anti-fraud
"Multi-layered anti-fraud and bot detection system for registration flows. Use when implementing: (1) Registration form security, (2) Bot detection and shadow banning, (3) Behavioral analysis (keystroke, mouse tracking), (4) Risk scoring systems, (5) Honeypot field implementation, (6) Disposable email detection, or any fraud prevention for user registration"
Install
npx skillscat add art-of-technology/anti-fraud-skill Install via the SkillsCat registry.
Anti-Fraud & Bot Detection System
A three-layer defense system for registration forms that detects bots while minimizing false positives for legitimate users.
Architecture Overview
Layer 1: SERVER-SIDE (tamper-proof)
├── Encrypted timestamp token verification
├── Device fingerprint matching
└── Minimum fill time enforcement (3s)
Layer 2: MANIPULATION DETECTION (server comparison)
├── Client vs Server timing mismatch
├── Keystroke/input inconsistency
└── Impossible value detection
Layer 3: CLIENT SIGNALS (informational)
├── Honeypot fields
├── Behavioral analysis
└── Content analysisKey Principle: Never trust client-side data alone.
Quick Implementation
1. Form Token Endpoint
// /api/auth/form-token
// Generate AES-256-GCM encrypted token with timestamp
const token = encrypt({ timestamp: Date.now(), fingerprint, nonce });2. Behavior Tracking Hook
interface BehaviorSignals {
totalFillTimeMs: number;
fieldTimings: Record<string, number>;
inputMethods: Record<string, 'typed' | 'pasted' | 'autofilled' | 'mixed'>;
keystrokes: KeystrokeData[];
keystrokeVariance: number;
mouseMovements: MouseMovement[];
hasMouseActivity: boolean;
focusSequence: string[];
tabKeyUsed: boolean;
backspaceCount: number;
}3. Honeypot Fields
Add hidden fields (CSS hidden, aria-hidden, tabIndex=-1):
website,phone2,address,company
Any content in honeypot → Instant shadow ban
Risk Scoring
Shadow Ban Triggers (ANY = ban)
| Trigger | Condition |
|---|---|
| Server timing | Fill time < 3 seconds |
| Token | Invalid or missing |
| Manipulation | High confidence detection |
| Score | >= 80 points |
| Honeypot | Any field filled |
| Disposable domain |
Signal Weights
See references/signal-weights.md for complete weight tables.
Critical (+100): HONEYPOT_FILLED, DISPOSABLE_EMAIL
High (+25-40): INSTANT_SUBMIT, ALL_FIELDS_PASTED, BOT_PASSWORD_PATTERN, NO_MOUSE_MOVEMENT
Positive (-5 to -40): PASSWORD_MANAGER_LIKELY, KEYBOARD_ONLY_USER, NATURAL_TYPING_RHYTHM
Shadow Ban Response
if (shouldShadowBan) {
await delay(1000 + Math.random() * 2000); // Appear legitimate
return Response.json({ message: 'Registration successful' }, { status: 200 });
// No account created, no backend call
}False Positive Prevention
Password Manager Detection (-40 points)
const isPasswordManager =
allFieldsAutofilledOrPasted &&
keystrokeCount < 5 &&
fillTime >= 1000 && fillTime < 15000;Keyboard-Only User Detection (-15 points)
const isKeyboardOnly =
tabKeyUsed &&
focusSequence.length >= 2 &&
!hasMouseActivity &&
totalFieldTime > 1000;File Structure
src/
├── lib/anti-fraud/
│ ├── index.ts
│ ├── types.ts
│ ├── constants.ts
│ ├── risk-scoring.ts
│ ├── server-token.ts
│ ├── manipulation-detector.ts
│ └── validators/
│ ├── email-validator.ts
│ ├── name-validator.ts
│ └── password-validator.ts
├── hooks/use-behavior-tracking.ts
├── components/anti-fraud/honeypot-fields.tsx
└── app/api/auth/
├── form-token/route.ts
└── register/route.tsResources
- Signal weights & thresholds: See
references/signal-weights.md - Validators (email, name, password): See
references/validators.md - XML patterns & detection: See
references/detection-patterns.md
Environment
AUTH_SECRET=your-secret-key-for-token-encryptionLogging
All decisions logged with [ANTI_FRAUD] prefix:
[ANTI_FRAUD] { timestamp, emailDomain, serverFillTimeMs, summary: 'Risk: 25/100 (low) - allow' }Install
npx skillscat add art-of-technology/anti-fraud-skill Install via the SkillsCat registry.