
Spambots attempting to register by Facebook

Discussion in 'Forum Management' started by tenants, May 12, 2015.

  1. tenants

    tenants Well-Known Member

    I have known this was happening for quite some time; I even created an add-on as soon as I saw it happening
    https://xenforo.com/community/threa...facebook-bots-now-use-this.40717/#post-441623

    It's not a common way for spam bots to register, but it's definitely a route I would automate if I wanted multiple xf accounts on many forums (I don't), so I'm surprised I haven't seen more of them

    The evidence was collected from the plugin Tac DeDos (which I'm currently upgrading, and why I started going through and examining the logs)
    It was prevented in multiple ways (customImgCaptch + AuthCaptcha, and Tac DeDos)

    It couldn't get past the Captcha, and was also detected as a Bot Dos (it hit many pages very quickly, and many more reasons)

    DeDos Proof:

    After being automatically blocked by DeDos (and thus 403 forbidden by htaccess) it then went on to hit hundreds of other pages (all returned 403). This was found in the access logs and is very non-human behavior

    I suspect it is a browser based bot (but not Selenium, something less heavy and no js)

    • This bot had no JavaScript
    • Faked its user_agent to look like a browser (as pretty much all spam/scraper bots do)
    • Hit multiple pages quite quickly
    • (+ some other reasons I cannot reveal)
    • At this point the bot has no cookie (this is usually typical of scrapers... but scrapers don't usually try to register, I suspect after registering it would have allowed the cookie to persist)
    • After being locked out via htaccess, continued to hit hundreds of pages:

    180.60.30.213 - - [12/May/2015:13:17:17 +0100] "GET /forums/website-reviews/ HTTP/1.1" 403 - "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
    180.60.30.213 - - [12/May/2015:13:17:17 +0100] "GET /forums/software-issues/ HTTP/1.1" 403 - "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
    180.60.30.213 - - [12/May/2015:13:17:17 +0100] "GET /forums/book-club/ HTTP/1.1" 403 - "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
    180.60.30.213 - - [12/May/2015:13:17:17 +0100] "GET /forums/cooking-recipes/ HTTP/1.1" 403 - "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
    180.60.30.213 - - [12/May/2015:13:17:17 +0100] "GET /forums/surrey-property-ads/ HTTP/1.1" 403 - "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
    180.60.30.213 - - [12/May/2015:13:17:17 +0100] "GET /posts/4525/ HTTP/1.1" 403 - "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"


    -- and, as the title suggests, it tried to register via Facebook

    [unix_timestamp](human_readable_time) => url_location
    [1431433009](Today at 1:16 PM) => /register/facebook?reg=1
    [1431433007](Today at 1:16 PM) => /forums/about-surrey-forum/index.rss
    [1431433007](Today at 1:16 PM) => /forums/suggestion-box/index.rss
    [1431433003](Today at 1:16 PM) => index.php

    The IP is from Japan (and the site is a local niche), using what looks like a VPN relay server: ngn-west-213-030-060-180.enjoy.ne.jp

    Having looked through my DeDos logs, this is not a lone case, although it's still by far the least common route for bots to register (yet it is the route with the largest holes ... you only need a handful of manually created FB users to automate masses of other sites)
     
    Last edited: May 12, 2015
    ForestForTrees likes this.
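
The behaviour described in the post above (a client that keeps requesting new pages while every response is already 403) can be checked for directly in an Apache access log. This is an added example, not the Tac DeDos add-on's code and not part of the original post; the function names, thresholds and sample log lines (documentation IP ranges) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format, the layout of the access-log excerpt in the post.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one client ignoring its block, one that stops, one normal.
SAMPLE = [
    f'203.0.113.7 - - [12/May/2015:13:17:17 +0100] "GET /forums/board-{i}/ HTTP/1.1" '
    '403 - "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"'
    for i in range(6)
] + [
    '198.51.100.20 - - [12/May/2015:13:17:18 +0100] "GET /forums/ HTTP/1.1" 403 - "" "ExampleBrowser/1.0"',
    '192.0.2.5 - - [12/May/2015:13:17:19 +0100] "GET /index.php HTTP/1.1" 200 5120 "" "ExampleBrowser/1.0"',
]

def parse(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def persistent_after_block(lines, min_paths=5, window=timedelta(seconds=10)):
    """Map IP -> most distinct paths requested with a 403 inside one window.

    Only IPs reaching min_paths are returned (thresholds are assumptions)."""
    hits = defaultdict(list)  # ip -> [(timestamp, path)] for 403 responses
    for line in lines:
        rec = parse(line)
        if rec and rec["status"] == "403":
            hits[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            paths = {p for _, p in events[start:end + 1]}
            if len(paths) >= min_paths:
                flagged[ip] = max(flagged.get(ip, 0), len(paths))
    return flagged
```

Counting distinct paths rather than raw requests keeps a browser that retries one blocked URL from being flagged alongside a crawler walking the whole forum.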
  2. Deathstarr

    Deathstarr Active Member

    Interesting and thank you for the heads up. I would have not thought this.
     
