Monday, February 8, 2010

Delete This Account! It Was Created By A Forum Spammer!

Hello.

I am Random Digilante.

I have been maintaining some forums on the Internet for many years now. As with many forums on the internet, the one which I maintain comes under very regular attack by a program known as XRumer. Some people might not think the word _attack_ is appropriate here but I think it is.

XRumer is an automated forum-spamming program (Wikipedia entry) which performs the following annoying and unwelcome functions:

a) Automatically try to register to a large number of forums, using a list of forums that the XRumer user provides.
b) It expects the forums to have very lax security, and to allow the new registrant to complete the registration themselves, by clicking on a link in an email they receive.
c) They automate the creation of that link, and auto-complete the registration. No human being ever needs to even see the email. It happens only by software.
d) Once the registration is successful, they begin spamming the forum using the XRumer program and posting a large number of messages that are promoting fake products, porn sites, child porn and other things that the forum spammer is attempting to promote using your forum which he doesn't own. (If the content of these automated postings is porn, especially if your forum has nothing at all to do with porn, that XRumer user is also in violation of profanity and obscenity laws.)

You should know that there are other programs like this one, but XRumer is very popular with spammers, and I think must be the cheapest one as well. By allowing new registered users to be the ones to complete their registration, and by letting them set very simple passwords, you are asking for a spammer to flood your forum. If you received my message, your forum meets all of the above description. If you received two, that means many, many spammers know this about your forum.

The XRumer program follows a recognizable number of steps. On my forum, it always visited one thread first on the forum so it could create a new user session. After that it visited a series of registration forms, and then tried to visit a confirmation page to complete the registration. I think it did all of this inside of one second per account, and that they maybe also figured out a way to decode the confirmation linking code.

Before I made my forum's registration process to be the new more manual process to try to protect it from this activity, and especially before I made the new user password requirement much more complex (longer, with letters, numbers and punctuation) this resulted in many (dozens) new and unwanted accounts being registered every couple of days, and it became a maintenance problem over time.

So maybe one year or so ago, I decided to do something extra on top of just making the registration process a little more difficult but also secure: I began looking for patterns in the registration process, and then to log the users who did this very often using an automated process that I creatde myself. Some interesting statistics came from that.

First of all some XRumer operators always register from the same IP's. I assume these users are actually amateurs because it makes it very easy to identify which ISP they are performing this annoying activity from, and so also very easy to report them. However, as you could guess, quite often those IP's are located in countries like China, Pakistan, Russia, Ukraine, Romania, Estonia and a number of other Eastern European countries which means it is not likely that the ISP's will take any action regarding this abuse. (So far a very small number have, but that is an exception always.)

Other higher volume XRumer users also use botnets to perform a VERY large number of automated registrations, meaning that what we see is the same email, userid, session and other data coming in from a large number of geographically different IP addresses. (China, Minnesota, Montreal, Bahamas, Panama, China, etc.) These are much harder to block, but I still capture this data and eventually block them completely from my forums.

I decided to take some direct action against a number of these attackers in some very specific ways. By looking up IP ranges and blocking either an entire ISP's netblock of IP addresses, or by blocking a series of individual IP addresses, which finally began to slow the traffic of these attempted registrations. But I still see 20 to 30 or more every single day. It has never been zero.

In each case, complaint reports were sent to the appropriate ISP's and in only a very small number of cases, these XRumer operators were disconnected from their ISP's, since this type of automated, repeat registration can be legally considered a type of attack, since it's attempting to gain access to a system which is otherwise not allowing this type of activity to take place on the corresponding forum, etc. Many ISP's have some very specific wording relating to what is or is not an attack, and in some cases, an XRumer run will fall under that.

Well recently I also decided to take EVEN STRONGER action!

I began slowly taking over over a few of the email accounts of anyone who performed these registrations. (Yes, idiot spammers use very stupid passwords like "123456", "qwerty" and "letmein".)

I know that sounds extreme, and is ethically questionable (but so is forum spamming using botnets) but the results were interesting.

In most cases, they only use either Gmail or Mail.ru as their email host for registering these accounts. In some cases they use Chinese hosted webmail like 163.com or mail.cn. Others use only Russian email services like Yandex.ru.

So I would go in and take over the account once it was verified (using some very easy Google searches) that these were only registered to be used in conjunction with XRumer forum spamming.

By "take over" I mean that I would guess the password for the email account, gain access to the email account, change the user information, change the password, add a new signature, and create a "vacation message" that would automatically be sent in reply to any message the account received from that moment forward.

My new name:

"Forum Spammer"

My new signature:

"I am a forum spammer! This account should be deleted immediately!"

My new vacation message:

"This email address was created solely to register automatically at thousands of forums for the purposes of spamming forums like yours. Remove my account and any other account registered with my email address!


[Update] Based on comments on 3 June, 2010, new sig and message are:

Signature:
Subject: Delete This Forum Account [specific accountname]! It Was Created By A Forum Spammer!
http://randomdigilante.blogspot.com/

New Message:

Subject: Delete This Forum Account [specific accountname]! It Was Created By A Forum Spammer!

This email address was created solely to register automatically at thousands of forums for the purposes of spamming forums like yours. I have taken over this email address and created this autoresponder because it spammed a forum I own which is only there to capture these automatic registrations. Remove the forum account associated with this email address and any other account registered with this email address!

You should also consider making the password requirements for your forum much more stringent so that idiots who create accounts like this one can't use your forum to advertise their stupid, dangerous products.

Sincerely,

Random Digilante

http://randomdigilante.blogspot.com/

These messages will be sent when a spammer's email account I took over receives the automatic "Thank you for registering" message, meaning that the forum administrator will instantly be notified that the account being used was a botnet or XRumer account, and hopefully they will take some actions to stop this account from remaining in their system.

In many cases that has worked, and the accounts are banned. This is a good sign. (See the comments below. Many forum operators were unaware of this, and noticed that they did actually have a number of these spammer accounts.)

To date I have taken over a total of 70 email accounts for this purpose, and each of them had registered to anywhere from 4,500 to way, way over 135,000 forums, only for the purposes of spamming one or another fake product or porn site in violation of the rules of all of the forums they registered to and in many cases in violation of law. (Lots of porn, lots of pills.)

I know this has had a damaging effect on the spammers who do this, because after a while the email accounts become suddenly disabled. (I only check those sporadically. I have no need for a spammer's email account.)

This is also a good sign because it means they had to start all over again and possibly create new domains and other things to start their new forum spamming.

I know I'm also not alone in taking this action because I've also seen similar messaging - but not my own messaging - from further accounts which have tried to register using the same automatic methods.

Now lately I can see that some forum operators and administrators have noticed some of these messages, and were not sure what to make of the message they got from the accounts I modified.

I put this blog together so that the public can know: you should secure your forums!!


  • Don't allow just anyone to register and have active accounts immediately! Your forum will very fast be infested with XRumer operators within a matter of hours or days, and you will never be able to keep up with the huge, huge volume of automated registrations.

  • Make it so your password settings are complex. At least 8 to 10 characters long, using upper and lower case letters, numbers and some punctuation.

  • Don't automatically approve new members. Make them go through a verification process, and if possible make that process something you have to initiate.

  • Don't assume that just because you allow the new user to click on a link in an email that is auto-sent to them that they're a human being. As I say the software does this step all on its own.



Why is that important?


  • Imagine that suddenly one morning you wake up to hundreds of complaints that pornography has been posted all over your cooking and baking forum! Or worse: your teenage daughter's videogaming forum.

  • Imagine that suddenly your forum is full of ads linking to fake pill sites or other completely fake or dangerous products!

  • Imagine that suddenly you have any number of exploits and malware installations being hosted on your forum.

  • Guess who will be contacted by police if child porn is posted to your forum? This has happened to a few partners of mine last year!



So If you received my messages, and hopefully you found this blog I made, you know now that I am serious about educating about forum spamming using botnets and especially about the criminals who don't care who they piss off by this automated forum registration.

You should take this warning very seriously. This is not going to stop unless everyone takes these simple steps at the registration point to stop the criminals who do this annoying and illegal activity.

And yes I do know that what I do is also legally grey area but nobody was stopping this activity, and based on responses this has been helpful to some.

Truly

Random Digilante

[Edited 4 June, 2010 based on comments from recipients of my messages to improve clarity why I do this.]

172 comments:

  1. S'alright, but not faultless. It replies to required-authentication-step emails as well as welcome messages, meaning that it thinks it's registered successfully even when it hasn't.

    Nice job though.

    ReplyDelete
  2. I try to keep up and delete spammers, I run 2 nice forums and maintain them..why would you want to mess up my hard work,,you say you have forums, so you know what we mean!..BE NICE!
    Thanks...

    ReplyDelete
  3. Hey
    I got one of your messages and I just wanted to say thank you. I'm communicating with the developers of a Wordpress community plugin we use to try and deal with this. I've also adjusted security until the plugin is updated.
    Your post was really informative. Fortunately all posts and forum posts are moderated.
    Many of the spam memebrs have 'X3 31xx series' in their biographical info, what's that all about?
    Ellie

    ReplyDelete
  4. Hi.. I received your email yesterday about my forum being taken over. Fortunetly that forum was long dead and no one ever used it. I ended up deleting the forum but thank you for the heads up anyway.

