As soon as my account was suspended, Jeff, head of PokerStar’s security team, emailed me to inform me that I had violated their Terms of Service by running a bot and that they were shutting down my account and seizing the funds I had in it.
What follows is the email conversation I had with Jeff about being suspended, creating bots, and improving PokerStars’s bot detection techniques.
I hope that posting this will create an awareness of the issues that will ultimately lead to better security for the online poker community.
October 2, 2008
Upon a review of your account, we find that you are running an automated player program, commonly known as a “bot”. The running of a bot is against the terms of service to which you agreed when opening your PokerStars account. Those terms of service are located here:
Among them are these terms:
5.5 AUTOMATIC PLAYERS (BOTS). The use of artificial intelligence including, without limitation, “robots” is strictly forbidden in connection with the Software and the Games. All actions taken in relation to the Games by a User must be executed personally by players through the user interface accessible by use of the Software.
5.8 FRAUDULENT BEHAVIOUR In the event that PokerStars deems that a User has engaged or attempted to engage in fraudulent, unlawful, dishonest or improper activity while using the Service, including without limitation, engaging in any of the activities set forth above […] PokerStars shall be entitled to take such action as it sees fit, including immediately blocking access to the Service, [and] terminating such User’s account with PokerStars […]
As such, your PokerStars account has been closed, and the funds within it have been seized and will not be returned. they will be used to compensate the victims of illicit activity on PokerStars. Please do not attempt to return to the games on another account. You are no longer welcome to play on PokerStars.
PokerStars Game Security
Jeff and team,
Thanks for the email, really. What started off as a small experiment turned into this massive project that I haven’t been able to let go of. I’ll happily stop running the bot (not that I have a choice at this point) and won’t make attempt to open a second account.
It may be bit much to ask at this point, but is there any possibility that my account can be reopened? I have no intent to run the software again, but I still love the game and would like to resume normal play on your fantastic site.
Thanks and I hope you all have a wonderful day.
Thank you for being forthcoming here. It is refreshing, as many
developers in your situation will try to “deny, deny, deny”, in an attempt
to return to the site.
Unfortunately, we cannot be lenient in such matters. We cannot re-open
your account. We have a zero tolerance policy toward bots, and as such
your account must remain closed.
PokerStars Game Security
I completely understand. Perhaps I can be of some service to PokerStars so that my work was not in vain.
In the process of developing the bot I’ve developed several advanced analysis tools that contributed greatly to my bot’s improvement and ultimate profitability. If you’re interested I’m willing to share everything I have–the tools, methodology, code, analysis and ideas to improve PokerStars’s security.
It’s important to understand that it was never about the money. My poker income was good when I took the leap and it was unlikely that I’d ever earn more with a bot. I liked the challenge and that kept me motivated for a long time–probably too long. Ironically, it was after it was clearly profitable that I really lost interest.
I’ve since moved on to other things, but would like to see it put to good use.
Let me know.
Your email has been forwarded to Jeff.
Thank you for your patience.
PokerStars Support Team
>If you’re interested I’m willing to share everything I
>have–the tools, methodology, code, analysis and ideas to improve
As long as you understand that what you’re offering is to travel along a one-way street, we would welcome the opportunity to see what you have to share. We will not, however, be able to share any of the details of what we’re already doing to detect bots such as yours.
I will say that should the data you provide give us any insight that we’ve overlooked, we would *possibly* reconsider the permanence of your barring.
>It’s important to understand that it was never about the money. My poker
>income was good when I took the leap and it was unlikely that I’d ever
>earn more with a bot. I liked the challenge and that kept me motivated
>for a long time–probably too long.
This is a concept and a mentality that we’re all-too-familiar with. The same is true of the vast majority of people who develop and run bots. I myself am a programmer and poker theorist as well, and if I wasn’t challenging myself by catching bots, I could definitely see the allure of the challenge of writing one.
Let’s see what you have to share, and perhaps it will ultimately (though not immediately) result in some sort of reprieve for you in the long run.
You may recall that several weeks ago we had a brief discussion after my account was suspended for operating a bot. I said that I’d like to share some information with you, you said don’t expect anything in return, and I said okay. It’s taken a little bit longer than I would have liked, but here’s my follow-on email.
