XRumer
Encyclopedia
XRumer is a Windows
blackhat SEO
program that is able to successfully register and forum spam
with the aim of boosting search engine rankings
. The program is able to bypass security techniques commonly used by many forums and blogs to deter automated spam, such as account registration, client detection, many forms of CAPTCHA
s, and e-mail
activation before posting. The program utilises socks and http proxies
in an attempt to make it more difficult for administrators
to block posts by source IP and features a proxy checking tool to verify the integrity and anonymity of the proxies used.
In addition, the software can avoid the suspicions of forum
administrators by first registering to make a post in the form of a question which mentions the spam product ("Where can I get...?"), before registering another account to post a spam link which mentions the product. The side effect of these innocent-looking posts is that helpful forum visitors may search on a search engine (e.g. Google) for the product and themselves post a link to help out, thus bolstering the product's Google stats without falling afoul of forum posting policies. The software is also capable of avoiding detection by making posts in off-topic, spam and overflow sections of forums thus attempting to keep its activities in high activity low content areas of the targeted forum.
Xrumer is capable of posting to Blog and guestbooks in addition to its main role as an automated forum posting tool, it can also create forum profiles complete with signature in an attempt to boost search engine rankings without alerting forum administrators with any off topic forum posts. The software is also able to gather and decipher artificial intelligence such as security questions (i.e what is 2+2?) often used by forums upon registration. Since the latest version of XRumer, the software is capable of collecting such security questions from multiple sources and is much more effective in defeating them.
Hrefer is also included. This software is used to automatically parse results from search engines including Google
, Yahoo, Bing
and Yandex
for forums and blogs that can then be used as a target list for the main XRumer application.
According to The Register
, as of October 2008, XRumer can defeat CAPTCHAs of Hotmail
and Gmail
. This enables the software to create accounts with these free email services, which are used to register in forums that it posts to. XRumer also posts slowly initially, in an attempt to avoid detection by posting unnaturally fast. Between 2009 and 2011 Xrumer no longer recognized Hotmail and Gmail captcha's due to a change in captcha format. Users of Xrumer could only defeat such captchas utilizing external human captcha services.
XRumer by default fills in every password field on a page, including those that are hidden. This has been discussed as a method of detection and blocking.
There is a helpful resource, "www.stopforumspam.com" which references reports of forum spam by username and IP address. If a user/IP has appeared in the lists at stopforumspam.com, it is highly likely that it is a black-hat user of XRumer. Common defensive actions by webmasters are to institute IP based posting bans on entire class C ranges of IP addresses used by the spammers.
The spam messages in a forum typically take the form of "link spam" which will often be included in older topics & private messages (PM's) leaving the newer threads and posted messages "clear" of apparent spam. Sophisticated spammers will copy posts from other areas of the site, giving the appearance of a valid, on-topic reply. The best clue that it is a spammer is that the links in the user profile are completely unrelated to the forum topic, and the posted messages, while seemingly within the general topic of the forum, will be non-sequiturs and out-of-place within the topic thread. Alternatively, the spammers post generic "I am excited to begin posting and contributing here." messages that are content-neutral.
The damage caused to forums is classified in several areas: first, and foremost, the admin time to clean the forum. Second, the server bandwidth to accommodate the spam postings, third, the storage requirements at the forum server for the spam messages that are devoid of content, and fourth but perhaps the most important, the lowering of the information-to-noise ratio of the forum, which diminishes the value of the forum, skewing usage/active user statistics used to determine advertising rates.
. Support for creating e-mail accounts in an automated fashion on Hotmail
and AOL
have been completely removed. The technique employed by XRumer to bypass the CAPTCHA
protection in Gmail and mail.ru is Averaging. A captcha is a challenge-response test frequently used by internet services in order to verify that the user is actually a human rather than a computer program. Commonly, captchas are dynamically created images of random numbers and/or letters. These images are distorted in some way so that the human eye can still recognize them but with the goal to make automatic recognition impossible. Captchas are used e.g. by freemail services to prevent automatic creation of a huge number of email accounts and to protect automatic form submissions on blogs, forums and article directories.
Averaging is a common method in physics to reduce noise in input data. The averaging attack can be used on image-based captchas if the following conditions are met:
The predominant distortion in the captcha is of noise-like nature.
It is possible to extract a series of different images with the same information encoded in them.
Averaging of a series of images can be used to improve image quality (reduce distortion, or improve signal-to-noise ratio, so to say) of captchas and hence to make them more easily recognizable by OCR
(optical character recognition) systems.
The fact that noise and payload behave differently on "reload" is exploited. This allows the program to separate them and hence defeat the captcha without the need for a sophisticated algorithm.
