Spammers Getting Around Image Verification

  • Wayne Luke
    vBulletin Technical Support Lead
    • Aug 2000
    • 74134

    #31
    You'll have to switch Human Verification methods. Human Verification, especially Image Verification, is a cat and mouse game. There are only so many changes we can make to the system before they crack it again. The other verification methods are a little more difficult but will eventually be cracked as well.

    If you insist on continuing to use image-based Captchas, then changing the fonts so that they are different from those supplied with vBulletin will slow them down. As will changing the backgrounds.

    The only long term solution to spam will be Bayesian filters similar to those used by email clients. vBulletin allows you to use the Akismet Anti-spam filter at this time and will expand to allowing the Typepad Anti-spam filter in 3.8.0.

    Personally, I'd recommend moderating a new user's posts until they have 5 approved before turning off registration. Legitimate users will still post and wait for approval. Spam will be deleted before it reaches the public. Plus if you let them register then you can build your own anti-spam database to either track it in the future or ban the offenders from your site altogether.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API

    Comment

    • Rusted
      New Member
      • Jun 2007
      • 2

      #32
      Another vote for non-human spam bot. Maybe human configured, but it was happening too fast and to too many sites to be human one at a time. I had a flood (about 30 accounts each) created on 3 of the sites I admin. Changing the captcha seemed to stop it.

      Comment

      • Wayne Luke
        vBulletin Technical Support Lead
        • Aug 2000
        • 74134

        #33
        Originally posted by Rusted
        Another vote for non-human spam bot. Maybe human configured, but it was happening too fast and to too many sites to be human one at a time. I had a flood (about 30 accounts each) created on 3 of the sites I admin. Changing the captcha seemed to stop it.
        The newest thing for attacks of this nature is "Human Assisted Bots". People are only called in when the bot beeps that it's stuck. The centers that do this could have dozens if not hundreds of people working to register and spam different sites. With modern computers, a single person can unleash the bot on dozens of sites at a time.
        Translations provided by Google.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API

        Comment

        • JonUrban
          Senior Member
          • Jul 2003
          • 222
          • 4.0.0

          #34
          My forum got hammered today as well. I had to turn off new registrations, then deleted all of the spam members.

          What got these people fired up? Who do they think they'll attract?

          Comment

          • Dominiek
            New Member
            • Jul 2008
            • 7

            #35
            Originally posted by Wayne Luke
            The newest thing for attacks of this nature is "Human Assisted Bots". People are only called in when the bot beeps that it's stuck. The centers that do this could have dozens if not hundreds of people working to register and spam different sites. With modern computers, a single person can unleash the bot on dozens of sites at a time.
            The delay between the HTTP GET of the image and the HTTP POST of the reply is less than a second. And that interval is always the same. It's just too fast and consistent to be human.
            Visit www.discussionworldforum.com

            Comment

            • Doodad
              Member
              • Feb 2008
              • 48

              #36
              Count me among the number. Started apparently the other day and today has been murder. I am cleaning out the addresses.

              Comment

              • Thamelas
                New Member
                • Aug 2007
                • 26
                • 3.6.x

                #37
                I'm being hammered too. I use email verification, captcha, and the NoSpam mod which requires a correct answer to a question that I make up. They are getting by everything like it's not even there.
                Last edited by Thamelas; Wed 1 Oct '08, 4:26pm.

                Comment

                • khosk
                  New Member
                  • Oct 2008
                  • 3

                  #38
                  I have checked my logs, the spambot isn't even checking the captcha. It calls register.php with a parameter of s and some long hex string then calls index.php with a parameter of s and you can see the rest. No image.php is ever called, so the spambot is bypassing the check.

                  The first two parameters are getting cut off when I post.

                  register.php s = 062e492e20f2647ed111199cd81519a9
                  index.php s = 29407f6d587142b54a2129a1a679a85b

                  PHP Code:


                  84.19.188.30 - - [01/Oct/2008:18:38:44 -0400] "GET /forum/register.php? HTTP/1.0" 200 18156 "http://volkovtrio.com/sound/pre/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"
                  84.19.188.30 - - [01/Oct/2008:18:38:48 -0400] "GET /forum/index.php? HTTP/1.0" 200 45797 "http://www.erisaboard.com/index.php?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"
                  84.19.188.30 - - [01/Oct/2008:18:39:01 -0400] "GET /forum/register.php HTTP/1.0" 200 17854 "http://www.erisaboard.com/register.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"
                  84.19.188.30 - - [01/Oct/2008:18:39:02 -0400] "POST /forum/register.php?do=register HTTP/1.0" 200 23413 "http://www.erisaboard.com/forum/register.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"
                  84.19.188.30 - - [01/Oct/2008:18:39:05 -0400] "POST /forum/register.php?do=addmember HTTP/1.0" 200 23907 "http://www.erisaboard.com/forum/register.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"

                  Comment
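The two log observations made in posts #35 and #38 (a registration submitted without any image.php request, and a submission that arrives too quickly) can be checked mechanically. The following is an added example, not part of any post in this thread and not vBulletin code; the sample log lines are constructed, and the function name, the 5-second threshold and keying on client IP are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache combined log format (not the log posted in the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Oct/2008:18:39:01 -0400] "GET /forum/register.php HTTP/1.0" 200 17854 "-" "ExampleAgent/1.0"
192.0.2.10 - - [01/Oct/2008:18:39:02 -0400] "POST /forum/register.php?do=register HTTP/1.0" 200 23413 "-" "ExampleAgent/1.0"
192.0.2.10 - - [01/Oct/2008:18:39:05 -0400] "POST /forum/register.php?do=addmember HTTP/1.0" 200 23907 "-" "ExampleAgent/1.0"
198.51.100.7 - - [01/Oct/2008:18:40:00 -0400] "GET /forum/register.php HTTP/1.1" 200 17854 "-" "ExampleBrowser/2.0"
198.51.100.7 - - [01/Oct/2008:18:40:04 -0400] "POST /forum/register.php?do=register HTTP/1.1" 200 23413 "-" "ExampleBrowser/2.0"
198.51.100.7 - - [01/Oct/2008:18:40:05 -0400] "GET /forum/image.php HTTP/1.1" 200 4096 "-" "ExampleBrowser/2.0"
198.51.100.7 - - [01/Oct/2008:18:40:41 -0400] "POST /forum/register.php?do=addmember HTTP/1.1" 200 23907 "-" "ExampleBrowser/2.0"
"""

# client IP, timestamp, method, URL, status
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_signups(log_text, min_seconds=5):
    """Flag addmember POSTs with no prior image.php fetch or an implausibly fast submit.

    min_seconds is an assumed, tunable threshold. Clients are keyed by IP only,
    so users behind a shared NAT or proxy are merged into one client.
    """
    image_seen = {}   # ip -> time of last image.php request
    form_seen = {}    # ip -> time of last GET of register.php
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, stamp, method, url = m.group(1, 2, 3, 4)
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        path, _, query = url.partition("?")
        if method == "GET" and path.endswith("/image.php"):
            image_seen[ip] = when
        elif method == "GET" and path.endswith("/register.php"):
            form_seen[ip] = when
        elif method == "POST" and path.endswith("/register.php") and "do=addmember" in query:
            reasons = []
            if ip not in image_seen:
                reasons.append("no image.php request")
            # Time from the challenge image (or, failing that, the form) to the submit.
            start = image_seen.get(ip) or form_seen.get(ip)
            if start is not None and (when - start).total_seconds() < min_seconds:
                reasons.append("submitted in under %ds" % min_seconds)
            if reasons:
                findings.append((ip, reasons))
    return findings
```

A flagged client is a lead to review rather than proof of automation; the check does not measure whether the interval is identical across registrations, which was the other signal mentioned in post #35.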

                  • Wayne Luke
                    vBulletin Technical Support Lead
                    • Aug 2000
                    • 74134

                    #39
                    The s is the session hash. Do you have image verification on?
                    Translations provided by Google.

                    Wayne Luke
                    The Rabid Badger - a vBulletin Cloud demonstration site.
                    vBulletin 5 API

                    Comment

                    • khosk
                      New Member
                      • Oct 2008
                      • 3

                      #40
                      Yes, but it never even calls it. I have tested and everything looks fine but the spambot can register without ever calling the image for verification.

                      Comment

                      • Ohiosweetheart
                        Senior Member
                        • Dec 2005
                        • 1965
                        • 3.8.x

                        #41
                        Originally posted by Steve Machol
                        Verification does not stop human spammers from registering then turning over the posting to a bot.

                        Please see this: How to Reduce Spam and Registration Bots
                        I've had 50 + spammers just today, on each of my sites. After being banned, they then use the contact us and proceed to spam ME.

                        Can contact us not be disabled for the banned usergroup??
                        Peggy
                        ~ normal is overrated ~

                        One Buzy Mama!

                        Comment

                        • Photics
                          Member
                          • Mar 2008
                          • 36

                          #42
                          This seems like such a silly thing and a huge waste of time.

                          Early this morning, after I figured out what was going on, the new posts were set to automatically be placed into moderation. The messages and the spam accounts were deleted. These spam messages didn't make me want to buy any viagra or visit any porn sites.
                          Michael Garofalo
                          Webmaster - http://photics.com

                          Comment

                          • wutthehell
                            New Member
                            • Jun 2008
                            • 6

                            #43
                            Our site has been hit bad as well. However I am having an issue implementing the extra question during verification. I am using 3.7.1 and I don't have a "User Profile Fields"....

                            I have had to turn off new regs as well.... seems like a pretty big exploit?
                            AdminCP -> User Profile Fields -> Add New User Profile Field

                            Profile Field Type: Single-Line Text Field
                            <<Continue>>

                            Use the following information when creating the Profile Field:
                            Title: Can you spell?
                            (Note: Adjust the title to the question you want to ask)
                            Description: Enter the first character of the word "Monkey"
                            (Note: Adjust the question. Don't use this example as it would be quickly picked up by bot registrations)
                            Default Value: B
                            (Note: anything but a valid answer)
                            Field Required: No, but display at registration
                            Field Editable by User: Only at registration
                            Private Field: Yes
                            Field Searchable on Members List: No
                            Show on Members List: No
                            Regular Expression: ^[mM]$
                            (Note: this expression would only allow a 'm' or 'M' as valid answers, adjust to your needs)

                            Oh yeah... here's my list of banned IPs...

                            Comment

                            • Photics
                              Member
                              • Mar 2008
                              • 36

                              #44
                              I implemented the extra question. It didn't seem to work for me. HA!
                              Michael Garofalo
                              Webmaster - http://photics.com

                              Comment

                              • Wayne Luke
                                vBulletin Technical Support Lead
                                • Aug 2000
                                • 74134

                                #45
                                Originally posted by Photics
                                I implemented the extra question. It didn't seem to work for me. HA!
                                Was your question: What is 2 + 2?

                                You need to ask decent questions.

                                Though like I said in a different thread, I am using Recaptcha on different sites and haven't had a single spam registration. One site is just sitting wide open (not even using the latest version) and uses recaptcha for human verification with no issues today.
                                Translations provided by Google.

                                Wayne Luke
                                The Rabid Badger - a vBulletin Cloud demonstration site.
                                vBulletin 5 API

                                Comment
