
May 31, 2008

More YCC Bot Maker Problem Explanation

Filed under: Site — tansqrx @ 1:57 pm

I cross posted the previous question about YCC Bot Maker at Astahost and I got a response asking for more details. Below is my response.

Thank you for your offer. Let me do some clarification. YCC Bot Maker is a program that signs up for Yahoo! accounts the same way you would if you used Internet Explorer or Firefox. One difference is that it is a VB.NET form that puts all the signup information in one spot and is much quicker than using a web browser. Another difference for this particular question is that YCC Bot Maker uses a series of HttpWebRequest objects and not the Webbrowser object (i.e. the Internet Explorer ActiveX control) to make the requests. I have all the code needed to create the HTTP requests and get valid responses back but I suspect that Yahoo! has added code on their servers to profile the type of “browser” used to ask for accounts. More specifically I have changed the UserAgent, Accept, AcceptLanguage, and UA-CPU properties of the HttpWebRequest to mimic Internet Explorer. Even with all of this the Yahoo! server somehow knows that my program is not a regular web browser and rejects the request (more on this later).

Up until about a month ago YCC Bot Maker was working fine. Then overnight I started getting a prompt to reenter the CAPTCHA. After a thorough review of the Yahoo! signup page I found that nothing had changed.

There is a series of three requests: get the mail login page which is used to grab the Yahoo! cookie, get the registration page where you actually enter the user data, and finally submit an HTML form POST with the user data and see if it was successful. The first two requests are still fine but when I send the POST, the account is denied and a prompt to enter a new CAPTCHA is shown. After playing around with the sequence I found that I can get a valid account if I reenter the second CAPTCHA and submit once again. An account is only granted if two successful CAPTCHAs are entered. Once again if I use Internet Explorer or Firefox, I do not have to enter the second CAPTCHA. Because I can finally get an account, but only after more verification, I have come to the conclusion that the Yahoo! server knows this is not actually Internet Explorer and adds extra validation.

My question is how does this technology work and how can I get around it.

May 23, 2008

Suggestions Needed For Latest YCC Bot Maker Breakdown

Filed under: Site — tansqrx @ 1:58 pm

About a week ago I received word that version 1.2 of YCC Bot Maker had stopped working. This was not a huge surprise as Yahoo! continuously changes its registration process and YCC Bot Maker is very dependent on the data held in the registration page. I hoped to have a fix put out fairly quickly but this time I am stuck and have yet to find a solution.

From what I can gather, Yahoo! has not changed any of the pages or any of the processes used during registration. One day it was working and the next it was broken. This leads me to believe that Yahoo! is doing some sort of new browser profiling or timing analysis. YCC Bot Maker uses the HttpWebRequest object built into .NET. By adding accept, referer, user agent, and others I can fairly approximate the look of IE7.

I start Fiddler (http://www.fiddlertool.com/fiddler/) and make a side by side comparison of a session with IE7 and then YCC Bot Maker. The requests are almost identical except a few header locations are swapped.

Here is the last request during the registration process using IE7 on the India server. The response shows a congratulations page for creating a new account.

POST /registration;_ylt=Amw.PhwB5E.stLUBnuRzxoSZ2PAI HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-silverlight, */*
Referer: https://edit.india.yahoo.com/registration?.intl=us&new=1&.done=http%3A//mail.yahoo.com&.src=ym&.v=0&.u=3ou4grd43ek4p&partner=&.partner=&pkg=&stepid=&.p=&promo=&.last=
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
Host: edit.india.yahoo.com
Content-Length: 807
Connection: Keep-Alive
Pragma: no-cache
Cookie: B=4dnko1h43ek4p&b=3&s=97

u=5b178pd43ek5n&dracs=&t=x2F6Q4.MzeGZRlr35zVb1DkywcQjtqkCMrdWMjcL5jX.V6Y1do4hqQ8aOF2HAHDw3jr30lHHDANXTIXGXaohokYjurJtWrgBEDE3ucfh2EOavo0VGwzarjnQ4VJVw_kLYlX4.XVpbLNai8H1BhVbwb8.iOvNBnMSdx1yaaDHdSh6zml1DMIEHZ143m0LGzz8Rxn6nnHe8JcWdRh1en0AJC.s9eYumSrm1taEZAoQ_SoCEt00C8MtUQ–%7EB&done=http%3A%2F%2Fmail.yahoo.com&last=&partner=yahoo_default&intl=us&src=ym&.scrumb=&jsenabled=0&preferredcontent=us&firstname=sadfdas&secondname=ewerq&gender=m&mm=2&dd=1&yyyy=1981&country=us&postalcode=58443&yahooid=dfk58443lkalsdfk&domain=yahoo.com&password=bobobob&passwordconfirm=bobobob&altemail=&secquestion=Who+was+your+childhood+hero%3F&secquestionanswer=dsfdsfadfs&cword=fw8nyvl&cdata=ftqaZeJZFelVDTGYXguGQO75qbdYepa6qbxfs5c2jew_iXlBPSPrIVt8DMAhTLjTWv7KGDDVEErJLca0hg–&showc=1&tos_agreed=y&IAgreeBtn=Create+My+Account

Here is the same output from YCC Bot Maker on the India server. This time I receive a “please try this code instead” and a failed attempt. Additionally, if I make another request with the previous failed attempt using the new CAPTCHA, I get a successful account creation page.

POST /registration;_ylt=AkbfFrpAnjNO5TMJr36fEHeZ2PAI HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-silverlight, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
Content-Type: application/x-www-form-urlencoded
Referer: https://edit.india.yahoo.com/registration?.intl=us&new=1&.done=http%3A//mail.yahoo.com&.src=ym&.v=0&.u=ee7n00143f8gg&partner=&.partner=&pkg=&stepid=&.p=&promo=&.last=
Host: edit.india.yahoo.com
Cookie: B=11uird143f8gg&b=3&s=2v
Content-Length: 804
Connection: Keep-Alive

u=f1p49q543f8gj&dracs=&t=c.kVhRIoP.HFU6QfWH.b0CftVs9X73rAw.U_hBx.y9JCxffF2ctaHKrOcaKQnOBNm7iClR402hHW8RM8BozEdxaxki05iRoJ.Dag.P3_jRAw9QILVBTONHiCwpdt50_E0q81D9Nd16qrsR7tpnSvMJ6zZhJP0hRIBkNgFzXDuR8l4A9ndFkQtuMvJnrtFyGdngja5d16AAi0Tq5VeYqKBDTWuTm6iIlQurTLJyvYQ0EPYbheZ3_esw–%7EB&done=http%3A%2F%2Fmail.yahoo.com&last=&partner=yahoo_default&intl=us&src=ym&.scrumb=&jsenabled=0&preferredcontent=us&firstname=MQYhLVgujy&secondname=BrXTSVyGEk&gender=m&mm=5&dd=12&yyyy=1947&country=us&postalcode=40076&yahooid=igbl49U&domain=yahoo.com&password=Nb6s5cR&passwordconfirm=Nb6s5cR&altemail=&secquestion=Where+did+you+meet+your+spouse%3F&secquestionanswer=7IiKII&cword=8teyj4e&cdata=5wtKjOJZFemg3x.fc7zjW2fNv.BxMnIccglRTwNkIaMYMDzucE_SZ7cB5ZHefjZetpKvKLtJpHLekJpb4g–&showc=1&tos_agreed=y&IAgreeBtn=Create+My+Account

You can see that the requests are exactly the same with the exception of user data and Yahoo! specific variables. I have no way of explaining this because from everything I know it should. I need your help getting the next version of YCC Bot Maker working. If you have suggestions or know of some new technology Yahoo! is using please let me know.
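How a server could tell two captures like these apart, as an added example (not code from this post, and not a description of what Yahoo! actually ran): it compares a request's header set and header order with a reference profile for the browser the User-Agent claims. The function names and the single-capture profile are assumptions; header names and order are taken from the two captures above, with values shortened or constructed.

```python
# Added example: server-side header fingerprinting (values shortened/constructed).
IE7_CAPTURE = """POST /registration HTTP/1.0
Accept: */*
Referer: https://edit.india.yahoo.com/registration
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: edit.india.yahoo.com
Content-Length: 807
Connection: Keep-Alive
Pragma: no-cache
Cookie: B=constructed
"""

CLIENT_CAPTURE = """POST /registration HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Referer: https://edit.india.yahoo.com/registration
Host: edit.india.yahoo.com
Cookie: B=constructed
Content-Length: 804
Connection: Keep-Alive
"""

def header_names(raw):
    """Return lower-cased header names in wire order (request line skipped)."""
    names = []
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, _ = line.partition(":")
        if sep:
            names.append(name.strip().lower())
    return names

def assess(raw, profile):
    """Compare a request's header set and relative order with a profile."""
    seen = header_names(raw)
    missing = [h for h in profile if h not in seen]
    unexpected = [h for h in seen if h not in profile]
    # Order is judged only over the headers both sides share.
    order_ok = [h for h in seen if h in profile] == [h for h in profile if h in seen]
    return {"missing": missing, "unexpected": unexpected, "order_ok": order_ok,
            "consistent": order_ok and not missing and not unexpected}

# Assumption: one browser capture stands in for the reference profile.
IE7_PROFILE = header_names(IE7_CAPTURE)
```

A real deployment would build the profile from many sessions per browser version and treat a mismatch as one signal among several, for example as a trigger for additional verification.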

May 16, 2008

YCC Bot Maker Not Working, Time To Work On 2.0

Filed under: Site — tansqrx @ 1:59 pm

A user in the forums has told me that YCC Bot Maker has once again stopped working. The issue has been verified. No matter what server you try you will always get an Invalid SEC Word error. It will be a few days before I can take a look at the code but I will get an update as soon as possible.

I also plan to add some new features to the code base so the next version should be 2.0.

May 12, 2008

ycoderscookbook.com Back Online

Filed under: Site — tansqrx @ 2:02 pm

The site has been down for just at two weeks and I am glad to see that it came back online earlier today. The outage was due to my hosting company migrating their servers to another server farm. Apparently they were having business problems and their previous provider showed them the door on a very short notice. Most of their servers were back online within a few days but the server that runs this site took much longer. I currently have hosting through a site called Astahost.com which is a post in a forum for credits free web host. I have been with them since the site was created and this is the first major problem that I have had. They provide a lot of bells and whistles even compared with paid hosting and of course they are free except the time that I put in to make forum posts. The free server is the lowest priority and thus was the last to be put back online. I certainly was hoping for a quicker response but there are certain limitations I must expect from a free provider. Hopefully this will not happen for another few years and I can keep my relationship with a provider that up until now has not given me many problems.

P.S. I have a few posts that I have been saving over the past few weeks so I will post them in one big spurt.

Yahoo! Dodges the Bullet

Filed under: Yahoo! — tansqrx @ 2:01 pm

Microsoft has rescinded its bid for Yahoo! in a surprise Saturday (May 3, 2008) announcement. When presented with offering more money or engaging in a hostile take-over, Microsoft decided to take a third route and just drop the whole thing. In a letter addressed to Yahoo! (http://www.microsoft.com/presspass/press/2008/may08/05-03letter.mspx), Microsoft outlined several reasons why they let the offer slip. There are concerns that a deal between Yahoo! and Google would seriously throw a monkey wrench into things and regulatory bodies, the EU in particular, would frown upon the transaction. As expected the share price for Yahoo! dropped to its pre-bid price during Monday trading.

From an outside perspective this feels better than having a nasty fight between Yahoo! and Microsoft. It looks like Yahoo! made themselves undesirable enough that Microsoft just decided to let the whole thing go. Is this the last that we will hear about a Yahoo!-Microsoft merger? Most likely not. If Yahoo’s share price slips considerably in the next few years I would expect Microsoft to smell the blood again and make another bid. At any rate I am sure that this episode has scared the pants off of many at Yahoo! and it will not be as easy next time, especially if an outside entity tries to mount a hostile take-over. Sometimes fear is a good thing and a great motivational tool that spurs new innovation. Perhaps some of the folks over in the Messenger division got a little fear and will release some nice upgrades.

http://www.microsoft.com/presspass/press/2008/may08/05-03letter.mspx
http://blogs.zdnet.com/BTL/?p=8708
http://unsakred.net/2008/05/04/microsoft-withdraws-bid-for-yahoo/

Just Another Reason You Should Be Scared

Filed under: General — tansqrx @ 2:00 pm

There is a posting on Slashdot today entitled “Microsoft Helps Police Crack Your Computer” (http://tech.slashdot.org/tech/08/04/29/1441215.shtml). To summarize, Microsoft is distributing a thumb drive device with specialty forensics tools to select law enforcement officials. Apparently this is a beta test of the new tools to see how well they are accepted (http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html).

The knee-jerk reaction to this is that Microsoft has done it again but I don’t believe they are to blame. I am sure law enforcement initiated this course of action and Microsoft is only keeping one of their biggest customers happy. You can’t blame Microsoft because they only made the process easier. The tools to do all of this are already on the market; Microsoft has only shrink wrapped them and put a pretty bow on top. Of course there should be ways to forensically investigate computer systems but hearing things like this always makes me uneasy considering many of the privacy problems of the recent past. This is another reason to go over to www.truecrypt.org and download the latest version of their free whole disk encryption package.