Below are my best guesses as far as what you currently do to identify bots as well as some thoughts on how they might be improved.
The easiest and most obvious way to narrow down the field is to look for players with abnormally high numbers of hands in a given time period. This stems from the fact that most bots can’t compete in terms of skill, but can compensate for this disadvantage by playing massive quantities of hands. This one’s pretty obvious and I’m sure PokerStars considers it.
When I personally played HUSNGs, I probably played 10-15 on a given day, rarely playing more than 25. At 40-50 games/day, my bot was probably in the top 1% in terms of volume of HUSNGs played and yet it still went many months before the account was finally suspended. Even now, I’m not positive that’s what finally did it in, though I’d guess it probably was a big factor.
The “easiest” way to circumvent this is to set up multiple accounts, so that no individual account raises a flag. Fortunately, the logistical problems associated with creating multiple accounts with multiple addresses (assuming PokerStars look into the playing habits of players from the same address) or having friends run the software and exchange money is probably more than most people want to or can do successfully.
Along the way I made several big mistakes that probably should have raised a flag or two.
I had two programs: one that played the games and one that registered for new ones. One day the program that played the games crashed while I was out. I hadn’t built in a check for this, so the other program kept opening new ones for several hours, even though I was sitting out for all of them. By the time I got home, the bot had sat out for more than 20 consecutive games. I waited for the suspension, but nothing ever happened.
Another oddity was that the bot stuck to the same buyin for extended periods of time, which you wouldn’t expect from a human. There were periods of something like 800 games where it played nothing by $6+$0.25 Turbo HUSNGs. I’m sure there are people that do this, but most people tend to move up every now and then, even if only a little bit.
I saw a CAPTCHA once while I was personally playing at a NL100 Heads Up table and I think once while the bot was playing a HUSNG. There may have been more, but my general impression was that you didn’t do them very often and didn’t target my account despite the other warning signs.
I realize there are lots of considerations to make when deciding whether to use CAPTCHAs.
As with any test, you’re still faced with false-positives (people who either don’t see the CAPTCHA or do but answer incorrectly) and false-negatives (correct answers, though still a bot). I imagine most people who are prompted with a CAPTCHA notice it, but a lot probably get it wrong due to their complexity.
You also have to worry about bots that can detect and solve CAPTCHAs. I never tried to write or purchase CAPTCHA solving software because it didn’t appear to be a major threat. (Though who knows, missing a few of them may have eventually led to the suspension). One of the problems of detecting and solving a PokerStars CAPTCHA is that they occur so infrequently so its hard to gather a large enough sample size to be confident in whatever system you develop to solve them. In that sense, the scarcity was good for you.
As I’m sure you know you can’t just throw a CAPTCHA at anyone who demonstrates suspicious activity. You have to consider the impact on legitimate players. If you prompt players with too many CAPTCHAs you may risk them getting annoyed and switching to one of your competitors. Additionally, the fact that you have to have it in the first place implies there are bots that they should be concerned about. You’ll likely also have a high false-positive rate, resulting in angry explosions on poker forums of players crying foul.
You may have realized the tradeoff and purposely chosen a more passive, non-intrusive approach rather than aggressively testing suspicious accounts. In exchange you get some false-negatives, which might be the underlying reason my account lasted as long as it did.
That being said, I think you should still test the high volume players more often. If a player is in the top 5% by volume he is probably the type of player who will probably appreciate your attempts to protect against bots.
Additionally, knowing that CAPTCHAs are a threat probably discourages most people from trying to develop a PokerStars bot. The semi-frequent threads on poker forums about your CAPTCHAs have probably done more to minimize the number of bots on PokerStars than the CAPTCHA itself.
When I first saw a PokerStars CAPTCHA I attempted to take a screen shot of it, but was unable to. MSPaint said it couldn’t load the data, and no other software could either. It seemed that the PokerStars software disabled print screen during the CAPTCHA test. It could have been the result of an error on my part and not an intentional move by the software. If you don’t do this, maybe you should, as it makes it a lot harder to program the bot to detect a CAPTCHA when it doesn’t know what it’s looking for.
