
Technical Support Forums

Stop Spam - 2018

Thread began 6/18/2018 10:13 am by Steve | Last modified 7/16/2018 2:12 pm by Ray Borduin | 59 views | 5 replies |

Steve

Stop Spam - 2018

Hello,
re-Captcha from Google is no longer viable.
Honey Pots also fail.

These days there are applications like XRumer that spammers use to bypass our usual anti-spam code.
You can see from the attachment that reCaptcha was fully bypassed in sending this spam from one of our forms.

My latest attempt added a $_SESSION value on the sites home page and only submit the email sending and form submission IF the Session was present. But this causes issues if a linked page is used to enter the site and then the Contact form is used. And it does not work as the attached successful email / form submission was from a contact page that should have been secured by the session check.


Current screens on the email that went through are to make sure it's a page POST and the home page Session is present.
Next screen is if the from email is from an address that ends in @mail.ru <- this actually works
Lastly the HoneyPot is that our comments field is not the actual comments field and if there is a value present do not allow passage.

php:
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_SESSION['loadCount'])) {
    // post and session set from home page so do check
    $emailCheck = substr($_POST['email'], -8);
    if ($emailCheck != "@mail.ru") {
        // honeypot: "comments" is the hidden decoy field and must stay empty
        if ($_POST['comments'] == '') {
            if ($_SERVER["REQUEST_METHOD"] == "POST") {  //WA Universal Email
                $Email = new WA_Email("waue_Contact_1");
...
...



Thinking those of us in the WA Community are not that large, so we should be able to create a more unique environment that hacker programs would not catalog. Granted, I've seen the XRumer program noted as bypassing thousands of known form traps.

Next tests are breaking WA_Email.php or the email template pages using the $_SESSION values presence or not.

If anyone else has any working methods, please post them so we can all benefit. Especially those spams where people are contacting our Customers and noting how they would like to improve a website's SEO or Design. That's getting personal when they're trying to take away our Customers...


Jamie

That's interesting Steve and thanks for updating. I have been using a simple honeypot on sites and noticed that this had also been failing a lot over the last couple of months.

Will start on the hunt for some viable alternative... if I come across one I will definitely post here.


Steve

XRumer is the one that I believe is doing the most damage. I saw some posts come in where the knuckleheads trying or using the software forgot to change some of the defaults, so the message included a reference to XRumer.

https://xenforo.com/community/threads/xrumer-16-0-spam-now-targeting-hidden-fields-honeypots-core-antispam.125685/


Steve

We really need to get this one sorted (as a group) as I don't believe I am the only one getting hit by more and more spam sent through our forms.

Here is the general background to date:
1) Forms getting hit by auto posting bots.
2) Unable to block their attacks with any of the usual methods (Google reCaptcha, Honey pots, creating custom $_SESSION values or Variables)

I believe the source is the programs XRumer and XEvil, as these are touted as having the capacity to get past anything in their path.

Here is the content of one of our form posts where they advertised this software's capabilities:

7-12-2018   |   11:26 AM PDT
name: Shaylagok
email: sheilamaximovna@yandex.com
Topic: 3
comment: Incredible update of captcha solving package "XRumer 16.0 + XEvil 4.0":
captchas solving of Google (ReCaptcha-2 and ReCaptcha-3), Facebook, BitFinex, Bing, Hotmail, SolveMedia, Yandex,
and more than 8400 another types of captchas,
with highest precision (80..100%) and highest speed (100 img per second).
You can use XEvil 4.0 with any most popular SEO/SMM software: iMacros, XRumer, GSA SER, ZennoPoster, Srapebox, Senuke, and more than 100 of other software.

Interested? You can find a lot of impessive videos about XEvil in YouTube.

FREE DEMO AVAILABLE!

See you later ;)


http://XEvil.net/
whoIP: 93.170.187.182



Personally, I think we (the Web Assist Community) should be able to stop these as we are a smaller sub-set of the hackers software targets.


So far I have tried the following:
1) Create a custom hash value and only process the form IF matching values are found.
The idea is that the software could be bypassing our form page and going directly to the processing pages.
2) Google reCaptcha
They (Blackhats) can get past this no problem and I am using the latest version from Google.
3) Honey Pots
Generate a text field that is not shown to humans (either positioned far off page or using css display:none). IF there is a $_POST value matching that field it can be determined as originating from a Bot and do not allow Insert or Send Email code to execute.
4) Home page created Vars - Create a $_SESSION value on the sites home page and only allow form processing IF the Session value is present.
The idea is that most humans will not enter a site on the Contact Form page but rather get there from the home page. This also fails to stop the Bots.

What else can we do? The only saving grace for the bulk of my sites is they have yet to be found by the bots. But this is changing on a daily basis and we (webmasters) are being expected to stop these attacks.

Anyone's successful results in stopping spam would be helpful to the Community.

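As an added example (this is not WebAssist code and is not from any post in this thread), here is one way to implement the checks listed above and in the opening post in a single PHP include: a signed, time-stamped token in place of the "custom hash value" (item 1), so direct POSTs to the processing page are rejected; the honeypot (item 3) using the thread's own field names ("comment" is real, "comments" is the decoy); a proper sender-domain check in place of substr($_POST['email'], -8); and a minimum fill time. The field name fk, the constant FORM_SECRET, the form id 'contact' and the blocked-domain list are assumptions for the example.

```php
<?php
// Added example, not WebAssist code. Assumptions: FORM_SECRET is a long random
// value known only to the server; the rendered form carries the token in a
// hidden field named "fk"; "comment" is the real message field and "comments"
// is the CSS-hidden honeypot, as in the thread.

const FORM_SECRET = 'replace-with-a-long-random-server-side-secret'; // assumption
const FORM_MIN_SECONDS = 4;     // a human needs at least this long to fill the form
const FORM_MAX_SECONDS = 3600;  // tokens expire after an hour
const BLOCKED_SENDER_DOMAINS = ['mail.ru']; // assumption, mirrors the thread's filter

// Called when the form page is rendered; put the result in <input type="hidden" name="fk">.
function form_token_issue(string $formId, ?int $now = null): string
{
    $issued  = $now ?? time();
    $nonce   = bin2hex(random_bytes(8));
    $payload = $formId . '|' . $issued . '|' . $nonce;
    $mac     = hash_hmac('sha256', $payload, FORM_SECRET);
    return $payload . '|' . $mac;
}

// Returns null when the token is valid, otherwise the reason it was rejected.
function form_token_check(string $token, string $formId, ?int $now = null): ?string
{
    $now   = $now ?? time();
    $parts = explode('|', $token);
    if (count($parts) !== 4) {
        return 'malformed token';
    }
    [$id, $issued, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', "$id|$issued|$nonce", FORM_SECRET);
    if (!hash_equals($expected, $mac)) {      // constant-time comparison
        return 'bad signature';
    }
    if ($id !== $formId) {
        return 'token issued for a different form';
    }
    $age = $now - (int) $issued;
    if ($age < FORM_MIN_SECONDS) {
        return 'submitted too fast';
    }
    if ($age > FORM_MAX_SECONDS) {
        return 'token expired';
    }
    return null;
}

// Lower-cased domain part of a syntactically valid address, or null.
// Unlike substr($email, -8) this is not fooled by case, whitespace or longer TLDs.
function sender_domain(string $email): ?string
{
    $email = trim($email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return strtolower(substr(strrchr($email, '@'), 1));
}

// Runs every check; an empty array means the submission may be processed.
function contact_form_reject_reasons(array $post, string $formId, ?int $now = null): array
{
    $reasons = [];
    if (($post['comments'] ?? '') !== '') {
        $reasons[] = 'honeypot field filled';
    }
    $tokenProblem = form_token_check($post['fk'] ?? '', $formId, $now);
    if ($tokenProblem !== null) {
        $reasons[] = $tokenProblem;
    }
    $domain = sender_domain($post['email'] ?? '');
    if ($domain === null) {
        $reasons[] = 'invalid sender address';
    } elseif (in_array($domain, BLOCKED_SENDER_DOMAINS, true)) {
        $reasons[] = 'blocked sender domain ' . $domain;
    }
    if (trim($post['comment'] ?? '') === '') {
        $reasons[] = 'empty message';
    }
    return $reasons;
}

// Processing page: wrap the existing WA_Email call, and log every rejection so
// you can see which page and which check is actually being hit.
//
// if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//     $why = contact_form_reject_reasons($_POST, 'contact');
//     if ($why === []) {
//         $Email = new WA_Email("waue_Contact_1");
//     } else {
//         error_log('contact form rejected from ' . $_SERVER['REMOTE_ADDR'] . ': ' . implode('; ', $why));
//     }
// }

// Self-check with constructed submissions (not real posts from the thread).
$token = form_token_issue('contact', time() - 10);
$human = ['fk' => $token, 'email' => 'jane@example.com', 'comment' => 'Hello', 'comments' => ''];
$bot   = ['fk' => $token, 'email' => 'Someone@MAIL.RU ', 'comment' => 'x', 'comments' => 'filled'];
print_r(contact_form_reject_reasons($human, 'contact'));
print_r(contact_form_reject_reasons($bot, 'contact'));
print_r(contact_form_reject_reasons(['email' => 'a@example.com', 'comment' => 'x'], 'contact'));
```

Two caveats. First, a bot that fetches the form page, waits a few seconds and posts the token back passes the token and timing checks, and the spam quoted in this thread shows the captcha itself is being solved; these checks raise the cost of each submission rather than close the door. Second, because every rejection is logged with its reason and source address, the log answers Ray's question below about whether the mail is really going out through the protected page: if spam arrives with no matching rejection entry, another handler is sending it.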

Ray Borduin (WebAssist)

Are you sure the email is getting sent from that page? With all of that security on it and still getting spam I think it is likely that you have another page somewhere without the security they are actually using to send the email and bypassing your security somehow and not actually getting through it.


Steve

I agree that seems likely, but it is the only contact page and on a relatively new site. Granted, the Hash example is not present, but the current filters are:

php:
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_SESSION['loadCount'])) {
    // post and session set from home page so do check
    $emailCheck = substr($_POST['email'], -8);
    if ($emailCheck != "@mail.ru") {
        // honeypot - actual is "comment" (no s).
        if ($_POST['comments'] == '') {
            // only the first select-list choice is processed
            if ($_POST["Topic"] == 1) {
                if ($_SERVER["REQUEST_METHOD"] == "POST") {  //WA Universal Email



$_SESSION['loadCount'] is set on the home page only (though I will likely remove this as it is too broad and we do expect people to come to the site from other landing pages).

The @mail.ru does work but is not the only source of fake posts

Honeypot fails

and the pages form is wrapped in a Google reCaptcha


I've gotten to the point of only allowing the email aspect to send if the SelectList choice is #1 since their pattern of posts targets selections value >1

Yet as seen in the attached screen, today we received another post (but it was not emailed to the Customer or myself), which also allows us to confirm the page being targeted.

