Monday, February 8, 2010

Delete This Account! It Was Created By A Forum Spammer!


I am Random Digilante.

I have been maintaining some forums on the Internet for many years now. As with many forums on the internet, the one which I maintain comes under very regular attack by a program known as XRumer. Some people might not think the word _attack_ is appropriate here but I think it is.

XRumer is an automated forum-spamming program (Wikipedia entry) which performs the following annoying and unwelcome functions:

a) Automatically try to register to a large number of forums, using a list of forums that the XRumer user provides.
b) It expects the forums to have very lax security, and to allow the new registrant to complete the registration themselves, by clicking on a link in an email they receive.
c) They automate the creation of that link, and auto-complete the registration. No human being ever needs to even see the email. It happens only by software.
d) Once the registration is successful, they begin spamming the forum using the XRumer program and posting a large number of messages that are promoting fake products, porn sites, child porn and other things that the forum spammer is attempting to promote using your forum which he doesn't own. (If the content of these automated postings is porn, especially if your forum has nothing at all to do with porn, that XRumer user is also in violation of profanity and obscenity laws.)

You should know that there are other programs like this one, but XRumer is very popular with spammers, and I think must be the cheapest one as well. By allowing new registered users to be the ones to complete their registration, and by letting them set very simple passwords, you are asking for a spammer to flood your forum. If you received my message, your forum meets all of the above description. If you received two, that means many, many spammers know this about your forum.

The XRumer program follows a recognizable number of steps. On my forum, it always visited one thread first on the forum so it could create a new user session. After that it visited a series of registration forms, and then tried to visit a confirmation page to complete the registration. I think it did all of this inside of one second per account, and that they maybe also figured out a way to decode the confirmation linking code.

Before I made my forum's registration process to be the new more manual process to try to protect it from this activity, and especially before I made the new user password requirement much more complex (longer, with letters, numbers and punctuation) this resulted in many (dozens) new and unwanted accounts being registered every couple of days, and it became a maintenance problem over time.

So maybe one year or so ago, I decided to do something extra on top of just making the registration process a little more difficult but also secure: I began looking for patterns in the registration process, and then to log the users who did this very often using an automated process that I creatde myself. Some interesting statistics came from that.

First of all some XRumer operators always register from the same IP's. I assume these users are actually amateurs because it makes it very easy to identify which ISP they are performing this annoying activity from, and so also very easy to report them. However, as you could guess, quite often those IP's are located in countries like China, Pakistan, Russia, Ukraine, Romania, Estonia and a number of other Eastern European countries which means it is not likely that the ISP's will take any action regarding this abuse. (So far a very small number have, but that is an exception always.)

Other higher volume XRumer users also use botnets to perform a VERY large number of automated registrations, meaning that what we see is the same email, userid, session and other data coming in from a large number of geographically different IP addresses. (China, Minnesota, Montreal, Bahamas, Panama, China, etc.) These are much harder to block, but I still capture this data and eventually block them completely from my forums.

I decided to take some direct action against a number of these attackers in some very specific ways. By looking up IP ranges and blocking either an entire ISP's netblock of IP addresses, or by blocking a series of individual IP addresses, which finally began to slow the traffic of these attempted registrations. But I still see 20 to 30 or more every single day. It has never been zero.

In each case, complaint reports were sent to the appropriate ISP's and in only a very small number of cases, these XRumer operators were disconnected from their ISP's, since this type of automated, repeat registration can be legally considered a type of attack, since it's attempting to gain access to a system which is otherwise not allowing this type of activity to take place on the corresponding forum, etc. Many ISP's have some very specific wording relating to what is or is not an attack, and in some cases, an XRumer run will fall under that.

Well recently I also decided to take EVEN STRONGER action!

I began slowly taking over over a few of the email accounts of anyone who performed these registrations. (Yes, idiot spammers use very stupid passwords like "123456", "qwerty" and "letmein".)

I know that sounds extreme, and is ethically questionable (but so is forum spamming using botnets) but the results were interesting.