    ReplyDelete
  5. Just got one of your emails. My friend, you really need to reword the text of it! It can be easily misread as though you're saying that you have taken over the *forum* and not that you've taken over the *email address*.

    Your exact wording:

    This email address was created solely to register automatically at thousands of forums for the purposes of spamming forums like yours. I have taken it over and created this autoresponder.

    You say "I have taken it over". What is "it"? The email address or the forum. After getting unnecessarily worried that you may have taken over my forum, I see that you have simply taken over some spammer's email address.

    Also, in my case I'm running a phpBB forum and your email does not inform me of the phpBB username, just the email address. I'm not sure if this account is truly active or in a "waiting for manual activation" mode (I changed my phpBB settings a long while back so that users have to email me separately and request manual activation since I was getting so many spammer auto-registrations).

    ReplyDelete
  6. Very creative! I got this as a reply to a forum
    authorization rejection message that goes out automatically to rejected accounts.

    I'm noticing a rise in these attempts too, so something needs to be done on my end.

    ReplyDelete
  7. I just received one of your messages for the first time.

    My forum is set to require that I manually approve registration requests, and your auto-responder was triggered based on the "registration unapproved" e-mail sent to the offending account.

    So, thanks to your unrequested meddling, I not only get to delete dozens of "new account request" e-mails from spammers every day, but will presumably soon have to delete the corresponding spam your auto-responder sends after I reject a request. Thanks so much.

    ReplyDelete
  8. I just got one of your messages!! THANK YOU!! I didn't get it automatically, though... I had sent an email asking the person (who appeared borderline legit) to confirm that he was in fact trying to get access to our fan group forums for the purpose of joining the planning... and that's when I got your message. THANKS AGAIN!!

    ReplyDelete
  9. Digilante rocks. I manually approve or reject all applicants to my forum but I like to see people like yourself doing what you do. People who object to what you are doing probably are doing some form of spamming themselves and that's why they sent bad comments. Yeah, there's an ethical grey area here somewhere but it's a very minor infraction in the face of a major attack-- and I do agree with you, attack is an appropriate word. It's probably not a lot, but my forum's going to be a year old in August and I have manually deflected nearly 1000 spammers since its beginning. Thanks again.

    ReplyDelete
  10. I don't understand. Responsible for Equality And Liberty (R.E.A.L.) are not spammers. We are a human rights group promoting universal human rights of equality and liberty. Why would you attack us? What have we done to you? We feel pity for your hatred and attack on us. Choose love, not hate. Love Wins.

    ReplyDelete
  11. Thanks for what you're doing -- it all helps.

    ReplyDelete
  12. What I find interesting is that one of the members on the website I administer recieved this email, however, my website doesn't even have a forum.

    ReplyDelete
  13. You keep registering on our Sycophant Hex forum, but see, we don't activate users unless they follow specific instructions on the site. The rest are purged every 6 months, so you can really stop trying to register.

    ReplyDelete
  14. Hey thanks for the tip... helped us clean up one of our forums. Good luck in all you're work and keep it up. The Internet needs more White Hat's like yourself.

    ReplyDelete
  15. SH..

    and anyone else that thinks this page was by the spammers.. re-read it...

    The author, has altered the spammers account, to tell you you are being spammed. He is not the spammer..

    Without his action, the spammer would STILL send tyou the same amount of signups, and would still try and post.. andf would still be a spammer..

    this way you are being told its happening.

    I am truley thankfull you did this.

    I am a subscriber to an email spam reduction idea too, which also costs nothing, but tryes to encorage anti spam, via email which is here.. http://www.mysparehours.com/?q=node/13

    ReplyDelete
  16. It would help if you were more educated. My forum reply to your bogus email address was not an approval onto the forum. You still would need to be manually added based upon your response to that email sent. Instead of pretending you are here to save the world, why don't you get yourself a life and stop being an asshole? YOU ARE AS BAD AS A SPAMMER... MAYBE WORSE. Shame on you, disgusting creature.

    ReplyDelete
  17. I know you're trying to be helpful, but you're really just creating another problem. Your approach counts any kind of response as a successful registration. For every one forum you might help, you're hurting dozens more. Please stop.

    ReplyDelete
  18. thank you for comments, and this reminds me that i never turned on manual comment moderation. of all things :)

    @scott: you said the following which I am taking seriously:

    "You say "I have taken it over". What is "it"?"

    It is the email address of the spammer.

    "The email address or the forum."

    The email address.

    "After getting unnecessarily worried that you may have taken over my forum, I see that you have simply taken over some spammer's email address."

    this is correct.


    "Also, in my case I'm running a phpBB forum and your email does not inform me of the phpBB username, just the email address."

    i need to clarify this thing.

    when i take over a spammer's account it is because they have one forum of mine in their list of forums that they ****always**** spam. the whole process is automatic from their end. they obviously still do not know which forum because i still see lots of fake / auto registrations every day. if they were smart they would remove my forum, but they don't. (we are talking about spammers so you can draw some conclusion.)

    when i take over email account i place my auto-response message because that way any "successful" registration will result in my message being sent to the reply-to address the forum administrator or owner has set. as we can see from most of the comments here, the message is getting through: set up your forum so that no new accounts are automatically allowed to be entered into your forum database.

    "I'm not sure if this account is truly active or in a "waiting for manual activation" mode (I changed my phpBB settings a long while back so that users have to email me separately and request manual activation since I was getting so many spammer auto-registrations). "

    if your registration still allows basic passwords but THEN makes this manual process the norm, that is not good enough. they won't stop trying to auto register at your forum. if you received my message, that is possibly only the one account that had this process. if you received more, that means your current process is still ineffective. only full-manual approval of new registrations will stop spammers. they know this. they also know that 99% of forums on the internet do not do this process. this is why they continue.

    reason i do this is because a large number of these idiots are spamming porn to forums visible by children or underage. that is disgusting and none of the forums i tried to contact before doing this ever stopped it or removed accounts. my takeover approach is only successful way.

    i will change my out going message to be more clear to say i took over email address only. thank you @scott.

    rd

    ReplyDelete
  19. also I will try to include the forum username which was registered for purposes of spamming from now on in my auto response. thank you.

    rd

    ReplyDelete
  20. Please stop doing this. You are wasting our time. The response you received was not an approval, you still needed to manually respond to it. You did not "get into our forum," you need to educate yourself more on how things work before you try to play the Knight in Shinning Armour. Please stop doing this, you are a sore and a disease worse than spammers.

    ReplyDelete
  21. Thanks for your automated email.

    Actually my forum auto-generates passwords and emails them to the registrant's email address. That has eliminated pretty much all the spammers that my forum used to suffer from when I had people select their own passwords (as most of the spammers use fake email addresses anyway). So even though I have a lot of them in the user database, they never activate their accounts and hence don't post anything.

    Best regards,

    Paul.

    ReplyDelete
  22. Keep your shit up cocsuker and I might end up at your home. Or, I'll find out which websites you operate and I'll hack them... Game on biatch!

    ReplyDelete
  23. To folks complaining you got a Random Digilante reply when you actually sent a message rejecting a forum registration:

    Spammers don't monitor the email addresses they use to sign up. (They can create the correct confirmation URL on their own, using the forum software's predictable pattern, without receiving your email.) They won't stop trying to register just because you rejected them.

    The only reason to send a rejection is if you think there is a small chance it really was a legitimate signup, and you want to extend that person the courtesy of telling him you have mistaken him for a spambot.

    So the two possibilities are
    1. You're 100% certain it's a spammer. No need to reply to tell him he's rejected. He won't read it. Block all further registration attempts from that user.
    2. You're not 100% certain and think you may be rejecting a legitimate user. Send a rejection notice, and if you get a Random Digilante reply, your suspicions are confirmed. You needed information, and you received it. Now you can block all further registration attempts from that user.

    ReplyDelete
  24. "ricky" you are missing the point.

    the software these spammers use AUTOMATICALLY DO THIS FUNCTION!

    simply leaving the completion of registration up to a user clicking on a link in an email they receive: the software they run DOES THIS ON ITS OWN! the only way to stop this activity is to manually approve new accounts. that mean don't let the user approve their account. they have to prove they are human by answering you specifically via an email from them to you, period.

    it appears that you are sadly uninformed about just how these spammers work. that is why i do this. your reply shows me: you don't clearly understand why this is a problem. the accounts i take over have auto-registered at thousands of forums, usually to spam them with porn. based on your reply, you are okay with that. the software completes the registration because it knows how to complete the link that is emailed to the new member. i am not making this up. i'm sorry you are "annoyed" but your current stance is to just let more spammers auto-register at your forum.

    ReplyDelete
  25. i would like to point out the threat made against me by what is more obviously a spammer who does this

    "Anonymous said...

    Keep your shit up cocsuker and I might end up at your home. Or, I'll find out which websites you operate and I'll hack them... Game on biatch!"

    it was made today (4 June, 2010) at 1:19pm forum time.

    this is the kind of person who thinks your forum is theirs to spam all day long every single day, and if you try to stop him from doing this activity, this is what he says to you.

    do you see why it is important to stop these people? they are really scum.

