brain_protect
Protection against form SPAM for TYPO3
brain_protect stops form SPAM immediately and effectively
brain_protect takes effect immediately after installation: all online forms* are immediately and effectively protected.
- ✅ No configuration necessary, no adaptation of existing forms.
- ✅ No captchas or other obstacles for visitors to your online forms.
- ✅ No additional tasks for web editors.
- ✅ 99.2% tested effectiveness.
- ✅ 100% GDPR compliant.
- ✅ 100% barrier-free.
- ✅ Independent of external tools such as Google reCAPTCHA or Friendly Captcha.
Why protect?
The web has become rough. Websites are under constant attack from automated (D)DoS attacks and endless form spam.
What sounds harmless can quickly turn into a catastrophe
- Servers collapse under the load, visitors only see error messages.
- Databases overflow, mailboxes explode with pointless spam.
- Domains end up on blacklists, e-mail communication is blocked, sometimes for days.
The usual countermeasures are barely effective
- CAPTCHAs frustrate real users, but no longer stop bots.
- Tools such as "Buster: Captcha Solver for Humans", captcha solver services and, increasingly, AI-based systems overcome them effortlessly.
- Honeypots are recognized and ignored.
- JavaScript obfuscation is quickly thwarted.
- Even simple AI models analyze source code and find ways around these protection mechanisms within seconds.
Attackers are arming themselves with ever more intelligent algorithms, automated bot networks and adaptive AI. Anyone who wants to protect their website must also follow suit. Only those who constantly modernize their measures will stay one step ahead of the wave.
Two layers of protection, one extension: brain_protect for TYPO3
With the TYPO3 extension brain_protect you can protect your website twice: against (D)DoS attacks and against form spam.
Reliable SPAM protection for online forms
brain_protect is an effective, fully GDPR-compliant alternative to classic (re)captchas.
For each form entry, the extension generates a short-lived cryptographic signature on the server side, based on the Time-based One-Time Password (TOTP) algorithm. The signature is submitted automatically together with the form and verified by the server; only validly signed requests are accepted. All Extbase forms are already protected in the standard configuration.
This reliably keeps spam out, without captchas, without sessions and without connections to external services. The protection remains effective even where conventional methods such as honeypots, reCAPTCHAs or JavaScript obfuscation have long since been bypassed.
Protection against (D)DoS through intelligent rate limiting
If conventional protection mechanisms at server or data center level are not sufficient, brain_protect intervenes:
The extension specifically limits the number of requests per time unit even before they reach the resource-intensive TYPO3 frontend or database. In this way, (D)DoS attacks are intercepted at an early stage and server loads are effectively reduced.
Rate limiting works without sessions, reacts dynamically to the current situation and can be configured individually using numerous options, for optimum protection at application level.
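To make the "requests per time unit, before the expensive work starts" idea concrete, here is an added example of a sessionless sliding-window rate limiter. It is illustrative code, not brain_protect's implementation, and it does not model the extension's adaptive behaviour or configuration options: the client key (an IP address from the documentation range), the limit of 5 requests per 10 seconds and the in-memory store are all constructed for the demo; a real deployment would use a shared store behind several web nodes.

```python
import math
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key.

    State is keyed by the client identifier (here an IP address), not by a
    session cookie, so it also covers clients that never accept cookies.
    The in-memory dict stands in for a shared store; this is a constructed demo.
    """

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> tuple[bool, float]:
        """Return (allowed, seconds until a slot frees up) for one request at time `now`."""
        q = self._hits[key]
        # Forget hits that have left the window, so an idle client recovers on its own.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            # The oldest remaining hit decides when the next slot becomes free.
            return False, self.window - (now - q[0])
        q.append(now)
        return True, 0.0


def handle_request(limiter: SlidingWindowLimiter, client_ip: str, now: float) -> tuple[int, dict]:
    """Middleware-style gate: decide *before* any expensive frontend or database work."""
    allowed, retry_after = limiter.allow(client_ip, now)
    if not allowed:
        # 429 Too Many Requests with a standard Retry-After header (whole seconds).
        return 429, {"Retry-After": str(math.ceil(retry_after))}
    # Only from here on would the request reach the frontend/database (placeholder).
    return 200, {}


def demo() -> list[int]:
    """Constructed scenario: one client sends 7 requests in 7 seconds, then one more later."""
    limiter = SlidingWindowLimiter(limit=5, window=10.0)
    client = "203.0.113.7"  # constructed address from the documentation range
    statuses = [handle_request(limiter, client, float(t))[0] for t in range(7)]
    # At t=10.5 the hit from t=0 has aged out, so one slot is free again.
    statuses.append(handle_request(limiter, client, 10.5)[0])
    # A second client is unaffected by the first client's limit.
    statuses.append(handle_request(limiter, "203.0.113.8", 6.0)[0])
    return statuses


if __name__ == "__main__":
    print(demo())
```

Denied requests are not recorded as hits, so a client that keeps hammering the endpoint does not push its own recovery further away; whether that is desirable depends on the threat model, and a stricter variant would count denied attempts as well.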
Tested effectiveness: 99.2% detection rate of form SPAM
We presented the new, barrier-free captcha alternative for protection against form SPAM for TYPO3 to an expert audience for the first time on September 18, 2024 at the TYPO3 University Days in Leipzig (t3ud24).
The evaluation of the subsequent one-year beta test with a detection rate of 99.2% of form SPAM confirms: brain_protect is the universal solution against form SPAM for TYPO3 systems.
Link to YouTube: https://www.youtube.com/watch?v=wry0AaLfUR8
Price overview
| Term | Regular price |
|---|---|
| 1 year | 300 € |
| 2 years | 600 € |
| 3 years | 900 € |
After the selected term expires, the regular annual price of € 300 (€ 357.50 incl. VAT), or the price according to the current price list, applies.
Unless otherwise stated, all prices are net plus 19% VAT.
Software transfer
The license to use the brain_protect software is non-exclusive, non-transferable and unlimited in time. It is valid for one (1) TYPO3 installation (usually a productive system) and for one (1) associated TYPO3 installation (usually a test or staging system), for any number of websites within the TYPO3 installation and for any number of forms on a TYPO3 website.
Conditions
The contract (term) starts on the day the Auth-Token is provided. Unless otherwise agreed, installation is carried out by the customer. The extension and information on the exact functionality may not be passed on to third parties or published. No concepts or tools may be developed that could circumvent or undermine brain_protect. The license fee is charged in advance for the selected term (1, 2 or 3 years). After expiry of the agreed term, the license is extended by one (1) further year unless it is terminated in writing with one (1) month's notice to the end of the term.
FAQ
The TYPO3 extension brain_protect is compatible with TYPO3 v10, v11, v12 and v13.
With brain_protect, protection against form SPAM is not the responsibility of the web editor.
So nothing changes for editors and there is nothing for them to consider.
After installation, all Extbase-based forms are immediately protected.
Protection for other online forms can be configured in a few simple steps.
Existing forms do not need to be adapted.
All optional configuration is carried out centrally via the extension configuration.
A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a test that is generated and evaluated by computers to determine whether the user is a human or an automated program (bot). A major disadvantage is the reduced accessibility: anyone who has difficulty seeing or cannot see at all what is displayed on the screen as a CAPTCHA is practically locked out.
reCAPTCHA is widely used and offers both visible and invisible options. It was developed by Google. When using the service, personal data of site visitors (e.g. the IP address) is transferred to servers in the USA. Google states that it only uses the information for risk analysis. Nevertheless, it is problematic to pass the data on to third-party providers outside the EU.
With an image captcha, the visitor to the website must select all images that have a certain characteristic, for example "Click on all images that show a traffic light". This procedure is often better than a simple captcha, but anyone who constantly has to solve these captchas will quickly become annoyed! There are also data protection concerns here, because the service is often offered by third-party providers with server locations outside the EU.
With an audio captcha, an audio version of the test is played instead of an image. The site visitor has to enter the words or numbers played to them from an audio file. This method is often used as a supplement to picture puzzles or as an alternative for the visually impaired to ensure accessibility. The barrier here can be the language in which the audio is played.
JavaScript obfuscation modifies the JavaScript code of the website so that it is difficult for humans to read and understand, but remains executable for computers. This is often done for security reasons or to protect intellectual property, to prevent the source code from being easily copied or analyzed.
Typical JavaScript obfuscation techniques include changing variables and function names, removing spaces and comments, encrypting strings and confusing control flow structures.
Advantages of obfuscation
- Makes code more difficult to understand to prevent imitation and unauthorized use, thereby providing protection against reverse engineering
- Hides critical sections of code from potential attackers, which improves (perceived) security somewhat
- Removing unnecessary parts (such as spaces and comments) can reduce the file size and thus improve the loading time of the website
Disadvantages of obfuscation
- The modified code is more difficult to debug and maintain
- In some cases, obfuscation can increase the execution time of the code
- Obfuscation does not provide absolute protection, as experienced developers may still be able to analyze and understand the code
JavaScript obfuscation can be useful, but is not a complete safeguard in itself and requires additional safeguards!
TOTP ("time-based one-time password") is a widespread and effective method that uses passwords that are only valid for a limited time. It is often used for two-factor authentication (2FA). TOTP is based on the HMAC-SHA-1 algorithm, where the current time is used as part of the input.
The generated passwords are only valid for a short period of time, typically 30 - 60 seconds. Each generated password can only be used once.
When setting up TOTP, a cryptographic key is shared between the user and the server. Both the server and the user use the current time to generate the unique password. As the passwords are only valid for a short time and are unique, the risk of misuse is greatly reduced. The complexity is still relatively low.
The potential vulnerability to a man-in-the-middle attack (MitM) is not an issue when the site is served over HTTPS with a valid TLS (SSL) certificate.
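The following added example shows the TOTP construction described in this entry and, built on the same primitive, a stateless time-based form token of the kind the "Reliable SPAM protection for online forms" section describes. It is illustrative code, not brain_protect's implementation: the server secret, the form identifiers ("contact", "newsletter") and the decision to keep the full HMAC tag for the form token rather than six digits are assumptions made here. The 6-digit part is checked against the published RFC 4226/6238 test vectors (secret `12345678901234567890`).

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret. A real deployment loads a random, server-side-only
# secret (32+ bytes) from protected configuration and never hard-codes it.
SERVER_SECRET = b"constructed-demo-secret-do-not-use"
STEP_SECONDS = 30   # RFC 6238 default time step
WINDOW = 1          # accept the current step plus one step on either side (clock skew)


def time_counter(now: float, step: int = STEP_SECONDS) -> int:
    """RFC 6238: the moving factor is the number of whole time steps since the epoch."""
    return int(now // step)


def hmac_tag(key: bytes, counter: int) -> bytes:
    """HMAC over the 8-byte big-endian counter; HMAC-SHA-1 is the RFC 6238 default."""
    return hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()


def hotp_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation: the classic short code shown by a 2FA app."""
    tag = hmac_tag(secret, counter)
    offset = tag[-1] & 0x0F
    binary = struct.unpack(">I", tag[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp_code(secret: bytes, now: float, digits: int = 6) -> str:
    """TOTP is HOTP with the time counter as the moving factor."""
    return hotp_code(secret, time_counter(now), digits)


# --- The same idea applied to a form token (illustrative, not brain_protect's code) ---

def form_key(form_id: str) -> bytes:
    """Per-form key derived from the server secret, so a token issued for one
    form is not valid for another form on the same site (assumed design)."""
    return hmac.new(SERVER_SECRET, form_id.encode(), hashlib.sha256).digest()


def issue_form_token(form_id: str, now: Optional[float] = None) -> str:
    """Server side, at render time: the value to place in a hidden form field.
    The full 160-bit tag is kept (hex) instead of six digits, because a public
    form endpoint has no attempt limit that would protect a short code."""
    now = time.time() if now is None else now
    return hmac_tag(form_key(form_id), time_counter(now)).hex()


def verify_form_token(form_id: str, token: str, now: Optional[float] = None,
                      window: int = WINDOW) -> bool:
    """Server side, on submit: stateless check, no session required. Accept the
    current step and `window` neighbouring steps; compare in constant time.
    Comparing bytes keeps compare_digest from raising on non-ASCII input."""
    now = time.time() if now is None else now
    key = form_key(form_id)
    current = time_counter(now)
    submitted = token.encode()
    return any(
        hmac.compare_digest(hmac_tag(key, c).hex().encode(), submitted)
        for c in range(current - window, current + window + 1)
    )


if __name__ == "__main__":
    token = issue_form_token("contact")
    print(token, verify_form_token("contact", token))
```

Because verification is stateless, a token remains acceptable for any submission inside the window (here roughly 30 to 90 seconds); the single-use property this entry describes for 2FA would need server-side state, such as a store of recently seen tokens. Rotating the server secret invalidates every form rendered before the rotation, so rotation is best scheduled for quiet periods.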
A honeypot is an additional, invisible and empty input field in a form. This field is not visible to human users and should therefore not be filled in. However, bots, which are often programmed to fill in all fields of a form, often fill in this field anyway. A completed honeypot field is therefore a sign of form SPAM. In this case, the submission of the form is blocked or the data record is marked as spam.
Additional measures can be taken to ensure that the honeypot field is not inadvertently filled in by human users. This includes giving the field a name that is misleading to humans or hiding it in a way that ensures it remains invisible to screen readers. This method should not affect the normal user flow, as real users will not see the honeypot field. Often this does not work reliably; in particular, the honeypot approach has accessibility issues and generates false positives due to the auto-completion of forms by the browser.
A form that is protected only by a honeypot can be bypassed relatively easily, so the level of protection is rather low. More advanced bots recognize and ignore honeypots, and a honeypot is ineffective against simple but targeted attacks.
False positives are cases where legitimate human users are mistakenly recognized as bots. This leads to frustration, lost interactions and is sometimes damaging to a website's reputation. Causes can include difficult CAPTCHA tasks, technical issues, lack of accessibility and atypical user behavior. Sometimes it is also due to invisible honeypot fields being filled in by a browser autofill function.