XRumer discussion

Discussion in 'Off Topic' started by Rudy, Nov 27, 2012.

  Rudy

    Rudy Well-Known Member

    Of all the things to be posted in one of my forums as spam, this one takes the cake. It's a spam for the spamming tool on the 'net: XRumer. Thought I'd copy and paste the contents of it here for discussion (so no, I'm not spamming here :D ).

    I will admit that several years ago, I'd played with an early version of XRumer to see what it did, how it worked, and how I might try to combat it. I was dismayed at what I'd found: I made some minimal settings and hit a button, and it was alarming in how fast it could register and post on forums...dozens of them literally within minutes! This is a dangerous tool for spamming.

    It's interesting to note all of the anti-spam features that it "breaks", or claims to. The "70,000 antibot questions" demonstrates that even Q&A captcha can be broken, since so many forum admins use common questions and answers. Apparently they had even "broken" my own "VIP Code" Q&A as we had dozens of spam registrations in 12 hours one day.

    What's even more sad is that they are making a killing on this software...and spammers are buying it!
  ShadyX

    ShadyX Well-Known Member

    I got the same thread in our webmaster marketplace, just removed it.
  Blue

    Blue Well-Known Member

    I can edit my Q&As faster than they can figure them out.
  CyclingTribe

    CyclingTribe Well-Known Member

    FoolBotHoneyPot does the trick for all eight of my sites. :D
  craigiri

    craigiri Well-Known Member

    Do you think they could break a qa like

    Circus funny guy with a d-a-s-h between each letter?
  Edrondol

    Edrondol Well-Known Member

    It'll stop it until the information gets added by a human. After that it'll pick it up normally and get through.

    edit: That's the problem with straight Q&A protection. Pictures work best as they can be easily rotated and can't be easily screen scraped by a bot.
  tenants

    tenants Well-Known Member

    Couldn't agree more, QA's have had their day, and they are now being targeted.
    Once something is targeted, it's then a never-ending battle... you'll only win for a short amount of time until a flood of bots get through

    Some things are much harder to target than others, custom images are quite hard (since they can be very different on every forum)

    Non-popular techniques will only work until a time they become popular... then they will be targeted
    Standard image sets can be targeted
    Standard CAPTCHA systems can be targeted (even systems with the funding of Google -> ReCaptcha)

    Make your anti-spam technique anti-targetable (custom registration pages / custom images / custom techniques)...
    This strategy will hold off bots for a long time!

    There is little point for bots to target a system of an individual forum

    I would also advise more than just one mechanism (so you avoid bot floods when one fails)
  RickM

    RickM Well-Known Member

    I still maintain that the only real way to combat these is to dynamically generate the form on the fly, with unique names for each field that expire after X minutes. Then also use some fancy CSRF on the form to make sure it's being posted from your site, then top that off with both session and cookie data being used.

    Heck, now that most browsers support the HTML 5 "Web SQL Database" standard, you could even write to a local DB then pull the value back. That alone would stop the likes of XRumer for a while.
  tenants

    tenants Well-Known Member

    FoolBotHoneyPot does this for each forum
    • Each forum uses unique names for every field
    • The standard fields "name, email, etc.." are all uuids
    • The order of the fields is dynamically arranged
    • Hidden fields act as traps (with name / email etc being honey-pots)
    The nice thing about FBHP is that there is no negative impact on users... unlike CAPTCHA

    There is no need to rename on the fly unless your forum is being targeted (in which case, you have bigger problems).. but I can update to make it so.
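
The per-view field naming RickM and tenants describe above (unique field names that expire, a token tied to the session, shuffled order, plain-named hidden traps), sketched as an added example. It is not FoolBotHoneyPot's or XenForo's code; `issue_form`, `validate`, the 10-minute lifetime and the field list are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)   # per-site key (assumption: kept server-side)
TTL = 600                          # rendered field names expire after 10 minutes
REAL = ("username", "email", "password")
TRAPS = ("name", "email")          # plain-named hidden inputs; humans leave them empty

def _mac(*parts):
    return hmac.new(SECRET, "|".join(parts).encode(), hashlib.sha256).hexdigest()

def issue_form(session_id, now=None):
    """Return (token, {logical name: rendered name}, render order) for one page view."""
    issued = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    token = f"{nonce}.{issued}.{_mac('tok', session_id, nonce, issued)}"
    names = {f: "f_" + _mac("fld", nonce, issued, f)[:16] for f in REAL}
    order = list(names.values()) + list(TRAPS)
    secrets.SystemRandom().shuffle(order)       # field order differs per view
    return token, names, order

def validate(session_id, token, posted, now=None):
    """Return (ok, fields_or_reason) for a submitted dict of form values."""
    now = time.time() if now is None else now
    try:
        nonce, issued, mac = token.split(".")
        age = now - int(issued)
    except (ValueError, AttributeError):
        return False, "malformed token"
    expected = _mac("tok", session_id, nonce, issued)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "token not issued to this session"
    if not 0 <= age <= TTL:
        return False, "form expired"
    if any(posted.get(t) for t in TRAPS):
        return False, "honeypot filled"
    fields = {}
    for f in REAL:
        value = posted.get("f_" + _mac("fld", nonce, issued, f)[:16])
        if not value:
            return False, "missing " + f
        fields[f] = value
    return True, fields
```

Because the rendered names are derived from the nonce rather than stored, the server keeps no per-form state, and a submission recorded against one page view fails against the next.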
  craigiri

    craigiri Well-Known Member

    But doesn't that assume each forum individually is targeted and fed back by a human? How long would it take for X to update their script? A forum could change that separator every two weeks or month - i.e., circus funny guy with a period between letters.....

    Scripts have yet to break our XF install, but I think I will add the time-to-register add-on and the honeypot as extras.

    With these scripts, it isn't a matter of whether they can avoid every trap, but whether it is of value (time) for them to do so. Fortunately for those of us who pay some attention, there are lots of easy targets around.
  tenants

    tenants Well-Known Member

    People don't realise that the questions they use are rarely unique, or can easily be queried

    So by adding the answer to the XRumer TextCAPTCHA for one forum, you often get through many more forums.

    If you take a photo of your room for CAPTCHA... that will never be the same photo on any two systems

    It is possible to update the TextCAPTCHA immediately after a run, so how often you need to change the QA really depends on how "bothered" the bot user can be... if they haven't gained many links, then they will be fairly bothered

    But yes, many thousands of individual forums have been targeted (they held a competition not long ago to record 70k QA and answers) but for one technique: "QA"... and this technique is very easy to record and share the answer with everyone.

    It's always of value to break a technique (it takes no effort to leave a bot running overnight), but it's rarely of value to break a technique where it will only apply to one forum (recording an image for an individual custom img CAPTCHA that is used nowhere else is time-consuming and will only get you through one forum.. this is then easy for the forum owner to replace with another unique img)

    The "great" thing about XRumer is that it lets you create links on thousands of forums (not that it can target one)
  vVv

    vVv Guest

    i'm surprised these A-holes haven't had their sites hacked, destroyed, nor sued yet... Then of course, what's the point, everyone loves to talk about them anyway, even if it's to "learn" more about them and how they function and work.. so they're still getting "patted on back" and more publicity anyway ... lol. might as well turn off all anti-spam features, warm welcoming to your forums and chat over coffee and donuts, make pretty ad banner to advertise them too and place that on your forums as well to help give them more sales.. :) :p
  tenants

    tenants Well-Known Member

    ... hey, if they posted half decent "spam", I would almost encourage them.. turn off everything and let them through ;)

    Some actually do start pretty good conversations, and people reply to them, so they're not all bad (unfortunately none click adverts... and it wouldn't be legal/ethical if they did)
    but the vast majority are nonsensical, not on topic enough and seem to be just advertising.

    Hacking/DoS attack would obviously be illegal, and would only reduce their sales for that day. And they do claim to comply with the laws of USA, Canada, Australia, Europe and Russian Federation


    Watching the progress of XRumer (and a few others) is pretty interesting.. but I have to agree, we have far too many threads about it on XF now.
  Kim

    Kim Well-Known Member

    I think giving them any publicity by name is a mistake myself.

    It is exactly what they want.
  Brandon Sheley

    Brandon Sheley Well-Known Member

    We deleted the sales thread that was posted on our site a few weeks ago as well.
    It's interesting if you google the first sentence and see how many forums don't realize it's spam :p
  vVv

    vVv Guest

    i'm all for the "learning" about them though, learning their functionality, processes, the source code / etc... Because that's knowing/learning your enemy, but just without giving them more publicity / "pats on the back" though lol. Would be awesome to block them all at a "top level / source" method. Not just by username, email address, and IP address.. but by somehow "knowing" they're coming to site from xrumer/spammer software / program / whatever.. they're then blocked instantly. Like.. user1, user2 are coming from xrumer software/program/tool - blocked. user3 and user4 are legit-not coming from xrumer/spammer program/software/tool, allow.
  Brandon Sheley

    Brandon Sheley Well-Known Member

    Well I'm not sure exactly how well it works but mr GTB told me about this code to put in your .htaccess file to block the program.

    <IfModule mod_rewrite.c>
    RewriteEngine On
    # Return 403 Forbidden when the User-Agent header starts with "xpymep.exe"
    RewriteCond %{HTTP_USER_AGENT} ^xpymep\.exe
    RewriteRule ^.* - [F,L]
    </IfModule>
  vVv

    vVv Guest

    haha nice!! will try it! :D see, that's easier to do than installing millions of anti-spam crap all the time. now, if only there's way to do this for all known spam software as well haha. just build it into core files of forum software to block em all like that.. then no need for anti-spam resources lol.

    have in ACP > Block Spam/Xrumer software .exe files/programs/tools >
    add new / delete
    soft ban/ hard ban
    etc etc
  Brandon Sheley

    Brandon Sheley Well-Known Member

    He eventually mentioned this link and I edited my htaccess to block a few things.
  vVv

    vVv Guest

    sweet deal! thanks man, will edit my htaccess file again, that other one seems to be working too. :) :D like i said above there, someone make resource or build it into core.. like..

    have in ACP > Block Spam/Xrumer software .exe files/programs/tools >
    add new / delete
    soft ban/ hard ban
    etc etc

    Or, way to enter those listings from that link you just gave too. Have central blockage center in ACP for that stuff. Keep the .htaccess file nice/clean/tidy lol.