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
blackhat SEO
Search engine optimization
Search engine optimization is the process of improving the visibility of a website or a web page in search engines via the "natural" or un-paid search results...
program that is able to successfully register and forum spam
Forum spam
Forum spam is the creating of messages that are advertisements, abusive, or otherwise unwanted on Internet forums. It is generally done by automated spambots.- Types of spam :...
with the aim of boosting search engine rankings
Search engine optimization
Search engine optimization is the process of improving the visibility of a website or a web page in search engines via the "natural" or un-paid search results...
. The program is able to bypass security techniques commonly used by many forums and blogs to deter automated spam, such as account registration, client detection, many forms of CAPTCHA
CAPTCHA
A CAPTCHA is a type of challenge-response test used in computing as an attempt to ensure that the response is generated by a person. The process usually involves one computer asking a user to complete a simple test which the computer is able to generate and grade...
s, and e-mail
E-mail
Electronic mail, commonly known as email or e-mail, is a method of exchanging digital messages from an author to one or more recipients. Modern email operates across the Internet or other computer networks. Some early email systems required that the author and the recipient both be online at the...
activation before posting. The program utilises socks and http proxies
Proxy server
In computer networks, a proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server...
in an attempt to make it more difficult for administrators
SysOp
A sysop is an administrator of a multi-user computer system, such as a bulletin board system or an online service virtual community. It may also be used to refer to administrators of other Internet-based network services....
to block posts by source IP and features a proxy checking tool to verify the integrity and anonymity of the proxies used.
In addition, the software can avoid the suspicions of forum
Internet forum
An Internet forum, or message board, is an online discussion site where people can hold conversations in the form of posted messages. They differ from chat rooms in that messages are at least temporarily archived...
administrators by first registering to make a post in the form of a question which mentions the spam product ("Where can I get...?"), before registering another account to post a spam link which mentions the product. The side effect of these innocent-looking posts is that helpful forum visitors may search on a search engine (e.g. Google) for the product and themselves post a link to help out, thus bolstering the product's Google stats without falling afoul of forum posting policies. The software is also capable of avoiding detection by making posts in off-topic, spam and overflow sections of forums thus attempting to keep its activities in high activity low content areas of the targeted forum.
Xrumer is capable of posting to Blog and guestbooks in addition to its main role as an automated forum posting tool, it can also create forum profiles complete with signature in an attempt to boost search engine rankings without alerting forum administrators with any off topic forum posts. The software is also able to gather and decipher artificial intelligence such as security questions (i.e what is 2+2?) often used by forums upon registration. Since the latest version of XRumer, the software is capable of collecting such security questions from multiple sources and is much more effective in defeating them.
Hrefer is also included. This software is used to automatically parse results from search engines including Google
Google
Google Inc. is an American multinational public corporation invested in Internet search, cloud computing, and advertising technologies. Google hosts and develops a number of Internet-based services and products, and generates profit primarily from advertising through its AdWords program...
, Yahoo, Bing
Bing
Bing is a web search engine from Microsoft.Bing may also refer to:* An onomatopœia of a bell sound* Bing cherry, a variety of cherry* Bing , Chinese flatbread* Bing , a German company that manufactured toys and kitchen utensils...
and Yandex
Yandex
Yandex is a Russian IT company which operates the largest search engine in Russia and develops a number of Internet-based services and products. Yandex is ranked as 5-th world largest search engine...
for forums and blogs that can then be used as a target list for the main XRumer application.
According to The Register
The Register
The Register is a British technology news and opinion website. It was founded by John Lettice, Mike Magee and Ross Alderson in 1994 as a newsletter called "Chip Connection", initially as an email service...
, as of October 2008, XRumer can defeat CAPTCHAs of Hotmail
Hotmail
Windows Live Hotmail, formerly known as MSN Hotmail and commonly referred to simply as Hotmail, is a free web-based email service operated by Microsoft as part of its Windows Live group. It was founded by Sabeer Bhatia and Jack Smith and launched in July 1996 as "HoTMaiL". It was one of the first...
and Gmail
Gmail
Gmail is a free, advertising-supported email service provided by Google. Users may access Gmail as secure webmail, as well via POP3 or IMAP protocols. Gmail was launched as an invitation-only beta release on April 1, 2004 and it became available to the general public on February 7, 2007, though...
. This enables the software to create accounts with these free email services, which are used to register in forums that it posts to. XRumer also posts slowly initially, in an attempt to avoid detection by posting unnaturally fast. Between 2009 and 2011 Xrumer no longer recognized Hotmail and Gmail captcha's due to a change in captcha format. Users of Xrumer could only defeat such captchas utilizing external human captcha services.
