pseudocode
Title: Projekt SpamBot (english)
Posted on: Sun, 08 Oct 2006, 10:52

Projekt SpamBot
(English version; the German version is available here)
It's a rainy day and I don't have anything better to do, so I'll try a project to make phpBB-admins aware of how easy it is to register to their forums automatically (and post messages to their forums, let's see how far I'll get).
Why am I doing this?
I was running a phpBB-forum for quite some time and have been fighting spammers all along. My forum should be accessible as easy as possible and still provide maximum protection against automatic registrations (and automatic postings).
Even though my forum's URL was never advertised, after a short time the first spammers would arrive. The only "contact" to the net was my URL in my profile on phpbb.de.
I want to try how easy it is to get hold of URLs and use them for spam. At the same time I want to provide information on how to protect yourself against this pest most easily.
(My forum went offline some time ago, that's why I'm posting this here.)
To make things clear before I start: this project is just a "proof of concept" game and was only started to show how easy it can be to do spam-registrations and spam-postings in phpBB-forums. If this project is successful, I will not publish source codes or lists of forums that were victims of the SpamBot. Any inquiry about this will be deleted immediately.
All postings will be marked with a note that it's an automatic posting and that the admin should please delete the message and the account. I will only register once to each forum and post max. one message per forum.
If anyone is annoyed by my bot, I apologize. Please just delete the account, I won't come back again. It's not my intention to get on people's nerves, the only purpose of this project is to make people aware of security holes in their forums. This is best done in the place it is most needed: forums that invite spammers by ignoring their security settings.
You can find a list of hints at the end of this description to make automatic registrations and postings in your forum as hard as possible. There is no cure and no absolute security against human spammers, but if you make it too hard for bots to register to your forum, they won't bother.
The components
CollectBot
This is a script that will retrieve URLs of phpBB-forums from the internet. Because phpBB is the most used forum-software, I will only look for phpBB-forums, starting with phpbb.com's memberlist, because I assume that most forum-admins will register here some day and leave their URL in their profiles.
phpbb.com also does not delete inactive users or zero-posters, so I expect to find a huge list of URLs here.
This is how the CollectBot works:
- The first page of phpbb.com's memberlist is opened and read completely.
- URLs entered by the users (marked with "_userwww") are checked and read.
- The URL is opened to make sure that the site is reachable and to filter out sites that have long gone offline.
- The page is read. This step makes sure we really hit a phpBB-forum (and not some random other website). Websites with portals and entry-pages are spared (in this version of the CollectBot). If the bot finds phpBB-bits in the code, it assumes a phpBB-forum and saves the URL in a file.
- The startcounter of the memberlist is increased by 25 and the loop starts again.
To collect even more URLs, the CollectBot will be set to hunt for websites in other big phpBB-forums (e.g. phpbbhacks.com) simultaneously.
VerifyBot
Note: this step will not be executed for now as a closed memberlist does not prevent spam-posts.
This is a script that will go through CollectBot's list and will try to open the memberlist of each forum. If the memberlist is reachable without registration, this forum is especially suitable for spammers as Google can spider the memberlist and find the URLs in each users profile.
Simplified: Google thinks a website is more important if lots of other sites point to this site. So if spammers register in loads of forums and leave their URL in the profile, they're creating more and more "backlinks" that will have Google rank that website higher.
If the memberlist of the forum is reachable without registration, VerifyBot will put the URL into another file with "verified" addresses. All URLs from this list are potentially good targets for spam-registrations.
RegisterBot
This script will try to fill out the registration-form (profile.php?mode=register&agreed=true) of all verified forums. (The URLs are corrected, stuff like "index.php" and other additions are removed.)
If a CAPTCHA is found on the site, the script will give up immediately. There already is a "proof of concept" (here) that decodes CAPTCHAs automatically (something that should not be possible), so these scripts will not try to perform this task.
This "investigation" will only target forums that make it easy for spammers, because the forum-admins ignore the security settings in the forums. Not activating a CAPTCHA is part of this ignorance.
Attention: This is only true for the first version of the scripts. "Projekt SpamBot 2.0" contains a "CAPTCHA-Breaker" that shows how unsafe phpBB's standard-CAPTCHA is (as another "proof of concept")! You can find a description of how to break the CAPTCHA automatically here.
The script will also register if the forum uses a "shortened" registration form that only asks for a username and an email-address, even though "real" spammers are less likely to register and they'll need extra time to come back to the forum (after they activated it) and complete their profile-data.
RegisterBot will use a random username and a random password to register. The URL and the used username and password will be saved in a file after registration is completed. If the registration page reloads for what reason ever (e.g. because there's a mandatory field or a "humanizer"-question that the bot wouldn't fill out), the registration process is terminated.
The bot will use a (valid) email-address to capture any mail (with the MailBot) and activate accounts that need an activation. The field "website" will be filled with the URL to this article on registration.
MailBot
The MailBot will make way for the PostBot: if a forum requires account-activation with a code that is sent to the user's mailbox, this bot will take care of it.
To do this, I registered a freemail-account (using gmx.de). The email-address will be entered on registration to receive the registration-mails. MailBot will open the mailbox, read each mail, parse it to find the activation-URL and call it. Doing so we will receive more accounts that could be of interest to spammers.
PostBot
This next script will go the next step and log into the (activated) accounts that we created. It will post messages to the forums that we created accounts in. Usually spammers will post messages to your forum that contain a bunch of links to create more backlinks for Google.
The PostBot will call the phpBB-forum, log in, read the page and search for a forum that can be posted into. If a forum is found, the bot will post a message with a warning to the forum-admin, telling him that his forum can be used for automatic registrations and posts and asking him to do something about it (using the hints in this text).
First Aid
Is your forum the victim of SpamBot (or a "real" spammer)? What is there to do against this pest?
- Always update your forum-software to the latest version to avoid security-holes.
- Change the value of the "agreed"-variable (used in the agreement before you can register) automatically on each registration with the Unique Registration Hash. (This MOD would have stopped "Projekt SpamBot" right away!)
If you know PHP a bit, you can even change the name of that variable to something else, which should make it nearly impossible for a bot to register automatically.
- Activate visual confirmation (CAPTCHA) of your forum in your ACP. It is recommended to use the enhanced version: (Advanced Visual Confirmation), that can be hardly decoded automatically. The standard-CAPTCHA offers no protection against SpamBots, read more about it here.
- Don't use automatic activation for new users. You should switch to "activation by mail" in the ACP as most spambots use random (fake) email-addresses and can't activate their accounts this way.
- Prevent guests from calling your memberlist and users' profiles: link
- Remove non-active users from the memberlist and prevent the user's URL from being shown if they didn't post at least one message to your forum (so-called "zero-posters"): link
- Install CBack's "CrackerTracker" against automatic mass-registrations and -postings.
- The MOD Anti-Spam ACP offers various methods to stop and log spam-attempts.
- Change your registration form: add unusual mandatory fields and remove the website-field from the form. Anti Bot Question Hack, Anti-Spam ACP
- Install MODs like "Admin Reminder" and "Prune Users" to remind your users to participate in your forum and to clear your memberlist from inactive and/or lazy users.
If you don't know how to use these hints and links, you should read the FAQs in your phpBB-support-forum. All hints are well documented and easy to install even for newbies. You can find general help on how to install MODs into phpBB here.
I think that a forum-admin should be able to perform these changes to his forum on his own, that's why I will not offer support of any kind for changing your forum. My "task" is completed by writing this "proof of concept"-project and publishing the given hints.
Hints and suggestions about this topic, this project and forum-security in general can of course be posted and discussed here.
CU,
pseudocode
Last edited by pseudocode on Sat, 30 Jun 2007, 21:34, edited 4 times in total. (7 percent)
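The "Unique Registration Hash" MOD in the First Aid list replaces the constant agreed=true with a unique identifier, and boris later in this thread suggests also renaming the field. The following Python sketch is an added illustration and is not phpBB's code nor the MOD's: it shows the idea with an HMAC-signed token that is bound to the visitor's session and expires, plus a per-installation field name, and it goes beyond the MOD as described by adding the session binding and lifetime. SITE_SECRET, AGREE_FIELD, issue_token, token_is_valid and registration_allowed are this example's own names; the fixed clock in demo() is a constructed value.

```python
"""Per-session registration token instead of a static "agreed=true" field.

Added illustration (not phpBB's or any MOD's code). A bot that replays the
stock form, as the SpamBot described above does, sends "agreed=true"; this
gate ignores that field entirely and only accepts a fresh, signed token.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumptions: a per-installation secret (would live in the forum config)
# and a field name that differs from the well-known "agreed".
SITE_SECRET = secrets.token_bytes(32)
AGREE_FIELD = "reg_" + secrets.token_hex(4)   # e.g. reg_3fa1c2d9
TOKEN_TTL = 15 * 60                           # seconds a token stays valid


def issue_token(session_id: str, now: Optional[float] = None,
                secret: bytes = SITE_SECRET) -> str:
    """Token to embed as a hidden field in the registration form."""
    issued = int(now if now is not None else time.time())
    mac = hmac.new(secret, f"{session_id}:{issued}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{issued}.{mac}"


def token_is_valid(token: str, session_id: str, now: Optional[float] = None,
                   secret: bytes = SITE_SECRET, ttl: int = TOKEN_TTL) -> bool:
    """Check signature, session binding and age of a submitted token."""
    try:
        issued_str, mac = token.split(".", 1)
        issued = int(issued_str)
    except ValueError:                       # missing, malformed or empty
        return False
    current = now if now is not None else time.time()
    if not 0 <= current - issued <= ttl:     # expired or from the future
        return False
    expected = hmac.new(secret, f"{session_id}:{issued}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def registration_allowed(form: dict, session_id: str,
                         now: Optional[float] = None) -> bool:
    """Gate for the registration handler: only a valid per-session token passes.
    A static 'agreed=true' never matches because the field name differs."""
    return token_is_valid(form.get(AGREE_FIELD, ""), session_id, now=now)


def demo() -> dict:
    """Exercise the gate with a real user, a replaying bot and edge cases."""
    sid = "sess_" + secrets.token_hex(8)
    t0 = 1_160_000_000                        # constructed fixed clock
    tok = issue_token(sid, now=t0)
    return {
        "real_user": registration_allowed({AGREE_FIELD: tok}, sid, now=t0 + 60),
        "stock_bot": registration_allowed({"agreed": "true"}, sid, now=t0 + 60),
        "other_session": registration_allowed({AGREE_FIELD: tok}, "sess_other", now=t0 + 60),
        "expired": registration_allowed({AGREE_FIELD: tok}, sid, now=t0 + TOKEN_TTL + 1),
        "forged": registration_allowed({AGREE_FIELD: f"{t0}." + "0" * 64}, sid, now=t0 + 60),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'accepted' if allowed else 'rejected'}")
```

Only the real user's submission is accepted; the bot's replayed "agreed=true", a token copied from another session, an expired token and a forged one are all rejected without any visible change for the human registering.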

pseudocode
Title: (No title)
Posted on: Tue, 10 Oct 2006, 18:59

Results
CollectBot:
Almost 365000 user profiles from different websites were scanned. Ca. 10% of them had entered a website; ca. 6000 (exactly 5965) addresses were identified to be running a reachable phpBB-forum.
VerifyBot:
not executed
RegisterBot:
The bot could register to almost 1000 forums automatically; this number could be raised drastically if you'd also include pages with CAPTCHAs that can be decoded by a script.
MailBot:
Ca. 300 registrations were activated; the other registrations were either accessible right away or had to be activated by the admin (the number of those was not counted).
PostBot:
Almost 300 (exactly 288) posts were published automatically, 1-2 days after the registration, to give the admins the opportunity to find out about the reason for our registration through the link we left in the profiles.
Checks showed that the forums that were spammed were not all tiny forums, a lot of huge (and active) forums with thousands of users and tens of thousands of posts have been hit, some of them are even about "security" ...
More sophisticated routines in the PostBot could score even more "hits" in a second run.
You can find the results of the second "run" of the project here. Ten times more forums have been hit this time, so all together 13000 accounts have been created and almost 3300 posts were published!
This text was published with the subject "You have been spammed":
Code:
Hi there!
Your forum is wide open to automatic registrations and postings. Spammers can use it to spread their junk automatically, just like we did to send you this message.
Please read this article to learn how we did this and how to secure your forum against this pest:
http://www.beehave.de/forum/viewtopic.php?t=1400
This is a one-time posting by 'Projekt SpamBot' to help forum-admins to secure their software. This account will not be used again, you can delete it (and this post) if you wish.
Greetings,
pseudocode
PS: if you want to contact us, please follow the link and contribute to our discussion. Emails or PMs to this account will not be read.
Only time will tell how many postings will still be there after weeks / months and how many forums that got spammed will not change anything in their config. I hope I contributed a little to a future with less spam.
Last edited by pseudocode on Fri, 20 Oct 2006, 10:03, edited once in total. (1 percent)

Spitt
Title: (No title)
Posted on: Fri, 13 Oct 2006, 20:18

hello, you didn't hit my main site, but I wanted to thank you for your postbot anyway. I saw another site get slammed hard. I will go ahead and put some of the countermeasures up on all my sites, and hope they work well to prevent bots.
I wanted to add some as well...
## MOD Title: Visual Confirmation for Guests
## MOD Author: Kanuck < aaron@kanuck.net > (Aaron Adams) http://kanuck.net/
## MOD Description: Adds visual confirmation for guest posts, eliminating spam.
## MOD Version: 1.0.1
## MOD Title: Remove Sid For Guests (Search Engine Optimization)
## MOD Author: _underscore_ < thekingofzzt@gmail.com > (N/A) N/A
## MOD Author: espicom < N/A > (N/A) N/A
## MOD Description: Removes all sid=xyz in the urls for either all guests, guests that have a bot user-agent,
## or simply no one. It's admin configurable, so you can chance the settings or disable any
## time you want.
## MOD Version: 1.0.2_repack
## MOD Title: Unique Registration Hash
## MOD Author: pentapenguin < n/a > (Jeremy Conley) http://www.pentapenguin.com
## MOD Description: This MOD changes the "agreed=true" part of the registration
## form to a unique identifier to help stop spam bots from registering.
##
## MOD Version: 0.1.0

pseudocode
Title: (No title)
Posted on: Sat, 14 Oct 2006, 10:53

Spitt @ Fri, 13 Oct 2006, 20:18 wrote:
> I saw another site get slammed hard.
Try searching Google for "projekt spambot" (with the quotes) and you will find more hits each day
There are more deserted (but running) forums out there than I would have thought.
Spitt wrote:
> ## MOD Title: Visual Confirmation for Guests
I have seen this MOD on a couple of sites, but never used it myself as I didn't want guests to post in my forum (while I had it). I even saw this on posts for registered users, which I think is too much "security", even though it stopped my bot a couple of times. I'd rather secure the registration as much as needed and then leave the users unmolested.
Spitt @ Fri, 13 Oct 2006, 20:18 wrote:
> ## MOD Title: Remove Sid For Guests (Search Engine Optimization)
That was the first MOD I ever included. Good for helping Google to spider your forum, not really a security improvement.
Spitt @ Fri, 13 Oct 2006, 20:18 wrote:
> ## MOD Title: Unique Registration Hash
Didn't know it, but that's a VERY good one! Is not even noticed by the user but would have stopped my bot dead in its tracks right from the start!
Thanks for your contribution.

boris
Posts: 10869
Title: (No title)
Posted on: Sat, 14 Oct 2006, 11:28

Spitt @ Fri, 13 Oct 2006, 20:18 wrote:
> ## MOD Title: Unique Registration Hash
Good one! To confuse the bots even more, you can also change the NAME of the "agreed"-variable to something different.
____________ beehave - home of humbug ... [we can't afford to be neutral]

pseudocode
Title: (No title)
Posted on: Sat, 14 Oct 2006, 13:14

RegisterBot reloaded
To test whether last week's Spambot-project changed something for the better, I sent the RegisterBot around the net once again.
I only tested forums that allowed automatic registrations the first time the bot visited. No messages were posted this time, it was just checked if automatic registrations are still possible.
This is the result:
1317 registration attempts were started, of those 1195 (90.7%) were successful! A CAPTCHA was only found 12 times (0.9%); all other attempts were not successful. This does not necessarily mean that security-changes have been made: some pages were just not reachable, with others a duplicate username could have resulted in an error.
I will let the RegisterBot check the 1195 forums that still allow automatic registrations once again in a couple of weeks, to check what has been done until then.
CU,
pseudocode

boneless
Title: (No title)
Posted on: Thu, 19 Oct 2006, 13:27

right i think you definitely need to make a difference between boards where peeps just post for shits and giggles and actual support boards, like the one you posted on this morning.
We definitely need people to be able to make a post on the fly. Reason for this is they pay 395 per license for our product and want fast help.
We stopped providing icq/messenger support as it takes up most of the day and we do have lives of our own outside of the internet. that's the main reason why people need to be able to post on the fly...
having said that we got now 5 mods on constant lookout for spam, the most it stays on is like 4-6 hours and the most thread views i have seen was like 4 of which two were mods of our board.
also i am aware of the automated activation procedure in the software, prob is when it fucks up it will make one of our customers very angry about not being able to get the support the way he needs to get it. This will almost 100% sure make them post bullshit on other boards (we deal with the adult community of the internet and they are a bunch of whining kids to be honest ).
So to prevent us from getting badmouthed on other boards we left it open.
I hope my post here clarifies our view on this a bit....
i do want to thank you for making board owners aware of this as lots of them are obviously open to spam.
Regards,
Ed Dost aka boneless

pseudocode
Title: (No title)
Posted on: Thu, 19 Oct 2006, 19:30

I get your point and admit that the bot hit a couple of forums that want it just the way they have it. But if you sit in the first rows, you may get wet.
The whole project was meant to warn people that just run a forum and do not think about forum-security. With your mods and your quick response time to remove spam you have basically just "humanized" the steps I recommended.
I understand that you need your forum to be accessible by everyone as quickly as possible and that the advanced CAPTCHA is making that goal impossible to reach. Still I recommend you install the "Unique Registration Hash"-MOD and change the name of the "agreed"-variable throughout your forum. Your users will not notice any changes but stupid bots (like mine) will have a hard time.
boneless @ Thu, 19 Oct 2006, 13:27 wrote:
> we deal with the adult community of the internet and they are a bunch of whining kids to be honest
That statement made my day, thanks

boneless
Title: (No title)
Posted on: Thu, 19 Oct 2006, 19:45

pseudocode @ Thu, 19 Oct 2006, 19:30 wrote:
> Still I recommend you install the "Unique Registration Hash"-MOD and change the name of the "agreed"-variable throughout your forum. Your users will not notice any changes but stupid bots (like mine) will have a hard time.
good stuff man, I'll have someone look into it
yes we have been hit by the spambots lately, but i found even boards with the auth email on get slammed hard by them.
Basically our forum will not hold a lot of value for the spammers, as we deal with webmasters and companies and they are defo not looking for viagra and the likes
Anyways, I'm glad to see someone took the time to warn others, like i said it might not go for us, but a lot of boards will get a lot less spam if they follow a bit of your directions
regards,
Ed

pseudocode
Title: (No title)
Posted on: Thu, 19 Oct 2006, 20:00

boneless @ Thu, 19 Oct 2006, 19:45 wrote:
> Basically our forum will not hold a lot of value for the spammers, as we deal with webmasters and companies and they are defo not looking for viagra and the likes
Even if your users don't click on the links, there still is value for the spammers: your forum can be found by search engines (otherwise my bot would've never found out your URL), so every spam-message will create backlinks to the spammers' sites.
If the search engines come back they will count those links and rank pages with the most backlinks higher for that special keyword. So every spam-message that is not deleted will help the spammers to get visitors to their sites indirectly.
That's why I recommended closing the memberlist to guests, so the search engines can't spider it and count a backlink from the users' profiles (even if the spam-posts are deleted).
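The memberlist hints in the First Aid list of the opening post (close the memberlist to guests, hide the URL of zero-posters, prune inactive accounts) and the backlink explanation in this reply come down to one server-side policy for rendering the memberlist. The following Python sketch is an added illustration, not phpBB's memberlist.php nor any of the linked MODs; Member, visible_members, website_link, render_memberlist and prune_candidates are this example's own names, and the member records are constructed. It also puts rel="nofollow" on the outbound profile links, a measure phoenix mentions later in this thread, so that even a URL that does slip through earns no search-engine credit.

```python
"""Denying spam registrations their backlink: guest gate, zero-poster URL
hiding, nofollow, and a prune list. Added example with constructed data;
this is not phpBB's memberlist code.
"""
from dataclasses import dataclass
from html import escape
from typing import List, Optional


@dataclass
class Member:
    name: str
    posts: int
    website: Optional[str]
    activated: bool
    days_since_registration: int


# Constructed sample data: one regular user, two profiles that look like
# spam registrations (random name, no posts, website set), one quiet newcomer.
MEMBERS: List[Member] = [
    Member("alice", 120, "http://alice.example/", True, 800),
    Member("kj3x9qpz", 0, "http://pills.example/", True, 20),
    Member("xq72mvnd", 0, "http://casino.example/", False, 3),
    Member("bob", 0, None, True, 5),
]


def visible_members(members: List[Member], viewer_is_guest: bool) -> List[Member]:
    """Guests (and therefore search-engine spiders) get nothing; members
    see activated accounts only, so unapproved registrations never appear."""
    if viewer_is_guest:
        return []
    return [m for m in members if m.activated]


def website_link(m: Member) -> str:
    """Show the profile URL only for activated accounts with at least one post,
    and always with rel="nofollow" so it is not counted as a backlink."""
    if not m.website or m.posts < 1 or not m.activated:
        return ""
    url = escape(m.website, quote=True)
    return f'<a href="{url}" rel="nofollow">{url}</a>'


def render_memberlist(members: List[Member], viewer_is_guest: bool) -> Optional[str]:
    """Return the memberlist HTML for members, or None (deny) for guests."""
    rows = visible_members(members, viewer_is_guest)
    if not rows:
        return None
    lines = ["<table>"]
    for m in rows:
        lines.append(
            f"<tr><td>{escape(m.name)}</td><td>{m.posts}</td>"
            f"<td>{website_link(m)}</td></tr>"
        )
    lines.append("</table>")
    return "\n".join(lines)


def prune_candidates(members: List[Member], max_idle_days: int = 14) -> List[str]:
    """Zero-posters older than max_idle_days that carry a website or were
    never activated: the accounts a "Prune Users" style cleanup would remove."""
    return [
        m.name for m in members
        if m.posts == 0
        and m.days_since_registration > max_idle_days
        and (m.website or not m.activated)
    ]


if __name__ == "__main__":
    print("guest view:", render_memberlist(MEMBERS, viewer_is_guest=True))
    print(render_memberlist(MEMBERS, viewer_is_guest=False))
    print("prune:", prune_candidates(MEMBERS))
```

With the constructed data the guest view is denied outright, the member view lists alice and the zero-posters but renders only alice's URL (with nofollow), and the prune list names the 20-day-old zero-poster with a website; the 3-day-old unactivated account is left alone until the idle threshold passes.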

boneless
Title: (No title)
Posted on: Thu, 19 Oct 2006, 20:21

true that, i will have our admin look into it, i myself am the tech support of our script but won't touch phpbb with a long stick

pseudocode
Title: (No title)
Posted on: Thu, 19 Oct 2006, 20:44

Then the bot's mission is accomplished
Good to hear from you, there's always more to learn as I never worked with a huge forum and the time it took me to keep it running (and free from spam) was getting too much for my spare time.
Also it's rewarding that my work (which started just as a "proof of concept"-fun-idea) actually helped people. Most replies were just something like "get lost" (didn't want to use the f-word) or "don't care", a lot of people thought this was a trick to get them to this website with more spam waiting.
I'll put together a set of reactions when I find the time.

pseudocode
Title: (No title)
Posted on: Fri, 20 Oct 2006, 10:00

Projekt SpamBot - Second Flush
This time the bot didn't look for URLs in phpBB-forums but spidered the web using search engines.
This is the result:
- CollectBot v2: more than 220000 URLs were spidered using ca. 200 search keywords
- the bot found more than 55000 different URLs, 32210 of them were phpBB-forums
- RegisterBot: 12,169 automatic registrations were made
- MailBot: 1,089 accounts were activated using the confirmation-link in a mail
- PostBot: 2,914 posts were published automatically
This should be enough as a "proof of concept", "Projekt SpamBot" has now ended. As soon as I find the time, I will publish some of the reactions here.
CU,
pseudocode

Spitt
Title: (No title)
Posted on: Tue, 24 Oct 2006, 12:47

heh next time you send that thing out... could you create some back links for me
*cough*ubergameguides.com*cough*
Again, thank you for your help.

pseudocode
Title: (No title)
Posted on: Thu, 26 Oct 2006, 12:23

<whisper>sendmeallyourmoney</whisper>
Honestly: the project has ended, no more registrations (especially no postings) will be made. The only thing I may let the bot check is how many CAPTCHAs have been installed, and no registrations are necessary for that

damnian
Title: (No title)
Posted on: Sun, 29 Oct 2006, 02:35

Hi pseudocode, please check your inbox.

daxamite
Title: Thanks for the info
Posted on: Sun, 03 Dec 2006, 20:32

Hello pseudocode,
Your bot posted on my forum. Since then I visited your site here and made the necessary changes to my forum.
Thanks for the help in the fight against spammers!
James
www.triphopstop.com

Keef
Title: (No title)
Posted on: Sat, 07 Jul 2007, 13:54

Thanks for the "spam" to our site. You found the one forum that we deliberately leave open for anonymous postings - there is a good reason for that. Yes we do get some spam on there, but we have a team of Admins who delete it as fast as it arrives.
However, we also suffer from Bots registering - their accounts get deleted PDQ, since we have "Admin Approval Needed" switched on. I like the other stuff you suggest to stop non-members reading the memberlist or names appearing in the memberlist before they are approved.
If we block the memberlist to non-members, does that prevent Google etc from indexing the duff registrations and recognising their links?
Kind regards!
Keef

pseudocode
Title: (No title)
Posted on: Sun, 08 Jul 2007, 10:36

Keef wrote:
> If we block the memberlist to non-members, does that prevent Google etc from indexing the duff registrations and recognising their links?
Exactly. If Google can't see your memberlist, the bots' websites will not be indexed and don't receive a "backlink" from your site (which increases their pagerank in Google).
The bots probably won't check if your memberlist is visible to guests and will still register (if you don't also install the suggested MODs), but at least their registration won't help them any more.
regards,
pseudocode

phoenix
Title: (No title)
Posted on: Sun, 15 Jul 2007, 17:08

Thanks for your joke
But all phpbb has this kind of security hole; you can add any mods, it will not really change it anymore
There are also some other holes, and not only in phpbb, but there's no need to spell out the list here, it can be found on security websites (astalavista, millworms, secunia, ...)
I really thank you for your joke.
A simple protection, like an advice: all registered users can post in 1 forum, like 'introduce yourself'. If good, join a group where users can post in other forums; if not, put in prison and place it in a "garbage forum" with private data published.
In my case, it is all the more funny since the memberlist receives a nofollow, so no google page rank. nofollow is also available for all other links: links, pictures, videos, "swf", everything in nofollow
Moreover, in the memberlist, when you click on the link, you just come back to my forum, so when my users click on your link, they come back to me!
But it is just for the fun
The best protection is attack.
When I am spammed, I usually search logs, IPs, and after making some whois, publish first of all your email address so as to let the future bots spam you, with all personal data. but this is still nothing.
I usually take the website about the advertisement, and I manage to force the website to move to a double Xeon server, that costs approximately around 300$ a month.
So, you would like to test forum protections, should I develop mine with you?
The first thing you should think about: phpbb is very weak, and it needs very little time to crash it, because phpbb eats too much sql.
Sorry, I have also forgotten.
I take the hash code of the spammer, decrypt it, and after, I will check if I can use the same password for the spammer's email address or simply to check some entries of the outsourcing, maybe some spammers are not so clever or not so careful