My hack was to have the bot check for abnormalities in the chat area of the screen. If the colors or window hierarchy were abnormal, the computer played loud obnoxious noises to draw my attention. Another hypothetical solution was to extract the CAPTCHA and send it to me on my cell phone, which I could quickly access and respond to.
It’d be hard to find a method that doesn’t result in any false positives or false negatives, but taken together with other flags you can definitely increase the likelihood of identifying bots.
I think you also attempt to hinder bots by making slight changes to the dimensions of the game window every now and then. I’m not sure if this was intentional or a software bug or whether it was targeted or random, but it caused me a bit of trouble. At the time my bot (and most bots) operated on a fixed mapping which assumed that certain pixel are static. By resizing the windows you made it a lot harder to extract important information.
I had the bot resize the window by having the mouse click and drag it to the correct position, but sometimes things were still slightly off. I was able to overcome this by having the bot calculate where to look versus having it based on fixed positions, but it was a messy fix. Luckily, the images for things like the cards didn’t change; their positions just shifted by a few pixels.
This method can never fully prevent bot detection, as any changes you make developers can and will adapt to, but it will disable the majority of the commercial botting platforms.
I’m not sure what PokerStars does with this, if anything, but I have a good idea of what it doesn’t do. You don’t check to see whether the locations that I click are consistent with a human. At least not very well.
Here’s what I did, but looking back, I’m really not sure it was worth the effort. Using the PokerStars log file, I extracted the locations I clicked during the course of a day and overlaid it on a screenshot of the table. With this, I could see where I clicked and set up the bot so that it clicked in similar locations. For example, when the bot would click call, fold, and raise the distribution resembled two bell curves in the shape of a cross, so that most of the clicks usually occurred near the center with very few at the corners. Again, at this point, I think this was mostly unnecessary.
One thing that you should check for is where a normal player clicks on the table itself; how often does he check out the Instant Hand History, how often does he click on the table graphics, how does he double click a player’s avatar to edit notes, etc. My bot rarely strayed from the area around the action buttons, which should have been a large flag if the software had been looking for abnormal behavior.
Another thing I did when starting out was to have the mouse to drag around versus having it jump from location to location. Theoretically this was supposed to make it look more human, though it just looked ridiculous in practice. A friend even worked out acceleration and deceleration so that it would look more natural. After doing this for a few days I switched it back to mouse hopping, figuring it was a huge waste of time if you weren’t actually checking it and if you were, the silly methods I used weren’t likely to fool you.
I saw on some botting forum that people claimed to have mouse movement down to a science. They proudly announced they had discovered what normal mouse movement looks like so they don’t have to fear being caught by site security. These developers likely wasted a lot of time working on inconsequential preventative measures. Probably not unlike me with some of these things…
Nonetheless, there is a big opportunity in mouse movement. Have the PokerStars software look for abnormal behavior not only in where the user clicks, but the path and speed between those nodes. If the behavior is abnormal, have the software notify your security team, who can then do further investigation. If the software doesn’t detect strange behavior, at least store a history of the user’s mouse movement in some encrypted file for a few days. If you do suspect an account of using automation software, have the software send you that log and do your own analysis on it, looking for indications of bot use.
Again, abnormal behavior is not a sure sign of a bot. PokerStars allows lots of scripts that aid multitablers and these tools do not violate the terms of service. However, when analyzed with respect to other available data it is one more piece of evidence you can look at before making your final decision.
Since PokerStars uses a custom control for the chat window, it’s not an easy task to extract the relevant information. In the beginning this was a major challenge, as most of the information the bot needs to make quality decisions is contained there (with the exception of stack sizes and holecards, which have to be read using less elegant methods).
I started off using some unreliable character recognition techniques, but eventually found a much easier way. While talking to another bot developer about the problem, he said he’s never had the problem. After some detective work we discovered that he ran PokerOffice, which adds its own control to the window which can be read using normal methods. So rather than doing the extensive work required to have the bot obtain the text, I just let PokerOffice run in the background and let it do the majority of the work.
