bugs

as some as you might have seen, someone is auto building level 1 bots, dont know the reason why some one would do that.

Have notified ender about it on FB and he will have a look at it tomorrow.

My opinion, just delete all, or atleast make em level 2 so we have enough nan's to level on when creating a new bot

Also raised it with Ender, can only assume it's some sort of trial, but it's been running far too long.

I have a weird recollection of this same thing happening before bots2 died by that hacker, it was like they were looking for overflow or DDoS vulnerabilities.

i wasent online when bots2 died, but i remember there were a lot logged at the same time and everything was changed in same colour?

I agree, this does not look good. Theres 15 of them on now, not the earlier number of 5. If ender knows about this I wonder why he isn't doing something. I'm starting to worry...

How can you see this?

Thanks for bringing this to my attention. I looked into it and found that a spammer has been creating a steady stream of bots (I counted 735) since late February. These bots have all remained at level 1 and all (with only 2 exceptions) had links in the profiles to random spammer websites (many were Russian, FWIW). It was only noticed in the past week or so because the rate of bot creation increased significantly from 3/28-3/31 (it went up to over a hundred per day, peaking at 350+ on 3/29). My gut tells me this wasn't a targetted attack - maybe this script was somehow smart enough to figure out that it had to change the radio button on the registration page to "yes" in order to successfully register.

Anyway, that's the explanation of what happened. I've now done the following to address this:

• I cleared the profiles of all these bots. I didn't delete them, mainly because I don't have a simple way of doing this. If I naively just delete them from the "bots" database table, there'd still be a bunch of dangling database references (maybe - there might not actually be in any since I don't think the bots did anything other than change working settings). In any case, it doesn't really matter and shouldn't impact the game negatively for them to still exist. I can always clear them out later if needed.

• The human check for registration is now a simple math problem. Like the previous mechanism, this would be trivial for a targetted script to get around, but I'm working under the assumption that it's only going to be random spammer scripts that creep around random websites that try (which has mostly held true over the past ~6 years).

• Bots that are level 1 or have existed for under 24 hours can no longer perform the following actions: changing workshop settings, forum posting, and bmail sending. This shouldn't affect any real/legit players, but it should stop spam bots that somehow get past registration. It should also make targetted spam attacks significantly more annoying to execute.

Hopefully all that is enough to thwart it. I'll keep an eye on things, and of course please reply here if you see any more spam bots.

This shouldn't affect any real/legit players

Actually, this makes it more difficult to prep bots for future leveling by limiting trophies available at level 1. I'm not positive on the total available points from level 1, but this severely limits it. Sometimes I do workshop settings, forum post etc to get points to buy the tier 3 xp or speed buff, that way I can buy the other on the following day (or whatever day I decide to level/build it). Staying level 1 of course has the benefit of ensuring your ratio is NaN until you're active on it.

I've been building several tournament bots as of late so this actually affects me quite a bit :P Perhaps verifying your email, or filling a captcha could lift this limitation, or something along those lines.

Yeah thats sucks, i got and still create 1lvl bots just for future levelling. You need to find some other way to solve it

Thank you for fixing this issue ender and for doing it in an expert and very secure way. I believe it is very important to keep spammers such as this out and to implement means to do just that. Who knows what bad things could occur if something like this is left unchecked. It could lead to even worse situations.

I don't see any problems at all and I can easily adjust some of the things I once did as far as level 1 bots go. Very good and well thought out fix. Again, thank you. :)

Bots that are level 1 or have existed for under 24 hours

I guess you can do all you wanna do (getting trophies for leveling etc) at lvl 1 the day after its creation. So, you need to wait one day or maybe none if you have created the bots ages ago as I did with my "future" tourney bots :P

It says level 1 or existed under 24 hours, as opposed to "and". In other words, if it meets just one of the two criteria, the restriction will be applied. That means the bot would need to be both above level one and have existed for 24 hours to apply workshop settings.

Alright, clearly I need to study logic :P

You could also just use the level 1 300% buff like normal people do.

As for the spam, meh, bastard makes me do math problems now. I don't see why this even needed to be addressed. It's not like the server can't handle it and more bots makes it look like the game is more active.

Way to overreact Ender :/

It looks like what you said is the way it works anyway, Esv. The way it was worded still makes what I said true, but I think Ender may have worded it oddly in this topic. I hopped on an old level 1 and was still able to change settings. Then I created a new bot to see what the message would be, and it read;

Changing settings is not yet available for your bot. You can do this when you either (a) get to level 2 or (b) 24 hours has passed since your bot was created.

Damn you and your inconsistent wording Ender! Seeing as my assumption was wrong, it's easier to work around than I initially thought. It's unlikely I'll remember to buy buffs ahead of time, so right when I build them is still most convenient. Would still be nice to see a more elegant solution, or some kind of workaround for legitimate players. Either way I suppose I'll live though.

And Zal, not every build (especially tourny/workshopped builds that level on 10 int) can be completed with just aura of eternity. Even without workshopping bots, AoE still only brings you just over level 100 in most cases.

I agree it probably wasn't a huge deal, but it's better to alleviate it before it could potentially become malicious. Right now those bots are just wasting storage space, and we've been up that creek before.

I didn't realize that creating level 1 bots and prepping them for later use by grabbing easy trophies related to workshop settings was a common use case. In the interest of not impacting (or impacting as little as possible) "real" use cases, I've changed the "24 hours" portion of the new limitation to "10 minutes". I examined the history of the 735 spam bots and none of them were online for more than a few minutes. Again, this is easy to thwart if a spammer is tailoring their script for bots4, but I suspect this is highly unlikely to happen and expect it's much more likely we'll see random drive-by spam attempts, which this should successfully thwart.

Regarding "and" vs. "or" - yeah, my bad. I should have said "and". The code I wrote for this is fortunately much less ambiguous. The limitation applies to bots that are both level 1 AND have existed for less than 10 minutes. You can get out of the limitation by getting to level 2 OR waiting 10 minutes. I would have lost this lawsuit.

Thanks for the hotfix Ed, much appreciated. Now I need to find where to claim my settlement.

Since you get so much bullshit for not being around, you should get credits for a reasonably quick and fair solution to this =)

thanks

Forum posting is not yet available for your bot. You can do this when you either (a) get to level 2 or (b) 10 minutes has passed since your bot was created.