Spambots attempting to register by Facebook

tenants

I have known this was happening for quite some time; I even created an add-on as soon as I saw it happening
https://xenforo.com/community/threa...facebook-bots-now-use-this.40717/#post-441623

It's not a common way for spam bots to register, but it's definitely a route I would automate if I wanted multiple xf accounts on many forums (I don't), so I'm surprised I haven't seen more of them

The evidence was collected from the plugin Tac DeDos (which I'm currently upgrading, and why I started going through and examining the logs)
It was prevented in multiple ways (customImgCaptch + AuthCaptcha, and Tac DeDos)

It couldn't get past the Captcha, and was also detected as a Bot Dos (it hit many pages very quickly, and many more reasons)

DeDos Proof:

After being automatically blocked by DeDos (and thus 403 forbidden by htaccess), it then went on to hit hundreds of other pages (all returned 403). This was found in the access logs and is very non-human behavior

I suspect it is a browser based bot (but not Selenium, something less heavy and no js)


  • This bot had no JavaScript
  • Faked its user_agent to look like a browser (as pretty much all spam/scraper bots do)
  • Hit multiple pages quite quickly
  • (+ some other reasons I cannot reveal)
  • At this point the bot has no cookie (this is usually typical of scrapers... but scrapers don't usually try to register, I suspect after registering it would have allowed the cookie to persist)
  • After being locked out via htaccess, continued to hit hundreds of pages:

180.60.30.213 - - [12/May/2015:13:17:17 +0100] "GET /forums/website-reviews/ HTTP/1.1" 403 - "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
180.60.30.213 - - [12/May/2015:13:17:17 +0100] "GET /forums/software-issues/ HTTP/1.1" 403 - "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
180.60.30.213 - - [12/May/2015:13:17:17 +0100] "GET /forums/book-club/ HTTP/1.1" 403 - "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
180.60.30.213 - - [12/May/2015:13:17:17 +0100] "GET /forums/cooking-recipes/ HTTP/1.1" 403 - "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
180.60.30.213 - - [12/May/2015:13:17:17 +0100] "GET /forums/surrey-property-ads/ HTTP/1.1" 403 - "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
180.60.30.213 - - [12/May/2015:13:17:17 +0100] "GET /posts/4525/ HTTP/1.1" 403 - "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"


-- and, as the title suggests, it tried to register via Facebook

[unix_timestamp](human_readable_time) => url_location
[1431433009](Today at 1:16 PM) => /register/facebook?reg=1
[1431433007](Today at 1:16 PM) => /forums/about-surrey-forum/index.rss
[1431433007](Today at 1:16 PM) => /forums/suggestion-box/index.rss
[1431433003](Today at 1:16 PM) => index.php

The IP is from Japan (and the site is a local niche), using what looks like a VPN relay server: ngn-west-213-030-060-180.enjoy.ne.jp

Having looked through my DeDos logs, this is not a lone case, although it's still by far the least common route for bots to register (yet it is the route with the largest holes ... you only need a handful of manually created FB users to automate masses of other sites)
 
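The behaviour the post calls its DeDos proof, a client that keeps requesting page after page while every response is 403, can be looked for directly in an access log. The following is an added example, not part of the original post and not Tac DeDos code; the function names, the thresholds (`min_paths`, `window_s`) and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Access-log layout quoted in the post:
# ip - - [time] "METHOD path PROTO" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip lines in any other layout
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], when, m["path"], int(m["status"])

def crawl_through_block(lines, min_paths=5, window_s=10):
    """Return {ip: n} for clients that requested n >= min_paths distinct
    URLs, all answered 403, inside one window of window_s seconds."""
    denied = defaultdict(list)
    for ip, when, path, status in filter(None, map(parse, lines)):
        if status == 403:
            denied[ip].append((when, path))
    flagged = {}
    for ip, hits in denied.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it spans <= window_s
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            paths = {p for _, p in hits[start:end + 1]}
            if len(paths) >= min_paths:
                flagged[ip] = max(flagged.get(ip, 0), len(paths))
    return flagged

# Constructed sample lines (documentation IP ranges), not the post's logs.
UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
SAMPLE = [
    f'203.0.113.7 - - [12/May/2015:13:17:{17 + i // 3:02d} +0100] '
    f'"GET /forums/section-{i}/ HTTP/1.1" 403 - "" "{UA}"'
    for i in range(6)
] + [
    f'198.51.100.9 - - [12/May/2015:13:{minute}:02 +0100] '
    f'"GET /forums/book-club/ HTTP/1.1" 403 - "" "Mozilla/5.0"'
    for minute in (18, 25)
]
```

On the sample, `crawl_through_block(SAMPLE)` flags only the first client: six distinct URLs denied within two seconds, while the second client's two retries of one URL seven minutes apart stay below the threshold.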