Ending Scam Bots | RoStop

Although that sounds great, it kinda defeats the whole purpose of the service/captcha to prevent these scam bots in the first place.

1 Like

Something like a captcha is unnecessary for bots that are not that advanced.

The developer can configure the captcha. And in the following updates, developers will be able to track player behavior and only prompt a captcha when necessary. Also, bot developers will continue to innovate their systems. Most bots currently don’t even load much of the client and instead only fire the necessary events to post chat messages.

Assuming that attackers are only emulating the barebones clients is a poor assumption to make. What happens when the attackers start using the entire client? IIRC these barebones bots we have seen are also capable of executing lua and emulating physics. There have also been examples of full client bots, as it is pretty trivial to bypass the single client restriction that Roblox places on your machine. This solution that OP has made seems to be worthwhile to me at least.

1 Like

it takes too much memory to use the entire client. also this entire concept sucks because if they start emulating the entire client they might as well just use the actual client and then they can just create an autoexecute script on join to solve this captcha…?

i said barebones for a reason. I don’t think they even need to solve the luau challenge to send chat messages.

these are actual roblox clients! of course there are people who have actually done lots of work to emulate lots of things the roblox client can do, but i believe you’re referencing something else because you took time to mention “single client restriction”

If they don’t load much of the client, why make an advanced captcha system? I see this as overkill.

2 Likes

That’s very good and useful! Well done. 👍

1 Like

It’s not what they do now - it’s what they can do. Bot developers will do whatever possible to earn money. They might end up running the client eventually or find ways around normal methods. These people aren’t dumb making the bots, they got around the login captcha and will do whatever needed to get around games. We have to take action now by protecting games the best possible.

It’s decently hard to emulate a roblox client, at least for beginners. It takes a lot of time to figure out how to exactly copy everything without being kicked for malicious activity. The bot developers would have to account for VPS & other resources (like uptime) to make money. VPS’ (decent) cost a bunch of money and when the developer can’t figure out how to do something, they’re forced to either upgrade their program or use the actual Roblox launcher which would need more CPU, RAM, and possibly GPU. If you make a system, that is updated regularly, I assure you, no bot developer will have time to keep figuring things out on the emulation.

Captchas are annoying. Roblox’s signups have significantly decreased because little kids can’t solve the captchas. If someone can make a bypass to the best captcha provider based on security (funcaptcha), they can definitely make one to this. Machine learning has evolved so much that they can easily solve the captcha in less than half a second.

If you just make something simple, like a certain checkpoint in the game before you can talk (like completing the tutorial), or something that would be hard to emulate, it will be the best option.

Regardless if you were to use this, which is a well made creation but not in terms of security, get ready to start making heaps of images as the bot can simply check and save the imageId.

good work though

I think you mean the signup captcha. It’s pretty easy to do with 2Captcha or just by making a solver with neural networks. Bots don’t need to login, as they already have their authentication cookie (.ROBLOSECURITY) from signup.

We should leave that up to Roblox, as they have a ton more resources than us and can prevent this issue without annoying the end user.

Update 1!

We have rolled out a new update to all people using the module! This update adds some new features and fixes some core bugs!


New Features:

  • SkipAccountAge - Set an account age (days) of which an account can fully bypass verification.
  • UIPosition - Set the position of the GUI.
  • UIZIndex - Set the Z-Index of the GUI.
  • UseModalButton - Allow the GUI to be used in 1st person while visible.

Bug Fixes:

  • Changed method to RegisterProcessCommandsFunction meaning no more mute module and no more console errors!
  • Fixed GUI glitch allowing verification bypass.
  • Cleaned up some code.

PLEASE feel free to contact me with ideas and bugs:

Thank you to everyone using RoStop to protect your game from bots!

6 Likes

I started using this and it is amazing!
For speculative devs:
It does NOT do any of the following:

  • Create lag
  • Become annoying
  • Hack your game with backdoors

It does:

  • Delete spam messages
  • Stay easy enough to not be annoying

All in all:
5/5 stars.

2 Likes

This is pretty bad UX and really annoying for players.

We had bots targeting our front-game, Animations: Mocap, with similar bots. Our solution was simple, but it worked. We just have a ChatModule that silently blocks messages that match filters with domain names, key words, etc. used by these scam messages.

It is a cat and mouse game but the scammers usually take a week or so until they catch on.

2 Likes
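The keyword and domain filter described in the post above, sketched as an added example (not part of the thread, and not the poster's or RoStop's code). It assumes the legacy Lua Chat System, where a ModuleScript in ChatModules returns a function that receives ChatService; the blocklist entries and the function id are constructed placeholders.

```lua
-- ModuleScript placed under Chat > ChatModules (legacy Lua Chat System).
-- Blocklist entries are constructed placeholders, not real scam indicators.
local BLOCKLIST = {
	"example.com",       -- placeholder domain
	"free robux",        -- placeholder keyword
	"robux generator",   -- placeholder keyword
}

-- Undo the common tricks used to slip a domain past a plain substring match:
-- mixed case, "(dot)" / "[dot]" / " dot " spelled out, and spaces around dots.
local function normalize(message)
	local text = string.lower(message)
	text = text:gsub("%s*[%(%[]dot[%)%]]%s*", ".")
	text = text:gsub("%s+dot%s+", ".")
	text = text:gsub("%s*%.%s*", ".")
	text = text:gsub("%s+", " ") -- collapse runs of whitespace for keyword matching
	return text
end

-- True when the normalized message contains any blocklisted string.
local function isScam(message)
	local text = normalize(message)
	for _, needle in ipairs(BLOCKLIST) do
		-- plain = true: treat the needle as literal text, not a Lua pattern
		if string.find(text, needle, 1, true) then
			return true
		end
	end
	return false
end

local function Run(ChatService)
	-- "scam_keyword_filter" is an id chosen for this example.
	ChatService:RegisterProcessCommandsFunction("scam_keyword_filter", function(speakerName, message, channelName)
		if isScam(message) then
			-- Keep a server-side trace so blocked attempts can be reviewed and
			-- the blocklist updated when the wording of the spam changes.
			warn(("[scam_keyword_filter] blocked message from %s in %s"):format(speakerName, channelName))
			return true -- true = message is consumed and not broadcast
		end
		return false
	end)
end

return Run
```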

The module isn’t meant for every single player to have to do. It’s meant for an account age to be specified for skipping it. For example, require verification if the account age is under 15 days old. The system also saves, and a puzzle amount can be set. You might only need 1 question, not 3. The system is in BETA, and being improved.

they removed the possibility of requiring an off-sale module due to server side exploiters using it to load the server side without the owner being able to view their code.

1 Like

That’s a giant security flaw, most bots compromise accounts off dodgy websites (like “free” Robux generator sites, free Premium, etc). Meaning by the time they’ve logged onto your game your code checking their account age will be pointless. (I am aware it is an option but it shouldn’t be an option if it’s that incredibly flawed).

Aside from that, a lot of this code is messy and you are using bad practices like spawn. A better solution for spawn would be to use coroutine.wrap as spawns have a built-in wait & can possibly take a large amount of time to actually do their job.

You are also indexing a lot of different GuiObjects which is unnecessary when you can use a more elegant solution like Roact.

Most scam bots covering Roblox actually are not old accounts. I suggest you look up the names of scam bots on the Roblox website and view when they were created, most being only a handful of days old. I also don’t know where you got spawn() being a bad piece of code because of a tiny yield. I looked it up and found no evidence of any performance issues.

It’s a bit overblown, they think anything that uses the 30hz pipe is bad and should be avoided at all costs. In reality this is only a problem when a game heavily uses the pipeline and its functionality can’t afford to have a small delay.

You can find more information on why spawn is bad

And this topic expands on coroutines vs spawn and that it’s not entirely black and white

Still not a good assumption to make that newer accounts are bots, Roblox has surpassed the 2 billion accounts mark a long time ago and it is safe to assume that there are at least 10s of millions of old bot accounts. New accounts are of course created for botting purposes but there are millions upon millions of old bot accounts that can be leveraged as well.

2 Likes

Adding on, most bots survive ban waves easily and all if not most bots are verified. I’ve seen a ton of chat scambots created in 2019.

2 Likes