SPAM IS NOW OUT OF CONTROL - I have a solution but need help implementing.

[mmllc]

I totally blame this on software like Xrumer or whatever new crapware is coming out helping these spammers spam en masse without regard for the forum alerting to them it is profitable to be low lives instead of trying to find a real job that pays them for an honest days work.

I would never complain without offering a solution to this problem and I have searched and searched and no one seems to be able to effectuate this very simple solution that I already have implemented to a certain degree; I need help finishing this off for all Vbulletin owners.

For about a year or so I have added into my registration process a question, in my case, "WHAT YEAR DID YOU START DOING XYZ?"

I've seen some websites ask, WHAT IS 12 + 13 = ?

Or what is the capital of Russia = ?

And based on the answer webasmters can easily tell if this registrant is a bot or human.

In my case, spam bots ALWAYS answer by repeating their NICKNAME instead of a year.

So the only recourse I could take based on this question being incorrect was to go into my SQL and sort them by those who do not answer with a year. The first time I did a mass pruning of these low lives through my SQL I simply zeroed in on them, and deleted the entire row of their USER entry. This seemed to do the trick except, I did not realize by deleting user 84888 would move user 84889 into its place, totally screwing with the "GOOD" members posts, and creating a big big problem. Of course this was the wrong way to go about it.

And mass pruning just simply does not do the trick, please don't suggest it either.

All I ask, which has been asked before and no one stood up to write something to finish this off, is that someone recommend simply that this CUSTOM USER FIELD with the question of WHAT YEAR DID YOU START be in a column during the List Users Awaiting Moderation page where we all can ACCEPT, DENY, or IGNORE new registrants.

I GUARANTEE you this will all but eliminate the SPAM BOT problem by allowing we honest webmasters to see before these fraudsters can join who answers this field as a human or a bot. I've tried to peek into the PHP and this type of programming is beyond me... trust me I have tried.

I'm not mad at vbulletin or anything, I love this software, I just can't put up with these spam bots a single more day. It's taking over my forum despite all the CAPTCHA mods and other preventative measures offered both here and on vbulletin.com.


So to sum up: How can we add a CUSTOM USER FIELD column to the USERS AWAITING MODERATION page, where we see USER NAME, EMAIL, IP ADDRESS already.

Thank you for your help.

-Mike

[kh99]

I read your post and I see what you're asking for. I don't have an answer, but I just want to point out that using "question and answer" human verification with a few simple questions (like you suggested) instead of using reCAPTCHA seems to be working for most people. I know on our site we use that and we get 5-10 spammer registrations a day (almost all putting links in their profile as opposed to posting spam), and I'm convinced that they're all humans. I came to that conclusion because I logged all responses to the questions for a few days and I saw no sign of random guessing or anything like that.

Anyway, just FYI.

[Max Taxable]

I have no spam problem at all. Thousands try, none succeed. And completely without any need for me to moderate it.

I merely make the answer the same as the question in the Q&A, making the question a LONG instruction to copy and paste the question into the answer box. There are three of these, all worded differently but are the same thing.

Bots cannot read, comprehend instructions or copy and paste. Their registration fails.

Why would you need anything other than this? Why do you want to do all the busy work of moderating new registrations?

[mmllc]

Thanks KH99 and Max I appreciate your help.

I wish I had no spam or as little spam as you guys received, we just seem like we're marked for SPAM like Steven Segal was "Marked for Death"

Ok, so, let me do what you guys suggested before making any modifications.


I always enjoyed moderating users one by one until I started getting 100's of new registrations each day, 90% or more being bots, checking one by one became a monotonous task.

Then I looked in the Whos Online, and leaving spiders out, I would see dozens of "guests" and registered users all in the same IP range like, 220.3.139.X - X being 1-999, and when I blocked them via Htaccess, my server load went down tremendously and in a few days the spammers caught on and switched up the IPs they used and it continued.

Not exactly what Im asking of here in my original post, but it goes to the heart of the matter, someone has zeroed in on my forum to be a spammers paradise and Im just trying to fight back whatever way I can.

