Yesterday marked the two-week anniversary of my bitcoin faucet. So, I want to share some thoughts on what it's been like running it. Interestingly, the day I started my faucet happens to be the same day my keyboard was manufactured 26 years ago. :P

Before I get started, I'd like to take a moment to thank my loyal users for their continued enjoyment of the faucet, and for propelling my faucet to the top of the charts!

Stats

It's been an exciting couple of weeks, watching this little experiment take off, and I've been gathering all kinds of data. So, I'd like to give y'all an idea of what the first two weeks looked like.

FaucetBOX.com List Ranking

As a crude indication of popularity, I've been keeping an eye on my rank in the FaucetBOX faucet list.

As you can see, my faucet reached the top 100 after just four days of existence, and broke into the top 50 just one week later! It's still going strong, despite being the youngest faucet within the top 50, and I'm prediciting it will hit the top 25 within a week or so.

Average Hourly Payout per Day

A better indication of activity would be to look at the average number of hourly payouts. This shows that my faucet is healthy and growing, providing plenty of satoshi to my users.

The demand on my faucet is only going one way: up.

Traffic

This graph also echoes the fact that things are on the up-and-up! If you're paying attention, you'll have noticed the sudden jump in pageviews on Oct. 20. This was due to a short-lived attack attempt by a few bots that have since been beaten back into the cyber-oblivion from whence they came. You can see from looking at the payouts graph that they weren't overly successful.

Let's see where the bulk of my referral traffic came from.

| -------------- | ---------- |
| Source         | Referral % |
| -------------- | ---------- |
| ifaucet.net    | 49.96%     |
| Other          | 35.09%     |
| Advertisements | 8.57%      |
| makejar.com    | 5.95%      |
| Faucetbox      | 0.31%      |
| Scanthebox     | 0.12%      |
| -------------- | ---------- |

Unsurprisingly, ifaucet.net has been the top referrer over these last couple of weeks, making them a valuable channel for any faucet. Other sources also contributed a significant share of referrals.

The Advertisements stat were ads ran by others, not by me. So, I'd like to say thanks to those such as The Faucet Runner who by running these ads on their own dime have helped promote my faucet!

Despite my current rank in their list, Faucetbox itself isn't yet a significant contributor of traffic.

On CAPTCHAs

When I started my faucet, I tapped the well-known reCAPTCHA to act as a front-line discriminator between bots and humans. While it's true that reCAPTCHA offers a nice user experience, sadly it has fallen short of my personal expectations.

To be fair, I seem to recall that stopping bots was never the first goal of reCAPTCHA. As far as I recall, it was to assist in digitizing books and deciphering house numbers and street signs. With reCAPTCHA 2.0, I was greatly impressed with the user experience it offers.

As an experiment, on October 21, I decided to roll out Funcaptcha as I was intrigued to see how well it would perform in comparison. I have seen a definite increase in the number of CAPTCHA fails versus reCAPTCHA in the time since. So far, my only complaints are that Funcaptcha doesn't offer daily or hourly stats, as far as I can tell, and that sometimes it takes too damn long to validate a CAPTCHA result. The worst part is that my users will see lots of timeouts during periods of high activity, and this degrades the user's experience substantially.

reCAPTCHA's average response time during the time I had it on the site was a mere 50 ms, and it was very consistent, even during periods of heavy load. Funcaptcha's average response time during the last 7 days was 432 ms., which isn't that great, but it is okay. It's relatively close to FaucetBOX's average response time of 390 ms. But, I can't help but wonder if Funcaptcha is also written in PHP, or perhaps Java. Either one might could explain the slow performance. Or, perhaps the fellers down there need to upgrade their infrastructure. :)

EDIT: Oct 31.: Added a graph of Funcaptcha request times.

Does Funcaptcha do what it's supposed to do? Certainly. It's also worthwhile to note that CAPTCHA solving services exist for reCAPTCHA even the "no CAPTCHA" variant, as well as for several others such as Solve Media. Although, I've not seen one for Funcaptcha to date. But, it's my opinion that CAPTCHAs will not be viable in the long run for keeping bots out and humans in, even if they are quite handy at the moment.

