vb.org Archive - View Single Post - SpamBots xRummer et al, bypass validate code??

pattycake · #7 09-24-2012, 12:44 AM

the time between registering has long since been defeated by XRumer. They even have a setting of waiting 5, 10, 15, 20, and 30 seconds.

Even if XRumer couldn't get around it like they already have, there is still something wrong in the registration process that is allowing people to validate without knowing the validation code. Thats the issue at hand. Not how to reduce spam, etc... but... how are they bypassing the validation. Something in VB is letting them in.

If you want to at least make XRumer stumble, and this is straight from XRumer:

http://www.blackhatworld.com/blackha...r-posters.html

1. edit the footprints
2. edit the code that detects fields
3. make a custom human verification field
4. don't auto approve accounts

ie, Edit the footprints - XRumer goes to your index.php and looks at the meta tag to see if and what version of vbulletin is being run. Go edit that meta tag and you won't get found by a script. I even changed mine to display "phpBB 1.4" so that they use the wrong script on my site.

ie: Make a custom human verification field - I have a radio button field in registration.
Spammer Check: Are you a script/bot to help you scam (default is YES). Or are you a real; human being?
Every one of the 500+ scripts that has hit my site has failed that question. I could automatically delete their acct iof they don't answer correctly but just to be safe, I don't automatically delete the account - I coded it so they are set to a Coppa user meaning... they cannot post, and have to be manually validated. All legit members bypass that Coppa stuff.

Wanna know another method? Change the name of "register.php". The XRumer script uses "register.php" - if it doesn't exist, it fails If you are using a Linux box, just capitalize the first letter so that it is "Register.php". Yes, there are numerous code changes that need to be made to handle the new name but it's fairly easy to "grep" and find all occurances of "register.php" in vBulletin. It took me less than 10 minutes to make all of the changes.

One more method: Change the regsitartion to use Ajax... All versions of XRumer implode when they hit that code.

Still though, the original question still exists - how are they able to validate without knowing the validation code?

.
.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01172 seconds Memory Usage 1,767KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD_SHOWPOST (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_box (1)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (1)post_thanks_postbit_info (1)postbit (1)postbit_onlinestatus (1)postbit_wrapper (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit reputationlevel showthread	Included Files: ./showpost.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showpost_start bbcode_fetch_tags bbcode_create postbit_factory showpost_post postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start showpost_complete
Messages: