XRumer
This article needs additional citations for verification. (April 2012) |
Stable release | 18.0.1 Elite
/ 26 January 2019 |
---|---|
Preview release | 5.0
/ 1 October 2010 |
Operating system | Microsoft Windows |
Available in | English, Russian, Czech, German, Polish |
Type | Automated forum/blog/guestbook posting Tool |
License | Proprietary |
Website | [1] |
XRumer is a piece of software made for spamming[1] online forums and comment sections. It is marketed as a program for search engine optimization and was created by BotmasterLabs. It is able to register and post to forums (forum spam) with the aim of boosting search engine rankings. The program is able to bypass security techniques commonly used by many forums and blogs to deter automated spam, such as account registration, client detection, many forms of CAPTCHAs, and e-mail activation before posting. The program utilises SOCKS and HTTP proxies in an attempt to make it more difficult for administrators to block posts by source IP and features a proxy checking tool to verify the integrity and anonymity of the proxies used.
In addition, the software can avoid the suspicions of forum administrators by first registering to make a post in the form of a question which mentions the spam product ("Where can I get...?"), before registering another account to post a spam link which mentions the product. The side effect of these innocent-looking posts is that helpful forum visitors may search on a search engine (e.g. Google) for the product and themselves post a link to help out, thus bolstering the product's Google ranking without falling afoul of forum posting policies. The software is also capable of avoiding detection by making posts in off-topic, spam and overflow sections of forums thus attempting to keep its activities in high activity low content areas of the targeted forum. However, there are other platforms used to spam to which includes website comment spam.
Method of operation
XRumer is capable of posting to blogs and guestbooks in addition to its main role as an automated forum posting tool. It can also create forum profiles complete with signature in an attempt to avoid alerting forum administrators with any off topic forum posts. The software is also able to gather and decipher artificial intelligence such as security questions (i.e. what is 2+2?) often used by forums upon registration. Since the latest version of XRumer, the software is capable of collecting such security questions from multiple sources and is much more effective in defeating them.
Helper program Hrefer is also included. This software is used to automatically parse results from search engines including Google, Yahoo, Bing and Yandex for forums and blogs that can then be used as a target list for the main XRumer application.[citation needed]
According to The Register, as of October 2008, XRumer can defeat captchas of Hotmail and Gmail. This enables the software to create accounts with these free email services, which are used to register in forums that it posts to.[2] XRumer also posts slowly initially, in an attempt to avoid detection by posting unnaturally fast. Between 2009 and 2011 XRumer no longer recognized Hotmail and Gmail captchas due to a change in captcha format. Users of XRumer could only defeat such captchas utilizing external human captcha services.
Defenses
Webmasters of topical forums face an ongoing battle against XRumer software, users of which are almost always in violation of forum terms of service, and/or have no interest in the actual forum topic. The users of the software have created an entire industry whose sole purpose is to protect internet sites against users of XRumer. Forum administration tasks against XRumer are often a constant, daily effort, which include identifying new user accounts that are from XRumer users, deleting posts/threads created by the software, and deleting/disabling the user accounts.
The easiest method to defeat Xrumer is to simply require the first post of any new forum member or blog poster to be approved before it can appear. There are several resources that help block forum spam, which reference reports of forum spam by username and IP address. If a user/IP has appeared in the site's lists, it is highly likely that it is a black-hat user of XRumer. Common defensive actions by webmasters are to institute IP-based posting bans on subnetworks used by the spammers.
The spam messages in a forum typically take the form of "link spam" which will often be included in older topics and private messages (PMs) leaving the newer threads and posted messages "clear" of apparent spam. Sophisticated spammers will copy posts from other areas of the site, giving the appearance of a valid, on-topic reply. The best clue that it is a spammer is that the links in the user profile are completely unrelated to the forum topic, and the posted messages, while seemingly within the general topic of the forum, will be non-sequiturs and out-of-place within the topic thread. Alternatively, the spammers post generic "I am excited to begin posting and contributing here." messages that are content-neutral.
The damage caused to forums is classified in several areas: first, and foremost, the admin time to clean the forum. Second, the server bandwidth to accommodate the spam postings, third, the storage requirements at the forum server for the spam messages that are devoid of content, fourth, the alienation and irritation about seeing spam by the forum community, fifth, the offense to innocent forum members if their posts are mistaken as spam or their accounts suspended in error for suspected spamming, and sixth but perhaps the most important, the lowering of the information-to-noise ratio of the forum, which diminishes the value of the forum, skewing usage/active user statistics used to determine advertising rates.
E-mail Account Creation
As per the latest update to XRumer 7 the software is able to automatically register e-mail accounts on mail.ru (Russian IP addresses only) and Gmail. Support for creating e-mail accounts in an automated fashion on Hotmail and AOL have been completely removed. The technique employed by XRumer to bypass the CAPTCHA protection in Gmail and mail.ru is Averaging. A captcha is a challenge-response test frequently used by internet services in order to verify that the user is actually a human rather than a computer program. Commonly, captchas are dynamically created images of random numbers and/or letters. These images are distorted in some way so that the human eye can still recognize them but with the goal to make automatic recognition impossible. Captchas are used by free-mail services to prevent automatic creation of a huge number of email accounts and to protect automatic form submissions on blogs, forums and article directories. As of November 2012, Xrumer has once again cracked Recaptcha, and is able to successfully post to Forums/Blogs that use it.
Averaging is a common method in physics to reduce noise in input data. The averaging attack can be used on image-based captchas if the following conditions are met:
The predominant distortion in the captcha is of noise-like nature. It is possible to extract a series of different images with the same information encoded in them. Averaging of a series of images can be used to improve image quality (reduce distortion, or improve signal-to-noise ratio, so to say) of captchas and hence to make them more easily recognizable by OCR (optical character recognition) systems.
The fact that noise and payload behave differently on "reload" is exploited. This allows the program to separate them and hence defeat the captcha without the need for a sophisticated algorithm.
References
- ^ "Xrumer: The Spammer's Toolkit". Symantec. Retrieved 23 March 2018.
- ^ John Leyden (3 October 2008). "Spam swine break next-gen CAPTCHAs: Hotmail, Gmail and kitchen-based checks all neutered". The Register. Retrieved 17 October 2008.
External links
- Brian Krebs (8 January 2007). "Scary Blogspam Automation Tools". Washington Post. Archived from the original on 12 January 2012. Retrieved 13 January 2007.
- "Malware targets bloggers". ITweb. 3 August 2007. Retrieved 30 August 2007.