In most cases, they only use either Gmail or as their email host for registering these accounts. In some cases they use Chinese hosted webmail like or Others use only Russian email services like

So I would go in and take over the account once it was verified (using some very easy Google searches) that these were only registered to be used in conjunction with XRumer forum spamming.

By "take over" I mean that I would guess the password for the email account, gain access to the email account, change the user information, change the password, add a new signature, and create a "vacation message" that would automatically be sent in reply to any message the account received from that moment forward.

My new name:

"Forum Spammer"

My new signature:

"I am a forum spammer! This account should be deleted immediately!"

My new vacation message:

"This email address was created solely to register automatically at thousands of forums for the purposes of spamming forums like yours. Remove my account and any other account registered with my email address!

[Update] Based on comments on 3 June, 2010, new sig and message are:

Subject: Delete This Forum Account [specific accountname]! It Was Created By A Forum Spammer!

New Message:

Subject: Delete This Forum Account [specific accountname]! It Was Created By A Forum Spammer!

This email address was created solely to register automatically at thousands of forums for the purposes of spamming forums like yours. I have taken over this email address and created this autoresponder because it spammed a forum I own which is only there to capture these automatic registrations. Remove the forum account associated with this email address and any other account registered with this email address!

You should also consider making the password requirements for your forum much more stringent so that idiots who create accounts like this one can't use your forum to advertise their stupid, dangerous products.


Random Digilante

These messages will be sent when a spammer's email account I took over receives the automatic "Thank you for registering" message, meaning that the forum administrator will instantly be notified that the account being used was a botnet or XRumer account, and hopefully they will take some actions to stop this account from remaining in their system.

In many cases that has worked, and the accounts are banned. This is a good sign. (See the comments below. Many forum operators were unaware of this, and noticed that they did actually have a number of these spammer accounts.)

To date I have taken over a total of 70 email accounts for this purpose, and each of them had registered to anywhere from 4,500 to way, way over 135,000 forums, only for the purposes of spamming one or another fake product or porn site in violation of the rules of all of the forums they registered to and in many cases in violation of law. (Lots of porn, lots of pills.)

I know this has had a damaging effect on the spammers who do this, because after a while the email accounts become suddenly disabled. (I only check those sporadically. I have no need for a spammer's email account.)

This is also a good sign because it means they had to start all over again and possibly create new domains and other things to start their new forum spamming.

I know I'm also not alone in taking this action because I've also seen similar messaging - but not my own messaging - from further accounts which have tried to register using the same automatic methods.

Now lately I can see that some forum operators and administrators have noticed some of these messages, and were not sure what to make of the message they got from the accounts I modified.

I put this blog together so that the public can know: you should secure your forums!!

  • Don't allow just anyone to register and have active accounts immediately! Your forum will very fast be infested with XRumer operators within a matter of hours or days, and you will never be able to keep up with the huge, huge volume of automated registrations.

  • Make it so your password settings are complex. At least 8 to 10 characters long, using upper and lower case letters, numbers and some punctuation.

  • Don't automatically approve new members. Make them go through a verification process, and if possible make that process something you have to initiate.

  • Don't assume that just because you allow the new user to click on a link in an email that is auto-sent to them that they're a human being. As I say the software does this step all on its own.

Why is that important?

  • Imagine that suddenly one morning you wake up to hundreds of complaints that pornography has been posted all over your cooking and baking forum! Or worse: your teenage daughter's videogaming forum.

  • Imagine that suddenly your forum is full of ads linking to fake pill sites or other completely fake or dangerous products!

  • Imagine that suddenly you have any number of exploits and malware installations being hosted on your forum.

  • Guess who will be contacted by police if child porn is posted to your forum? This has happened to a few partners of mine last year!

So If you received my messages, and hopefully you found this blog I made, you know now that I am serious about educating about forum spamming using botnets and especially about the criminals who don't care who they piss off by this automated forum registration.

You should take this warning very seriously. This is not going to stop unless everyone takes these simple steps at the registration point to stop the criminals who do this annoying and illegal activity.

And yes I do know that what I do is also legally grey area but nobody was stopping this activity, and based on responses this has been helpful to some.


Random Digilante

[Edited 4 June, 2010 based on comments from recipients of my messages to improve clarity why I do this.]