Spam bots defeat Recaptcha.

  • CarterMarkham
    Senior Member
    • Apr 2008
    • 207
    • 4.0.0

    #46
    I have to ask: I have been making a list in vBulletin of blocked IPs. Is it a problem if one gets listed twice? I can't go through the whole list and double-check...

    Comment

    • CarterMarkham
      Senior Member
      • Apr 2008
      • 207
      • 4.0.0

      #47
      I have disabled reCAPTCHA as it's very hard to read. I need to do something here. I'm going to check out IS Bot when I get home.

      Comment

      • Suri.CMS
        Senior Member
        • Apr 2008
        • 276

        #48
        I've blocked China in htaccess. That seems to do the trick.
        How do you block a specific country ?
        Can you please elaborate ?

        Comment

        • hbr
          New Member
          • Sep 2006
          • 28
          • 3.7.x

          #49
          Originally posted by Suri.CMS
          How do you block a specific country ?
          Can you please elaborate ?
          Just have a look at this:
          A global, open, stable, and secure Internet that serves the entire Asia Pacific community


          Start with 58.17.*.* and 222.176. to 222.183.

          Comment

          • diettalk
            Senior Member
            • Jan 2002
            • 236
            • 4.1.x

            #50
            Originally posted by Suri.CMS
            How do you block a specific country ?
            Can you please elaborate ?
            You can try... http://ip.ludost.net/
            John
            diet support at diettalk.com

            Comment

            • joomlajon
              Senior Member
              • Aug 2006
              • 129
              • 3.8.x

              #51



              I have also got a couple of China accounts, and I have a non-English forum.

              beijmanli [email protected]
              lovebeijgo [email protected]

              Comment

              • CarterMarkham
                Senior Member
                • Apr 2008
                • 207
                • 4.0.0

                #52
                Won't a large htaccess file slow down your site?

                Comment

                • steven s
                  Senior Member
                  • Jul 2004
                  • 3722
                  • 3.8.x

                  #53
                  Most of these have spammed my board also in the past two days.
                  ...steven
                  www.318ti.org (vB3.8) | www.nccbmwcca.org (vB4.2)
                  bmwcca.org/forum | m135i.net
                  "I tried to clean this up but this thread is beyond redemption." - Steve Machol

                  Comment

                  • hbr
                    New Member
                    • Sep 2006
                    • 28
                    • 3.7.x

                    #54
                    I had a look at the serverlogs.

                    One thing that is common to all bot registrations is that they are quite different from "normal" registrations.

                    Here are two bot-registrations from the serverlogs:
                    61.173.43.67 - - [23/May/2008:05:56:30 +0200] "GET /register.php?do=signup HTTP/1.1" 200 17751 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de"
                    61.173.43.67 - - [23/May/2008:05:56:31 +0200] "POST /register.php?do=register HTTP/1.1" 200 23960 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/register.php?do=signup"
                    61.173.43.67 - - [23/May/2008:05:56:32 +0200] "GET /image.php?type=hv&hash=e04cd6d3adbcc6d2cf83f0b9caa47c56 HTTP/1.1" 200 14536 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/register.php?do=signup"
                    61.173.43.67 - - [23/May/2008:05:57:28 +0200] "POST /register.php?do=addmember HTTP/1.1" 200 15480 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/register.php?do=register"
                    61.173.43.67 - - [23/May/2008:06:42:23 +0200] "GET /register.php?a=act&u=10848&i=74842131 HTTP/1.1" 200 24245 "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
                    and
                    218.240.13.108 - - [23/May/2008:07:22:34 +0200] "GET /register.php?do=signup HTTP/1.1" 200 17646 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de"
                    218.240.13.108 - - [23/May/2008:07:22:37 +0200] "POST /register.php?do=register HTTP/1.1" 200 23855 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/register.php?do=signup"
                    218.240.13.108 - - [23/May/2008:07:22:39 +0200] "GET /image.php?type=hv&hash=a6c3342ed881d2d11e9fa8890a5c6ca8 HTTP/1.1" 200 17554 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/register.php?do=signup"
                    218.240.13.108 - - [23/May/2008:07:25:53 +0200] "POST /register.php?do=addmember HTTP/1.1" 200 15370 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/register.php?do=register"
                    218.240.13.108 - - [23/May/2008:07:26:16 +0200] "GET /register.php?a=act&u=10849&i=7684469 HTTP/1.1" 200 24248 "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
                    218.240.13.108 - - [23/May/2008:16:45:12 +0200] "GET /register.php?do=signup HTTP/1.1" 200 17646 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de"
                    218.240.13.108 - - [23/May/2008:16:45:17 +0200] "POST /register.php?do=register HTTP/1.1" 200 23855 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/register.php?do=signup"
                    218.240.13.108 - - [23/May/2008:16:45:25 +0200] "GET /image.php?type=hv&hash=7e2605968c62524a0e9614933758f977 HTTP/1.1" 200 11875 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/register.php?do=signup"
                    218.240.13.108 - - [23/May/2008:16:45:33 +0200] "POST /register.php?do=addmember HTTP/1.1" 200 24670 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/register.php?do=register"
                    218.240.13.108 - - [23/May/2008:16:45:39 +0200] "GET /profile.php?do=editsignature HTTP/1.1" 200 26624 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de"
                    218.240.13.108 - - [23/May/2008:16:45:49 +0200] "POST /profile.php?do=updatesignature HTTP/1.1" 200 26933 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/profile.php?do=editsignature"
                    Please note that this is really everything they did from the server point of view. The remarkable thing is: there was not a single image loaded, no javascript, no nothing besides the scripts. The bots seem to get directly to the vb-scripts and register the bot-user.

                    Probably they got a hook into that MD5 checksum/hash of the images (I guess this is an MD5 checksum). MD5 is quite outdated in some ways. I would propose to change to SHA1 for testing purposes. I am willing to join some tests.

                    Please, Jelsoft programmers, have a look at this issue. I guess there is some trouble ahead that needs to be avoided...

                    Comment
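The pattern described in post #54, a completed registration from an address that never requests an image, stylesheet or JavaScript file, can be checked mechanically over an access log. This is an added example, not part of the original thread or of vBulletin; the sample log lines, addresses, host name, static file paths and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the log lines above. Addresses are
# documentation ranges and forum.example is a placeholder host.
SAMPLE_LOG = '''\
192.0.2.10 - - [23/May/2008:05:56:30 +0200] "GET /register.php?do=signup HTTP/1.1" 200 17751 "UA-1" "http://forum.example"
192.0.2.10 - - [23/May/2008:05:56:31 +0200] "POST /register.php?do=register HTTP/1.1" 200 23960 "UA-1" "http://forum.example/register.php?do=signup"
192.0.2.10 - - [23/May/2008:05:56:32 +0200] "GET /image.php?type=hv&hash=0000 HTTP/1.1" 200 14536 "UA-1" "http://forum.example/register.php?do=signup"
192.0.2.10 - - [23/May/2008:05:57:28 +0200] "POST /register.php?do=addmember HTTP/1.1" 200 15480 "UA-1" "http://forum.example/register.php?do=register"
198.51.100.7 - - [23/May/2008:08:00:01 +0200] "GET /register.php?do=signup HTTP/1.1" 200 17751 "UA-2" "http://forum.example"
198.51.100.7 - - [23/May/2008:08:00:02 +0200] "GET /static/site.css?v=3 HTTP/1.1" 200 4100 "UA-2" "http://forum.example/register.php?do=signup"
198.51.100.7 - - [23/May/2008:08:00:02 +0200] "GET /static/site.js HTTP/1.1" 200 9120 "UA-2" "http://forum.example/register.php?do=signup"
198.51.100.7 - - [23/May/2008:08:01:40 +0200] "POST /register.php?do=addmember HTTP/1.1" 200 15480 "UA-2" "http://forum.example/register.php?do=register"
203.0.113.5 - - [23/May/2008:09:00:00 +0200] "GET /index.php HTTP/1.1" 200 30100 "UA-3" "-"
203.0.113.5 - - [23/May/2008:09:00:01 +0200] "GET /images/logo.gif HTTP/1.1" 200 2200 "UA-3" "http://forum.example/index.php"
'''

# client IP, ident, user, [timestamp], "METHOD path PROTOCOL"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
STATIC_EXT = (".css", ".js", ".gif", ".png", ".jpg", ".jpeg", ".ico")

def script_only_registrants(log_text):
    """Return sorted IPs that POSTed do=addmember but fetched no static asset."""
    seen = defaultdict(lambda: {"static": 0, "addmember": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ip, method, target = m.groups()
        path = target.split("?", 1)[0].lower()
        if path.endswith(STATIC_EXT):
            seen[ip]["static"] += 1  # image.php (the CAPTCHA script) is not static
        elif method == "POST" and "register.php?do=addmember" in target:
            seen[ip]["addmember"] += 1
    return sorted(ip for ip, c in seen.items()
                  if c["addmember"] and not c["static"])

if __name__ == "__main__":
    print(script_only_registrants(SAMPLE_LOG))
```

A visitor whose browser already has the forum's assets cached can also produce few static requests, so a hit is a signal for review alongside other evidence such as timing between the requests.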

                    • Dv_
                      New Member
                      • Aug 2006
                      • 19
                      • 4.2.X

                      #55
                      Another one...

                      lmno820
                      email : [email protected]
                      IP : 59.173.226.84

                      Comment

                      • renep
                        Senior Member
                        • Aug 2005
                        • 596
                        • 3.8.x

                        #56
                        Originally posted by hbr
                        I had a look at the serverlogs.
                        I don't understand your point. What's so special about these log entries?
                        "The lurking suspicion that something could be simplified is the world's richest source of rewarding challenges"
                        - Edsger Dijkstra

                        Comment

                        • hbr
                          New Member
                          • Sep 2006
                          • 28
                          • 3.7.x

                          #57
                          Originally posted by renep
                          I don't understand your point. What's so special about these log entries?
                          They prove that this is an automated action, not done by a person with a browser.
                          Probably they will help to have this issue fixed or at least make it more difficult.

                          Comment

                          • Hooligun
                            New Member
                            • Mar 2007
                            • 2
                            • 3.6.x

                            #58
                            I got at least 15 spammers this week. I never had spam before on the board; since vb3.7 these problems appear. First I had normal auth, now I got recaptcha and here they are again. While I had no spam on 3.6.8 or later.. But since vb3.7 spam spam spam all over. I hope this gets fixed, 'cause this starts to be annoying.

                            Comment

                            • AdrianH
                              Senior Member
                              • Sep 2007
                              • 508

                              #59
                              They are walking right past all the captcha systems I have tried so far.

                              Anyway, there is an image mod from v3** that is available and working on v3.7, I am trying that out now and it is called BEFORE the registration fields so it acts as an extra layer.

                              Users are required to click the appropriate image to be able to proceed to the registration fields.



                              I have increased the default number of images displayed from 4 to 8.

                              There are instructions in the thread to do this and Jason the coder is looking at making a new version with ACP controls in the future.

                              Comment

                              • AdrianH
                                Senior Member
                                • Sep 2007
                                • 508

                                #60
                                Another tool for anyone interested is a huge list of spammers' email addresses maintained by my old friend ForumNut at http://forumnutsandbolts.freeforums.org/portal.php. Mainly phpbb2 stuff there, but he keeps up this list, which can be used as a blocklist.

                                The thread is located here.....

                                ( Registration is required)

                                He gets hate mail from the spammers along with expletives and threats but the list keeps growing

                                Comment
