Here is how to protect your forum from XRumer, at least for now

bcc423

Dec 16, 2008
If you run a forum using some off-the-shelf software, then you've probably noticed a lot of new registrations (and posts) from this forum spam software.

Most of them use a 10-character password, like "sFueJHf5if".
If your software doesn't hash passwords, then they will be easy to spot.

But here is a way to weed out those registrations. It works for now. Since it seems to be able to beat captcha, there is one trick you can use to disable the registration.

Create an extra password field on your registration page and hide it using css property "display:none;".

On your registration page, you would normally have something like:

<form....>
<input ...>
<input ...>
<input type="password" name="password">
<input type="password" name="password_confirm">
...
</form>

With two password fields to make sure the user doesn't make a typo. That's pretty much a standard.

Add a hidden div, so your form would look like:

<form....>
<input ...>
<input ...>
<input type="password" name="password">
<div style="display:none;">
<input type="password" name="passwordzz">
</div>

<input type="password" name="password_confirm">
...
</form>

And on the server side, disable all registrations that have "passwordzz" filled out.

You can use any name, as long as the type of the input is "password".

It looks like XRumer fills out all fields in a form that have type "password" with an identical random value.

Normal users would have "password" and "password_confirm" filled out, but "passwordzz" would be blank.

Registrations by XRumer would have all three fields filled out.

At least as of 12/31/9 it seems to be working.

In the future, it would be a good idea to randomize the names of your password inputs and include 10+ fake ones hidden by the display property. That would make it harder for the authors of XRumer to make an update that would deal with it. If that fails, try using the "class" to hide the fields and set the display property in the external css file. That will make parsing and working it out a much harder task for the programmers of XRumer.

Also, as shown in the example above, it's best to "stick" the hidden password field in between the two real ones, not at the end of the form. It doesn't matter now, but could help in the future.
 
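The honeypot check described in this post, together with the randomized field names it proposes at the end (and which the replies further down in the thread elaborate on), as an added Python example. This is not bcc423's code and not taken from any forum package; the server secret, the `hp` CSS class, the `form_id` hidden input and all helper names are assumptions made for the example. Field names are derived from an HMAC so the server needs no extra storage to recompute which inputs are real, and the fakes land between the real ones rather than at the end of the form.

```python
"""Honeypot password inputs with rotating names (added example, hypothetical helpers)."""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Constructed secret for this example; a real deployment loads it from config
# and rotates it on a schedule the bot operator cannot know.
SERVER_SECRET = b"example-server-secret-rotate-me"
REAL_FIELDS = ("password", "password_confirm")


def field_names(form_id: str, n_fake: int = 10) -> List[Tuple[str, bool]]:
    """Return (input_name, is_real) pairs in render order.

    Each name is HMAC(secret, form_id:index) truncated to 16 hex chars, so the
    server can recompute the mapping from form_id alone. The two real fields
    get pseudo-random positions derived from the same secret, so fakes sit
    between them. The lower position is "password", the higher is "confirm".
    """
    total = n_fake + len(REAL_FIELDS)
    names = [
        hmac.new(SERVER_SECRET, f"{form_id}:{i}".encode(), hashlib.sha256).hexdigest()[:16]
        for i in range(total)
    ]
    seed = hmac.new(SERVER_SECRET, f"{form_id}:pos".encode(), hashlib.sha256).digest()
    p1 = seed[0] % total
    p2 = (p1 + 1 + seed[1] % (total - 1)) % total  # offset in 1..total-1, so p2 != p1
    return [(name, i in (p1, p2)) for i, name in enumerate(names)]


def render_form(form_id: str, n_fake: int = 10) -> str:
    """Build the registration <form>. Fakes carry class="hp"; the external
    stylesheet is assumed to hold `.hp { display: none; }`."""
    labels = iter(("Password", "Password (confirm)"))
    rows = [f'<input type="hidden" name="form_id" value="{form_id}">']
    for name, is_real in field_names(form_id, n_fake):
        if is_real:
            rows.append(f'<div>{next(labels)}: <input type="password" name="{name}"></div>')
        else:
            rows.append(f'<div class="hp"><input type="password" name="{name}" '
                        'tabindex="-1" autocomplete="off"></div>')
    return '<form method="post">\n' + "\n".join(rows) + "\n</form>"


def check_registration(post: Dict[str, str], n_fake: int = 10) -> Tuple[bool, str]:
    """Server-side decision: (accepted, reason). Any filled honeypot rejects
    the registration; the two real fields must be present and match."""
    form_id = post.get("form_id", "")
    if not form_id:
        return False, "missing form_id"
    real: List[str] = []
    for name, is_real in field_names(form_id, n_fake):
        value = post.get(name, "")
        if is_real:
            real.append(value)
        elif value:
            return False, f"honeypot field filled: {name}"
    if len(real) != 2 or not real[0]:
        return False, "password missing"
    if real[0] != real[1]:
        return False, "passwords do not match"
    return True, "ok"


def simulate_submissions(form_id: str = "reg-2009-12-31") -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """Constructed human and bot submissions against the rendered form.
    The bot models the behaviour described in the post: every type="password"
    input it finds in the HTML gets the same random 10-character value."""
    html = render_form(form_id)
    pw_names = re.findall(r'type="password" name="([0-9a-f]+)"', html)
    real_names = [n for n, r in field_names(form_id) if r]
    human = {"form_id": form_id, real_names[0]: "hunter2", real_names[1]: "hunter2"}
    bot = {"form_id": form_id, **{n: "sFueJHf5if" for n in pw_names}}
    return check_registration(human), check_registration(bot)


if __name__ == "__main__":
    human_result, bot_result = simulate_submissions()
    print("human:", human_result)
    print("bot:  ", bot_result)
```

Because the mapping is recomputed from `form_id` and the secret, rotating the secret invalidates every previously learned field layout at once; the `hp` rule living in an external stylesheet means a bot has to fetch and interpret CSS to tell the fakes from the real inputs.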


I know that people here mostly use that software, but in case there is one lonely legit forum owner among you, I thought this post would help :)
 
or you could have 10-20 form fields for each required field, with random name attributes and the correct one is always a different value.. do I make any sense?
 
or you could have 10-20 form fields for each required field, with random name attributes and the correct one is always a different value.. do I make any sense?

Yep. Any kind of randomization will help.
 
I'm thinking of setting up a site with instructions on how to combat Xrumer, getting a copy of Xrumer, and making a run promoting that site with a short explanation.

That would be an awesome link bait.

Better yet, I'll simply mention that idea on some marketing forum, and 50 other people will do it for their own benefit.
 
Thanks for letting me know what you do so I can set up my xrumer to learn it!

How exactly would you teach it to pick only two real password fields out of a random pool?
 
How many times have you personally used xrumer?
None. I've seen a demo once, but the point is you can't train software for that.

It's like picking a combination lock. Some types of protection are just not based on obscurity.

Of course, with just one extra field, it's easy. But let's say I have a form with
10 fields of type password with names like
fdkjhgkdsf
g34defhgfd
34df
erhrthrt
wthrthrt

and so on.

Only two of them are valid. The rest are fake and hidden with CSS.

How would training it once help if those fields change on a schedule that's not known to you?
 
How exactly would you teach it to pick only two real password fields out of a random pool?

Do you really think I give 2 shits about your one forum? I have shit scraping constantly. Fuck, if you want to play a game, I will hit your forum all day long.

If you really want to play a game, do what you do, and I will break it. Just send me the URL.
 
You seem to be taking it way too personally.

If you really want to play a game, do what you do, and I will break it. Just send me the URL.
Let me work on proof of concept, and I'll post the URL. Let's see how it works out.
I'll just set up a form imitating registration system, and let's see if you can automate it.
 
all you have to do is set up a text question on your registration page. It's stopped all bots since i set it up.
for example: "is wagenhym a stud or just a man-whore?"
xrumer doesn't know that he's just a man-whore
 
The point is to inconvenience the users as little as possible while protecting from bots.

I hate captchas or anything of that sort because it's annoying.
 
<div style="display:none;">Password (confirm): <input type="password" name="e33e38f695cee208ba0f324cfddd34bc"></div>

<div>Password (confirm): <input type="password" name="e5bd7a8981301bf0fb999513ef294878"></div>

wtf does that do? oh right, nothing..
 
you're overcomplicating things bro. gdubs12345 is right. many straightforward plugins exist for vB/phpBB/etc that add a custom question to the sign-up page. simple and effective remedy for xrumer. and if a new member can't be bothered to fill out one extra (brainless) field, then i don't want them on my forum anyways.