    ReplyDelete
  26. Don't worry I've dealt with this problem already; ranging from a custom CAPTCHA (which I rewrote) to other ways of reducing the spammers.

    The problem however is I can't remove the profile you are referring to as unfortunately you don't tell me the username and there are thousands of users registered on the forum!

    ReplyDelete
  27. If you are the administrator of your forum, which I think you would be, nearly every forum's admin console lets you search for an account by their email address. Search on the address you got the auto-response message from. If you can't figure out where to do this search, leave a followup comment with your email address and I'll followup seperately from this blog. (And will not publish your comment.

    ReplyDelete
  28. Thanks a lot for your help! I do received 5-10 spam registration by day. As an admin, I have to approve new registration. Every week I just delete all the spam registration but is is becoming a maintenance problem. I think we should really fight back on this. I am behind you on this!

    Thanks again!!

    R.

    ReplyDelete
  29. You sent me an email to let me know about a spammer. The spammer was deleted already on my end - recognizing it as a spammer and NEVER was a member. The spammer attempted to register but did not complete the process before it was caught on my end and removed. Therefore your email was not helpful AND it was confusing because the language in the paragraph sounded like you had taken over my forum/it. I suggest ONLY sending the email to forum admin IF the email account receives a WELCOME email. :)

    Its a great idea - but one that needs some tweaking.

    ReplyDelete
  30. I received one of your messages, it came in response to our registered but not yet activated message auto generated by our server on registration. ALL registrations here are manually checked and verified before validation. It became neccessary just before I became Admin, the measures in place I have put there to try to control things. Im considering a block list of IPs - strangely I am getting unconnected attempts on ICQ to add spammers to my list... NO Way!

    ReplyDelete
  31. Lots of new comments on this weekend. more people seem to get the message at last.

    "Its a great idea - but one that needs some tweaking."

    i agree but it was only thing I could do easily. each account i take over has usually at least 4,000 - 5,000 auto-registrations underway. auto-resonder is easiest way to get the message to forum operators quickly.

    if enough people start to get message then the need to keep doing this will disappear. fact that i get threats now means this may be finally hurting the effectiveness of this type of spam in a small way.

    thank you for comments!

    rd

    ReplyDelete
  32. A real spammer will not ever reply to you. Real spammers are laughing that you think this is going to do anything.

    At least create a "do not bother list" so I can add my site to it. I'm getting one of your false positive "DELETE THIS ACCOUNT" emails every day and I suppose I might start getting more.

    PLEASE STOP THIS NONSENSE.

    ReplyDelete
  33. Random Digit... if you're as effective as you think you are, don't you think you'd have a lot more than just 30-some comments in the span of 4 months? Please setup a no-contact list so those of us who are getting repeatedly annoyed by your false positive emails have some way of opting out of this nonsense.

    ReplyDelete
  34. BTW, I keep getting your emails because your bot is trying to signup for an email newsletter...not because they've managed to register for a forum. Your bots never get confirmed either and therefore aren't even getting added to the newsletter.

    ReplyDelete
  35. Well done mate, your hard work is appreciated.

    ReplyDelete
  36. "Random Digit... if you're as effective as you think you are, don't you think you'd have a lot more than just 30-some comments in the span of 4 months?"

    the comments on this blog only started in the past four months. responses within forums where i had successfully taken over the email accounts of these spamming idiots started well over a year ago, and emails to me asking for assistance number in the low thousands. i have directly assisted several *hundred* of forum operators to fix their forum's password requirements. merely counting the comments on this blog is not a good measurement. do some searches for phrases in the email message i set up as auto-response. you find many, many pages of positive responses and mentions of forum moderators improving their security. that was the point. the automated emails stop when that happens because your forum won't send an email automatically, since the average forum spammer uses low security to register, and they assume your security is also low. that forum spammer's account will not be automatically created, and no email will be sent.

    "Please setup a no-contact list so those of us who are getting repeatedly annoyed by your false positive emails have some way of opting out of this nonsense."

    we are talking about (so far) over 200 email accounts where this has been set up. it's a vacation message.

    many of you call this "nonsense". you fail to realize that so many forums allow this activity even when it promotes porn to sites which primarily have minors as their audience. that should concern you. i know this is annoying, but allowing these forum spammers to continue this abuse is criminal, not only annoying.

    ReplyDelete
  37. i also like to point out that many, many forum spammers promote the wide spread selling of stolen credit card data and identity theft. is that just "nonsense" also? forum operators who allow lax security and low-complexity passwords = helping criminals. that is worse than "annoying" or "nonsense".

    ReplyDelete
  38. Kindly turn off your script. You are spamming others with your automated messages. I am not going to respond to unsolicited emails from someone called "random digilante" claiming that certain accounts are spammers. If they are, they will make themselves known, either through spam posts or spam signatures, and they'll get cleaned up. So please, stop spamming, or at least post the IP address from which your script runs so that I can block it from our site.

    ReplyDelete
  39. i am bored deleting your emails, guy

    all these emails are for unconfirmed accounts, i have NO spam on my forums, but i now have to delete your emails.

    ReplyDelete
  40. "Kindly turn off your script."

    It is not a script. It's an autoresponder from the free-email provider of the email address I took over.

    You are spamming others with your automated messages.

    No: the original spammer is, by continuing to re-register at your forum. this is usually either gmail or mail.ru. Ban the username and that activity stops. i can't be more clear about this. the only reason you get the message is because your password complexity is still set low enough that the username gets accepted.

    "I am not going to respond to
    unsolicited emails from someone called "random digilante"
    claiming that certain accounts are spammers.

    you just did!

    "If they are, they will make themselves known, either through spam posts
    or spam signatures, and they'll get cleaned up."

    that may be true for ONLY your forum but if you do a search for the usernames i've taken over you find hundreds of thousands of forums have not done this. this is why i do this! the majority of forums are not being diligant about spamming forum usernames.

    "So please, stop spamming, or at least post the IP address from which
    your script runs so that I can block it from our site."

    it is not a script! you could ban all registrations frmo mail.ru and that will probably kill off the majority of this activity, or you could do what i have been saying all along: ban the usernames that are tied to these email addresses from registering again. this is a part of ever forum software on the internet!

    you are so busy being angry at my activity that you're ignoring the actions i am telling you will make it harder for *any* forum operator to keep registering at your forums.

    1) Make the requirement for passwords to be longer than they currently are and contain more complex character sets
    2) add any of the addresses you get my message from to your ban list.

    i understand that you are angry but you should be much more angry that this problem still exists after four years.

    the only time you receive my message is when your forum software auto-approves a registration tied to one of the addresses i have taken over. why can't you just read what i say?

    ReplyDelete
  41. i am bored deleting your emails, guy

    "all these emails are for unconfirmed accounts"

    which means you are still setting password setup to be too low. these spammers always use simple, simple passwords. your forum allows that and auto-enters them - even though you still have a manual step to finally approve them

    it is good that you are manually doing that last step but that still means you're making your forum an obvious target for spammers in the meantime. if you just (like i keep saying!!) raise the complexity of the acceptable passwords, not only do my messages stop showing up, but spammers stop targeting your forum.

    "i have NO spam on my forums, but i now have to delete your emails. "

    again: good for you, and you have my apology for the annoyance. but take a look at this:

    http://bit.ly/9rHZIw

    http://bit.ly/bjtO1a

    these are forums which don't do what you do. these are now plainly full of postings from forum spammers like the ones i take over which are advertising the sale of credit card and identity information.

    there are literally millions of these all over the internet. that is not a guess. that is fact.

    there are others posting porn to forums visited largely by minors. millions.

    i tried contacting these forums to get them to pay any attention - for years - and they don't. so i do this now, and as you can see, this is the only thing that has raised the attention of these forum operators and their hosting companies.

    good for you that you take care of this. sorry that you are annoyed, but you do know (because i keep repeating this in these comments) what to do to fix it.

    i am sick of forum spammers. i would sooner be angry at forum spammers than the fact i have to delete an email i can make a filter for, or can remove completely just by improving the password security of my forum. you can be angry at me all you want but it should worry you more that these criminals still get away with this activity every day

    ReplyDelete
  42. You would be a lot more convincing if you peddled your crap only at sites which actually had forums.

    You recently registered at one of my sites - which has a manual approval process, has never hosted a forum and does not allow user-generated content of any kind - and sent us 18 of your shitty emails to tell us about it. This makes you far and away the worst spammer we've had this month.

    So, respectfully, fuck off and die.

    ReplyDelete
  43. Thanks for the concern.
    I will look into you suggestions.
    I have been aware of XRuner for some time.
    I have been checking registered users through
    http://www.projecthoneypot.org.

    RL

    ReplyDelete
  44. The Admin has left a new comment on your post "Delete This Account! It Was Created By A Forum Spa...":

    "You would be a lot more convincing if you peddled your crap only at sites which actually had forums."

    why do you not read? I am not doing the spamming, the forum spammer is. I set up an autoresponder when i took over his account. when THE SPAMMER tries to do something using that email address, using his spamming software, and you have an automated reply for everything the spammer does, you get my autoresponse.

