name: anti-fraud
description: "Multi-layered anti-fraud and bot detection system for registration flows. Use when implementing: (1) Registration form security, (2) Bot detection and shadow banning, (3) Behavioral analysis (keystroke, mouse tracking), (4) Risk scoring systems, (5) Honeypot field implementation, (6) Disposable email detection, or any fraud prevention for user registration"

Anti-Fraud & Bot Detection System

A three-layer defense system for registration forms that detects bots while minimizing false positives for legitimate users.

Architecture Overview

Layer 1: SERVER-SIDE (tamper-proof)
├── Encrypted timestamp token verification
├── Device fingerprint matching
└── Minimum fill time enforcement (3s)

Layer 2: MANIPULATION DETECTION (server comparison)
├── Client vs Server timing mismatch
├── Keystroke/input inconsistency
└── Impossible value detection

Layer 3: CLIENT SIGNALS (informational)
├── Honeypot fields
├── Behavioral analysis
└── Content analysis

Key Principle: Never trust client-side data alone.

Quick Implementation

1. Form Token Endpoint

// /api/auth/form-token
// Generate AES-256-GCM encrypted token with timestamp
const token = encrypt({ timestamp: Date.now(), fingerprint, nonce });

2. Behavior Tracking Hook

interface BehaviorSignals {
  totalFillTimeMs: number;
  fieldTimings: Record<string, number>;
  inputMethods: Record<string, 'typed' | 'pasted' | 'autofilled' | 'mixed'>;
  keystrokes: KeystrokeData[];
  keystrokeVariance: number;
  mouseMovements: MouseMovement[];
  hasMouseActivity: boolean;
  focusSequence: string[];
  tabKeyUsed: boolean;
  backspaceCount: number;
}

3. Honeypot Fields

Add hidden fields (CSS hidden, aria-hidden, tabIndex=-1):
- website, phone2, address, company

Any content in honeypot → Instant shadow ban

Risk Scoring

Shadow Ban Triggers (ANY = ban)

Signal Weights

See references/signal-weights.md for complete weight tables.

Critical (+100): HONEYPOT_FILLED, DISPOSABLE_EMAIL
High (+25-40): INSTANT_SUBMIT, ALL_FIELDS_PASTED, BOT_PASSWORD_PATTERN, NO_MOUSE_MOVEMENT
Positive (-5 to -40): PASSWORD_MANAGER_LIKELY, KEYBOARD_ONLY_USER, NATURAL_TYPING_RHYTHM

Shadow Ban Response

if (shouldShadowBan) {
  await delay(1000 + Math.random() * 2000); // Appear legitimate
  return Response.json({ message: 'Registration successful' }, { status: 200 });
  // No account created, no backend call
}

False Positive Prevention

Password Manager Detection (-40 points)

const isPasswordManager = 
  allFieldsAutofilledOrPasted && 
  keystrokeCount < 5 && 
  fillTime >= 1000 && fillTime < 15000;

Keyboard-Only User Detection (-15 points)

const isKeyboardOnly = 
  tabKeyUsed && 
  focusSequence.length >= 2 && 
  !hasMouseActivity && 
  totalFieldTime > 1000;

File Structure

src/
├── lib/anti-fraud/
│   ├── index.ts
│   ├── types.ts
│   ├── constants.ts
│   ├── risk-scoring.ts
│   ├── server-token.ts
│   ├── manipulation-detector.ts
│   └── validators/
│       ├── email-validator.ts
│       ├── name-validator.ts
│       └── password-validator.ts
├── hooks/use-behavior-tracking.ts
├── components/anti-fraud/honeypot-fields.tsx
└── app/api/auth/
    ├── form-token/route.ts
    └── register/route.ts

Resources

• Signal weights & thresholds: See references/signal-weights.md
• Validators (email, name, password): See references/validators.md
• XML patterns & detection: See references/detection-patterns.md

Environment

AUTH_SECRET=your-secret-key-for-token-encryption

Logging

All decisions logged with [ANTI_FRAUD] prefix:

[ANTI_FRAUD] { timestamp, emailDomain, serverFillTimeMs, summary: 'Risk: 25/100 (low) - allow' }