Spam Bots and CAPTCHAs

Have you ever heard about XRumer? Even if not, you face with it every day. It’s that industry-leading program which delivers spam messages to your forums and blogs. XRumer is a wonderful piece of software. Unfortunately, it fights on the dark side.

Anyway, it’s always interesting to learn more about people behind great software. Recently I found an interview with Aleksandr Ryanchenko (“botmaster”), the author of XRumer. Translation to English is below. Thanks Aleksandr Nikolayev (“square”) for interviewing!

(more…)

Many people, including me, believe that security by obscurity gives a false sense of security. Any security tool must be available in source code, even to bad guys. But Advanced Textual Confirmation (ATC) is encoded. Why?

It’s all about the business. If I deliver the tool as is, some “alternatively smart” programmer can copy/paste the code in a few minutes and start selling the clone. This is my worry: “alternatively smart” programmers.

To satisfy those who are against security by obscurity, I’m diclosing the ATC internals is this post. Warning: to understand the text in full, you have to be a web programmer.

(more…)

Sometimes there is nothing more satisfying than giving a bad guy a dose of his own medicine. That was undoubtedly the idea behind the “Spamper” phpBB2 MOD that was ultimately removed from the phpbb.com and phpbbhacks.com sites shortly after it was posted by its author.

(more…)

True Story:

I became so irritated from using phpBB2 Advanced Visual Confirmation, which ended up causing me more trouble that it was worth, that I finally did something about it.

After thinking that I had wrapped a spammer-proof wall of security around my forum, I discovered that spammers were having an easier time decrypting my captcha images than my authorized members were. In fact, I often ended up having to manually register new users who I thought weren’t smart enough to decipher the image that was sitting right there in front of their face. It was only after I tried (and failed) to register one particular user 5 times that the truth hit me:

When it comes to default captcha decoding skills: Computers win, humans lose.

(more…)

Recently I analyzed HotScripts.com section “PHP :: Scripts and Programs :: Security Systems”. Looking through the all 9 pages, I identified 5 categories:

* CAPTCHAs,
* crawler protection,
* login, users, groups, roles, rights, authentification,
* data encryption,
* PHP and HTML source code encryption.

As one expects, the biggest category is “CAPTCHAs”. But how to select the best one?

(more…)

While poking around the Internet I came across this article about ways to stop PHPBB spam. In it the author talks about 2 tools he believes everyone running a phpBB board needs. What’s nice about the article is that it isn’t a cleverly disguised plug for these products. Instead it’s an independent review so you can be sure these products really work.

(more…)

(Continued from part 1.) Gather around Generals, I have hot intelligence straight from the high-tech weapons arsenal. The tide of the War Against Forum SPAM is turning.

With CAPTCHA, Spam Blacklists, and other low-grade weapons allowing the front lines of our defenses to be overrun, a new anti-SPAM weapon has hit the battlefield and initial reports are quite favorable.

(more…)