    "You recently registered at one of my sites"

    which you don't tell me which site. and again: not me, the idiot spammer who refuses to remove your site from his list of sites to perform these automated registrations.

    " - which has a manual approval process, has never hosted a forum and does not allow user-generated content of any kind - and sent us 18 of your shitty emails to tell us about it."

    so what does this tell you about your setup then??

    the spammer has probably been using a variety of accounts to join whatever service you run - which you again didn't tell me so i could research it - and only because i managed to take over this spammers account and provide a notifier are you aware of it. this means that your site (whatever it is) has likely been included on a list which is owned by at least several hundred spammers.

    do you see what i am trying to tell you? this notification means that your setup is allowing anyone to just join freely, and that includes this spammer. if you have a manual process *after* this automated email process, that is not stopping this abuse from continuing.

    you could drastically change this by changing how people can join your site, but again: YOU NEVER TOLD ME WHICH SITE! and you didn't provide any means of contacting you.

    "This makes you far and away the worst spammer we've had this month."

    again i say: you mean the forum spammer. once i set up the autoresonder, any action he takes where an automated email is sent will get my message. that is 100% initiated by him, not me. i have no idea who he is other than Russian or Ukranian scum. you're just seeing the residual effect of what he gets away with every day.

    "So, respectfully, fuck off and die."

    why not instead of swearing on my blog you actually review your existing processes since clearly more than one spammer is aware that it is weak.

    if you would read the notice i have regarding commenting you would clearly see that you could tell me with your comment:

    - what site you run
    - which email address you received my message from
    - how to contact you about it

    and i could investigate it without publishing your offensive comment. you for some ridiculous reason choose not to do this and just whine and swear. why not be more proactive and tell me? honestly!

    ReplyDelete
  45. Ohh okay, now I get it. Thank you.
    Yes I do keep a simple log in, due to having live support numbers on my site I wanted to make everything as easy as possible.
    Your point is taken.

    ReplyDelete
  46. Hi,
    Just wanted to thank you for putting up this blog and your initiative to help other webmasters to control the spamming.

    ReplyDelete
  47. Random Digilante, I understand exactly what an auto-responder is, appreciate what your reply is all about and ... I still consider your email as spam.

    I think you're a bit arrogant in thinking that your way is the best. There are many ways of dealing with spammers and the one we use is far more effective. We let them create as many accounts as they want and then delete all accounts that haven't made a "quality" post within a certain period. That has proven a far more effective way of dealing with the idiots than trying to stop the registrations in the first place. Some very large forums have started adopting the methods we use at experienced-people.net.

    Test it out if you wish. Register an account and try to spam (in a thread, in your signature, in your profile, or anywhere else) and you'll find it doesn't work.

    So for people like us your constant autoresponders are more annoying and disruptive than the spammers themselves.

    ReplyDelete
  48. Clinton:

    "I think you're a bit arrogant in thinking that your way is the best."

    where did I ever say that my idea is "the best way"? I did not ever say that. instead my opint was that doing this was the only way to tell other, much less cautious operators of thousands of forums: you are providing free advertising to criminals.

    i understand that you are not among these people. you have my apologies. if the othe thousands of forum and blog operators would wake up (and many, many have as i have mentioned) then this would not have been necessary.

    every day i see another several thousands of forums featuring not just one or two but literally thousands and thousands of postings all promoting the sale of stolen credit cards. it's good that yours is not one of them. the only way i ever had anyone actually pay any attention of any kind is when i started this autoresponder method.

    it is not the best, believe me i know, but it is the only one that worked.

    sorry you thought i said it was the best / only way. i did not.

    ReplyDelete
  49. Random: I just wanted to add my thanks for your message. I have received exactly *one* of your auto-responses, so I guess my site isn't a major target (yet).

    But I had noticed my forums getting slower and wondered why. It turns out I had several thousand fake account creation attempts cluttering up my database. Akismet marked all of them as "bozos", so they were not able to complete registration and post. I ended up using SQL commands to delete the bogus sign-ups. I'm still getting 20-50 a day, but they're all getting caught.

    Anyway, I appreciate your auto-response message that clued me in to the problem.

    One easy way to spot the spammers - All of the ones I've had gave the same string for user name and location. If you're running a forum and find an account where these match, odds are very high it's an auto-generated account and should be deleted.

    Corey

    ReplyDelete
  50. Thank you :)
    I just received one of your messages.
    I have my forum set so that I have to approve new members manually and I had only just declined the new application when I got your message!
    You are doing an awesome job!
    J x

    ReplyDelete
  51. "By allowing new registered users to be the ones to complete their registration, and by letting them set very simple passwords, you are asking for a spammer to flood your forum. If you received my message, your forum meets all of the above description."

    Not at all. It may simply be that my forum gives the spammer the impression they are in control. In fact, when I received your email, it was the first I had heard of that particulate spammer, as my system had deleted his account automatically.

    I applaud your intentions, but please don't assume you are the first to take on forum spam, and that the rest of us need teaching.

    Chris

    ReplyDelete
  52. The other (minor) mistake that you appear to be making (unless I am misunderstanding your email) is assuming that the spammer uses the same username. This is often untrue.

    Thus the email I have from you says:

    "Delete This Account! [orumerf] It was created solely to spam forums and blogs. Delete the forum account associated with this email address. -- Sincerely -- Random Digilante -- http://randomdigilante.blogspot.com/"

    suggesting the "specific accountname" is orumerf.

    In fact, the email address you were using - sda213ad213swd1@aol.com - had created an account on my forum (which my own precautions had taken care of, but with a user of eofruma.

    So I think including the specific accountname in your email is less than useful, as it will only confuse people. The email address is the important information.

    I would also explain with more detail in the email, rather than the terse message you currently use. Something like:

    "Dear forum administrator,

    Until recently this email account has been operated by a forum spammer, who has used it to register with, and then spam, multiple forum systems. I believe you may have been visited by this spammer, and would suggest you delete any account that has been created using the email address [email address]. If you have already detected this exploit, then congratulations!"

    Apologies for posting anonymously, but I no more want my name added to more spamlists than you do!

    Chris

    ReplyDelete
  53. Chris:

    "I would also explain with more detail in the email, rather than the terse message you currently use. Something like:"

    that is an excellent alternate message.

    honestly i can't believe some of the ridiculous threats made against me simply for trying to alert total newbie forum operators that their forums are overrun with spammers. I knew i ran the risk of annoying some of the more knowledgable forum operators, but they are all seemingly unaware that they could just modify their forum settings so that they do not send out an automated message in the first place! the fact that they refuse to make serious changes to how their forums are set up is not my fault. forum spammers rely on the fact that you are not knowledgable about these things and this is why they succeed.

    also to all of you forum owners who insist on commenting on this blog "anonymously", you are not helping your situation one bit. I am routinely ignoring anyone who comments anonymously. if you want my help, identify yourself! I'm not a bloody mind reader!

    rd

    ReplyDelete
  54. Interesting concept. I just picked up your e-mail ahead of going to forum and looking through the 12 new members that are awaiting manual approval this morning. I am daily having to manually check and then probably delete all 12. I normally ban offenders by ip address rather than e-mail - but perhaps e-mail is where I should concentrate.

    I use the stop forum spam database (http://www.stopforumspam.com) to manually check for spammers. I just discovered a mod for my SMF based forum which will do that for me automatically - and am considering installing.

    I do occassionally find that the e-mail address is not in the database but the ip-address is.

    I do have a fairly simple requirement for passwords, that is something I will probably discuss with my fellow adminstrators, but I also have a Captcha check

    The interesting thing I see from your blog is that the spammers are using TOTALLY automated software. Obvious really but I never really thought it through - it does mean that they can get past the Captcha check.

    One good way to disrupt such people is to teergrube them - hold on to the tcp connection for as long as possible so they cannot move on as fast to the next connection. If I understand you correctly, the spammers can calculate the automated mail authentication code that the forum sends out.

    What if (and I am thinking on the fly here) I changed the forum "ban" function from one which sent out an error message to one which delay for the maximum possible time my host will allow (probably about 30 seconds)

    ReplyDelete
  55. Alan, these are all good suggestions. The opint of why i'm doing this experiment is more to alert those who have no idea about the stopforumspam website. They are clueless about properly securing their forums. In the past four weeks I have alerted several web hosting companies who were providing hosting to forums which were not only 100% forum spam in content, but that content was specifically about selling stolen credit cards. I'm talking tens of thousands of postings throughout the entire forum. Very clearly an operator of a forum like that simply does not have the first clue about why forum spamming is bad for their site, but worse than that, they're actually facilitating a criminal act. That can mean that they are held as responsible as the thousands of criminals who post to their forum.

    Perhaps in finding this site through my automated messages, they'll also finally read all the comments which suggest other options.

    rd

    ReplyDelete
  56. Hi there - I just emailed you back from an alert you sent me a while ago but after reading a few comments here, I'm not sure if it will reach you, so I will repeat here. Firstly, thank you for what you are doing, it is hugely appreciated and, from what I can see, a thankless job. So, thank you, I see why you are doing it and really admire you for it. However, having said that, when I got your email, I ignored it as it looked like spam in itself. Huge mistake - we just found out our forum was hosting a massive porn site. Oops. So I recalled the email you sent and realised that is the message that was coming across. Please can the message perhaps be changed for idiots like myself to something like: "The above forum has been hacked without your knowledge and is now either hosting illegal activities or producing spam. Please investigate it and either remove or secure your forum."

    Thank you once again and we'll definitely not be doing something as stupid again. (You never know though).

    ReplyDelete
  57. On my forum we've banned *@gmail.com If anyone wants to register using gmail because they have no other we temporarily remove the ban and then when they've registered put it back on. Ugually in the few hours it's open we get several other gmail registrations.

    It's a real pain, and even if what you are doing does cause me to get extra emails from the auto responder, I support anyone who is fighting back against these scum.

    Thank you

    ReplyDelete
  58. I receive many messages from spammers trying to access the company forum. It got so bad we had to stop allowing anyone through at all. Eventually we set it up so you had to directly e-mail us with your username and tell us to activate the account. Before then we got 2-3 spammers per minute, and probably still do, though the e-mails have been auto-archived.

    I had no idea how to stop them. However, if it's as simple as extending the password limit to at least 8 characters, adding in capitols and numbers as a necessity, perhaps we can stop auto-archiving the notifications.

    Thanks for doing this. I was rather surprised when I got the e-mail, and it's nice to know how these guys are managing to get passed the measures already taken.

    I don't care if this is deemed illegal, you shouldn't stop, it'll help many people.

    ReplyDelete
  59. I just wanted to say THANKS RD. YOU ROCK. These spammers sh#t me to tears. I really appreciate your vigilance. Keep it up, put a dent in their black hat methods. Fight fire with fire. They'll always find a way, if webmasters don't take the precautions to beef up their security, but if more people were pissed off and actually took action, we'd be in a better virtual space.

    Good job. Love yer work Mate. ;)

    ReplyDelete
  60. Nice one :) What you do would, in the UK, be totally illegal - but I for one don't care :))

    However, FYI:
    a) My blogs require email authentication & *then* I have to manually approve as well. That way I don't waste my time on accounts with email addresses that don't authenticate - the related blog accounts are automatically deleted after a week.

    b) The bots they're using now often register with complex passwords. So, just making it difficult for your real users (and yes, I know they should be using complex PWs anyway :) has no effect on the spammers.

    c) I get an average of about 3 or 4 spam signups a week & clear them out every few months - no biggie.

    ReplyDelete
  61. You are awesome! Your hacked accounts have bounced back to me, but luckily users have to activate the email, so I know they tried to get it, and are probably on my db, but not active. Keep up the awesome work! You save a lot of us a lot of work that most don't know how to do (going on the offensive against spammers)

    ReplyDelete
  62. RANDOM DIGILANTE = SPAMMER = IP BLOCKED LIST

    Congratulations, you idiot!!!!

    ReplyDelete
  63. Thanks for your help.

    ReplyDelete
  64. Hi.
    I got your email BUT I have no such user, no such email, no match on any part of the info you supplied, no record of any attempts at creating new users, accounts, comments or posts anywhere even remotely near the timestamp on your email. In fact, your email is the closest I have come to being spammed since installing CAPTCHA over 6 months ago.
    So ... Why/How did I get an email from you?
    Thanks

    ReplyDelete
  65. Anonymous: (why did you post anonymously? I mention many times that this will make sure I generally don't respond. *sigh*)

    If you send a new comment - which I won't publish - and include your email address and the email address from where you got my message, I can tell you what the username was that tried to register.

    rd

    ReplyDelete
  66. Thank you very much for this ideas :)

    ReplyDelete
  67. I had heard of XRumer, but thought my forum was redirected to the home page. Thanks again! Keep fighting the good fight.

    ReplyDelete
  68. Hey there, congrats on the good work. I also got one of your e-mails but I manually activate each and every new account. The spam on our french-czech community amounts to 2000 bogus accounts over 3 months, so that would be over 20 spam accounts per day. It's a pain in the a** to manually check the username/e-mail combination and see if they sound legit, but the moment I saw porn spam passed thru the lousy phpBB captcha, I decided to make the fight personal. Nevertheless, thanks for the interesting reading.

    ReplyDelete
  69. I got your email. As I manually approve all new registrants, my forum does not get spammed.

    However, I do get 20 to 30 new spam registrants every day, so anything that gives the spammers some hurt back is fine with me.

    ReplyDelete
  70. dear anonymous commenter who asks very detailed questions but provides no means for me to reply directly to you: help me out here. I can't reply to the detailed questions you are asking unless you provide me an email address - any email address - to send the answers to. I'm not publishing your comment. I want to provide you a far more specific answer because you are missing several key points about how to stop this activity completeley.

    rd

    ReplyDelete
  71. An interesting approach, thanks for what you are doing. I've been running my first forum for a little over a year now, and got my baptism by fire WRT forum spammers early on. I only received my first auto-responder message with your info today. We're pretty low volume for now, probably less than 10 a week, but I've noticed a growth trend. What I have been doing is requiring all new users to activate through a captcha block - but before they even get the activation message, I check the IP address (European, and Asian IPs = dead giveaway, all IPs are checked at stopforumspam.com), look for odd usernames, and examine gmail addresses with a microscope. If they fail any of my tests, they go into the ban list and are deleted. Borderline registrations get placed on a non-posting ban until they can convince us that they are real, but so far none have. So far it's worked for me, and is not very time consuming given our low volume. Keep it up, you are getting the word out and that is what it helping!

    ReplyDelete
  72. Hmm, I'm following this up with another message, because, if you have actually tried to "take over" emails at www.actionsoft.com, then STOP! I am a legitimate business who spams no one, and certainly doesn't ever spam anyone's forums. If you have taken over any part of my site, please know you have attacked a good person who has NOT SPAMMED ANYONE.

    ReplyDelete
  73. Okay, I re-read your latest email, and the newest wording is much better. Now that I've read your blog, I finally understand what the email is saying.

    Here's the deal: my forum at www.actionsoft.com/forums/ does indeed let anyone register easily, but it requires them to post in a special category, where they can only make one post, in order to get "approved". Forum admins then determine who the real humans are who want legitimate access to the forums, and "upgrade" them from newbie status (1 post only) to complete access. This approach has worked quite well.

    However, since a spammer can still register an account at my forums, apparently I will continue to get emails from you, every time you take over an email address from someone who tried to spam my forums. I guess, knowing that you're one of the good guys, I can put up with these emails... However, they are not helpful or necessary to me. There is no point for me to take the time to log into the forums and delete the account the spammer created, as it's a dead account anyway, and there are SO MANY spammers out there, this would be a waste of time with no point. As such, I could just set up a Mail rule to route emails to you to the trash can... I guess that's what I should do?

    P.S. I initially didn't click on your blog link, because I thought your emails were simply more spam... They appeared to be from someone who would likely try to sell me something -- try to sell me protection from having my forums hijacked. I know however that my forums are safe, therefore the "this account has been taken over!" message seemed like nonsense to me -- the type of thing a typical spammer would say. And I generally NEVER click on links in spam messages... I don't want to support them in any way. Just something to keep in mind.... your emails can easily be misunderstood and seem to be spam themselves.

    ReplyDelete
  74. Just one more note of clarification, to explain how I initially misunderstood your emails...

    "This email address was created solely to register automatically at thousands of forums for the purposes of spamming forums like yours."

    This statement made me think that you had somehow thought that *my website* (www.actionsoft.com) was spamming other forums, and therefore you were claiming to have taken over *my* email address. You've made this wording somewhat clearer in subsequent messages, by listing the email address of the true spammer, but I'm not sure it's still clear enough.

    ReplyDelete
  75. Vern:

    I will take your advice and revise it further. it's gone through many changes since last year.

    Thanks for comments

    rd

    ReplyDelete
  76. Thank you, Random- we've instituted a tighter system for approving new accounts on our website. & forum .
    You rock!

    ReplyDelete
  77. I also misunderstood your email at first. Now I've seen your blog, I'm very grateful for what you're doing. Pity vbulletin isn't paying attention to you and making their forum harder to spam.

    ReplyDelete
  78. Well, you are on slashdot.

    You should be getting lots of exposure now :)

    Keep up the good work!

    ReplyDelete
  79. Got any suggestions on blocking forum spammers other then Captcha and questions? They still seem to get through.

    I've blocked a few IP's on the server site with the .htacess

    Right now I manually approve each new forum member, its a pain but what else can I do?

    And my site was banned from Google Ads and ofcourse google doesnt say why, just that my site was a risk to their partners. All i can think of is that we block isps with our .htacess due to spamming.

    ReplyDelete
  80. I'd just like you to know that now that you have made yourself public, and I have evidence of you hijacking accounts on my forums (which caused NO END OF ISSUES,) that I'm about to find you, and press charges for unauthorized access of my resources, plus sue you.

    Your ability to spot spam accounts is extremely sub-par, and I got sued for you hijacking someone's e-mail account linked to one of my forums.

    Your incompetence and failure to use proper logical deduction and notifying appropriate authorities, fueled by your own vigilante attitude, has cost me money and I am coming after you to get compensation. I hope you've got enough to cover what I lost in my lawsuit, doubtful as it is, as I lost several hundred thousand dollars in clientele over your vigilantism. It also ended up defaming my character "This person snoops your e-mail accounts!"

    Son, you're about to learn a HARD lesson in why vigilantism isn't the way to do things. Minimum punishment will be sending you into bankruptcy, maximum will be jail time.
    I know who you are, I know where you live. Expect me, my lawyers, or the police. I haven't decided which method of ruining your life to use, yet.

    By the way, your captcha is weak. Try animated image files, vigilante 'script kiddie' without a clue.

    ReplyDelete
    Replies
    1. Posted "anonymously"
      Doesn't mention which forum he runs.
      I don't investigate any forums but my own (how could I? Where did I say I did this?)

      Also: this comment was posted in 2010. I hadn't followed up on this until 2016. I saw no lawsuit, and no attempt to contact me.

      This guy is a liar, and a coward.

      Sorry you got sued but I had nothing to do with it at all. That would be obvious to everybody, especially in a court of law.

      Random Digilante.

      Delete
  81. For those who think Random Digilante (RD) is spamming their servers/lists/forums, let me re-state what's going on.

    1) The spammer sets up a dummy email account to automate registrations.

    2) When the dummy email address attempts to register at forums operated by RD (his honeypots), he notes the offending eddress.

    3)In some cases, RD then accesses the dummy email account established by the spammer.

    4) He modifies the signature and autoresponder text on the dummy email account.

    5) You receive an autoreponder message from from the dummy email account that is signed by RD. This means a dummy email account received a message from your domain (e.g., a registration confirmation, a request for manual confirmation, a digest message, or a newsletter), forum, or mailing list. Some of these dummy accounts may be registered in forums that don't allow posts by some members, but that still gives the dummy account (and ultimately, the spammer) access to the content of the site.

    6) You may either A) ignore the autoresponder message, B) gripe about RD's actions and argue that you already have a manual confirmation process, or C) block the dummy eddress that generated the autoreponder and take other steps to improve your site's security. If your site auto-replies to the RD autoresponder, I can see how that would be a headache, because it would create a perpetual loop. [RD, do the autoresponders give you the option to have them reply only once to each eddress?]. The fact remains, however, that even if you have a manual registration process, your site/server can still receive multiple registration messages from the same dummy email account over a series of days, weeks, or months. Those recurring registration attemps are being generated by the spamming software, and not by RD.

    Now could RD have simply gone into the compromised dummy email accounts and closed them? Sure, but how would it have helped? The actions he chose (setting up the autoresponders) seem to have allowed him to raise awareness about this issue, and he provides sound advice for dealing with it.

    To reiterate in closing, if you are getting multiple autoresponder messages signed by RD, it is because your site is receiving messages or registration attempts generated by spamming software that is coming through a dummy email account. While you might not agree with his methods, I don't believe there's any reason to be angry with him. He's just making you aware that these junk accounts are trying to weasel their way in.

    ReplyDelete
  82. Unfortunately, the auto-response could be used as an attack too. If forum admins blacklist members based on this autoresponder, then think how easy it would be for someone to kick someone else off such a forum. All they need to do is spoof the auto-response from the rival member's email address. Perhaps what you need is a static page or something that lists email addresses you've taken over already. Then forum admins can tell if the email really came from an account you took over, or was spoofed by an imposter. There might be an even better solution, but that's all I can think of at the moment.

    ReplyDelete
  83. Interesting. I was working on starting a forum but put it off since almost every single member that joined was a bot.
    I do recommend you clarify that automated message, at least putting in a link to this page.

    ReplyDelete
  84. It's pretty ironic how poor the reading comprehension of so many of these forum administrators (that have made negative comments on this blog entry) is. You guys run discussion forums, right? With words? That you read? * sigh *

    Anyhow. Thanks for your efforts, digilante guy. It's nice to see someone caring and taking action amidst so much apathy.

    ReplyDelete
  85. Next step... rooting the fuckers and boning their systems.

    Or wait, is that just my train of thought. >=)

    ReplyDelete
  86. As an owner of several forums I know the problem of spammers all too well.

    Had no idea there was someone quietly helping me stem the tide of these scum, and for that I can't thank you enough.

    Keep up the excellent work.

    Cheers
    Ash

    ReplyDelete
  87. Thanks for your work. Although I do not own a forum, I appreciate it.

    I think it would be helpful if you made another post detailling what forum admins can do to make their forums safer - with an explanation why each setting helps.

    ReplyDelete
  88. Hello slashdot and free internet press readers.

    This was an unexpected large response.

    An anonymous commenter sent me many recommendations for revising the outbound auto-response message that is used for each account I overtake. He / she had this question:

    "if you have gained access to the spam accounts, and are so certain of their illegitmacy, why not just delete them?!
    I think I know the answer, but i think you should perhaps state it openly."

    The answer is: Because not all email providers allow an email account to be deleted, especially the Russian ones. (Mail.ru is the most commonly-used free email provider these spammers use. They probably do so for this reason.)

    Since that is the case, I knew that deletion was not always going to be possible.

    One commenter on slashdot also asked this question:

    "But isn't his method going to stop working once the spammers start creating more complex and unique passwords for their email accounts?"

    The answer to that is "not completely, no".

    Mail.ru, yandex.ru and many other non-north american free email providers don't allow for the same complexity of passwords as most forum software would allow. PHPBB is so far the most secure, allowing you to customize the password to be from 8 - 12 characters long, and it *MUST* contain uppercase, lowercase, numeric and punctuation. Both Yandex.ru and Mail.ru would fail on that one. Gmail would not. Yahoo might (I haven't tested all of these.)

    Another comment said this:

    "Forum spam is best solved with good forum software."

    Clearly this is not true at all. The majority of the forums I see these spammer hitting, they *are* using "good" forum software, but the operators of the majority of these forums are not being moderated properly by anybody, and they are FULL of these spammer postings. The spammers know this. This is the biggest reason I started this, to get the word out to these unresponsive forum operators. As the comments here show (and this doesn't include many hundreds of email conversations I have had with people who chose to comment here without being anonymous): many, many of them were finally woken up to how to secure their forums, something nobody else was informing them of previously.

    Forum spammers and "blackhat SEO" is the new "spam". It's a scummy way to "advertise" and it completely pisses off the online community at large. It's also used primarily to promote illegal activity or products. I figure it is better to do something about it instead of just letting it keep going. I think the recent debate on slashdot has at least brought that point forward.

    thx

    rd

    ReplyDelete
  89. Man, instead spending your time to play cop you should earn money or something... I bet you only get a very small percentage of spammers. Most will use proxies so you cant get them. And when you deleted their mailaccount it doesnt care them. Why should it? They would create a new account when they start new spamming. So I dont see why you think that would be a problem for them.
    The only chance to fight them is making the registering hard and unique! So unique that it doesnt make sense to change xrumer only for that one forum.
    That you didnt manage to do this and instead starting a war with nearly zero effect... I really dont understand you...

    ReplyDelete
  90. Anonymous posted a bunch of questions based on no understanding of what I'm doing

    "Man, instead spending your time to play cop you should earn money or
    something... I bet you only get a very small percentage of spammers."

    That is not true. I have causeed several (more than 15 so far) to stop doing this altogether, mostly from Ukraine.

    "Most will use proxies so you cant get them."

    huh?! Proxies have nothing to do with this.

    "They would create a
    new account when they start new spamming. So I dont see why you think
    that would be a problem for them."

    I know I'm a problem for them because in the past two years I've assisted just over a thousand forums in getting this activity completely off of their forums. Which was the point. I've also seen the number of forums which were successfully allowing these fake registrations drop from 70 thousand down to around 17 thousand.

    Some do what you say, yes. But many of them have quit.

    "The only chance to fight them is making the registering hard and
    unique! So unique that it doesnt make sense to change xrumer only for
    that one forum.
    That you didnt manage to do this and instead starting a war with
    nearly zero effect... I really dont understand you..."

    What war?

    You obviously don't read. I have done this. That is not why I keep doing this. I keep doing it because there are tons of very unskilled forum operators who don't know this! That was the whole point! They need to be made aware that they are part of the problem. My forum is no longer the issue: it's the tens of thousands of others who don't bother to use any security at all. Spreading the word has helped that a lot, and you can see this in most of the comments posted above.

    I'm not "playing a cop", and this has had way way more than "zero" effect. All of this takes very little time. I don't see what your problem is (aside from a lack of ability to read carefully.)

    rd

    ReplyDelete
  91. Thank you for this work. Just made me aware of an old wordpress Blog with hardly any Security on the signup. It might be a grey area, but please keep this work up!

    ReplyDelete
  92. I like your blog. However, the color contrast makes it very difficult to read. It will be easy on the reader if you change the colors.

    Nice article. Very useful. I got one of your emails. Thanks!

