
Community Building and User Generated Content Forum

Here is how to protect your forum from XRumer
at least for now.

 7:39 am on Dec 31, 2009 (gmt 0)

If you run a forum using some off-the-shelf software, then you've probably noticed a lot of new registrations (and posts) from this forum spam software.

Most of them use a 10-character password, like "sFueJHf5if".
If your software doesn't hash passwords, then it will be easy to spot.

But here is a way to weed out those registrations. It works for now. Since it seems to be able to beat captcha, there is one trick you can use to disable the registration.

Create an extra password field on your registration page and hide it using css property "display:none;".

On your registration page, you would normally have something like:

<input ...>
<input ...>
<input type="password" name="password">
<input type="password" name="password_confirm">

With two password fields to make sure the user doesn't make a typo; that's pretty much standard.

Add a hidden div, so your form would look like:

<input ...>
<input ...>
<input type="password" name="password">
<div style="display:none;">
<!-- decoy field: real users never see it, so it stays blank -->
<input type="password" name="passwordzz">
</div>
<input type="password" name="password_confirm">

And on the server side, disable all registrations that have "passwordzz" filled out.

You can use any name, as long as the type of the input is "password".

It looks like XRumer fills out all fields in a form that have type "password" with an identical random value.

Normal users would have "password" and "password_confirm" filled out, but "passwordzz" would be blank.

Registrations by XRumer would have all three fields filled out.

At least as of 12/31/9 it seems to be working.

In the future, it would be a good idea to randomize the names of your password inputs and include 10+ fake ones hidden by the display property. That would make it harder for the authors of XRumer to make an update that would deal with it. If that fails, try using the "class" to hide the fields and set the display property in the external css file. That will make parsing and working it out a much harder task for the programmers of XRumer.

Also, as shown in the example above, it's best to "stick" the hidden password field in between the two real ones, not at the end of the form. It doesn't matter now, but could help in the future.



 2:19 am on Jan 2, 2010 (gmt 0)

Thanks, bcc1234. I've used the hidden field trick on other site forms, too. Bots programmed to complete all fields will be nicely trapped that way.


 9:36 am on Jan 2, 2010 (gmt 0)

If your software doesn't hash password then it will be easy to spot.

From a security standpoint I'd be concerned about that. Someone successfully hacking into the database is going to have easy access to those passwords, and since so many people use the same username and password everywhere.....

The trick you describe has been used quite extensively in the past. My concern with it is if someone is using a text reader with no CSS support? I know you used to be able to simply set the form field to hidden:

<input type="hidden" name="website">

This might have been specific to phpBB2. If I remember, you modified the stock registration that allowed for a website URL, which all the bots would fill out. Any registration with the website URL filled in could then have the IP or email auto-banned or the registration rejected.
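As an added example (not code from this thread, from XRumer, or from phpBB2), here is the server-side half of both tricks discussed above in Python: the randomized, class-hidden decoy password fields from the first post, plus the older type="hidden" "website" field from the reply, checked in one place. It goes slightly beyond the thread by generating a fresh set of random field names per session and storing them server-side, so a bot cannot learn the real names from one page load and reuse them. The session dict, the "f_" name prefix, the "hp" CSS class (assumed to be hidden by an external stylesheet with .hp { display: none; }) and the "website" legacy decoy name are all assumptions made for this example.

```python
import secrets
from html import escape

# Constructed stand-in for a server-side session store: session id -> form layout.
# A real forum would keep this in its session table, not a module-level dict.
SESSIONS = {}

# Legacy honeypot from the reply above: a type="hidden" field that only bots fill in.
# Kept as a fixed extra decoy name (an assumption for this example, not phpBB2's own).
LEGACY_DECOYS = ("website",)

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def _random_name(length=8):
    """Random, unguessable input name so a bot cannot hard-code the real field."""
    return "f_" + "".join(secrets.choice(ALPHABET) for _ in range(length))


def new_registration_form(session_id, n_decoys=10):
    """Create a per-session layout: two real password fields plus n_decoys decoys,
    all with random names in random order, so decoys land between the real ones."""
    names = set()
    while len(names) < n_decoys + 2:
        names.add(_random_name())
    names = list(names)
    rng = secrets.SystemRandom()
    rng.shuffle(names)
    # Pick two real fields; the one rendered first is the password, the other the confirmation.
    real_names = sorted(rng.sample(names, 2), key=names.index)
    layout = {
        "order": names,
        "password": real_names[0],
        "confirm": real_names[1],
        "decoys": frozenset(n for n in names if n not in real_names),
    }
    SESSIONS[session_id] = layout
    return layout


def render_form(session_id):
    """Render the registration inputs. Decoys get class="hp", which an external
    stylesheet hides (.hp { display: none; }); no inline style marks them as hidden."""
    layout = SESSIONS[session_id]
    lines = ['<form method="post" action="/register">']
    for name in layout["order"]:
        field = '<input type="password" name="%s">' % escape(name, quote=True)
        if name in layout["decoys"]:
            field = '<div class="hp">%s</div>' % field
        lines.append(field)
    for name in LEGACY_DECOYS:
        lines.append('<input type="hidden" name="%s">' % escape(name, quote=True))
    lines.append('<input type="submit" value="Register"></form>')
    return "\n".join(lines)


def validate_registration(session_id, form):
    """Decide whether a submitted registration came from a real user.

    form: dict of posted field name -> value (constructed input for this example).
    Returns (accepted, reason); the reason is what you would log for later review."""
    layout = SESSIONS.get(session_id)
    if layout is None:
        return False, "unknown or expired session"
    decoy_names = list(layout["decoys"]) + list(LEGACY_DECOYS)
    filled_decoys = [n for n in decoy_names if form.get(n, "").strip()]
    if filled_decoys:
        # The thread's observation: the bot fills every password-type field with the
        # same random value, so any non-empty decoy is a reliable bot signature.
        return False, "decoy field(s) filled: %d" % len(filled_decoys)
    pw = form.get(layout["password"], "")
    confirm = form.get(layout["confirm"], "")
    if not pw or pw != confirm:
        return False, "password missing or does not match confirmation"
    return True, "ok"


if __name__ == "__main__":
    sid = "demo-session"
    layout = new_registration_form(sid, n_decoys=3)
    print(render_form(sid))
    human = {layout["password"]: "correct horse", layout["confirm"]: "correct horse"}
    # Constructed bot submission: every password-type field gets the same 10-char value.
    bot = {n: "sFueJHf5if" for n in layout["order"]}
    print(validate_registration(sid, human))
    print(validate_registration(sid, bot))
```

On rejection, log the reason together with the submitting IP and e-mail so the auto-ban described in the reply can be applied from the log rather than from the request handler; the layout should also be deleted from the session store once a registration succeeds, so a captured form cannot be replayed later.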
