XRumer discussion

Wildcat Media

Well-known member
Of all the things to be posted in one of my forums as spam, this one takes the cake. It's a spam for the spamming tool on the 'net: XRumer. Thought I'd copy and paste the contents of it here for discussion (so no, I'm not spamming here :D ).


XRumer 7.7.35 is the best soft for mass posting.

+ automatically register profiles, edit profiles, make topics/replies on forums
+ automatically confirm links in e-mails (and auto-register email accounts for that!)
+ automatically break captchas during registering and posting (only XRumer 7.7.35 can break more than 150 types of captchas, included ReCaptcha and flash-captchas)
+ XRumer recognize and answer the antibot-questions (like "2+2=?", "What is capital of England?", etc.; ONLY XRumer 7.7.35 have answers on more than 70.000 antibot questions!)
+ this program has unique intellectual mode "Antispam": its a spesial thematic posting
+ automatically update and check proxy-lists for 100% anonymity
+ its works withs blogs and social networks
+ there are lot of articles about XRumer on recouses with high reputation: "Washington post", "WikiPedia.Org", "Sophos Labs", "Symantec"
+ monthly updates increase powerful of this software everytime, XRumer has a 7-years history

And, by the way, XRumer price will be officially increased to $650 in 5 january 2013, with new important functions.

Need more info? Just Google :wink:

I will admit that several years ago, I'd played with an early version of XRumer to see what it did, how it worked, and how I might try to combat it. I was dismayed at what I'd found: I made some minimal settings and hit a button, and it was alarming in how fast it could register and post on forums...dozens of them literally within minutes! This is a dangerous tool for spamming.

It's interesting to note all of the anti-spam features that it "breaks", or claims to. The "70,000 antibot questions" demonstrates that even Q&A captcha can be broken, since so many forum admins use common questions and answers. Apparently they had even "broken" my own "VIP Code" Q&A as we had dozens of spam registrations in 12 hours one day.

What's even more sad is that they are making a killing on this software...and spammers are buying it!
 
Do you think they could break a qa like

Circus funny guy with a d-a-s-h between each letter?

It'll stop it until the information gets added by a human. After that it'll pick it up normally and get through.

edit: That's the problem with straight Q&A protection. Pictures work best as they can be easily rotated and can't be easily screen scraped by a bot.
 
It'll stop it until the information gets added by a human. After that it'll pick it up normally and get through.

edit: That's the problem with straight Q&A protection. Pictures work best as they can be easily rotated and can't be easily screen scraped by a bot.

Couldn't agree more, QA's have had their day, and they are now being targeted.
Once something is targeted, it's then a never-ending battle... you'll only win for a short amount of time until a flood of bots get through

Some things are much harder to target than others, custom images are quite hard (since they can be very different on every forum)

Non popular techniques will only work until a time they become popular... then they will be targeted
Standard images sets can be targeted
Standard CAPTCHA systems can be targeted (even systems with the funding of Google -> ReCaptcha)

Make your anti-spam technique anti-targetable (custom registration pages / custom images / custom techniques)...
This strategy will hold off bots for a long time!

There is little point for bots to target a system of an individual forum

I would also advise more than just one mechanism (so you avoid bot floods when one fails)
 
I still maintain that the only real way to combat these is to dynamically generate the form on the fly, with unique names for each field that expire after X minutes. Then also use some fancy CSRF on the form to make sure it's being posted from your site, then top that off with both session and cookie data being used.

Heck, now that most browsers support the HTML 5 "Web SQL Database" standard, you could even write to a local DB then pull the value back. That alone would stop the likes of XRumer for a while.
 
I still maintain that the only real way to combat these is to dynamically generate the form

FoolBotHoneyPot does this for each forum
  • Each forum uses unique names for every field
  • The standard fields "name, email, etc.." are all uuids
  • The order of the fields are dynamically arranged
  • Hidden fields act as traps (with name / email etc being honey-pots)
The nice thing about FBHP is that there is no negative impact on users... unlike CAPTCHA

There is no need to rename on the fly unless your forum is being targeted (in which case, you have bigger problems).. but I can update to make it so.
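The field renaming, expiry, session-bound token and honeypot traps described in the two posts above, sketched as an added example; it is not part of the thread and is not FoolBotHoneyPot's or XenForo's code. The secret, the field labels, the ten-minute expiry and the minimum fill time are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import random
import time

SECRET = b"constructed-demo-secret"  # assumption: per-site key kept server-side
REAL = ("username", "email")         # fields the forum actually wants
TTL, MIN_FILL = 600, 3               # names expire after 10 min; under 3 s is too fast

def alias(session_id, issued, label):
    """Per-session, per-issue field name; unguessable without SECRET."""
    msg = f"{session_id}|{issued}|{label}".encode()
    return "f" + hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def build_form(session_id, now=None):
    """Describe the form to render: (name, label, hidden) in shuffled order."""
    issued = int(time.time() if now is None else now)
    fields = [(alias(session_id, issued, r), r, False) for r in REAL]
    # Honeypots keep the names a generic bot looks for; CSS hides them from people.
    fields += [(r, r, True) for r in REAL]
    random.shuffle(fields)
    return {"issued": issued, "token": alias(session_id, issued, "token"),
            "fields": fields}

def check_submission(session_id, issued, token, posted, now=None):
    """Return (values, reason); values is None when the post is rejected."""
    now = int(time.time() if now is None else now)
    expected = alias(session_id, issued, "token")
    # The token binds the timestamp to this session, so neither can be forged.
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return None, "bad token"
    if now - issued > TTL:
        return None, "expired"
    if now - issued < MIN_FILL:
        return None, "too fast"
    if any(posted.get(r) for r in REAL):
        return None, "honeypot filled"
    values = {r: posted.get(alias(session_id, issued, r), "") for r in REAL}
    if not all(values.values()):
        return None, "missing field"
    return values, "ok"

if __name__ == "__main__":
    form = build_form("sess-1", now=1000)
    human = {n: f"{l}-value" for n, l, hidden in form["fields"] if not hidden}
    print(check_submission("sess-1", 1000, form["token"], human, now=1030))
    bot = {"username": "bot", "email": "bot@example.invalid"}
    print(check_submission("sess-1", 1000, form["token"], bot, now=1030))
```

The `issued` value and `token` travel as hidden inputs in the rendered form; a recorded field name is useless once the session or the issue time changes.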
 
It'll stop it until the information gets added by a human. After that it'll pick it up normally and get through.

edit: That's the problem with straight Q&A protection. Pictures work best as they can be easily rotated and can't be easily screen scraped by a bot.

But doesn't that assume each forum individually is targeted and fed back by a human? How long would it take for X to update their script? A forum could change that separator every two weeks or month - i.e., circus funny guy with a period between letter.....

Scripts have yet to break our XF install, but I think I will add the time-to-register add-on and the honeypot as extras.

With these scripts, it isn't a matter of whether they can avoid every trap, but whether it is of value (time) for them to do so. Fortunately for those of us who pay some attention, there are lots of easy targets around.
 
But doesn't that assume each forum individually is targeted .

People don't realise that the questions they use are rarely unique, or can easily be queried

So by adding the answer to the XRumer TextCAPTCHA for one forum, you often get through many more forums.

If you take a photo of your room for CAPTCHA... that will never be the same photo on any two systems


for X to update their script? A forum could change that separator every two weeks or month - i.e., circus funny guy with a period between letter.....

It is possible to update the TextCAPTCHA immediately after a run, so how often you need to change the QA really depends on how "bothered" the bot user can be... if they haven't gained many links, then they will be fairly bothered

But yes, many thousands of individual forums have been targeted (they held a competition not long ago to record 70k QA and answers) but for one technique: "QA"... and this technique is very easy to record and share the answer with everyone.

It's always of value to break a technique (it takes no effort to leave a bot running overnight), but it's rarely of value to break a technique where it will only apply to one forum (recording an image for an individual custom img CAPTCHA that is used nowhere else, is time consuming and will only get you through one forum.. this is then easy for the forum owner to replace with another unique img)

The "great" thing about XRumer is that it lets you create links on thousands of forums (not that it can target one)
 
i'm surprised these A-holes haven't had their sites hacked, destroyed, nor sued yet... Then of course, what's the point, everyone loves to talk about them anyway, even if it's to "learn" more about them and how they function and work.. so they're still getting "patted on back" and more publicity anyway ... lol. might as well turn off all anti-spam features, warm welcoming to your forums and chat over coffee and donuts, make pretty ad banner to advertise them too and place that on your forums as well to help give them more sales.. :) :p
 
... hey, if they posted half decent "spam", I would almost encourage them.. turn off everything and let them through ;)

Some actually do start pretty good conversations, and people reply to them, so they're not all bad (unfortunately none click adverts... and it wouldn't be legal/ethical if they did)
but the vast majority are non-nonsensical, not on topic enough and seem to be just advertising.

Hacking/DoS attacks would obviously be illegal, and would only reduce their sales for that day. And they do claim to comply with the laws of USA, Canada, Australia, Europe and Russian Federation

2. Isn't it a spam-bot?
In no way XRumer acts like a spam-bot since spam is defined in legislation as 'unsolicited email', whereas XRumer simply posts messages created by users, which cannot be illegal providing the user does not violate the legislation by provoking racial hatred or anything prohibited by the law. Besides, in most cases XRumer is smart enough to find sections like 'Flood', 'Off topic', 'Flame', 'Chit-chat' where advertising takes place with the permission from moderators and webmasters. XRumer is not an email spam bomber and should not be confused with such software. The laws of USA, Russia, Canada, Spain, Germany, France and other countries explicitly state the illegal nature of email spam which XRumer has nothing to do with.
http://www.botmasterlabs.net/faq/

Watching the progress of XRumer (and a few others) is pretty interesting.. but I have to agree, we have far too many threads about it on XF now.
 
We deleted the sales thread that was posted on our site a few weeks ago as well.
It's interesting if you google the first sentence and see how many forums don't realize it's spam :p
 
i'm all for the "learning" about them though, learning their functionality, processes, the source code / etc... Because that's knowing/learning your enemy, but just without giving them more publicity / "pats on the back" though lol. Would be awesome to block them all at a "top level / source" method. Not just by username, email address, and IP address.. but by some how "knowing" they're coming to site from xrumer/spammer software / program / whatever.. they're then blocked instantly. Like.. user1, user2 are coming from xrumer software/program/tool - blocked. user3 and user4 are legit-not coming from xrumer/spammer program/software/tool, allow.
 
Would be awesome to block them all at a "top level / source" method.
Well I'm not sure exactly how well it works but mr GTB told me about this code to put in your .htaccess file to block the program.

Code:
<IfModule mod_rewrite.c>
RewriteEngine On
# Return 403 Forbidden to any client whose User-Agent starts with "xpymep.exe"
RewriteCond %{HTTP_USER_AGENT} ^xpymep\.exe
RewriteRule ^.* - [F,L]
</IfModule>
 
Well I'm not sure exactly how well it works but mr GTB told me about this code to put in your .htaccess file to block the program.

Code:
<IfModule mod_rewrite.c>
RewriteEngine On
# Return 403 Forbidden to any client whose User-Agent starts with "xpymep.exe"
RewriteCond %{HTTP_USER_AGENT} ^xpymep\.exe
RewriteRule ^.* - [F,L]
</IfModule>

haha nice!! will try it! :D see, that's easier to do than installing millions of anti-spam crap all the time. now, if only there's way to do this for all known spam software as well haha. just build it into core files of forum software to block em all like that.. then no need for anti-spam resources lol.

have in ACP > Block Spam/Xrumer software .exe files/programs/tools >
add new / delete
soft ban/ hard ban
etc etc
 
He eventually mentioned this link and I edited my htaccess to block a few things.
http://www.javascriptkit.com/howto/htaccess13.shtml

sweet deal! thanks man, will edit my htaccess file again, that other one seems to be working too. :) :D like i said above there, someone make resource or build it into core.. like..

have in ACP > Block Spam/Xrumer software .exe files/programs/tools >
add new / delete
soft ban/ hard ban
etc etc

Or, way to enter those listings from that link you just gave too. Have central blockage center in ACP for that stuff. Keep the .htaccess file nice/clean/tidy lol.
 