    ReplyDelete
  93. Thanks for the heads-up on the registrations. Not to worry though, my forums are set to require human approval of accounts. I have a set of criteria that weeds out 100% of the spammers: unless I know the registrant, the account request is approved, but locked into a no-permission 'spammer' group (no posting, no IM, no email). Saves the problem of spammers re-using the same accounts. It also lets me track re-visits per spammer. Nice email message though, glad to see I'm not the only one getting these idiots trying to spam my forums....

    ReplyDelete
  94. Thanks for the alert message. I mass delete all accounts that have auto registered on my forum, as it is by invitation only and I know who is going to apply to join because they have a real name and I (or another member known to me) know/s them. I can recognise their email address then manually approve their application. However, the deletions process is still a bit of a pain so I've made the application criteria more stringent. Thanks :)

    ReplyDelete
  95. To the anonymous poster who said
    "RANDOM DIGILANTE = SPAMMER = IP BLOCKED LIST"

    duh!

    RD is not emailing you. The autoreplies are coming from the email account the spammer set up. I'm not sure what IP you think you should block. If you have gotten more than one autoreply, then the spammer is probably registering at your site over and over with the same email address. I'm sure RD would be quite pleased if you blocked "his" email address, since it isn't his, IT'S THE SPAMMER'S! And if you block all emails from that originating IP address, which is likely a Russian free email address service, you'd block even more spammers, but you still wouldn't block RD, because IT'S NOT HIS EMAIL ACCOUNT.

    ReplyDelete
  96. THANKS FOR YOUR MAIL. You are right. I've never been attacked but it would be easy for a robot to register. I've blocked self-confirmation for the time being as I am planning top rewrite the site.

    I noticed a lot of details... you used my IP address & replied to my gmail directly.

    ReplyDelete
  97. It would be nice if the email you sent out says what web site you are referencing. I am the web host admin for about 300 web sites and from what you sent there is no way to tell what site you are talking about.

    ReplyDelete
  98. Just received one of your emails for the first time. Interesting approach, but you really need to specify some more information. The address you sent the email to is responsible for dozens of forums and other registrations systems, possibly hundreds. I have literally no clue which system you are talking about, and I certainly don't have time to go through all of them. Perhaps if you at least included the text of the email to which your bot is replying, that would help, or the email address from which the registration confirmation came.

    I also think the email could be more clearly worded to explain that it is not really *from* the From address. I had to read it several times to figure out what exactly was going on, and it was nearly deleted as spam itself. I think it will be lost on a lot of people for whom English is not their first language.

    ReplyDelete
  99. interesting I do not even run a forum.
    So you actually spammed my admin adress for the website. thanks alot. btw my passwors are generated with at least 12 keys. So I take this as spam. And if I read all comments here, I am not the only one

    ReplyDelete
  100. If your website is a wordpress, joomla or drupal site: you are still set up in such a way that you're still allowing first-step registrations to occur, meaning your password complexity is still not strong enough. That is still part of the problem.

    By the way: I don't choose the sites that receive these. The spammers do. I just set up the autoresponder. When they try to register at your site, and your site is still lax enough that it allows the (unapproved) account to get entered into your database, that still means that your site is a ripe target for these idiot spammers.

    Your site is very clearly one that is being used by XRumer spammers. This should still concern you.

    rd

    ReplyDelete
  101. Believe it or not, a lot of us already deal with forum spam.

    My forum does this painlessly and automatically, without me having to bother about it, or wade through lots of messages.

    I do not need to receive emails from you, telling me to delete accounts I have already dealt with.

    ReplyDelete
  102. Randomdigilante, thanks for the notification.

    ReplyDelete
  103. Cheers, dude. You are doing a great thing.

    Gaz

    ReplyDelete
  104. I turned automated registration off. My first board is titled "How to register" and basically says, "If you want to register send me an email at ...". Not one automated bot "new user registration" since.

    ReplyDelete
  105. I have read whole of the comments and I can;t figure out the remedy to block new registrars. Of course you can use admin's activated account but ... spammers can omitt it. Very simply. Also bot software are more intelligent than you think. Of course it is still programme but on the second side is also good admin.

    My board is closed for new people - but it is not very good for me :(

    War against spammers is very very difficult :(

    ReplyDelete
  106. Hi! Got your email today, at first I was a little sceptical (I've had so much spam recently, an unsolicited email from a spammer's email address was bound to make me wonder what was going on), but once I'd done a few google searches into what you do, I took a look around your site.
    I think it's great what you're doing, maybe there is hope for the human race yet!

    Joe, ML

    ReplyDelete
  107. If what you are doing is what the message received from you says, thank you.

    ReplyDelete
  108. << the only way to stop this activity is to manually approve new accounts. that mean don't let the user approve their account. they have to prove they are human by answering you specifically via an email from them to you, period. >> Apparently you have no idea what it's like to run a large web forum. What you describe is completely ludicrous. Imagine if gmail or yahoo ran their business that way, they would need to hire a room of 100 data entry clerks to keep up with the flood of requests.

    In my opinion it's YOU who is attacking my forum. I've had two cases of spammers in the last two years and they both lasted about 15 minutes. Most of my time dealing with the subject of spammers concerns disabling these stupid accounts you create on my site.

    Please take my site off your list. I don't need your help.

    ReplyDelete
  109. Another anonymous commenter:

    "Please take my site off your list. I don't need your help. "

    Why aren't you reading what I say?

    It's not MY "list". When you receive that message, it's because you are STILL allowing registrations with simple passwords, meaning that a confirmation email goes out. That's bad security. I have no control over what these spammers do, only what their email account does once I take it over.

    Why this doesn't concern you more is baffling.

    rd

    ReplyDelete
  110. While I can appreciate your efforts, your bot didn't check to see if my site has a forum at all. I don't have a forum on my site, or any other means for spammers to post anything on my site. The worst any spammer could do is buy something from me. And OMG how horrible would that be! ;)

    ReplyDelete
  111. Thanks so much for doing what you do. I wish there were more people like you that take action - fight fire with fire, I say! Kudos!

    ReplyDelete
  112. Some of us make our own decisions on how we wish to run our websites. As it stands, we don't have a spam problem with our settings, and if we do, we prefer to manually deal with that problem. How we run our website is none of your responsibility, yet you are attempting to make it. Now all that happens is I get one more spam email from your auto-responder telling me that you know better than I do. Policing the internet is not your job.

    I appreciate the sentiments, but disagree entirely with your approach.

    ReplyDelete
  113. Regardless of what people think of your methodology, the fact remains that if you were able to do this, others were or will be able to also. Thanks for bringing this to my attention. This falls squarely in the "squeaky wheel" category.

    ReplyDelete
  114. Gmail dumped your email into the Spam folder, which I find hilarious. Because, seriously, your email is more stupid than it is anything else. An email is not some key to anything, it's just a string of letters, and complaining about this shit just proves how stupid you are. I bet you bitch and moan and threaten whenever a bunch of bounce messages come through because some spammer decided to use your email address as filler. Piss into the wind, it'll be just as effective.

    ReplyDelete
  115. This seems to be the norm of any mass produced/installed web app.

    The spammers want volume, and tools like xrumer or autopligg are built for it.

    With some of the forums I operate, I've disabled the auto signup and have left a message to use a contact form and send preferred username/pass details.

    The best way to combat this, if you're in a position to, is have your own software created.

    It seems a number of sites have also had registration completed through a sort of light box layer. I probably have the terminology wrong - an example is registration at digg.

    ReplyDelete
  116. some one help i own a domain of which i just sent out a email update and christmas wishes etc and none of them got sent and i got some stupid spam letters back from this domain name, im not spamming im just using my forum for what it supposed to be used for...

    what do i need to do to fix this

    ReplyDelete
  117. "some one help i own a domain of which i just sent out a email update
    and christmas wishes etc and none of them got sent and i got some
    stupid spam letters back from this domain name, im not spamming im
    just using my forum for what it supposed to be used for...

    what do i need to do to fix this"

    You received the message because your forum allows accounts to auto-register themselves, making your forum a prime target for spammers.

    To stop it from continuing, delete any account which used the email address which responded with the alert message. (Why is this not obvious?) Also strongly consider reading up on securing your forum overall. Don't allow new registrations to confirm themselves.

    rd

    ReplyDelete
  118. On behalf of the Gilbert and Sullivan Society of Victoria, thank you for taking over spammers' email accounts. I came here in response to one of your vacation replies, and was wondering how it had been done. Keep up the good work! Thank you!

    ReplyDelete
  119. Just wanted to make an update on my situation.

    Had to add a new forum to upgrade to the latest one and decided to leave the old one to see what happens. So far every single spam bot has immediately jumped to the old forum and attempted to sign in there, leaving the new one clean. As an extra precaution, however, new members must post in a specified "guest" section of the forum to prove their humanity by asking us to approve their account.

    As I said, to this day we have not had a single spammer on our forums, and the old one keeps taking the heat. I still get messages sending me here once in a while from the old forum, and it lets me know I'm doing things the right way.

    Thanks again for providing this service that was desperately needed.

    ReplyDelete
  120. I got an email from you warning me about my site security and spammers. Thats cool BUT what the hell are you doing scouring forums for security flaws? dodgy you are me thinks. Otherwise give me a reason why you are doing this eh?