XRumer by default fills in every password field on a page, including those that are hidden. This has been discussed as a method of detection and blocking.
Defenses
Webmasters of topical forums face an ongoing battle against XRumer software, users of which are almost always in violation of forum terms of service, and/or have no interest in the actual forum topic. The users of the software have created an entire industry whose sole purpose is to protect internet sites against users of XRumer. Forum administration tasks against XRumer are often a constant, daily effort, which include identifying new user accounts that are from XRumer users, deleting posts/threads created by the software, and deleting/disabling the user accounts.There is a helpful resource, "www.stopforumspam.com" which references reports of forum spam by username and IP address. If a user/IP has appeared in the lists at stopforumspam.com, it is highly likely that it is a black-hat user of XRumer. Common defensive actions by webmasters are to institute IP based posting bans on entire class C ranges of IP addresses used by the spammers.
The spam messages in a forum typically take the form of "link spam" which will often be included in older topics & private messages (PM's) leaving the newer threads and posted messages "clear" of apparent spam. Sophisticated spammers will copy posts from other areas of the site, giving the appearance of a valid, on-topic reply. The best clue that it is a spammer is that the links in the user profile are completely unrelated to the forum topic, and the posted messages, while seemingly within the general topic of the forum, will be non-sequiturs and out-of-place within the topic thread. Alternatively, the spammers post generic "I am excited to begin posting and contributing here." messages that are content-neutral.
The damage caused to forums is classified in several areas: first, and foremost, the admin time to clean the forum. Second, the server bandwidth to accommodate the spam postings, third, the storage requirements at the forum server for the spam messages that are devoid of content, and fourth but perhaps the most important, the lowering of the information-to-noise ratio of the forum, which diminishes the value of the forum, skewing usage/active user statistics used to determine advertising rates.
Automated e-mail account creation
As per the latest update to XRumer 7 the software is able to automatically register e-mail accounts on mail.ru (Russian IP addresses only) and GmailGmail
Gmail is a free, advertising-supported email service provided by Google. Users may access Gmail as secure webmail, as well via POP3 or IMAP protocols. Gmail was launched as an invitation-only beta release on April 1, 2004 and it became available to the general public on February 7, 2007, though...
. Support for creating e-mail accounts in an automated fashion on Hotmail
Hotmail
Windows Live Hotmail, formerly known as MSN Hotmail and commonly referred to simply as Hotmail, is a free web-based email service operated by Microsoft as part of its Windows Live group. It was founded by Sabeer Bhatia and Jack Smith and launched in July 1996 as "HoTMaiL". It was one of the first...
and AOL
AOL
AOL Inc. is an American global Internet services and media company. AOL is headquartered at 770 Broadway in New York. Founded in 1983 as Control Video Corporation, it has franchised its services to companies in several nations around the world or set up international versions of its services...
have been completely removed. The technique employed by XRumer to bypass the CAPTCHA
CAPTCHA
A CAPTCHA is a type of challenge-response test used in computing as an attempt to ensure that the response is generated by a person. The process usually involves one computer asking a user to complete a simple test which the computer is able to generate and grade...
protection in Gmail and mail.ru is Averaging. A captcha is a challenge-response test frequently used by internet services in order to verify that the user is actually a human rather than a computer program. Commonly, captchas are dynamically created images of random numbers and/or letters. These images are distorted in some way so that the human eye can still recognize them but with the goal to make automatic recognition impossible. Captchas are used e.g. by freemail services to prevent automatic creation of a huge number of email accounts and to protect automatic form submissions on blogs, forums and article directories.
Averaging is a common method in physics to reduce noise in input data. The averaging attack can be used on image-based captchas if the following conditions are met:
The predominant distortion in the captcha is of noise-like nature.
It is possible to extract a series of different images with the same information encoded in them.
Averaging of a series of images can be used to improve image quality (reduce distortion, or improve signal-to-noise ratio, so to say) of captchas and hence to make them more easily recognizable by OCR
OCR
OCR may refer to:* Optical character recognition, conversion of images of text into characters** The OCR-A font, designed to simplify character recognition** The similar OCR-B font* Transvaginal oocyte retrieval, a technique used in in vitro fertilization...
(optical character recognition) systems.
The fact that noise and payload behave differently on "reload" is exploited. This allows the program to separate them and hence defeat the captcha without the need for a sophisticated algorithm.
External links
- Stop Forum Spam Website dedicated to fighting forum spam
- projecthoneypot.org Tracking spammers
- http://www.triplespark.net/misc/captcha/ CAPTCHA Averaging method