicate the tons of information that an actual player has)

Because of all the limitations that bots have, a simple button that says ‘click here’ would be just as good.

Like @Robot_Engine stated if it was that easy then Roblox wouldn’t have a botting problem.

Roblox does not care. They really do not. Not until it becomes easy and accessible for everyone to start abusing things. They still use funcaptcha and it is easy to bypass. Arkose even exposed an xss vulnerability on the site

A lot of problems with roblox starts with their laziness to solve the sites problems.

For the longest time you could put a breakpoint on the join.ashx request and change your display name ingame to literally anything. It was even reported on the h1 site, but was never fixed until it became popular to do it.

I wasn’t referring to Roblox it self, I was referring to Roblox developers and games in general. Of course Roblox doesn’t really do anything lol.

If you’re talking about the developers then it IS that easy to stop the bots (the stuff I talked about in my posts). It is just that for some reason this information has not been spread around. It just takes simple checks.

I think you’re underestimating bots and bot developers. They will go to great lengths get a quick buck. Even if that did mean they suddenly had to emulate clients. They will try and find a way.

This is my last statement on the matter.

I decided to take time and now to look at your code. There are a few glaring issues.

1] Chatted won’t get fired by these bots. (At least the ones that would join me would not invoke Chatted)
2] You’re trying to prevent them from chatting from the lua side but all they have to do to chat is do an internal network call without even touching the chat gui.

Thank you! I’ll add more secure ways of preventing bots in the next update.

What code would fix this issue?

Are you preventing users below that age from chatting entirely, or allowing users above that age to bypass the Captcha system? I think the latter would be less of a burden on real players while still blocking most of the bots.

Ultimately I think a custom chat filter would be simpler, but this Captcha technique might be more effective with less maintenance required against any bots that actually bother to bypass custom chat filters.

Why not just filter the links out? It’d be way easier for someone to just do it instead of just doing weird captchas.

It currently makes users under the required age do more puzzles (Which can be specified). In the next update I’m adding a second option to allow users over an age or playtime to bypass verification.

This is what I do currently, but like I said, it’s only a matter of time before the bots bypass this. google(dot)com is an obvious example of a URL filter bypass, but there are too many ways to block them all.

Their are over 2 thousand different dot address types and more being added. It’s simply impossible to stop all links.

I may add an extra feature that allows developers to add blocked text/links.

Hi, this is an awesome system and is very intuitive. However, I came across a bug that can bypass the system (sort of)

Maybe this video will speak for itself:

Also, instead of restricting this Captcha system to only the chatbox, maybe have it so that you have to do the puzzle before accessing the entire game (possibly the GUI covers the whole screen)?

Thank you! I’m working in a game-wide version as many devs only want to block the chat (So I didn’t want to impose it game-wide). I’m also most likely going to change the mute system. I will probably manually check on every client if a player is verified and if not delete the UI element physically as Roblox’s system sucks.