The common denominator for all these spammers turned out being that they would join, and whatever software they are using is very good, bypassing every single type of CAPTCHA method I employ, except for not expecting this extra user field I require at sign up that requires a date, instead, they simply repeat their Nickname which is some crap like XjhiaDADHJAS, total gibberish, in the YEAR STARTED field. So its just the easiest way I can tell that someone that is not a human being at a computer trying to register. What you recommend cuts them off before it even gets to that step, which is even better! I agree.

So, even though some Vbul Webmasters ask for a question that needs to be uniform for someone to join i.e., 2+2 always equals 4, my question allows for many different answers like 2002, 2003, and so on, so it is not a uniform answer that is a yes no result blocking their entry, rather, its for me to see after they have tried to join if its a bot or a human that took the 2 seconds to say, i started in this year which also serves a dual purpose in the members' socializing with other members during their time on our site.



So Max, let me ask you. What setting within the Admincp would block someone from joining if the answer to your question(s) is incorrect? How is this effectuated because I will abandon the way I am doing it and adopt yours if it really works that well. I swear on everything holy these people are using bots, which in turn use hundreds of proxy ip's that make it all but impossible for me (one human) to block them one by one; you seem to have the right way to do it.

Thanks a bunch.

[Lynne]

Since we went to just Q&A (with a couple of questions that are very specific to the site), we get maybe 1 successful spam registration a month - before, we were getting about 5-10 a week. I also use Calorie's Is Bot mod which when I first installed it was catching 90 bots a day (have no idea how many now since I removed the feature that sends an email everytime it catches a bot).

edit: Wow, I turned back on the emails and got 20 about users that were stopped in the last 3 hours! I'm turning it back off. :/

[Max Taxable]

Quote:

Originally Posted by mmllc

So Max, let me ask you. What setting within the Admincp would block someone from joining if the answer to your question(s) is incorrect? How is this effectuated because I will abandon the way I am doing it and adopt yours if it really works that well. I swear on everything holy these people are using bots, which in turn use hundreds of proxy ip's that make it all but impossible for me (one human) to block them one by one; you seem to have the right way to do it.

Thanks a bunch.

I must confess I have another tool I am using which really does most of the bot stoppage - I do not allow IE6 and older to view the site. This is because most of the bots are IE6 or older computers that are compromised and are now zombie computers in botnets.

However, in your human verification settings you choose which actions must be verified before they are allowed to proceed. (See Attachment)

Not sure how it is your human verified actions when not passed still allow you to moderate them. That's another setting I suppose. (You probably have "Moderate New Members" set to "yes" in User Registration Options - I do not.)

I also have an extensive list of known bad IP ranges installed in my .htaccess file which are blocked there. They get an error page when they visit. In addition, I have the Proxy Blocking hack installed, (set to allow browsing but not registering by proxy users) I have found these in combination stop most of the human spammers.

There's really not one "magic bullet" for this, it's a combination of bullets in multiple guns you need.

Again, I know for sure I get thousands of spambot registry attempts per month, none ever make it through. Occasionally, once or twice a month, a human spammer does get in. He is very limited on what he can do by a couple of other good hacks such as, advanced permissions based on post count, signature based on post count, etc. BirdOPrey5 has several really good hacks he's released, for limiting the damage a newly registered human spammer can do. (Including keeping them from using the private message system until they reach a preset post count.)

It all depends on how much you want to install in order to block spam.

Here's a short example of what you need in .htaccess to block IP ranges:

HTML Code:

<Limit GET HEAD POST>
order allow,deny
# Country: CHINA
# ISO Code: CN
# Total Networks: 3,414
# Total Subnets:  331,630,848
deny from 1.0.1.0/24
deny from 1.0.2.0/23
deny from 1.0.8.0/21
deny from 1.0.32.0/19
deny from 1.1.0.0/24
deny from 1.1.2.0/23
deny from 1.1.4.0/22
deny from 1.1.8.0/21
deny from 1.1.16.0/20
deny from 1.1.32.0/19
deny from 1.2.0.0/23
deny from 1.2.2.0/24
deny from 1.2.4.0/22
deny from 1.2.8.0/21
deny from 1.2.16.0/20
deny from 1.2.32.0/19
deny from 1.2.64.0/18
deny from 1.3.0.0/16
deny from 1.4.1.0/24
and so on
and so on
and then

allow from all
</Limit>

I have literally millions of IP ranges from known bad sources blocked, this short list is for example only.

