Saturday, July 11, 2009

Devastated by a Link-Spam Tool?

If you own a blog or a forum, or are the webmaster of a social-interaction (Web 2.0) site, you're going to want to read this.

Hell hath no fury like a blog comment spam engine unleashed upon your site(s). Trust me, I know.

As I was digging through the comment spam on my "Following the White Rabbit" blog, which now runs in excess of 1,000 spam comments per day, I noticed something. In the flood I would occasionally get an advertisement for the spam engine that created the mess. Interesting, I thought; let's see how bad this thing is. Little did I know that what I was investigating was one of the nastiest, ugliest things I've ever laid eyes on as a "good guy" in information security.

The tool is called "X-Rumer" and it's developed and maintained by a Russian Federation-based organization known as "BotMaster Labs", a fitting name to be sure. X-Rumer is a highly effective tool that can very quickly overrun even the hardiest blogs, forums, or other Web 2.0-style media sites.

What really opened my eyes when I looked at X-Rumer 5.0 "Palladium" is its ability to breeze through CAPTCHAs. It's incredible how many different types of CAPTCHA this tool can break using its internal automation. Not only can it defeat ordinary text CAPTCHAs, it also handles many of the more advanced pictocode-type systems (for example, picking out the no-smoking sign from a set of signs). Palladium treads the spam line carefully by considering itself a "correct spam" engine, which is interesting in that it generates plausible-looking responses and anchor text for the links it drops into comments and posts.

X-Rumer is an incredible feat of code development, and sadly it's not used for the good of mankind but for other nefarious purposes, most commonly link spam. You don't want to have to square off against a tool like this, because odds are you'll lose. The only defense I've seen hold up against it is reCAPTCHA (and it's rumored that even that will be broken by the tool soon). Not only can this tool auto-register itself on sites where registration is necessary, it's also content-sensitive: if your blog is about football, the link-spam comments are tailored to football, so evading spam-detection engines is almost a certainty.

If the forum has more than one category, the software chooses the one most suitable for the message; otherwise it sends the message to off-topic or flame sections or the like, and if those do not exist, to the most visited category on the forum.

This juggernaut is impressive for a piece of nasty software whose sole purpose is to spread links, and spam, across the world of Web 2.0.

Why in the world would I write about it? Because you need to know what you're up against, and why your blogs and forums keep getting spammed even though you have registration turned on and human verification on too. You just can't stop a determined spammer; money continues to drive these people, and until we (sheeple) stop clicking their links they'll continue at it.

Good luck.


Anonymous said...

Take this as a comment from someone who owns and uses XRumer on a daily basis: even if you sheeple stop clicking the link spam, it won't stop us using it. We can bait Google so nicely with it that it's funny. If you have some other nice tools built to go with it, sapping 100k+ uniques/day out of Google with it isn't terribly difficult; plenty of ways to monetize traffic...

Welcome to the dark side. Whitehats have very little chance to win against all of this. Oh, and technically you can use plugins with XRumer already, and you can connect it up with (one of many such services) to handle the reCAPTCHAs through that if you really want to hit some higher-quality sites that don't get as much spam...

Blackhat wins this round; how will whitehat respond? Minimum wage laws in India and the like countries that do the manual CAPTCHA processing for us for next to nothing? LOL!

Rafal Los said...

@"Anonymous" - I know who you are :) ... and sadly we've had this conversation a bunch of times.

Thanks for the reality check.

Tom Brennan said...

Xrumer Intel

Anonymous said...

That's an old version; it's better than that these days... by a lot.

Anonymous said...

I figured people here might not really understand the level that XRumer can go to, from what people are responding with, so here's something to give you an idea.

I have a low-end (by my standards) server that I run XRumer on: Core 2 Quad, 4 GB of RAM, 100 Mbit connection. This box is even in the good ol' US of A, sits on a nice connection and has very low latency to all the big sites out there. Now, depending on where I'm posting to and how hard I've got XRumer cranking, I can set it up to 1000 threads posting spam links to sites and it just chunks away and does its thing without me babysitting it.

Now consider that it has support for loading in projects in an XML format: build the project in XML, build a link list out of a database, rsync these over on a scheduled job, use the built-in scheduler to pick which project to be working on and have it rotate projects every xx often... oh hey, I just automated it even more...

Now how many posts can I get at 1000 threads? In the order of 1000s per minute, and that includes handling email validation and CAPTCHA breaking.

Remember, this is just a Windoze box and a lowly Core 2 Quad; it's nothing special. Hell, it only has an 80 GB HDD in it.

Now consider that I can also use it in a post-and-respond mode: I can post a question to the forum, then answer the question myself (yes, both posts done by XRumer) with a delay between them.

'has anyone found any good sites to find blah'

'yea, try'

Takes about twice as long to do, but the stick rates are a lot higher; suits some projects, not others.

Now combine all of the above with the fact that in the last 24 hrs I've grabbed over 2 million URLs out of Google that are fresh for the spamming, and they are being added constantly to the database of links that I have, and that I wrote some of my own code to categorize each site into its own niche so I only post on related sites, to not piss Google off so much.

I could go on for hours here about how much it can do and what I can do with it, but basically you can't defend against a tool like this with how much power it has.

Oh, and I didn't even touch the mass-PM aspect of it either. Want to PM every single user of a forum with your competitor's site? No problem. vBulletin sites also tend to email the contents of the PM, so you will end up with your URL making it to someone's inbox as well...

It's a powerful tool once you know how to use it right, and it's just one of many such pieces in my toolkit...
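
Two of the patterns the commenter describes, a post-and-respond pair and a high-volume posting burst, are things a forum operator can at least look for in their own post logs. What follows is an added example written for this page; it is not code from the post, from the commenter, or from XRumer. It runs two heuristics in Python over a constructed set of post records: an IP that posts faster than a person types, and a question that is answered with a link from the same IP after a delay even when the reply uses a different account name. The thresholds (more than five posts per minute from one IP; a reply between one minute and one hour after a question) are assumptions chosen for illustration, not measured XRumer behaviour, and the account names, addresses and URLs in the sample are made up.

```python
"""Heuristic detector for two XRumer-style posting patterns described in the
comment thread: (1) bursts of posts from one IP far faster than a human types,
and (2) "post and respond" pairs, where a question is followed in the same
thread by a link-bearing answer from the same IP after a fixed delay.
Added example; thresholds are assumptions and the sample data is constructed."""

import re
from collections import defaultdict
from dataclasses import dataclass

URL_RE = re.compile(r"https?://\S+")


@dataclass
class Post:
    ts: int        # seconds since epoch (constructed)
    thread: str    # thread/topic identifier
    user: str      # account name as shown on the forum
    ip: str        # source address recorded at post time
    body: str


def burst_sources(posts, window=60, threshold=5):
    """IPs that made more than `threshold` posts inside any `window` seconds."""
    times_by_ip = defaultdict(list)
    for p in posts:
        times_by_ip[p.ip].append(p.ts)
    flagged = set()
    for ip, times in times_by_ip.items():
        times.sort()
        left = 0
        for right in range(len(times)):
            # shrink the window from the left until it spans <= `window` seconds
            while times[right] - times[left] > window:
                left += 1
            if right - left + 1 > threshold:
                flagged.add(ip)
                break
    return flagged


def post_and_respond_pairs(posts, min_delay=60, max_delay=3600):
    """(asker, answerer, thread) triples where a question is answered with a
    link from the same IP between `min_delay` and `max_delay` seconds later,
    regardless of which account name the reply uses."""
    by_thread = defaultdict(list)
    for p in posts:
        by_thread[p.thread].append(p)
    pairs = []
    for thread, plist in by_thread.items():
        plist.sort(key=lambda p: p.ts)
        for i, q in enumerate(plist):
            if "?" not in q.body:
                continue
            for a in plist[i + 1:]:
                delta = a.ts - q.ts
                if delta > max_delay:
                    break
                if delta >= min_delay and a.ip == q.ip and URL_RE.search(a.body):
                    pairs.append((q.user, a.user, thread))
    return pairs


# Constructed sample: two legitimate posts, one post-and-respond pair from a
# single address using two account names, and a six-post burst from one IP.
SAMPLE_POSTS = [
    Post(1000, "t1", "alice", "10.0.0.1", "Anyone tried the new scoreboard plugin?"),
    Post(1300, "t1", "bob", "10.0.0.2", "Yes, works fine for me."),
    Post(2000, "t2", "sam77", "198.51.100.7", "has anyone found any good sites to find cheap tickets?"),
    Post(2600, "t2", "kelly_b", "198.51.100.7", "yea, try http://example.invalid/tickets"),
] + [
    Post(3000 + i * 5, f"t{10 + i}", "promo_bot", "203.0.113.9",
         f"great deals here http://example.invalid/p{i}")
    for i in range(6)
]


def analyze(posts=SAMPLE_POSTS):
    """Run both heuristics and return their findings together."""
    return {
        "burst_ips": burst_sources(posts),
        "post_and_respond": post_and_respond_pairs(posts),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

Neither heuristic is a spam classifier on its own; the burst check catches the high-thread-count mode the commenter describes only when the source address is not rotated, and the pair check is deliberately narrow (same IP, a question mark, a URL in the reply) so that it is cheap to run over a day's posts and produces a short list worth a human look.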

Nick Owen said...

Perhaps it is time for anonymous two-factor authentication as a captcha:

Rafal Los said...

@Nick Owen: Now, that's brilliant. Maybe it's worth investigating more!!