Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

How forum spambots work

suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 19 Aug 2014
Posts: 10323
Location: sunny California

Posted: Mon Jan 01, 2007 4:31 pm    Post subject: How forum spambots work

Blogged by Paperghost.

http://www.vitalsecurity.org/2007/01/ever-wondered-how-spambot-works.html

Watch the movie in the link he posted.

The website of the spambot developer is here:

http://www. botmaster.net/

This bot is called X Rumer. Here's the description:

Quote:
XRumer

This extra-powerful software leaves any competitor in the dust trail. XRumer will make a drastic increase in the number of unique visitors to your site, generating a never-ending flow of targeted traffic. The years of hard work the best programmers, SEO specialists and Internet marketing experts have put into this brilliant piece of software make XRumer the diamond among all SEO applications you've ever come across. Both novices and experienced 'gurus' will get amazed by the unbelievable features XRumer hides under the hood. The simple interface should not mislead you since from the very beginning all the efforts of the programmers were put into the development of reliable, feature-rich software. XRumer fully automates the tasks all webmasters hate, and brings websites to high positions in Search Engines while simultaneously generating the flow of fresh and stable traffic.



So, these forum spambots can read the captcha, enter the correct characters into the registration page, get the activation email, click the link, come back to the forum and make a spam post. It took only 15 minutes for this bot to hit over 55,000 forums.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.


Last edited by suzi on Wed Dec 12, 2007 8:03 pm; edited 1 time in total
mikey
Malware Expert


Joined: 12 Feb 2004
Last Visit: 14 Aug 2014
Posts: 1073
Location: CenTex

Posted: Mon Jan 01, 2007 6:32 pm

That explains a lot. I now have in a single visual verification (captcha) multiple imaging formats used.

I also use ban triggers with literally hundreds of wildcard DEAs: http://en.wikipedia.org/wiki/Disposable_e-mail_address

A wildcard DEA looks like this: *@*.netmails.net, and makes for blocking of addies with variable user name and variable subdomain simultaneously.

My list is made up of published DEA lists and my own contributions added to the mix.

I still get spam!

And I'm just a small site.
_________________
-

UbuntuStudio...community supported multi-media development optimization.

-
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 19 Aug 2014
Posts: 10323
Location: sunny California

Posted: Mon Jan 01, 2007 6:38 pm

Quote:
A wildcard DEA looks like this: *@*.netmails.net, and makes for blocking of addies with variable user name and variable subdomain simultaneously.


Interesting... I have a lot blocked by using *@domain.com

Do you know if the format you use works with phpBB?

The admin panel just suggests *@domain.com.

This was posted on another forum.

http://www.spamsuicide.com/
mikey
Malware Expert


Joined: 12 Feb 2004
Last Visit: 14 Aug 2014
Posts: 1073
Location: CenTex

Posted: Mon Jan 01, 2007 8:09 pm

I really don't know and I'm not particularly familiar with that CP or I'd just see for myself.

I don't know if you have a test board set up or if this can even be easily checked but if you want I have a demo set up as one of my 'power tools' available to my clients.

You are welcome to use it to test with. It's @ http://forums.voiceofthepublic.com/phpbb/index.php and if you want I'll shoot ya a password to the admin CP.

EDIT: BTW, it occurs to me that you might want it for other tests too. You're welcome to it.
_________________
-

UbuntuStudio...community supported multi-media development optimization.

-
Nick
Site Admin


Joined: 27 Feb 2004
Last Visit: 15 Jul 2014
Posts: 3913
Location: California

Posted: Mon Jan 01, 2007 8:17 pm

You can use the double wild card on phpBB. I added *@*.su just recently when the criminal spammers were using emails with the old Soviet country extension. Seeing as the Soviet Union hasn't existed in some 15+ years now, I don't see anyone having a legit email ending in dot su.

This method works great for emails that have a country code at the end. However, don't use something like *@*.com or you will block every email address that has a dot com ending.
mikey
Malware Expert


Joined: 12 Feb 2004
Last Visit: 14 Aug 2014
Posts: 1073
Location: CenTex

Posted: Mon Jan 01, 2007 8:32 pm

Nick wrote:
like *@*.com


I would think it would then likely work also for sub-domains too then such as *@*.some.com. Is that what you mean?
Nick
Site Admin


Joined: 27 Feb 2004
Last Visit: 15 Jul 2014
Posts: 3913
Location: California

Posted: Mon Jan 01, 2007 9:38 pm

mikey wrote:
I would think it would then likely work also for sub-domains too then such as *@*.some.com. Is that what you mean?

That would work. If you wanted to ban all the Road Runner cable ISP email addresses, you could. Their emails are like this: usernameATdallas.rr.com. So putting *@*.rr.com would ban any Road Runner email address. If you just wanted to ban the Dallas one, then you could put *@dallas.rr.com and only block the ones from Dallas.

For ISP like Comcast, you can only block all or none with the wild card since their format is usernameATcomcast.net. You could still use the * to block sections of the email name. Say *spamATcomcast.net. Anything with spam at the end would be blocked. If you put *spam* in, then anything with "spam" anywhere in it would be blocked. So an email address BillLikesPamATcomcast.net would get blocked by both filters. BillLikesPamAlotATcomcast.net would only get blocked by the second one, since the address doesn't end with spam.

While I haven't tried it, I see no reason why you couldn't block like this either: username@comcast.* That would block any domain that had Comcast in it, be it .com, .net or .biz

Used AT instead of @ so the board wouldn't autoparse the email addresses into clickable links.
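The ban-list behaviour mikey and Nick describe above, worked through in Python as an added example (this is not phpBB's code): a `*` stands for any run of characters, the ban list is constructed from the patterns quoted in the thread, and a small helper flags the TLD-wide patterns Nick warns about, such as *@*.com.

```python
"""Wildcard e-mail bans of the kind phpBB's ban list accepts.

Example code written for this thread, not phpBB's implementation. A `*`
matches any run of characters, so *@*.rr.com covers every Road Runner
regional domain, *spam@comcast.net covers local parts ending in "spam",
and *spam* covers the string anywhere in the address.
"""
import re
from typing import Iterable, List

# Constructed ban list, built from the patterns mentioned in the thread.
BAN_PATTERNS = [
    "*@*.netmails.net",      # disposable-address service, any subdomain
    "*@*.su",                # whole country-code TLD (deliberate, per Nick)
    "*@*.rr.com",            # every Road Runner regional domain
    "*@dallas.rr.com",       # only the Dallas one
    "*spam@comcast.net",     # local part ending in "spam"
    "*spam*",                # "spam" anywhere in the address
    "username@comcast.*",    # one local part, any TLD
    "*@*res*.info",
    "*@abwesend.de",
]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a ban pattern into an anchored, lower-cased regex.

    Everything except `*` is matched literally, so the dots in domain
    names are not regex wildcards.
    """
    pieces = (re.escape(p) for p in pattern.lower().split("*"))
    return re.compile("^" + ".*".join(pieces) + "$")


def matching_bans(address: str, patterns: Iterable[str]) -> List[str]:
    """Return every pattern that matches the address (empty list = allowed)."""
    addr = address.strip().lower()
    return [p for p in patterns if pattern_to_regex(p).match(addr)]


def tld_wide_bans(patterns: Iterable[str]) -> List[str]:
    """Flag patterns whose domain part is only wildcards plus one label.

    Such a pattern (e.g. *@*.com) bans every address under that TLD.
    Nick's *@*.su is one on purpose; *@*.com would be a mistake.
    Heuristic only: it does not know about multi-part public suffixes.
    """
    flagged = []
    for p in patterns:
        if "@" not in p:
            continue
        domain = p.rsplit("@", 1)[1]
        if not domain.startswith("*"):
            continue
        labels = [lab for lab in domain.split(".") if lab not in ("", "*")]
        if len(labels) <= 1:
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    # Constructed sample registrations, including the two from Nick's post.
    for addr in ["BillLikesPam@comcast.net", "BillLikesPamAlot@comcast.net",
                 "joe@austin.rr.com", "username@comcast.biz",
                 "anyone@example.com"]:
        print(f"{addr:32} -> {matching_bans(addr, BAN_PATTERNS) or 'allowed'}")
    print("TLD-wide patterns:", tld_wide_bans(BAN_PATTERNS + ["*@*.com"]))
```

Run stand-alone it prints which patterns catch each sample address; an address that matches no pattern is allowed through.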
mikey
Malware Expert


Joined: 12 Feb 2004
Last Visit: 14 Aug 2014
Posts: 1073
Location: CenTex

Posted: Mon Jan 01, 2007 10:30 pm

I think I follow now.

As in "BillLikesPamATcomcast.net";

There always seem to be downsides to all blocking concepts. Some unfortunate users always seem to get left behind the 8-ball. It's kinda like the sites who get blacklisted because they run a newsletter.

Another wildcard type I've been using is *@*res*.info, used because of a bucket load of these: *@*res8.info. I've got several renditions of this type of DEA too.

Of course there's also the common wildcard too, like: *@abwesend.de

Can't win for losing.
olliver
Expert Developer


Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

Posted: Tue Jan 02, 2007 1:31 am

Xrumer isn't that new. I've been aware of it since last summer, when its creator "botmaster" made his announcements for the new version with captcha support in the Russian Umax forums (and later at Klikvip as well). He's a regular in both forums (along with other well known spambags* from Russia, Belarus and Ukraine). In fact, sometime last autumn (fall for American readers) a Russian spammer left some advertisements for it here in the forums, albeit rather short-lived and pointless, as it was written in Russian and thus not properly displayed.

I didn't take the chance of writing about it (I was 6 months ahead of vitalsecurity.org**), because I felt that mentioning this product would backfire and attract all kinds of "push button marketers". Since at that time the site was in Russian only, I didn't see any need to mention it and hoped it would remain an insider programme. Sadly, now that they have opened it up to everyone (even multilingual), one can expect a dramatic rise in unsolicited advertisements.

A few words about their hosting company:

Quote:
[olliver@bunkiten ~]$ host botmaster.net
botmaster.net has address 216.195.60.10
botmaster.net mail is handled by 10 mail.botmaster.net.


Quote:
[whois.arin.net]

OrgName: APS Telecom
OrgID: APSTE
Address: 8130 SW BEAVERTON-HILLSDALE HWY
City: PORTLAND
StateProv: OR
PostalCode: 97225
Country: US

NetRange: 216.195.32.0 - 216.195.63.255
CIDR: 216.195.32.0/19
NetName: APS-EPSI
NetHandle: NET-216-195-32-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.3FN.NET
NameServer: NS2.3FN.NET
Comment: send abuse issues to abuse at 3fn.net, send network
Comment: issue to noc at 3fn.net

RegDate: 2003-11-05
Updated: 2004-09-17

RTechHandle: NSW-ARIN
RTechName: Swen, Nash
RTechPhone: +1-800-539-8209
RTechEmail: noc at apxtelecom.com

OrgTechHandle: NSW-ARIN
OrgTechName: Swen, Nash
OrgTechPhone: +1-800-539-8209
OrgTechEmail: noc at apxtelecom.com


(emphasis added by me)

3fn.net belongs to the spam circles around Esthost, Umaxsearch and Yambo financials and thus is harbouring a lot of spambags:
http://www.google.com/search?q=3fn.net+spam

Interestingly, apxtelecom didn't bother to suballocate the 3fn.net ranges, perhaps as spam support. Another indicator of their spam friendliness is the fact that they've been hosting the ranges of Dimago Overseas for quite a long time despite many complaints:

Quote:
Dimago Overseas GmbH NET-216-195-51-0 (NET-216-195-51-0-1)
216.195.51.0 - 216.195.51.255


Dimago Overseas is better known for Umaxsearch, Umaxforums and all their associated PPC landing pages like topmed10.com, topsearch10.com, topadult10.com and the likes. Obviously APS Telecom loves spammer money, and so it can be expected that nothing but an earthquake, the eruption of the Yellowstone super volcano or - as an alternative means - a nuclear blast could bring down these sites.

So what can be done? Firewall the entire 216.195.32.0/19 range and forget about it. This should be lossless compression:
http://www.google.com/search?q=APS+telecom+spam

Olliver

---
* known from the CWS campaign, to be precise:
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK4845

** those who doubt my claim can contact Spamhuntress. She can confirm that I brought the programme to her attention in August 2006
olliver
Expert Developer


Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

Posted: Tue Jan 02, 2007 9:50 am

mikey wrote:
There always seems to be downsides to all blocking concepts. Some unfortunate users seem to always get left behind the 8ball. It's kinda like the sites who get blacklisted because they run a newsletter.


The mere fact that a site is running a newsletter doesn't cause a blacklisting. If a site gets blacklisted, then it's because it doesn't have a confirmed opt-in loop running and spams any arbitrarily entered email address right away. As explanation:
http://www.spamhaus.org/permissionpass.html

To put it simply: a newsletter, mailing list or any other form of legitimate bulk mail service should check whether a newly entered address really wants to be added to the recipient list, and only start mailing once this user has explicitly consented to the mailing by confirming his addition.

Olliver
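The confirmed opt-in loop Olliver describes, as an added Python example (written for this thread, not taken from Spamhaus or any mailing-list software): a signup form sends exactly one confirmation request to the entered address, and nothing else reaches it until the signed token from that request comes back. The HMAC token construction, the 24-hour expiry and the in-memory "outbox" are assumptions of this example.

```python
"""Confirmed opt-in (double opt-in) for a bulk mail list.

Example code for this thread, not any real list manager. The address typed
into the signup form receives one confirmation request only; the newsletter
itself goes out solely to addresses that returned a valid token.
"""
import hashlib
import hmac
import time
from typing import Callable, Dict, List, Optional, Set, Tuple


class NewsletterList:
    CONFIRM_TTL = 24 * 3600  # assumption: confirmation links live one day

    def __init__(self, secret_key: bytes, now: Callable[[], float] = time.time):
        self._key = secret_key
        self._now = now                       # injectable clock for testing
        self._pending: Dict[str, int] = {}    # address -> expiry of request
        self.confirmed: Set[str] = set()
        self.outbox: List[Tuple[str, str]] = []   # (recipient, subject) "sent"

    def _mac(self, address: str, expiry: int) -> str:
        # Bind the token to both the address and its expiry time.
        msg = f"{address}|{expiry}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def subscribe(self, address: str) -> Optional[str]:
        """Handle the signup form: send one confirmation request, nothing else.

        Returns the token that would be embedded in the confirmation link, or
        None when the address is already confirmed or a request is already
        outstanding, so the form cannot be used to flood a third party's
        mailbox with repeated confirmation mails.
        """
        address = address.strip().lower()
        now = int(self._now())
        if address in self.confirmed or self._pending.get(address, 0) > now:
            return None
        expiry = now + self.CONFIRM_TTL
        self._pending[address] = expiry
        self.outbox.append((address, "Please confirm your subscription"))
        return f"{expiry}.{self._mac(address, expiry)}"

    def confirm(self, address: str, token: str) -> bool:
        """Accept the token from the confirmation link; add the address only if valid."""
        address = address.strip().lower()
        try:
            expiry_str, mac = token.split(".", 1)
            expiry = int(expiry_str)
        except ValueError:
            return False
        if expiry <= int(self._now()):
            return False                      # link expired
        if not hmac.compare_digest(mac, self._mac(address, expiry)):
            return False                      # forged or tampered token
        self._pending.pop(address, None)
        self.confirmed.add(address)
        return True

    def send_issue(self, subject: str) -> List[str]:
        """Mail an issue to confirmed addresses only; returns who received it."""
        recipients = sorted(self.confirmed)
        self.outbox.extend((r, subject) for r in recipients)
        return recipients


if __name__ == "__main__":
    nl = NewsletterList(b"example-secret-key")       # constructed key
    token = nl.subscribe("reader@example.org")        # constructed address
    print("after signup, issue goes to:", nl.send_issue("Issue 1"))
    print("confirmed:", nl.confirm("reader@example.org", token))
    print("after confirmation, issue goes to:", nl.send_issue("Issue 2"))
```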
Chao284
Warrior


Joined: 06 Sep 2004
Last Visit: 09 Dec 2013
Posts: 220
Location: Bremerton, WA

Posted: Wed Jan 03, 2007 5:09 pm

suzi, I think only a few board systems like YaBB seem to be affected by the forum spambots, yet most of them seem to be tracked to one specific country the most, the Netherlands. It seems spam gangs in that country have managed to make forum spambots, and to say this, it has gotten more serious as it is; even a few of the links had redirect issues that included several IE and Windows exploitable pages that would also pose a risk.

Now that my friends is a REAL serious problem in that.
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 19 Aug 2014
Posts: 10323
Location: sunny California

Posted: Wed Jan 03, 2007 5:31 pm

Quote:
suzi, I think only a few board systems like YaBB seem to be affected by the forum spambots, yet most of them seem to be tracked to one specific country the most, the Netherlands,


I disagree based on what I've seen right here at this forum and another forum I help admin. And many of them come from IP addresses in Korea and China, but not all of them by any means.

Did you watch that video? It shows the spambot being programmed to hit several different forum softwares, including phpBB, Yabb, VBulletin and Invision Power Board.

The spambots are widespread. If you do a search on a username used by a spambot, you can get anywhere from a few thousand to over 100,000 hits for it.

Here's one I banned recently:

http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-21,GGLG:en&q=mortgagerefi

Note all the hits that say "View the profile of mortgagerefi" -- no doubt all those were done with a spambot like the one in the video.

Here's one with "only" 76,900 hits:

http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-21,GGLG:en&q=gfireballq

Here's one just getting started, that I banned this morning:

http://www.google.com/search?hl=en&lr=&rls=GGLG%2CGGLG%3A2006-21%2CGGLG%3Aen&q=Terhatard&btnG=Search

IMO, it's a widespread, huge problem. Sometimes the homepage links go to sites dropping malware, too. One of our admins here got hit with the WMF exploit a year ago Christmas by clicking on a spambot user's homepage link on another forum. This is evidently big money, big income for the spammers, or it wouldn't be so widespread.
Angoid
Expert Developer


Joined: 08 Dec 2006
Last Visit: 09 Mar 2013
Posts: 87
Location: Notts, UK

Posted: Thu Jan 04, 2007 5:16 am

I've just added this comment over there, seeing that others here have had a say.

Quote:
This is what makes forum running, administering, and moderating a real hell.

The number of times the same spam username has appeared on forums I'm at has gone up substantially over the past year, and we all have programs such as this one to thank for it.

Also, can the programmers and users of such programs please bear this in mind (I know you don't care, but many people do): these programs are often used to spam forums with porn, including kiddie porn. I'm referring to family-friendly forums, and would the programmers of this software like to have their 7-year-old daughters coming to them saying, "Mum/dad, what does this lot mean?" indicating a lot of links to nasty websites.


I know .... I've had teenage girls PM me on a certain other board where I have admin privileges asking me what a certain post is about, telling me that it's inappropriate, and can I delete it. I check the thread ..... and you can tell from the links what it is. Very nasty.

Errrrr ... except my comment doesn't appear to have made it over there. Maybe it needs approval - I won't repost, at least not right now anyway.
_________________
If you don't know what eschatology is then don't worry; it's not the end of the world.
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 19 Aug 2014
Posts: 10323
Location: sunny California

Posted: Thu Jan 04, 2007 8:50 am

Did you mean you posted a comment at Paperghost's blog? The comments are moderated and I'm sure it will be posted when he checks it. There's another place where spam is rampant -- blog comments. But that's another rant.
Angoid
Expert Developer


Joined: 08 Dec 2006
Last Visit: 09 Mar 2013
Posts: 87
Location: Notts, UK

Posted: Thu Jan 04, 2007 9:08 am

Yep, that's the one.

Just checked, and the comment appears now. Yes, blog spam is getting more and more rampant as well.

I wondered whether it was moderated, so I didn't want to spam that blog with the same text multiple times!!!!!!!

Using spam to fight spam, now, THAT's an idea! NOT!
mikey
Malware Expert


Joined: 12 Feb 2004
Last Visit: 14 Aug 2014
Posts: 1073
Location: CenTex

Posted: Thu Jan 04, 2007 9:42 am

You can also add SMF & Xoops to the list of affected boards. In addition they also hit the blog/journal wares as well such as PHPNuke, WPMU, all the large commercial bloggers, and more I can't think of in the form of comment spam.

Chao284, I work or patron a bunch of boards and I can tell you first hand that the spam epidemic affects all board administrators.

I don't believe even any small boards have been left untouched by the probs of spam.

Quote:
That explains a lot. I now have in a single visual verification (captcha) multiple imaging formats used.


The worst part is that all the added sec causes many users not to sign up because they just don't want to jump thru the hoops. I know this is true because I've done it myself...not signing up just cause I didn't want to bother with all the hoopla.

It is a big prob.
Angoid
Expert Developer


Joined: 08 Dec 2006
Last Visit: 09 Mar 2013
Posts: 87
Location: Notts, UK

Posted: Thu Jan 04, 2007 10:02 am

It depends on how much someone really wants to join the forum - is the subject matter important enough for them?

Clearly if there are a lot of hoops to jump through they'll probably end up passing it by .... which is a great pity.

How about Snitz? There's probably a bot somewhere that will hit it. I'm on a forum that used to use Snitz, but they decided it was outdated and moved over to Invision.
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 19 Aug 2014
Posts: 10323
Location: sunny California

Posted: Thu Jan 04, 2007 7:56 pm

Is Snitz an ASP forum? I looked at a few ASP forums when I was on a Windows host.

Answered my own question. Apparently there is some concern about spam on Snitz too.

http://forum.snitz.com/forum/topic.asp?TOPIC_ID=62874&SearchTerms=forum,spam
Angoid
Expert Developer


Joined: 08 Dec 2006
Last Visit: 09 Mar 2013
Posts: 87
Location: Notts, UK

Posted: Fri Jan 05, 2007 12:42 am

Snitz is ASP, yes .... the forum I was referring to is Unity, the forum for Enya, so a music forum. It was running Snitz 2000, but a few months ago made the switch to Invision.
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 19 Aug 2014
Posts: 10323
Location: sunny California

Posted: Tue Jan 09, 2007 9:22 pm

Well, well, lookie at our latest homepage link spammer:

http://www.spywarewarrior.com/profile.php?mode=viewprofile&u=16331

username XRumer332

I'd have to say that spammer isn't too bright.

Looks like he is just getting started with his spam campaign. Only 419 Google hits for his name so far.

http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-21,GGLG:en&q=XRumer332
Angoid
Expert Developer


Joined: 08 Dec 2006
Last Visit: 09 Mar 2013
Posts: 87
Location: Notts, UK

Posted: Wed Jan 10, 2007 1:47 am

I did some Googling last night on "Xrumer" and came up with lots of spamvertising links in forums where a user called "Xcracker" was asking for info about it.

In a lot of cases, someone would point them back to its homepage. There were lots of Russian sites in there as well.

It just struck me that I was on rather thin ice, and that I could easily have hit a malicious site - I didn't, but then I had some other things to do so didn't get that far.
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 19 Aug 2014
Posts: 10323
Location: sunny California

Posted: Fri Jan 12, 2007 7:32 pm

I found a link to another forum spam tool:

http://www.icontool.com/fp/

Quote:
Forum Poster allows you to post any message you want to over 40000 forum boards.

The current version can post to
1. phpBB Forum Boards from version 2.0.0 to 2.0.21 (http://www.phpbb.com/)
2. phpBB 3.0 "Olympus" Beta 2 (http://www.phpbb.com/development/)
3. Invision Power Board (http://www.invisionboard.com/)
4. Snitz Forums 2000 (http://forum.snitz.com/)
5. vBulletin 3 (http://www.vbulletin.com/)

Forum Poster automatically registers a user with the username, e-mail and password you typed on the board. It logs in as the registered user on the board and then posts. All made automatically. With just one click! (Please browse our demo boards for posting)

Forum Poster supports adding, editing and deleting forum URLs, and importing and exporting the forum URL list.

Forum boards are an effective way to drive traffic to your site. With your posted Ads you can bring hundreds of new visitors to your site and increase your search engine rankings which counts on link popularity like Google.



Sheesh! Even phpBB 3.0, which is supposed to have a lot of anti-spam features.

I found the link on this forum that has a lot of email domains used for spamming.

http://www.invisionfuse.com/forums/index.php?showtopic=272
Nick
Site Admin


Joined: 27 Feb 2004
Last Visit: 15 Jul 2014
Posts: 3913
Location: California

Posted: Fri Jan 12, 2007 9:41 pm

Wouldn't surprise me if some of the beta testers for phpBB are also beta testing their spam bots as new builds are released.
olliver
Expert Developer


Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

Posted: Sat Jan 13, 2007 2:30 am

Nick wrote:
Wouldn't surprise me if some of the beta testers for phpBB are also beta testing their spam bots as new builds are released.


Of course they do, just like with any other board version, no matter whether it's Open Source or super secret proprietary code. Bad boys have always probed and will probe for exploits because of their strong belief in social darwinism (contrary to what modern societies pretend to practice as ideology). So in my opinion the surprise would rather lie in the question whether phpBB developers will ever start torturing their code from a spammer's perspective until it collapses and fix its weaknesses.

I've met a lot of web developers over the years, some of them quite smart and highly decorated but in most cases incredibly naive and incompetent when it comes to security issues or implications of the code they write. Often they don't even know how to use basic features of Apache and would be totally lost in configuring a server and/or PHP themselves. And there lies the actual problem: they can't conceive of any abuse and therefore conclude it doesn't exist. There are exceptions to my observation, like for instance Fud Forum, which is led by a competent maintainer (Ilia Alshanetsky from Toronto, active PHP core developer and head of PHP's quality assurance team and a very open minded, patient and helpful person, too). But as I said before, in regard to web applications this is rather the exception than the rule. Broken code can be fixed and/or improved, but a narrow minded and/or clue resistant developer/maintainer probably can't. Although miracles do happen from time to time...

Olliver (throwing another 2 into the hat)
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 19 Aug 2014
Posts: 10323
Location: sunny California

Posted: Sat Jan 13, 2007 9:43 am

Well said, Olliver. I haven't met with many web developers, but it's not difficult to observe that many don't have a clue about how to make their applications and their web servers secure. I took a php class about 2 years ago. The instructor was a local web developer and seemingly very knowledgeable about php, apache, etc. But any time I mentioned security, he immediately changed the subject. That was around the time a lot of php forums were being hacked. He did have a lot of subject matter to cover in a short period of time, but security wasn't on his agenda in any way, shape, or form.
Angoid
Expert Developer


Joined: 08 Dec 2006
Last Visit: 09 Mar 2013
Posts: 87
Location: Notts, UK

Posted: Sun Jan 14, 2007 2:18 am

It is a problem, isn't it?

Some time ago I joined a Christian Webmasters Forum and in a thread somewhere along the line I raised the issue of security.

I got a reply from a regular there who said that he had run a virus scan some 2 years before and it had come up clean, and therefore his system was secure and OK.

I mentioned this in passing to ChrisRLG who then joined up there specifically to "back me up". It just struck me as pretty poor that people who are building websites for their churches, missionary organisations, etc. were just so totally clueless about security.

There are, unfortunately, many who think that security is not an issue. One thing I sometimes find myself saying to my non-techie friends and family is that it shouldn't be necessary, but unfortunately it's highly necessary. Most people (and I'm thinking about users here as opposed to website builders and programmers) just want their computers to read/send email, write letters, listen to music, watch videos, surf, conduct their businesses, buy/sell/auction, research, etc. In other words, their computers are merely tools to get a job done. But all too often they then have to add words such as HijackThis, Smitfraud, etc. to their vocabulary.

Computer code should be tested to destruction, just like anything would in the world of engineering. I'm sure every bot will work slightly differently, so one would (ideally) need to test anti-spam tactics against most spambots out there, or at least the most popular ... in the same way that a website should be tested using all the major Internet browsers. But as any programmer will tell you, it's not easy due to the complexity of the task in hand.

In the case of Xrumer, it says it can store the forms it has to fill in to "learn" from its mistakes (and thus hopefully get it right next time). That's my paraphrase of what its list of features said, anyway.

We get a lot of spam registrations over at Suggestafix (most of them porn, and drugs), and I understand they get a lot over at Enya's forum as well (both use Invision). Sometimes, I've seen a spammer arrive at Moya Brennan's forum only to find exactly the same spammer has hit MalwareRemoval - both using phpBB2 - and quite possibly here too.

Where the spammers are using cheap labour in a far-eastern country to do the dirty work, there's little or no defence (except perhaps to have a question and answer which requires more than a rudimentary command of the English language - but then you start to exclude those real would-be members for whom English is not their first language).

Hmmmm ... food for thought, methinx!
olliver
Expert Developer


Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

Posted: Tue Jan 16, 2007 8:35 am

Angoid wrote:
Some time ago I joined a Christian Webmasters Forum and in a thread somewhere along the line I raised the issue of security.

I got a reply from a regular there who said that he had run a virus scan some 2 years before and it had come up clean, and therefore his system was secure and OK.


The regular's logic is scary:
Just because a scan centuries ago indicated no problems doesn't mean it's still valid as of today. In other words, the regular assumes a static state where in fact there are constant changes. Thus any green light flickering on the application's display is of a temporary nature and may even be subject to errors (false negatives). In this case the judgement could be undermined by two factors:

1. Within several years, the PC is very likely to have seen applications come and go. Perhaps, in case the regular is a Windows user and loves IE, applications could even be extended to unwanted installations by rogue websites.

2. Also within several years, a virus scanner may have considerably broadened its database of signatures, thus what now is being recognised upon the attempt of execution, may have gone through undetected years ago.

Quote:
I mentioned this in passing to ChrisRLG who then joined up there specifically to "back me up". It just struck me as pretty poor that people who are building websites for their churches, missionary organisations, etc. were just so totally clueless about security.


Well, it could be, but still I see a logical fallacy here:
The fact that someone is neglecting their PC doesn't necessarily indicate that they neglect security in other fields as well. Therefore I would be careful about jumping to conclusions.

Quote:
One thing I sometimes find myself saying to my non-techie friends and family is that it shouldn't be necessary, but unfortunately it's highly necessary. Most people (and I'm thinking about users here as opposed to website builders and programmers) just want their computers to read/send email, write letters, listen to music, watch videos, surf, conduct their businesses, buy/sell/auction, research, etc. In other words, their computers are merely tools to get a job done. But all too often they then have to add words such as HijackThis, Smitfraud, etc. to their vocabulary.


Perhaps this paradoxical situation is owed to Microsoft's advertisements suggesting that any mentally retarded person can run a Windows PC and the Operating System will take care of the technically complicated rest. Unfortunately the reality looks entirely different:
A PC should be considered a complex technical device like a car, and similar to the necessity of having a driving license as a certificate of one's competence to use such a device, a computer owner should first learn how the system works. No matter how much the graphical interface is simplified, there's still a need for maintenance and administration by the user, and that requires a certain level of intelligence.

Quote:
Computer code should be tested to destruction, just like anything would in the world of engineering. I'm sure every bot will work slightly differently, so one would (ideally) need to test anti-spam tactics against most spambots out there, or at least the most popular ... in the same way that a website should be tested using all the major Internet browsers. But as any programmer will tell you, it's not easy due to the complexity of the task in hand.


I mostly agree with you, but would like to add that you need not know every garden-variety desktopnaya spamilka of this world to check for flaws. Just comparing which parts of the code deal with user input and what/how it can be (ab)used (including different php/perl/whatever settings) should suffice.

Quote:
In the case of Xrumer, it says it can store the forms it has to fill in to "learn" from its mistakes (and thus hopefully get it right next time). That's my paraphrase of what its list of features said, anyway.


Sales pitch. This may only work for stock scripts with never-changing input elements. A good strategy may be random naming of input fields on forms to thwart Xrumer's strategy, because these names are only of interest to the html document and the script at the receiving end, thus they can be any names as long as they keep matching each other. Also, various hidden fields with check values may be enough to confuse these desktop tools, which only work well as long as there are static factors that enable mass processing.

Usenet (alt.www.webmaster for example) provides enough examples of how people resolved problems with spambots abusing their contact forms or forums, so developers need not reinvent the wheel to find workarounds. But as previously written, as long as maintainer X has an inflated ego and (as a result) is clue-resistant, he will always assume that things he cannot imagine don't exist.

Quote:
Where the spammers are using cheap labour in a far-eastern country to do the dirty work, there's little or no defence (except perhaps to have a question and answer which requires more than a rudimentary command of the English language - but then you start to exclude those real would-be members for whom English is not their first language).


Or programmers becoming spammers themselves and coding spam tools for their own use and that of fellow spammers. They create brands and products which they hope will sell and make those tools highly profitable, as seen with Xrumer, a product aiming at the typical push-button marketer who thinks it's OK to spam people with unwanted crap as long as it's not illegal on paper. So obviously acceptance isn't measured by ethical values but by the amount of money a product or action can generate.

Quote:
Hmmmm ... food for thought, methinx!


It surely is. At least it's good bait for dragging me into a discussion.

Olliver

Edit: Corrected a highly embarrassing grammar error.
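A server-side sketch of the two measures olliver suggests above (random naming of input fields plus a hidden field carrying a check value), written here as an added example that is not part of this thread or of any forum package. The secret, the field list and the function names are assumptions; the mapping from random names back to logical fields is sealed with an HMAC so the server keeps no per-form state.

```python
import hashlib
import hmac
import secrets
import time

# Constructed secret for this example; a real site would load it from configuration.
SERVER_SECRET = b"example-secret-not-for-production"
# The logical fields the processing script expects, in canonical order.
FIELDS = ("sender", "email", "subject", "message")

def build_form(now=None):
    """Render the form with random field names and a sealed hidden check value.

    A bot that learned name="sender" from an earlier copy of the page posts to
    names this rendering never used, and it cannot forge the mapping because the
    hidden value carries an HMAC over it. The server keeps no per-form state.
    """
    now = int(time.time()) if now is None else now
    names = {field: "f_" + secrets.token_hex(6) for field in FIELDS}
    payload = "|".join(f"{f}={names[f]}" for f in FIELDS) + f"|t={now}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    chk = f"{payload}|m={mac}"
    inputs = "\n".join(f'<input type="text" name="{names[f]}" />' for f in FIELDS)
    html = (f'<form method="post" action="/form.cgi">\n{inputs}\n'
            f'<input type="hidden" name="chk" value="{chk}" />\n</form>')
    return html, {"names": names, "chk": chk}

def parse_submission(post, now=None, max_age=3600):
    """Map a raw POST dict back to logical fields; return None if the check fails."""
    now = int(time.time()) if now is None else now
    payload, sep, mac = post.get("chk", "").rpartition("|m=")
    if not sep:
        return None                       # no check value at all
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                       # tampered or fabricated check value
    parts = dict(p.split("=", 1) for p in payload.split("|"))
    if now - int(parts["t"]) > max_age:
        return None                       # replay of a stale copy of the form
    result = {}
    for field in FIELDS:
        if parts[field] not in post:
            return None                   # posted the "usual" names, not this form's
        result[field] = post[parts[field]]
    return result
```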
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 19 Aug 2014
Posts: 10323
Location: sunny California

PostPosted: Wed Dec 12, 2007 8:04 pm    Post subject: Reply with quote

I made this a sticky so I can find it more easily.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
olliver
Expert Developer


Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

PostPosted: Mon Dec 17, 2007 1:38 pm    Post subject: Reply with quote

suzi wrote:
I made this a sticky so I can find it more easily.

I did not know it was still worth reading, nearly forgot about the subject.

Forum, guestbook and contact form spam are closely related in that there's an easily spammable processing script at the remote end of the form. HTML itself provides valuable help for spammers, because the form tag requires the processing script as "action" element:

Example:
Code:
<form id="contact" method="post" action="http://example.org/form.cgi">


This is not very hard to parse from an html source. A regular expression substitution like:
Code:
perl -ne 's/^.*action="([^"]+)".*$/$1/ and print' source.html

would return the url of the processing script.

Similarly, the field names equate to what will become the variables in the processing script:
Code:
<input type="text" name="sender" />

"name" is the key element a spambot needs to know. Since contact forms all over the world usually keep the order "name", "email", "subject", "message", automation is highly successful.

It is vital to know that all Javascript trickery, like checking input for expected values, has no bearing on the outcome. The contact form is merely a frontend and if you know the receiving end and the values it expects, you can simply bypass the form and directly POST your request (type="text" would tell the bot to submit as plain text, rather than url encoded). Sadly a sizeable number of programmers are pretty unimaginative when it comes to abusing their own code to learn about its implications, which become apparent once a Javascript check can be bypassed by turning off Javascript.

Javascript is not entirely useless, however:
I don't mean to give spammers ideas, but I recommend studying a Javascript object reference and how settings can be overwritten. It is possible to provide useless data as the default (that is what the source code will reveal) and only change it to meaningful data with event handlers like "onClick", "onChange" and the like. But as I wrote above, you really need to know how HTTP works and how server-side scripts differ from Javascript (which is executed on the user's machine and is always "one request behind" from the server's perspective).

Olliver
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 19 Aug 2014
Posts: 10323
Location: sunny California

PostPosted: Mon Dec 17, 2007 2:28 pm    Post subject: Reply with quote

Nice to see you, Olliver.

Sometimes I want to give the link to the video of XRumer in action to someone, so now I will be able to find it more quickly.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
olliver
Expert Developer


Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

PostPosted: Mon Dec 17, 2007 5:03 pm    Post subject: xrumer desktopnaya spamilka Reply with quote

suzi wrote:
Nice to see you, Olliver.

Fortunately you cannot really see me (vis-a-vis) as I spent the last two weeks programming like a maniac, because I badly needed to complete a website. And since I hardly slept during this time, I look a bit ... well, deranged. You would not really want to see me in the messy state I am in right now. I should be tired, but I'm so wound up I can't find any rest even though the bulk of the work is finished.

Quote:
Sometimes I want to give the link to the video of XRumer in action to someone, so now I will be able to find it more quickly.


Speaking of Xrumer:
People should be aware of the "cloaking feature" which makes use of certain CSS styles that do not display links as underlined in either the normal or mouseover ("a:hover") state. Thus someone can plant links with empty spaces as text and get away with it.

You've just encountered an example. Try moving your mouse between "get away" and "with it" and see what you're missing. This is what Xrumer does with spam posts: it replaces any blanks in a message with links containing blanks as link text. So as a forum admin I would really highly recommend deactivating CSS in your browser whilst maintaining your forums, so you can immediately spot cloaked spam posts.

On a related note, you can also have much fun with "visibility:hidden" in CSS. For instance create a block of spamlinks in a paragraph and make it invisible to visitors by changing its visibility state. Search Engines, however, do not really want to know anything of CSS and therefore happily follow the links.

Did you know that you can find this thread by searching Gargle for "десктопная спамилка"? That's desktopnaya spamilka, but to be honest it was not that hard to achieve as "desktopnaya spamilka" only yields two results in Gargle. But try searching for "десктопная спамилка" and you'll get an interesting collection of spamblogs and *cough* our beloved friends from the Umaxspamforums...

Olliver
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
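An added detector for the two cloaking tricks olliver describes (blank link text, and link blocks hidden with visibility:hidden or display:none), written as illustration for forum maintainers and not taken from this thread or from any forum software. It goes slightly beyond the post by also catching a non-breaking space as link text; the class and function names and the sample post body are constructed.

```python
from html.parser import HTMLParser

VOID = {"br", "img", "hr", "input", "meta", "link"}  # elements that have no end tag

class CloakedLinkScanner(HTMLParser):
    """Flags anchors with blank link text and anchors inside CSS-hidden blocks."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._anchor = None     # [href, text chunks] while inside an <a>
        self._hidden = []       # per open element: did it start a hidden region?

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        self._hidden.append("visibility:hidden" in style or "display:none" in style)
        if tag == "a":
            self._anchor = [a.get("href") or "", []]

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor[1].append(data)

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if tag == "a" and self._anchor is not None:
            href, chunks = self._anchor
            if not "".join(chunks).strip():       # link text is only whitespace/nbsp
                self.findings.append(("blank-text", href))
            elif any(self._hidden):               # some ancestor is hidden via CSS
                self.findings.append(("hidden-block", href))
            self._anchor = None
        if self._hidden:
            self._hidden.pop()

def find_cloaked_links(html):
    """Return (reason, href) pairs for every cloaked link in a post body."""
    scanner = CloakedLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample post body: a blank-text link and a visibility:hidden block.
SAMPLE_POST = ('<p>get away<a href="http://spam.example/x"> </a>with it</p>'
               '<p style="visibility: hidden"><a href="http://spam.example/y">buy</a></p>'
               '<p>see <a href="http://good.example/">the FAQ</a></p>')
```

Running find_cloaked_links over each post body before it is displayed (or over a nightly export of the posts table) gives the same result as browsing with CSS switched off, without the manual inspection.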
smartBlue Style © 2002 Smartor
Powered by phpBB © 2001, 2002 phpBB Group