Stop Spam - 2018

Hello,
re-Captcha from Google is no longer viable.
Honey Pots also fail.

These days there are applications like XRumer that spammers use to bypass our usual anti-spam code.
You can see from the attachment that reCaptcha was fully bypassed in sending this spam from one of our forms.

My latest attempt added a $_SESSION value on the sites home page and only submit the email sending and form submission IF the Session was present. But this causes issues if a linked page is used to enter the site and then the Contact form is used. And it does not work as the attached successful email / form submission was from a contact page that should have been secured by the session check.


Current screens on the email that went through are to make sure it's a page POST and the home page Session is present.
Next screen if the from email is fro, and address that ends in @mail.ru <- this actually works
Lastly the HoneyPot is that our comments field is not the actual comments field and if there is a value present do not allow passage.

<?php if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_SESSION['loadCount']))  { 

    // post and session set from home page so do check

    $emailCheck = substr($_POST['email'], -8);

        if ($emailCheck != "@mail.ru") {  

?>

<?php if($_POST['comments'] =='' ) { ?>

<?php

if ($_SERVER["REQUEST_METHOD"] == "POST")     {  //WA Universal Email

  $Email = new WA_Email("waue_Contact_1");



...

...

Thinking those of us in the WA Community are not that large so we should be able to create a more unique environment that hacker programs would not catalog. Granted, I've seen the XRumer program noted as bypassing thousands of know form traps.

Next tests are breaking WA_Email.php or the email template pages using the $_SESSION values presence or not.

If anyone else has any working methods, please post them so we can all benefit. Especially those spams where people are contacting our Customers and noting how they would like to improve a websites SEO or Design.. That's getting personal when their trying to take away our Customers...

thats interesting Steve and thanks for updating. Have been using a simple honeypot on sites and noticed that this had also been failing a lot over the last couple of months.

Will start on the hunt for some viable alternative...if I come across will definitely post here

xrumer is the one that I believe is doing the most damage. I saw some posts come in where the knuckleheads trying or using the software forgot to change some of the defaults so the message included reference to xrumer.

https://xenforo.com/community/threads/xrumer-16-0-spam-now-targeting-hidden-fields-honeypots-core-antispam.125685/

We really need to get this one sorted (as a group) as I don't believe I am the only one getting hit by more and more spam set in our forms.

Here is the general background to date:
1) Forms getting hit by auto posting bots.
2) Unable to block their attacks with any of the usual methods (Google reCaptcha, Honey pots, creating customs $_Sessions or Variables)

I believe the source is the programs xRumer and xEvil as these are touted as having the capacity to get past anything in their path.

Here is the content of one of our form posts where they advertised these softwares capabilities:

7-12-2018   |   11:26 AM PDT
name: 	Shaylagok
email: 	sheilamaximovna@yandex.com
Topic: 	3
comment: 	Incredible update of captcha solving package "XRumer 16.0 + XEvil 4.0":
captchas solving of Google (ReCaptcha-2 and ReCaptcha-3), Facebook, BitFinex, Bing, Hotmail, SolveMedia, Yandex,
and more than 8400 another types of captchas,
with highest precision (80..100%) and highest speed (100 img per second).
You can use XEvil 4.0 with any most popular SEO/SMM software: iMacros, XRumer, GSA SER, ZennoPoster, Srapebox, Senuke, and more than 100 of other software.

Interested? You can find a lot of impessive videos about XEvil in YouTube.

FREE DEMO AVAILABLE!

See you later ;)


http://XEvil.net/
whoIP: 	93.170.187.182

Personally, I think we (the Web Assist Community) should be able to stop these as we are a smaller sub-set of the hackers software targets.


So far I have tried the following:
1) Create a custom hash value and only process the form IF matching values are found.
The idea is that the software could be bypassing our form page and going directly to the processing pages.
2) Google reCaptcha
They (Blackhats) can get past this no problem and I am using the latest version from Google.
3) Honey Pots
Generate a text field that is not shown to humans (either positioned far off page or using css display:none). IF there is a $_POST value matching that field it can be determined as originating from a Bot and do not allow Insert or Send Email code to execute.
4) Home page created Vars - Create a $_SESSION value on the sites home page and only allow form processing IF the Session value is present.
The idea is that most humans will not enter a site on the Contact Form page but rather get there from the home page. This also fails to stop the Bots.

What else can we do? The only saving grace for the bulk of my sites is they have yet to be found by the bots. But this is changing on a daily basis and we (webmasters) are being expected to stop these attacks.

Anyones successful results in stopping spam would be helpful to the Community.

Are you sure the email is getting sent from that page? With all of that security on it and still getting spam I think it is likely that you have another page somewhere without the security they are actually using to send the email and bypassing your security somehow and not actually getting through it.

I agree that seems likely but it is the only contact page and on a relatively new site. Granted the Hash example in not present but the current filters are:

<?php if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_SESSION['loadCount']))  { 

    // post and session set from home page so do check

    $emailCheck = substr($_POST['email'], -8);

        if ($emailCheck != "@mail.ru") {  

?>

<?php

    // honeypot - actual is "comment" (no s).

    if($_POST['comments'] =='' ) { ?>

<?php if ($_POST["Topic"] == 1) { ?>

<?php

if ($_SERVER["REQUEST_METHOD"] == "POST")     {  //WA Universal Email

$_SESSION['loadCount'] is set on the home page only (though I will likely remove this as it too broad and we do expect people to come to the site from other landing pages).

The @mail.ru does work but is not the only source of fake posts

Honeypot fails

and the pages form is wrapped in a Google reCaptcha


I've gotten to the point of only allowing the email aspect to send if the SelectList choice is #1 since their pattern of posts targets selections value >1

Yet as seen in the attached screen today we received another post (but it was not emailed to the Customer or myself) which also allows us to confirm the page being targetted.

Hi All,
interesting thread. I am curious if there has been any updates or new thoughts.