anti-fraud
Multi-layered anti-fraud and bot detection system for registration flows. Use when implementing: (1) Registration form security, (2) Bot detection and shadow banning, (3) Behavioral analysis (keystroke, mouse tracking), (4) Risk scoring systems, (5) Honeypot field implementation, (6) Disposable email detection, or any fraud prevention for user registration
install
source · Clone the upstream repo
git clone https://github.com/Art-of-Technology/anti-fraud-skill
Claude Code · Install into ~/.claude/skills/
git clone --depth=1 https://github.com/Art-of-Technology/anti-fraud-skill ~/.claude/skills/art-of-technology-anti-fraud-skill-anti-fraud
manifest:
SKILL.mdsource content
Anti-Fraud & Bot Detection System
A three-layer defense system for registration forms that detects bots while minimizing false positives for legitimate users.
Architecture Overview
Layer 1: SERVER-SIDE (tamper-proof) ├── Encrypted timestamp token verification ├── Device fingerprint matching └── Minimum fill time enforcement (3s) Layer 2: MANIPULATION DETECTION (server comparison) ├── Client vs Server timing mismatch ├── Keystroke/input inconsistency └── Impossible value detection Layer 3: CLIENT SIGNALS (informational) ├── Honeypot fields ├── Behavioral analysis └── Content analysis
Key Principle: Never trust client-side data alone.
Quick Implementation
1. Form Token Endpoint
// /api/auth/form-token // Generate AES-256-GCM encrypted token with timestamp const token = encrypt({ timestamp: Date.now(), fingerprint, nonce });
2. Behavior Tracking Hook
interface BehaviorSignals { totalFillTimeMs: number; fieldTimings: Record<string, number>; inputMethods: Record<string, 'typed' | 'pasted' | 'autofilled' | 'mixed'>; keystrokes: KeystrokeData[]; keystrokeVariance: number; mouseMovements: MouseMovement[]; hasMouseActivity: boolean; focusSequence: string[]; tabKeyUsed: boolean; backspaceCount: number; }
3. Honeypot Fields
Add hidden fields (CSS hidden, aria-hidden, tabIndex=-1):
,website
,phone2
,addresscompany
Any content in honeypot → Instant shadow ban
Risk Scoring
Shadow Ban Triggers (ANY = ban)
| Trigger | Condition |
|---|---|
| Server timing | Fill time < 3 seconds |
| Token | Invalid or missing |
| Manipulation | High confidence detection |
| Score | >= 80 points |
| Honeypot | Any field filled |
| Disposable domain |
Signal Weights
See
references/signal-weights.mdCritical (+100):
HONEYPOT_FILLEDDISPOSABLE_EMAILHigh (+25-40):
INSTANT_SUBMITALL_FIELDS_PASTEDBOT_PASSWORD_PATTERNNO_MOUSE_MOVEMENTPositive (-5 to -40):
PASSWORD_MANAGER_LIKELYKEYBOARD_ONLY_USERNATURAL_TYPING_RHYTHMShadow Ban Response
if (shouldShadowBan) { await delay(1000 + Math.random() * 2000); // Appear legitimate return Response.json({ message: 'Registration successful' }, { status: 200 }); // No account created, no backend call }
False Positive Prevention
Password Manager Detection (-40 points)
const isPasswordManager = allFieldsAutofilledOrPasted && keystrokeCount < 5 && fillTime >= 1000 && fillTime < 15000;
Keyboard-Only User Detection (-15 points)
const isKeyboardOnly = tabKeyUsed && focusSequence.length >= 2 && !hasMouseActivity && totalFieldTime > 1000;
File Structure
src/ ├── lib/anti-fraud/ │ ├── index.ts │ ├── types.ts │ ├── constants.ts │ ├── risk-scoring.ts │ ├── server-token.ts │ ├── manipulation-detector.ts │ └── validators/ │ ├── email-validator.ts │ ├── name-validator.ts │ └── password-validator.ts ├── hooks/use-behavior-tracking.ts ├── components/anti-fraud/honeypot-fields.tsx └── app/api/auth/ ├── form-token/route.ts └── register/route.ts
Resources
- Signal weights & thresholds: See
references/signal-weights.md - Validators (email, name, password): See
references/validators.md - XML patterns & detection: See
references/detection-patterns.md
Environment
AUTH_SECRET=your-secret-key-for-token-encryption
Logging
All decisions logged with
[ANTI_FRAUD][ANTI_FRAUD] { timestamp, emailDomain, serverFillTimeMs, summary: 'Risk: 25/100 (low) - allow' }