I realize I am pretty militant on this, but the results speak volumes. I am committed to a spam free board, with as little effort on my part and on the part of my volunteer moderators as possible. You either are serious about blocking the garbage, or you are not in my view.

Good luck, please keep us posted on what you do and how it works. There's always more to learn out here.

[munkfish]

I've just come across Xrumer since we've been attacked for the last few days...

What I'm noticing is that the idiot spam bot master is inserting the same sequence of strings in certain fields each and every time, which makes it so simple to identify the spam bot registrations.

In our specific case, the spambot master is inserting the email address into our telephone number field - under no other circumstance has anyone else ever done this, nor should they (given it's supposed to be only digits in a tel number - or certainly at least there should never be an '@' symbol in a telephone number), so to identify spambot registrations it's as easy as searching for '@' in the specific field and then updating the usergroupid to the id of the banned usergroup for any user that meets that criteria on registration.

I've written a very simple plugin to do this, I couldn't see anything that is sophisticated enough to do what I needed to do (ironically it's a very simple thing that needs to be done, but of course from one botnet master to another the way that they choose to complete a registration form will differ, so this is only a 'hack' really short of someone writing a more complete plugin which includes customizable fields=>strings to search on). The closest I saw was this:

https://vborg.vbsupport.ru/showthrea...ghlight=xrumer

which works by searching for the existence of certain email addresses and/or IP addresses (and maybe one other criteria) in a registration and blocks them when it finds them, but it doesn't allow for the kind of custom search that I (or generally anyone else that is attacked by Xrumer will) need to perform in order to adequately defend against the attack.

I appreciate this thread is over a year old, but it seemed to be the most suitable thread relating to Xrumer attacks I could find, maybe this will help someone else... this is the plugin code (read 'hack'! ) that I wrote:

PHP Code:

/*
hook location: register_addmember_complete
After a user has subscribed, check to see if a certain string is in one of the custom fields 
and ban the user if it is.

The reason for this is that Xrumer (automated bot registration application) attacks often use 
the same sequence of characters in certain sign up fields that are pretty much guaranteed to be 
unique just to bot signups, so by searching for these strings we can ban them before they can 
create any spam posts.

*/

// Email of admin to send notification to (leave empty to not send email):
$admin_email="foo@bar.com";

// Usergroup ID of banned user group:
$bangroupid=16;

// array of fields=>strings to search for:
$fields=array(
    // idiot spambot always puts email addresses in the telephone field... 
    "field14"=>"@",
);

// this sql does what we want the plugin to do, basically ban any user with an @ in field 14:
// update user set usergroupid=16 where userid in (select userid from userfield where field14 like "%@%");

// something like this the sql needs to look like:
// update user set usergroupid=$bangroupid where userid in (select userid from userfield where field14 like "%@%" and userid=$userid)";
$sql="UPDATE user SET usergroupid=$bangroupid WHERE userid IN (SELECT userid FROM userfield WHERE (";

$parts=array();
foreach($fields as $fieldname => $regexp){
    $parts[]="$fieldname LIKE \"%$regexp%\"";
}
// join up all the sql 'WHERE' clauses with an 'OR' operator:
$sql.=join($parts, " OR ").") AND userid=$userid)";
// *MUST ADMIT i DIDN'T TEST THIS!!! CAREFUL IF YOU USE MORE THAN ONE SEARCH CLAUSE!*

$rc=$db->query_write($sql);