Make the chat box harder to read and you’ll make it harder for bots to get the information they need to make intelligent decisions.
It might seem that I think PokerStars’s current bot detection algorithms are less than stellar. On the contrary, based on what I’ve seen and read in various forums about the security on other sites, PokerStars is second to none. Your site is so notoriously difficult to operate a bot on that most do not even try.
I don’t think there’s a single method you can use to tell whether someone is or is not a bot. The best you can do is use the data you have to make educated decisions about who might be, and then use your own judgment to make the final call.
You probably have terabytes worth of information available to you and as I’m sure you know it’s not a trivial task to analyze it all. Fortunately, the methods above should be relatively easy for PokerStars to implement on the client side. Until the final judgment has to be made, you shouldn’t have to rely on hand histories to narrow down the field.
I wish you guys the best of luck. It’s a tricky and important problem without an easy solution.
Thank you for your email.
I have now forwarded your email to the department responsible for handling
this matter. As this department is currently receiving a bulk number of
requests, please allow some time before being contacted. Our apologies for
any inconvenience that this may have caused.
Thank you for your patience, cooperation and for choosing PokerStars.
PokerStars Support Team
Very cool, Matt. I really wonder what they thought of you…
They never got back to me, so maybe there’s your answer :)
You analyze the actual windows GUI? Why can’t you go after the internet stream of data? Sure it’s encrypted, but the key to decrypt must be in memory somewhere.
[Note: I know nothing about poker sites.]
It’s very, very hard because of the encryption (though it has been done).
This is very interesting, thanks for sharing!
In your case (using a custom app) the easiest way to detect you is just to take a screenshot. Unless you completely hide every window and use keystrokes to control the app when the poker client is open.
You choose the hardest of the poker sites (pokerstars) networks like ipoker and even fulltilt are very tolerant with bots, they get a lot of rake from them.
Pokerstars is feared even by the bot gods (see openholdem.org)
Does anyone have proof that they actually take screen shots?
It would be a major invasion of privacy and I doubt they would risk it.
As far PokerStars being difficult to navigate, that was half the fun!
I also ran a bot on pokerstars for a while, towards the end of the development (things were just getting exciting) I left the bot on all day running on 12 tables, and came home to a complete mess – something had gone really wrong, and long story short my 4 monitors had different sized table windows open (I had left a nice 4×3 grid) some were sat out, others were not sat down, loads of error messages, and tons of dialogue boxes saying – please contact an administrator, check the email and I have an exact copy of the first email you recieved above.
Pokers stars scanned my machine and sent back data to them.
I used the event log to track it back.
What actually happened was that I came back to the machine after ten minutes away and saw a window I did not recognise in the center of the screen with text but no program name the text on top was flying along saying things like progam names various and then packing packing and something else I did not catch but it mentioned also winrar (which may have been doing the packing) but this program basically disappeared in front of my eyes as I moved the mouse within seconds it was gone.
Tracking back through the event log I found references to different calls for programs to run about that time but I do not know enough about the event log to nail them down
I have the event logs saved to another removable disc (kept separate) this is the only program that is on my machine that I know nothing about.
Not a trojan or keylogger sending back data …….very good anti spy and anti virus on board ………no this is difinately pokerstars at it. I remember also that the program was saying something about desktop itself?
Just as a update to the above Pokerstars CAN and Will scan your machine YOU give them permission in your terms and cons accpt.
What they are NOT allowed to do is scan and copy data from your machine and transmitt that back …….WELL that is what they are doing.
I am in the position of using my events logs to prove it
Keep you posted
La storia di Matt Mazur: sviluppatore di Poker Bot – Prima parte | giocopokernews.com
La storia di Matt Mazur: sviluppatore di Poker Bot – Prima parte : Poker online e tornei di Texas Hold'em in Italia – Freeroll bonus promozioni e recensioni poker rooms online
I think the mobile applications are more interesting for hack
I Run Bots on Poker Stars with my own Stealth Methods. I have been successfully extracting money from them for six years. It isn’t hard to bypass security measures when using double unity mode on two PCs.
What do you mean “double” unity mode?
Fuck you poker stars