Xrumer 16.0 spam now targeting hidden fields / honeypots (core antispam)

tenants

Well-known member
#1
I predicted correctly that next version would have this in, see:

https://xenforo.com/community/threa...on-page-honey-pots.37063/page-37#post-1129233

Can people let me know when the core honeypots start becoming ineffective?

I believe it will take 2-3 months before people start picking up the latest xrumer version and this becomes a problem for xenforo

I did say this would happen if the core adopts honeypots, thankfully the core has missed quite a few things out that we can still catch bots with

I believe I predicted 10 months, it's taken over a year (xrumer have been slower than I thought)

See:

http://www.botmasterlabs.net/event/2017-01-03/1/ (see IntelliForm)
and
+ improved bypass of antibot-protections by analyzing HTML source code.
+ improved bypass of antibot-protections of "honeypot" type
http://theseobay.com/about-xrumer/2745-new-xrumer-16-xevil-ocr-out.html

It might just be that xrumer think they have gotten around xenforo hidden fields, but they haven't actually done it well enough (just a xrumer boast, they do this sometimes). We'll have to wait and see.

Please make sure you have alternative mechanisms on if you don't want floods of bot spam over the next few months. The core APIs will remain effective for quite some time; I suggest using a non-standard/customisable captcha (one that isn't used by everyone) as a secondary mechanism.

I suspect Google NoCAPTCHA reCAPTCHA is next on their to-do list (this is why I recommend a non-standard/customisable captcha), see: http://www.botmasterlabs.net/event/2016-08-10/1/
 

tenants

Well-known member
#2
I am seeing a steady increase of bot count since the xrumer release (released on Jan 3rd):


[attachment: bot count chart]






Many botters assumed Xrumer to be fairly dead, particularly since the release of GSA, but it looks like people are starting to pick it up again, slowly but surely. When people start cracking the latest xrumer and giving away free versions, that's when we'll really start to see a lot of bot traffic, and this time it's going to be a lot nastier bot traffic.
 

tenants

Well-known member
#3
They are now going through their promotion phase:
https://www.google.co.uk/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=xrumer+16.0
About 138,000 results as of 8/2/17 (This will go up and down as spam gets deleted)

And some bona fide proof from @Deebs that JS-enabled bots are bypassing the core's honeypots and registration timer (I strongly suspect this is xrumer); a human will not get caught by 3 fbhp honeypots:

We also have some non-JS-enabled bots bypassing the core honeypots (I strongly suspect these are mostly GSA).
 

rainmotorsports

Well-known member
#4
I haven't added your plugin back yet but the recent moderation based on rules I have set in TPU Detect Spam is catching some weird ones that match no patterns we normally see. They in fact look like traditional machine generated Spam so I think I'm seeing it too.
 

tenants

Well-known member
#5
There are strange ones coming out of the woodwork, both xrumer and GSA are competing, both are bypassing lots of the common anti-spam techniques (reg timer, hidden fields, js detection).
 

MattW

Well-known member
#6
And some bona fide proof from @Deebs that JS-enabled bots are bypassing the core's honeypots and registration timer (I strongly suspect this is xrumer); a human will not get caught by 3 fbhp honeypots:

We also have some non-JS-enabled bots bypassing the core honeypots (I strongly suspect these are mostly GSA).
Have seen the same myself

[attachment: log screenshot]

That is also getting past Cloudflare's "I'm under attack" protection:
[attachment: Cloudflare screenshot]
 

tenants

Well-known member
#7
Okay, as expected... they're starting to come.

How often are you seeing these logs at the moment @MattW (the ones that are JS-enabled, bypass the registration timer, bypass the core's honeypots but still get caught by fbhp honeypots)? Once a day, once a week?
They should be fairly rare to start with.
 

MattW

Well-known member
#8
I've had to disable registration on this particular site, as it was getting killed with spam registrations (it's a minecraft forum).

From Friday 3rd at 00:04 to 21:28, when I turned off registration, I've got 99 blocked attempts where they hit the FBHP honeypots but passed the core ones.
 

tenants

Well-known member
#9
Okay, a brilliant site to test with. How many of those 99 (approx.) were JS-enabled bots that were bypassing the core HP?

.. sounds like one of my forums. I never turned off registration, fbhp still does an ace job, I didn't touch it for over a year, but it's an old version of XF & fbhp; I also had customImgCaptcha as a backup.
It might need updating to the latest version of fbhp now for these new types of bots.

- There's no need to turn off registration, fbhp will deal with all of these bots (and even reduce the impact they have on server load and resources).
 

tenants

Well-known member
#11
woah, you are getting hit severely with the new types of bots, I didn't expect them so soon, it usually takes a lot longer for new xrumer versions to propagate

Okay, I'm just adding a 2nd detection method
- We already have one that detects Non Browser Based Bots
- Deebs is just testing out a version that also detects Browser Based Bots (This is the type that are hitting you, sounds like xrumer has it in for you)

- It will be up to 100% efficient as before. I've just added the responses back to the fbhp honeypots, so it's already stronger against these types of bots (they were using responses to detect certain types of fields; I had responses in the original fbhp, just added them back).

How long have you had this issue for? The new version of xrumer only released at the beginning of Jan.
 

MattW

Well-known member
#14
The site itself is pretty dead, but I only picked up on it because it was causing a high server load
[attachment: Daily Posts stats]
 

Deebs

Well-known member
#17
woah, you are getting hit severely with the new types of bots, I didn't expect them so soon, it usually takes a lot longer for new xrumer versions to propagate

Okay, I'm just adding a 2nd detection method
- We already have one that detects Non Browser Based Bots
- Deebs is just testing out a version that also detects Browser Based Bots (This is the type that are hitting you, sounds like xrumer has it in for you)

- It will be up to 100% efficient as before. I've just added the responses back to the fbhp honeypots, so it's already stronger against these types of bots (they were using responses to detect certain types of fields; I had responses in the original fbhp, just added them back).

How long have you had this issue for? The new version of xrumer only released at the beginning of Jan.
@tenants new version installed...
 

tenants

Well-known member
#18
Have seen the same myself

[attachment 147803]

That is also getting past Cloudflare's "I'm under attack" protection:
[attachment 147804]

With undetected clean IP addresses, Cloudflare won't stop these; they are also not distributively hammering the site, so DDoS protection won't help.
APIs won't be able to detect clean IPs if they are just registering and waiting, and now, not getting detected by many methods, they'll be able to get away with it until they decide to activate their spam accounts.

JS-enabled bots, bypassing core honeypots, bypassing the registration timer, not detected by APIs (because they're not getting detected by honeypots, and delaying their spamming actions until they have a large volume registered). That's our friend xrumer; all of these options came at once. It sounds a lot like xrumer is now using (at least partially) browser-based automation to get past many of the common anti-spam mechanisms.

- Next will be NoCAPTCHA reCAPTCHA, xrumer are looking into it.
I haven't seen much from GSA about NoCAPTCHA reCAPTCHA.


If you see bots that are bypassing the core honeypots but are not JS-enabled, I strongly believe these are mostly due to a new wave of GSA (they haven't mentioned bypassing JS detection).
If you see bots that are bypassing the core honeypots and are JS-enabled, I strongly believe these are mostly due to a new wave of Xrumer.

In your case @MattW I couldn't be more sure this is xrumer, even if they told me themselves.

I've sent you a version of fbhp that goes out of its way to detect browser-based bots; send me the logs via PM when they start hitting again.

Cheers...

[We've wiped them out elegantly 100% once with fbhp, we'll do it again ... just please stand up and shout if anyone mentions adding fbhp methods to the core again!
If they do, I can't help anyone; we'll all be running out of hard anti-spam methods (methods that can be targeted and should never be added to core products!)]
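Added example, not code from this thread, from FBHP or from XenForo (which is PHP; Python is used here only so the check can be run stand-alone): the pattern posts #1, #11 and #18 describe, in working form. A fixed-name honeypot (`website`) falls to any bot that reads the HTML source and blanks every hidden input. The harder check randomises honeypot names per form, expects some to come back EMPTY and some to come back UNCHANGED with a server-set value (the "response" style fields post #11 mentions), and binds those expectations plus the issue time into an HMAC-signed token so the registration timer cannot be faked by a fast browser-driven bot. Every name here (`SECRET`, `MIN_SECONDS`, `_hp_token`, the `f_…` field names, the constructed submissions) is this example's own assumption.

```python
"""Layered registration anti-bot check (illustrative example, not FBHP/XenForo code)."""
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"example-only-key-rotate-me"  # assumption: a per-site secret kept server-side
MIN_SECONDS = 5                          # assumption: fastest plausible human submission
TOKEN_FIELD = "_hp_token"                # assumption: name of the signed hidden token field


def naive_verify(post: dict) -> str:
    """The weak check: one hidden field with a fixed, guessable name that must stay empty."""
    return "accept" if post.get("website", "") == "" else "reject: honeypot filled"


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_form(now: int) -> dict:
    """Hidden fields to render into the registration form.

    Hide the honeypots with CSS (not type=hidden) so a real browser still posts them
    back untouched while a source-parsing bot has to guess which ones to leave alone.
    """
    spec = {
        "iat": now,                                                   # issue time for the timer
        "empty": [f"f_{secrets.token_hex(4)}" for _ in range(2)],     # must come back empty
        "echo": {f"f_{secrets.token_hex(4)}": secrets.token_hex(8)},  # must come back unchanged
    }
    payload = base64.urlsafe_b64encode(json.dumps(spec).encode())
    fields = {name: "" for name in spec["empty"]}
    fields.update(spec["echo"])
    fields[TOKEN_FIELD] = payload.decode() + "." + _sign(payload)     # stateless, tamper-evident
    return fields


def verify(post: dict, now: int) -> str:
    """Validate a submitted form; returns 'accept' or a 'reject: <reason>' string."""
    token = post.get(TOKEN_FIELD, "")
    payload, _, sig = token.rpartition(".")
    if not payload or not hmac.compare_digest(_sign(payload.encode()), sig):
        return "reject: bad token"
    spec = json.loads(base64.urlsafe_b64decode(payload))
    if now - spec["iat"] < MIN_SECONDS:
        return "reject: submitted too fast"
    if any(post.get(name, "") for name in spec["empty"]):
        return "reject: honeypot filled"
    if any(post.get(name) != value for name, value in spec["echo"].items()):
        return "reject: response field altered"
    return "accept"


def scenarios() -> dict:
    """Constructed submissions (not real traffic) against one issued form."""
    t0 = 1_700_000_000
    form = issue_form(t0)
    visible = {"username": "alice", "email": "alice@example.org"}
    hidden = [k for k in form if k != TOKEN_FIELD]
    token = {TOKEN_FIELD: form[TOKEN_FIELD]}
    human = {**form, **visible}                                           # browser echoes hidden fields untouched
    blanker = {**{k: "" for k in hidden}, **token, **visible}              # read the source, emptied every hidden input
    stuffer = {**{k: "http://spam.example/" for k in hidden}, **token, **visible}  # fills every input it finds
    forged = {**human, TOKEN_FIELD: "x" + form[TOKEN_FIELD]}               # tampered token, signature no longer matches
    return {
        "human": verify(human, t0 + 30),
        "blanker": verify(blanker, t0 + 30),
        "stuffer": verify(stuffer, t0 + 30),
        "browser_bot_instant": verify(human, t0 + 1),                      # perfect echo, but no human is that fast
        "forged_token": verify(forged, t0 + 30),
        "naive_vs_blanker": naive_verify({**blanker, "website": ""}),      # the fixed-name check lets the blanker through
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20} {result}")
```

The token is stateless, so no session storage is needed and a bot cannot replay an old form with a back-dated issue time without breaking the signature; a value set by page JavaScript could be bound into the same token for the JS-enabled check the thread discusses, but that is left out here. A browser-driven bot that renders the page will still pass the honeypots and has to be caught by the timer or by a secondary mechanism such as the non-standard captcha recommended in post #1.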
 