  #1  
Old 09-10-2012, 01:38 AM
pattycake pattycake is offline
 
Join Date: Jan 2009
Posts: 97
SpamBots XRumer et al, bypass validate code??

I have been studying the various methods used by spambots to auto-register and I'm trying to understand their methods so I can better fight them off.

Here's my question:
If a validation email is created for new members, and that email includes a validation code,
how is it that spambots are able to validate if they never received the validation code?

Here is an example:
Spammer used npaqvp@ype.com to signup.
It's the actual email address used by the spambot - the email address is a bogus, invalid email address that will bounce.

The validation email included among other things, the following links:

Code:
http://xxxxx.com/register.php?a=act&u=5692&i=dbbce576f9aa08c4f40ef2d5318f616cbf6c39a8
The validation code for the above is: dbbce576f9aa08c4f40ef2d5318f616cbf6c39a8

If he never got the email (it was an invalid, bogus email address), that means that he obviously never got the validation code, so how was he (or the spambot) still able to validate?? He doesn't know the validation code because he never got the email... yet he was still able to validate his acct.

Is there some link that would allow him to validate without having that validation code?

Confused,
-pat-
  #2  
Old 09-10-2012, 04:24 AM
ForceHSS ForceHSS is offline
 
Join Date: Apr 2008
Posts: 6,357

Maybe the email is being forwarded to his real email address when sent to this fake one
  #3  
Old 09-10-2012, 04:53 AM
vijayninel vijayninel is offline
 
Join Date: Mar 2009
Posts: 537

This is interesting. It also means that we could be sending mails, newsletters etc to non existing e-mail addresses. Something that could get you in trouble in the longer run.
  #4  
Old 09-10-2012, 06:30 AM
pattycake pattycake is offline
 
Join Date: Jan 2009
Posts: 97

Quote:
Originally Posted by vijayninel
This is interesting. It also means that we could be sending mails, newsletters etc to non existing e-mail addresses. Something that could get you in trouble in the longer run.
I also own a very large forum with 150,000 members, 4 million posts... I monitor all bounced emails daily because yes, been there, done that ... it can get you black-balled by a provider for continuing to send emails to non-existent or bogus emails. They assume you are a spammer using some list.

I revised my forum software adding a field called "Disable Emails"... if anyone bounces an email, they get tagged with "Disable Emails"... the system will no longer send any emails to that address until the email address has been corrected.

btw: I have stopped the spambots from posting... took a bit of creative coding in the register.php script but it has been 100% effective. They can still signup like any other person but... they (and they alone) get tagged as an UnApproved Coppa user meaning... they cannot post, pm, do a sig. All I have to do is view the Coppa users ever so often. Since I don't do Coppa at my site, anyone in there is a SpamBot... one click and they all are gone.

--------------- Added 09-10-2012, 07:41 AM ---------------

Quote:
Originally Posted by ForceHSS
Maybe the email is being forward to his real email address when sent to this fake one
Nope... vBulletin sends the email to whatever email address he entered during registration... he could not enter a "cc" or a "bcc" or a forward unless the original email address was real.

Check that... if he actually owns the mail server, it could be done. He could first create the bogus email address, then disable the bogus email address, but put a .forward (or a .copy) in it, forwarding it to a real email address. But, he would have to have control over the mail server.

I really think there must be a command line to register.php that will allow someone to validate without knowing that validation code.

I'm going to start poring through the logs to see if I can find out for sure.

--------------- Added 09-10-2012, 11:01 AM ---------------

Here's another that just validated... notice the bounced/invalid email address.

Code:
Unknown user: AnnenlySeDfef@aol.com

RCPT TO generated following response:
550 5.1.1 <AnnenlySeDfef@aol.com>: Recipient address rejected: aol.com

Original message follows.
Received: from mail.xxxxx.com [127.0.0.1] by mail.xxxxx.com with ESMTP
  (SMTPD32-8.15) id AA1C2D4300CC; Mon, 10 Sep 2012 02:43:24 -0500
Date: Mon, 10 Sep 2012 07:54:17 +0000
To: AnnenlySeDfef@aol.com
From: "xxxxx.com" <xxxxx_admin@xxxxxx.com>
Auto-Submitted: auto-generated
Return-Path: pat@xxxxk.com
Message-ID: <20120910075417.4f7bb88beeed@www.xxxx.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
Subject: Action Required to Activate Membership for xxxxx.com

Dear ScavaOnette,

Thank you for registering at the xxxxx.com. Before we can activate your account one last step must be taken to complete your registration.

Please note - you must complete this last step to become a registered member. You will only need to visit this URL once to activate your account.

To complete your registration, please visit this URL:
http://xxxxx.com/register.php?a=act&u=5698&i=6225256255d02fe1f3bff014b90e3920f146aece

Notice it bounced, undelivered, yet he was still able to validate. How could he validate without having the validation code??

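The two defensive pieces this post touches on, as an added example in Python that is not vBulletin's or the poster's code: the "Disable Emails" tag set when a 550 rejection comes back, and a hardened handler for the register.php?a=act&u=…&i=… link (code bound to the exact user id, constant-time comparison, single use). The USERS table with its field names, and the BOUNCE text, are constructed from the report quoted above.

```python
"""Added example: process a 550 bounce and check an activation link."""
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Constructed user table (hypothetical schema), keyed by e-mail address.
USERS = {
    "AnnenlySeDfef@aol.com": {"userid": 5698, "active": False, "disable_emails": False,
                              "activationid": "6225256255d02fe1f3bff014b90e3920f146aece"},
}

# Constructed bounce text, modelled on the report quoted in the thread.
BOUNCE = """Unknown user: AnnenlySeDfef@aol.com

RCPT TO generated following response:
550 5.1.1 <AnnenlySeDfef@aol.com>: Recipient address rejected: aol.com
"""

# Permanent rejection: 5xx status, 5.x.x enhanced code, recipient in angle brackets.
REJECT_RE = re.compile(r"^5\d\d\s+5\.\d+\.\d+\s+<([^>]+)>", re.MULTILINE)

def rejected_recipient(bounce):
    """Return the recipient named in a permanent rejection, or None."""
    m = REJECT_RE.search(bounce)
    return m.group(1).lower() if m else None

def flag_bounced(bounce, users):
    """The 'Disable Emails' tag: stop mailing an address that hard-bounced."""
    addr = rejected_recipient(bounce)
    for email, rec in users.items():
        if addr and email.lower() == addr:
            rec["disable_emails"] = True
            return rec["userid"]
    return None

def activate(url, users):
    """Check register.php?a=act&u=<id>&i=<code>: the code must belong to that
    user id, is compared in constant time, and is accepted only once."""
    q = parse_qs(urlparse(url).query)
    if q.get("a") != ["act"] or "u" not in q or "i" not in q:
        return False
    code = q["i"][0]
    rec = next((r for r in users.values() if str(r["userid"]) == q["u"][0]), None)
    if rec is None or rec["active"] or not code.isascii():
        return False
    if not hmac.compare_digest(rec["activationid"], code):
        return False
    rec["active"] = True
    return True
```

In a real deployment the bounce parser would run over the mailbox that receives Return-Path traffic, and the flagged account would also be a candidate for manual review since a hard-bouncing address at registration is itself a spam signal.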
  #5  
Old 09-23-2012, 09:19 PM
pattycake pattycake is offline
 
Join Date: Jan 2009
Posts: 97

this continues to happen... spammer's email bounces so he does not get the validation code, yet he is still able to supply the verification code and validate. Surely I'm not the only one that is experiencing this?
  #6  
Old 09-23-2012, 11:26 PM
Max Taxable Max Taxable is offline
 
Join Date: Feb 2011
Posts: 3,134

Quote:
Originally Posted by pattycake
this continues to happen... spammer's email bounces so he does not get the validation code, yet he is still able to supply the verification code and validate. Surely I'm not the only one that is experiencing this?
End all autospam registrations now, with this simple and elegant modification.

IsBot - Registration time check
  #7  
Old 09-24-2012, 12:44 AM
pattycake pattycake is offline
 
Join Date: Jan 2009
Posts: 97

the time between registering has long since been defeated by XRumer. They even have a setting of waiting 5, 10, 15, 20, and 30 seconds.

Even if XRumer couldn't get around it like they already have, there is still something wrong in the registration process that is allowing people to validate without knowing the validation code. That's the issue at hand. Not how to reduce spam, etc... but... how are they bypassing the validation. Something in VB is letting them in.

If you want to at least make XRumer stumble, and this is straight from XRumer:

http://www.blackhatworld.com/blackha...r-posters.html

1. edit the footprints
2. edit the code that detects fields
3. make a custom human verification field
4. don't auto approve accounts

i.e., Edit the footprints - XRumer goes to your index.php and looks at the meta tag to see if and what version of vBulletin is being run. Go edit that meta tag and you won't get found by a script. I even changed mine to display "phpBB 1.4" so that they use the wrong script on my site.

i.e.: Make a custom human verification field - I have a radio button field in registration.
Spammer Check: Are you a script/bot to help you scam (default is YES). Or are you a real human being?
Every one of the 500+ scripts that has hit my site has failed that question. I could automatically delete their acct if they don't answer correctly but just to be safe, I don't automatically delete the account - I coded it so they are set to a Coppa user meaning... they cannot post, and have to be manually validated. All legit members bypass that Coppa stuff.

Wanna know another method? Change the name of "register.php". The XRumer script uses "register.php" - if it doesn't exist, it fails. If you are using a Linux box, just capitalize the first letter so that it is "Register.php". Yes, there are numerous code changes that need to be made to handle the new name but it's fairly easy to "grep" and find all occurrences of "register.php" in vBulletin. It took me less than 10 minutes to make all of the changes.

One more method: Change the registration to use Ajax... All versions of XRumer implode when they hit that code.

Still though, the original question still exists - how are they able to validate without knowing the validation code?
  #8  
Old 09-24-2012, 01:15 AM
Max Taxable Max Taxable is offline
 
Join Date: Feb 2011
Posts: 3,134

Quote:
Originally Posted by pattycake
the time between registering has long since been defeated by XRumer. They even have a setting of waiting 5, 10, 15, 20, and 30 seconds.
Nonsense. I haven't had a single auto registration be successful since I installed that modification.
  #9  
Old 09-24-2012, 01:29 AM
pattycake pattycake is offline
 
Join Date: Jan 2009
Posts: 97

ok... whatever, I'm just telling you that the new XRumer has an option to use the delay. YMMV
  #10  
Old 09-24-2012, 01:36 AM
Max Taxable Max Taxable is offline
 
Join Date: Feb 2011
Posts: 3,134

Quote:
Originally Posted by pattycake
ok... whatever, I'm just telling you that the new XRumer has an option to use the delay. YMMV
Any link you can post where it shows this feature? I keep up with it pretty well, have seen the latest version and no mention of time based defeats.

And yes it looks like you might have found evidence of some kind of exploit on the verification codes. I haven't experienced this yet or ever heard of it, but my main goal is to stop bogus registrations, not collect them.

IsBot isn't the only tool I use, two of my tools are homemade custom ones I'll never talk about.... And ones that will never be defeated or bypassed.

I get ZERO spam despite 100s of attempts daily. I get NO auto registrations despite 100s of attempts daily.

Might be why I never ran into the problem you're describing.