Interestngly, even after the faucet no longer served reCAPTCHA challenges, or sent responses for validation, Google's reCAPTCHA stats show that the key is still in use. The only logical conclusion I can draw from this is that either their statistics are wrong, or that the keypair was somehow compromised.

| ------- | ---------- | --------- | --------- | --------- |
| Date    | No CAPTCHA | Pass      | Fail      | Total     |
| ------- | ---------- | --------- | --------- | --------- |
| Oct. 22 | 63 (8%)    | 605 (75%) | 143 (18%) | 811       |
| Oct. 23 | 57 (7%)    | 602 (75%) | 146 (18%) | 805       |
| Oct. 24 | 52 (7%)    | 546 (75%) | 132 (18%) | 730       |
| Oct. 25 | 41 (6%)    | 490 (71%) | 156 (23%) | 687       |
| Oct. 26 | 50 (10%)   | 373 (74%) | 81  (16%) | 504       | 
| Oct. 27 | 28 (6%)    | 323 (74%) | 85  (19%) | 436       | 
| ------- | ---------- | --------- | --------- | --------- |

Although these requets are trending down, it's still quite alarming that there are any requests being made for these days in the first place. If you're using reCAPTCHA for your faucet, you may want to consider alternatives. As always, keep in mind that no CAPTCHA will ever be perfect or stop 100% of bots 100% of the time.

On Anti-Bot Measures

Naturally, I've had my fair share of bot attacks, even in the first two weeks of running my faucet. When you build a well, some people will come with a bucket, and even more will come with a dredge pump. It's just a fact of life. The real problem to solve is making sure that the guy with the dredge pump can't drain the well dry, so that there's plenty to go around for all the users who come with their buckets in hand.

That said, here are some common "countermeasures" I've seen passed around that aren't all that effective. If you're using any of these methods, please give the points below some thought.

Claim Button Timeouts / "I'm a human" Checkboxes

Even non-humans are capable of checking a checkbox, considering that a lot of these bots are not merely scripts, but scripts running in a browser.

As a user, I've seen some of these with rather long timeouts, or cases where the button doesn't appear at all. Both are equally irritating for a user. Such checkboxes may catch some small-time scripts, but in the long run a CAPTCHA alone will be a better defense.

Anti-bot Links

These are the most annoying things for a user, and in many cases I've personally seen, these "features" are used merely to click-bait users instead of really stopping bots. As a user, I've always found this to be a major pain in the ass. Furthermore, click-baiting users is a violation of the TOS of most ad networks!

Let's consider how this works. The user must click the links in a predefined order, and uses an image to show the user the order in which they must be clicked. This order is communicated to the server via a form field.

If the links have been clicked, the "claim" button appears, and all should be well. When the form is submitted, the value from the form field is compared with data associated with that session. If this matches, and the request was submitted within some seconds of when the link order was first generated, then it's assumed the user is not a bot.

Even without OCRing the image, with 3 links, the bot still has a 1 in 9 chance of guessing the correct order. With 5 links, 1 in 120; and with 10 links, 1 in 3,628,000. So, for this to even be marginally effective you'd have to have a good number of these links strewn throughout your page. Furthermore, you'd have to invent many different ways of instructing the user to click the links. Over time this will be increasingly difficult to maintain, and will become easier for bots to solve.

This will only serve to drive away more users as it becomes necessary to increase the complexity of such a solution. Keep in mind, Moore's Law also applies to botnets, and Murphy's Law applies to the rest of us.

Port Detection

Some faucets will block users who are coming from IP addresses that also expose ports 80 (http), 443 (https), 8080 (http-proxy), and more. While this may seem like a prudent measure, in that it would be atypical for a normal internet user to be running a webserver or proxy on their machine.

However, let's consider a common case. The user is behind a NAT that exposes a web interface, or acts as a MTA. This is a pretty common setup on some networks, and the exposure of some services is completely unintentional. Should the users who happen to be behind these NATs pay for the incompetence of the entity routing their traffic? I think not.

The second thing to consider is that each time you probe for a port, what you're really doing is slowing down the response time back to the user. Each port you attempt to connect will incur a certain amount of network latency. The timeout would have to be fairly high (around 250 ms or more) in order to reliably detect the open port. In a lot of setups, the default will be 30 seconds or so per connection attempt.

In cases where the port isn't open at all, this will add the entire amount of the delay to the response time for your user. Thus, your faucet will appear sluggish and unresponsive, and a large number of requests to your site will timeout, leading users to believe that it doesn't work at all.

Long story short, you're only going to drive away good users. While this will catch some bots, it won't stop many of them, and it's certainly not more effective than other measures. Want proof? Check out my stats for Oct 26th in the graphs above. I ran a test with some port detection logic for the whole day, just to see whether or not it would be effective, and you can clearly see it had little to no impact on traffic or payouts. For the record, I was blocking any hosts that exposed any of these ports: 80, 443, and 8080.

Conclusion

It's been a great two weeks since starting my faucet. I've seem my fair share of action, and I'm looking forward to serving more and more users. Peroonally, I think that faucets being plenty of people's first step into bitcoin, and cryptocurrency in general, to make for a nice little niche.

In a future article, I'll write more about my own anti-bot measures, thoughts on bitcoin based advertiseing networks, and other things. So, stay tuned, and make sure to stop by the faucet and claim your free satoshi if you ain't done so in the last 60 minutes.