// if we 'hit' a spammer, report it via email:
if( $db->affected_rows()==1 && isset($admin_email) && !empty($admin_email) ){
    $message="The following user was banned by the Bot Registration Banning plugin:\n\n";
    $message.="Username: $username\n";
    // CHANGE THIS:
    $message.="Admin Panel: http://path.to.your.forum.com/board/admincp/user.php?do=edit&u=$userid";
    vbmail($admin_email, "Bot registrant banned on TGT", $message, true);
} 


To use it you need to add a new plugin in the admin panel, set it to hook into the register_addmember_complete hook location (on the 'add plugin' page), obviously set it active and then modify the config variables $admin_email and $bangroupid. If you leave admin email empty it just won't send out any emails (I think?). The bangroupid can be found by looking at the usergroup.php page and seeing what the numeric ID is of your banned user group.

The path to your forum also needs changing in the code if you want to receive notification emails when it bans anyone.

Re the logic of the code itself... hopefully it's fairly self explanatory but it WILL no doubt need changing for your own forum and I can't really explain how you do that, it all depends on what common factor the Xrumer botmaster uses in his attack against your forum, all I can say is to check your bot registrations, look for a common pattern/string that's used consistently and then modify the code to search for that pattern. I can try and help but really the only way is to have direct access to your forum db to check it/test it.

Anyway... HTH.

PS the code is working on our VB4 board (sorry for posting in the vb3 board but like I say above this seems to be the place where xrumer is discussed most (maybe the thread can be moved?) and if I'm honest I don't really want to maintain this code... it's really just a quick 'hack' after all and if it were to be published properly it should really have a configuration screen where you can customize what strings to grep for etc)... anyway it should work OK on vb 3 and 5 as well.

If anyone wants to modify it and turn it into a 'proper' plugin with a decent config screen etc then that is fine with props.

Cheers.

[Max Taxable]

Quote:

Originally Posted by munkfish

I've just come across Xrumer since we've been attacked for the last few days...

Wow, it's been so long since I posted in this thread, much has changed.

Get this modification, and end all autospam immediately. It's up for Mod of the Month, really works great. It uses the SPEED of the bots against them. 100% reliable and fool proof, and also won't ever be defeated, since the whole point of bots is speed, and load time is a variable they can't program.

I was beta testing this for about a year before the release, it's never failed and has never interfered with a human. I've since uninstalled or disabled all of my other anti-spam tools.

[munkfish]

Cheers, have installed that now, belt and braces and all that (in fact that bot blocker acts before my hack does... ho hum).

Interesting though - the Xrumer software must have been manually programmed to automatically answer all of our human verification questions because since I've enabled the bot blocker plugin to block any registrations that take less than 15 seconds, it has been working (ie the bot is answering our HV questions so must be programmed since the questions are impossible to answer by a bot (well, ours are anyway due to the way they are worded in colloquialism and such that a bot would be unable to answer)).

Well... that or the HV system has a hole in it.

[Max Taxable]

Quote:

Originally Posted by munkfish

Cheers, have installed that now, belt and braces and all that (in fact that bot blocker acts before my hack does... ho hum).

Interesting though - the Xrumer software must have been manually programmed to automatically answer all of our human verification questions because since I've enabled the bot blocker plugin to block any registrations that take less than 15 seconds, it has been working (ie the bot is answering our HV questions so must be programmed since the questions are impossible to answer by a bot (well, ours are anyway due to the way they are worded in colloquialism and such that a bot would be unable to answer)).

Well... that or the HV system has a hole in it.

I have tested the latest version of XRumer, and saw no settings for the Q and A test. They say it's done by "averaging" whatever that is, the same way they defeat the CAPTCHAs. However, it is worth noting that before I used the time based test, my Q&A was always long worded instruction to copy/paste the question into the answer box. No bots ever got past that, since they cannot copy/paste.

Of course now that I have the time based test, I don't use any or the other human verification options. They're obsolete now.

NOTE: Please be sure to vote for "Spammers Suck" as mod of the month, here: https://vborg.vbsupport.ru/showthread.php?t=289983