vb.org Archive

Forum: vB3 General Discussions
Thread: SpamBots xRummer et al, bypass validate code?? (https://vborg.vbsupport.ru/showthread.php?t=287672)

pattycake 09-10-2012 01:38 AM

SpamBots xRummer et al, bypass validate code??
 
I have been studying the various methods used by spambots to auto-register and I'm trying to understand their methods so I can better fight them off.

Here's my question:
If a validation email is created for new members, and that email includes a validation code,
how is it that spambots are able to validate if they never received the validation code?

Here is an example:
Spammer used npaqvp@ype.com to signup.
It's the actual email address used by the spambot - the email address is a bogus, invalid email address that will bounce.

The validation email included among other things, the following links:

Code:

http://xxxxx.com/register.php?a=act&u=5692&i=dbbce576f9aa08c4f40ef2d5318f616cbf6c39a8
The validation code for the above is: dbbce576f9aa08c4f40ef2d5318f616cbf6c39a8

If he never got the email (it was an invalid, bogus email address), that means that he obviously never got the validation code, so how was he (or the spambot) still able to validate?? He doesn't know the validation code because he never got the email... yet he was still able to validate his acct.

Is there some link that would allow him to validate without having that validation code?

Confused,
-pat-

ForceHSS 09-10-2012 04:24 AM

Maybe the email is being forwarded to his real email address when sent to this fake one.

vijayninel 09-10-2012 04:53 AM

This is interesting. It also means that we could be sending mails, newsletters etc. to non-existing e-mail addresses. Something that could get you in trouble in the longer run.

pattycake 09-10-2012 06:30 AM

Quote:

Originally Posted by vijayninel (Post 2364175)
This is interesting. It also means that we could be sending mails, newsletters etc. to non-existing e-mail addresses. Something that could get you in trouble in the longer run.

I also own a very large forum with 150,000 members, 4 million posts... I monitor all bounced emails daily because yes, been there, done that... it can get you black-balled by a provider for continuing to send emails to non-existent or bogus emails. They assume you are a spammer using some list.

I revised my forum software adding a field called "Disable Emails"... if anyone bounces an email, they get tagged with "Disable Emails"... the system will no longer send any emails to that address until the email address has been corrected.

btw: I have stopped the spambots from posting... took a bit of creative coding in the register.php script but it has been 100% effective. They can still signup like any other person but... they (and they alone) get tagged as an UnApproved Coppa user meaning... they cannot post, pm, do a sig. All I have to do is view the Coppa users ever so often. Since I don't do Coppa at my site, anyone in there is a SpamBot... one click and they all are gone.

--------------- Added 09-10-2012 at 07:41 AM ---------------

Quote:

Originally Posted by ForceHSS (Post 2364172)
Maybe the email is being forwarded to his real email address when sent to this fake one.

Nope... vBulletin sends the email to whatever email address he entered during registration... he could not enter a "cc" or a "bcc" or a forward unless the original email address was real.

Check that... if he actually owns the mail server, it could be done. He could first create the bogus email address, then disable the bogus email address, but put a .forward (or a .copy) in it, forwarding it to a real email address. But, he would have to have control over the mail server.

I really think there must be a command line to register.php that will allow someone to validate without knowing that validation code.

I'm going to start poring through the logs to see if I can find out for sure.

--------------- Added 09-10-2012 at 11:01 AM ---------------

Here's another that just validated... notice the bounced/invalid email address.

Code:

Unknown user: AnnenlySeDfef@aol.com

RCPT TO generated following response:
550 5.1.1 <AnnenlySeDfef@aol.com>: Recipient address rejected: aol.com

Original message follows.
Received: from mail.xxxxx.com [127.0.0.1] by mail.xxxxx.com with ESMTP
  (SMTPD32-8.15) id AA1C2D4300CC; Mon, 10 Sep 2012 02:43:24 -0500
Date: Mon, 10 Sep 2012 07:54:17 +0000
To: AnnenlySeDfef@aol.com
From: "xxxxx.com" <xxxxx_admin@xxxxxx.com>
Auto-Submitted: auto-generated
Return-Path: pat@xxxxk.com
Message-ID: <20120910075417.4f7bb88beeed@www.xxxx.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
Subject: Action Required to Activate Membership for xxxxx.com

Dear ScavaOnette,

Thank you for registering at the xxxxx.com. Before we can activate your account one last step must be taken to complete your registration.

Please note - you must complete this last step to become a registered member. You will only need to visit this URL once to activate your account.

To complete your registration, please visit this URL:
http://xxxxx.com/register.php?a=act&u=5698&i=6225256255d02fe1f3bff014b90e3920f146aece


Notice it bounced, undelivered, yet he was still able to validate. How could he validate without having the validation code??

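As an added example (not code from the thread or from vBulletin), here is how the "Disable Emails" tagging pattycake describes could be driven from a bounce like the one quoted above: the SMTP reply line is parsed, a permanent (5xx) failure tags every account using that address, and the tag is only cleared when the member actually changes the address. The sample bounce text, the user table and the `disable_emails` field name are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the bounce quoted in the thread (placeholder domains).
SAMPLE_BOUNCE = """Unknown user: AnnenlySeDfef@aol.com

RCPT TO generated following response:
550 5.1.1 <AnnenlySeDfef@aol.com>: Recipient address rejected: aol.com

Original message follows.
To: AnnenlySeDfef@aol.com
Subject: Action Required to Activate Membership for xxxxx.com
"""

# SMTP reply line: 5xx is a permanent failure (disable mail), 4xx is transient (retry later).
STATUS_RE = re.compile(r"^(?P<code>[45]\d\d)(?: (?P<enh>\d\.\d+\.\d+))? <(?P<addr>[^>]+)>", re.M)
TO_RE = re.compile(r"^To:\s*(?P<addr>\S+@\S+)\s*$", re.M)

@dataclass
class Bounce:
    address: str
    code: int        # SMTP reply code, 0 if no reply line was found
    permanent: bool

def parse_bounce(text):
    """Pull the rejected recipient and SMTP status out of a bounce body; fall back to To:."""
    m = STATUS_RE.search(text)
    if m:
        code = int(m.group("code"))
        return Bounce(m.group("addr").lower(), code, code >= 500)
    t = TO_RE.search(text)
    return Bounce(t.group("addr").lower(), 0, False) if t else None

def apply_bounce(users, bounce):
    """On a permanent failure, set the hypothetical disable_emails flag; return ids tagged."""
    if bounce is None or not bounce.permanent:
        return []
    tagged = []
    for uid, u in users.items():
        if u["email"].lower() == bounce.address and not u.get("disable_emails"):
            u["disable_emails"] = True
            tagged.append(uid)
    return tagged

def update_email(users, uid, new_email):
    """Clear the flag only when the member really changes the address."""
    if new_email.lower() != users[uid]["email"].lower():
        users[uid].update(email=new_email, disable_emails=False)
```

A transient 4xx reply (mailbox full, greylisting) is deliberately left untagged so a real member is not cut off by a temporary failure.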

pattycake 09-23-2012 09:19 PM

This continues to happen... the spammer's email bounces so he does not get the validation code, yet he is still able to supply the verification code and validate. Surely I'm not the only one that is experiencing this?

Max Taxable 09-23-2012 11:26 PM

Quote:

Originally Posted by pattycake (Post 2368031)
This continues to happen... the spammer's email bounces so he does not get the validation code, yet he is still able to supply the verification code and validate. Surely I'm not the only one that is experiencing this?

End all autospam registrations now, with this simple and elegant modification.

IsBot - Registration time check

pattycake 09-24-2012 12:44 AM

The time between registering has long since been defeated by XRumer. They even have a setting of waiting 5, 10, 15, 20, and 30 seconds.

Even if XRumer couldn't get around it like they already have, there is still something wrong in the registration process that is allowing people to validate without knowing the validation code. That's the issue at hand. Not how to reduce spam, etc... but... how are they bypassing the validation? Something in VB is letting them in.

If you want to at least make XRumer stumble, and this is straight from XRumer:

http://www.blackhatworld.com/blackha...r-posters.html

1. edit the footprints
2. edit the code that detects fields
3. make a custom human verification field
4. don't auto approve accounts

i.e., Edit the footprints - XRumer goes to your index.php and looks at the meta tag to see if and what version of vBulletin is being run. Go edit that meta tag and you won't get found by a script. I even changed mine to display "phpBB 1.4" so that they use the wrong script on my site.

i.e.: Make a custom human verification field - I have a radio button field in registration.
Spammer Check: Are you a script/bot to help you scam (default is YES)? Or are you a real human being?
Every one of the 500+ scripts that has hit my site has failed that question. I could automatically delete their acct if they don't answer correctly but just to be safe, I don't automatically delete the account - I coded it so they are set to a Coppa user meaning... they cannot post, and have to be manually validated. All legit members bypass that Coppa stuff.

Wanna know another method? Change the name of "register.php". The XRumer script uses "register.php" - if it doesn't exist, it fails. If you are using a Linux box, just capitalize the first letter so that it is "Register.php". Yes, there are numerous code changes that need to be made to handle the new name but it's fairly easy to "grep" and find all occurrences of "register.php" in vBulletin. It took me less than 10 minutes to make all of the changes.

One more method: Change the registration to use Ajax... All versions of XRumer implode when they hit that code.

Still though, the original question still exists - how are they able to validate without knowing the validation code?


Max Taxable 09-24-2012 01:15 AM

Quote:

Originally Posted by pattycake (Post 2368064)
The time between registering has long since been defeated by XRumer. They even have a setting of waiting 5, 10, 15, 20, and 30 seconds.

Nonsense. I haven't had a single auto registration be successful since I installed that modification.

pattycake 09-24-2012 01:29 AM

OK... whatever, I'm just telling you that the new XRumer has an option to use the delay. YMMV

Max Taxable 09-24-2012 01:36 AM

Quote:

Originally Posted by pattycake (Post 2368069)
OK... whatever, I'm just telling you that the new XRumer has an option to use the delay. YMMV

Any link you can post where it shows this feature? I keep up with it pretty well, have seen the latest version and no mention of time based defeats.

And yes it looks like you might have found evidence of some kind of exploit on the verification codes. I haven't experienced this yet or ever heard of it, but my main goal is to stop bogus registrations, not collect them.

IsBot isn't the only tool I use, two of my tools are homemade custom ones I'll never talk about.... And ones that will never be defeated or bypassed.

I get ZERO spam despite 100s of attempts daily. I get NO auto registrations despite 100s of attempts daily.

Might be why I never ran into the problem you're describing.


All times are GMT.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
