Here is how to protect your forum from XRumer, at least for now

No matter how sucky support is (or lack of English) ... they know their stuff and that shit can move, and move fast.
I actually sympathize with those guys. It looks like they are either from Russia or from Ukraine. And with good skills, the only way they can make some money is by making that kind of software. That pretty much guarantees they'll never become a respectable ISV with serious investors.
 


I actually sympathize with those guys. It looks like they are either from Russia or from Ukraine. And with good skills, the only way they can make some money is by making that kind of software. That pretty much guarantees they'll never become a respectable ISV with serious investors.

Russia. And I don't really think they care about investors. lol.
 
Russia. And I don't really think they care about investors. lol.
That's the sad part.

I'm originally from Russia (now living in the States), and I used to work as a programmer. So I know their mindset really well.

My first online venture (back in 98) consisted of setting up a page with pictures of 3 chicks and vote buttons. After that, I sent spam via ICQ with a link to that page asking people to tell me which one they think is the prettiest. Hinting that it's a pic of me and two of my girlfriends.

The payload was a link to a web design firm soliciting for work.

Ahh, back in the day :)

It took me a while to get away from that mindset.
 
That's the sad part.

I'm originally from Russia (now living in the States), and I used to work as a programmer. So I know their mindset really well.

What's sad? That they don't need investors? How do you know if they have them or not? Why do you think that's the only way they can make money? I'm sure they could do other programming related work if they chose, seeing as they created the most industrial forum spamming app on the planet. With regards to "knowing their mindset", I live in the US and can design in Photoshop but I don't think I know the mindset of every designer who knows Photoshop and lives in the US.

They aren't curing AIDS, but they're also not controlling botnets, creating spyware and other things Russian/Ukrainian coders are notorious for. It seems the annoyance of forum owners and moderators is placed lower on their priority list to their profit margins, which are probably pretty strong with or without investors.
 
Dude, as has been said it's trivial to filter for all of these little CSS styles. This is not complicated stuff at all.

Your basic idea here, regardless of how many password fields you're generating, how you name them, etc, is that you want to only show the real password field to a real user.

No matter how you try to disguise this, as long as a web browser can render it the correct way, you can be damn sure that it's fairly easy to write code to do the same, and pick out the real field.

So now that we've established that the premise is flawed, as you continue down this path of thought trying to think of ever more complicated ways to hide the honeytrap fields all you will be doing is increasing your workload, and the chance that whichever technique you use is going to break in one browser at some point.

Having said that, if you have a small low traffic forum that doesn't attract personal attention from spammers you'll be fine using some technique like this, as no one is going to be bothered to customize XRumer, etc to your setup. But you can be sure if your forum became big, or this technique suddenly became popular as a vBulletin plugin or something similar, it would take minutes to update the spamming toolbox and then you're back to square one.
 
I like this thread. More people should come to wf with a "break my shit" attitude. I can't think of a better group of testers.
 
So now that we've established that the premise is flawed

I'm afraid you haven't established anything.

There are two basic approaches to doing it. One is to simply parse the html and the other one is to actually render a page.

With parsing, it's next to impossible to figure out which fields are not hidden.

And with rendering, it's really easy to "see" which fields are visible, but it's hard to pinpoint them on a rendered buffer. Just as the user wouldn't know the name of the field he sees on a page.

If you really want to try, the quickest method to implement some test units is to use Firefox with Greasemonkey. That lets you have a rendering engine and a scripting environment without doing any coding.

Can you conceptually describe how you would figure out which fields are actually visible in a buffer (or on the screen)?

Having said that, if you have a small low traffic forum that doesn't attract personal attention from spammers you'll ...blah blah blah

You are missing the whole point on this discussion :) Go make money and look at the boobs.
 
Your idea is so fucking flawed and has been proven wrong multiple times in this thread, yet you still try to convince us that it is a good idea?

If people want to spam your forum, they are going to spam your forum. Deal with it.
 
Your idea is so fucking flawed and has been proven wrong multiple times in this thread

All that "proof" revolved around stripping out parts of html.

Can you either post some pseudocode or at least conceptually explain how you would figure out which fields are hidden and which aren't?

Assuming that everything can be randomized, and as a result there aren't any ways of mapping certain chunks of html to their function.

The only way to do that would be to actually render the page (with all dependencies, images, external styles, etc.) and then try to figure out which of the visible fields correspond to which html input elements in the form -- without knowing anything about the layout.

That's like face recognition for web pages.

So far, aside from a couple of people who actually seem to know their shit, all responses were nonsense made by script kiddies who don't seem to appreciate (or even be able to grasp) the conceptual difficulty of this problem.

If people want to spam your forum, they are going to spam your forum. Deal with it.

I am dealing with it. But this thread has nothing to do with my "dealing with it".

You know, some people play chess, some solve puzzles, some read jokes. That's called a recreational activity. This thread isn't much different.

If some practical solution arises that's great, if not, that's fine too. Is it really so hard to understand?
 
You seem more like someone that has a homework assignment due on Monday, with all the begging. Just sayin'.
 
All that "proof" revolved around stripping out parts of html.

My proof did not. And if you want to get into it even further, other automation programs would crack it as they do run through IE.

It really is a never ending game of catch the mouse. If I were you, I would focus more on making money, set up a question/answer and be free. You will stop probably 99% of it.
 
String parsing, DOM parsing or rendering, it doesn't matter what is being used, it always has to eventually deal with the same code; thus, there will always be some way to incorporate the same logic into it.

Identifying CSS declarations and string output is trivial. Think about text editors that you may use that incorporate color coding and auto space/indent when you write code. So assume you have arrays from the source code that contain key=>attribute pairs and the names of the arrays are the CSS class or div names.

The arrays are in another array, ordered by the order that their corresponding elements would be called and rendered to a browser and you iterate through this array as such:


Code:
if array[n] is hidden or not a form field (iterate through elements of n)
    ignore;
else if array[n] is form field and not hidden (iterate through elements of n)
    get name attribute;

Then you have all the names of the form fields you need.
 
Then you have all the names of the form fields you need.

How would that code find fields that are covered by another element or an image?

They don't have to be declared display:none. There are ways of simply repositioning containers one on top of the other.

How would you implement the "hidden()" function?

It can't just check the style value for the passed DOM element. That simply wouldn't be sufficient.
 
You seem more like someone that has a homework assignment due on Monday, with all the begging. Just sayin'.

When you start projecting your inner complexes onto other people, it becomes really transparent and evident to everyone else, but you.... Just sayin'.
 
It really is a never ending game of catch the mouse.

That's what makes it interesting.

If I were you, I would focus more on making money

I never lost that focus, not for a minute :)
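
Added example, not part of any post in the thread and not vBulletin or XRumer code: a minimal server side for the decoy-field scheme the thread argues about, with field names randomized per form so they say nothing about which field is real. The key, lifetime, decoy count and all function names are assumptions; hiding the decoys in the page is left to the markup, and the thread's open question of whether a client can tell them apart is not settled by this code.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-demo-key"   # assumption: per-site secret, never sent to clients
MAX_AGE = 600                          # assumption: a form is valid for 10 minutes
DECOYS = 3                             # assumption: number of honeytrap fields per form


def field_name(token: str, role: str) -> str:
    """Opaque field name bound to one form token; reveals nothing about the role."""
    mac = hmac.new(SERVER_KEY, f"{token}|{role}".encode(), hashlib.sha256)
    return "f" + mac.hexdigest()[:16]


def build_form(now: int):
    """Return (token, real_name, shuffled_names) for one rendered form."""
    token = f"{now}:{secrets.token_hex(8)}"
    real = field_name(token, "real")
    names = [real] + [field_name(token, f"decoy{i}") for i in range(DECOYS)]
    secrets.SystemRandom().shuffle(names)   # markup order must not give the role away
    return token, real, names


def check_submission(token: str, posted: dict, now: int):
    """Return (verdict, value); the value is set only when the verdict is 'accept'."""
    try:
        issued = int(token.split(":", 1)[0])
    except ValueError:
        return "reject: expired or malformed token", None
    if not 0 <= now - issued <= MAX_AGE:
        return "reject: expired or malformed token", None
    decoys = {field_name(token, f"decoy{i}") for i in range(DECOYS)}
    if any(posted.get(name) for name in decoys):
        return "reject: decoy filled", None
    value = posted.get(field_name(token, "real"))
    if not value:
        return "reject: real field empty", None
    return "accept", value


if __name__ == "__main__":
    token, real, names = build_form(now=1000)                          # constructed sample form
    print(check_submission(token, {real: "hunter2"}, now=1010))        # only the real field filled
    print(check_submission(token, {n: "x" for n in names}, now=1010))  # every field filled
```

Because the names are derived from the token with a server-held key, the server needs no per-form state, and a token the server did not issue maps to field names the client cannot compute.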