    ReplyDelete
  121. "Thats cool BUT what the hell are you doing scouring forums for security flaws? dodgy you are me thinks."

    Again: read what I wrote! I don't scour anything! Honestly you people, is it any wonder that your forums are overrun with spammers? You have no idea how to secure your forums, I set up a system that alerts you, and you fail to read any of it!

    My experiment ended a long time ago. Any new messages are from long-ago hijacked accounts.

    If the lot of you would just set your security settings to require a longer, more complex password, this would end. I've said this something like 30 times in these comments.

    As long as unskilled hobbyists are operating forums, they will continue to be overtaken by predominantly Russian or Ukrainian forum spammers. This doesn't appear to concern any of you. I don't know why none of you take it seriously. You are assisting criminals. I'm trying to alert you to that fact and you're inoring it.

    rd

    ReplyDelete
  122. So you are trying to "protect" people from spammers on their forums, while you yourself spam their inbox with your website. Ok, that makes sense. Spammer is spammer, regardless if you "think" what you are doing is right.

    ReplyDelete
  123. Random Digilante:
    I just received an auto-response too and I appreciate the effort you are undertaking. Every little bit helps, I always say. What really shocks me is the number of people here who are complaining AND are site administrators. Are there really that many clueless people out there? That's scary.
    Anyway, have you contacted any of the mail hosts for the hacked e-mail accounts? (like Google/Gmail, Yahoo, etc)? Just curious on what they can or cannot do.
    Thanks again and keep up the good work!

    ReplyDelete
  124. "What really shocks me is the number of people here who are complaining AND are site administrators. Are there really that many clueless people out there? That's scary."

    Yes there are, and yes it is.

    "Anyway, have you contacted any of the mail hosts for the hacked e-mail accounts? (like Google/Gmail, Yahoo, etc)?"

    I have contacted them previously, for years, and they did nothing, which is why I started this blog and this activity. Nobody was stopping any of this despite the fact it violates Gmail's, Yahoo's, Hotmail's, etc. terms of service, and none of the forum operators would ever respond. This blog and the auto-responders I've put in place have been the only things that got a successful result, even though it doesn't fix everything (obviously.)

    rd

    ReplyDelete
  125. GOOD KARMA FOR YOU AND YOUR FAMILY!!!!!
    THANKS FOR YOUR EFFORTS AND TIME TO DO THIS.
    ----

    SPAMMERS DESERVES TO BURN FOREVER IN HELL, THEIR SONS, FAMILY, AND THE SONS OF THEIR SONS OF THEIR SONS.

    ReplyDelete
  126. Thank you, good sir. There has always been the occasional spambot that registered, maybe one every few weeks, but over the last two or three weeks, I've been getting between 5-20 per day, and had no idea what to do about it. Just now I got your automated message, so I changed the password requirements and installed reCAPTCHA instead of just the regular captcha. Hopefully this helps. It's been a few hours now and there's been nothing, so that's already an improvement. Again, I say thank you my friend!

    ReplyDelete
  127. Secondly, the amount of people on here who seem to think that it's you creating spam accounts baffles me. I was a little confused when I read the email, but your site clearly explains that you aren't spamming sites, you're taking over the email accounts which spam sites. All you're doing is alerting administrators to flaws. No offense to these people, but if they cannot understand this fact, they shouldn't be running a website.

    ReplyDelete
  128. I'm not a forum owner, but I am a forum moderator and I am in charge of my forum's registration, because of these spammers. I got an email from one of the former spam accounts and I just wanted to say thank you for what you do. I now have a better understanding of what I'm up against and what I can do to fight it, because of your blog. Arigato gozaimasu, Digilante-san. ^ ^

    ReplyDelete
  129. Thx for you infos.

    ReplyDelete
  130. Thanks for information .. i owe you a beer ;-)

    ReplyDelete
  131. Thanks, i have been wanting to incorporate stopforumspam.com in a forum but the current phpBB modes are either huge or appallingly bad.
    I did a new simple a nicely implemented mod, just need to add a feature for it to automatically add ip's and emails to the ban list for caching, before i release it.
    So fare it is stopping about 40 registrations a day on my forum, and deleted 325 existing accounts. Lucally it has been extramly rare that a spammer managed to login and post any thing.

    ReplyDelete
  132. I just wanted to say thanks for what you're doing - it was a big help.

    Carlos

    ReplyDelete
  133. You are receiving this comment because your auto-responses are no better than spam, and I personally consider them the same.

    Highly-complex passwords of mixed case and different types of characters are not inherently more or less secure than easy-to-remember passwords. Requiring a complex password merely to attempt to stop automated registration is pointless, as all automatic-registration programs need to do is include a random password generator with "complex password" rules.

    Forums are supposed to be easy to register on. However, manual activation is a viable solution to the problem you pretend to be trying to fix. Users should not have to jump through hurdles in order to communicate with other denizens of the Internet.

    ReplyDelete
  134. Thanks RD, I appreciate you. I've already implemented many of your suggestions and will see how much they help. I had already been blocking large blocks of IP's in trouble areas like china.

    Zarggg, you're a jackass. Complaining about someone who's doing you a favor... what a bitch move. God fucking fobid you get something useful in your e-mail inbox for a change. More complex passwords are FAR more secure by their nature, whether or not it will stop automated registrations is definitely arguable though; I agree with you there. This guy is doing [us] admins a favor by rigging spammers e-mail accounts to notify forum admins of their fake registrations. Since the ISP's who let these spammers run rampant don't give a shit, this is a good help. While I agree it sucks to jump through hurdles to communicate, it's a necessary evil... kind of like e-mail itself in my opinion. Some forums take steps as simple as requiring you to not fill out any location or website info on initial registration, since the spam bots virtually always do this.

    ReplyDelete
  135. Thanks for doing this man!

    I got an email from opeookl032@aol.com and it said "Delete This Account! It Was Created By A Forum Spammer! -- This account was created solely to spam forums and blogs. Delete the forum account associated with this email address. -- Sincerely -- Random Digilante -- http://randomdigilante.blogspot.com/"

    My forum has gotten over 130 spam accounts, and as soon as i got this email, i checked my forum and all the accounts were gone! i banned the email address and checked the blog link and got to this.


    I would just like to say thank you for doing this for all of us forum owners.

    Sincerely, MeMan. (alternate username)

    Also, i'd maybe like to get in contact with you, PM me at my forum! http://clanct.forumup.us/

    ReplyDelete
  136. There is also one other way that helps out, simply change the validation email and break the link.
    Let the user copy and paste the registration line behind the first part of the url that you supply.
    Xrumer shall only follow the first part of the link, never copies the second part.
    The only thing you need to do is erasing accounts that are still in the validation area for more than a day.

    I also read something about adding a hidden password field that supposed to remain empty. The spambot adds information there, but humans can't see it, so they won't provide info there.

    ReplyDelete
  137. Interesting project, but I still don't get why you think password complexity has anything to do with it.

    Programs have no problem remembering complex passwords and from a quick check, it looks like the Russian sites encourage more complex passwords than most forums.

    ReplyDelete
  138. Password complexity is only one step of many. It's an important step though, because many (most?) of the forums these people spam have extremely low password complexity.

    The second part is not allowing automated self-completion of the registration of new members. This is why I put these notifications in place. It's been successful in terms of educating intermediate forum operators that they should take these steps.

    ReplyDelete
  139. Hey, i need help...

    Recently i have gotten 4 new spam accounts, 2 with sexual occupations and interests, one was named "Prostitute Samara". All 4 of them had encrypted websites and ICQ addresses.

    Anyway, same thing as last time, they left nothing in any of my boards... i have banned all 4 of them but am afraid that this will happen again.

    I have done everything except for make a more complicated password system, which i will do in a minute.


    Anyway, thanks, MeMan (Alternate username)

    ReplyDelete
  140. Doojer / MeMan: what do you mean "encrypted websites and ICQ"? Spammers are assholes, they'll definitely keep trying. Your porn spammer is not just targeting your site either. A quick google search pulls up several forums which are all overrun with forum spam.

    rd

    ReplyDelete
  141. Thanks for doing this Random Digilante. You are doing a great service. I just got one of those auto responder e-mails, which led me here. So, thank you. I will make the necessary adjustments to the forum.

    We have recently updated our forum and apparently, lost our spam MODs and/or some security features and didn't realize it until we started getting loads of spambots.

    I've been getting on average around 50 spam bots per day. Do you think it's good enough to require a 10 minimum character length for passwords that include letters and numbers? I really don't want to have to personally approve every new member. Our forum is small and I'm the only one doing it. I don't want to weed through 50 to 100 spambots a day.

    Anything to say about search engine “Bots”, “spiders” or “crawlers” ? I'm not sure if they're an issue or not.

    Would you please post your blog over at http://www.phpbb.com/community/index.php?sid=ece1d1d8b2bd59ad387d9e912ec97a31

    It sounds like they could use your help and experience.

    ReplyDelete
  142. I love the smell of toasted spammer in the morning. I like your style. All accounts on my web sites require approval to stop forum spammers.

    Recently I took over a spammers bot net, harvested lots of information and managed to have the issue get some high profile media attention.

    Check out krebsonsecurity dot com/2011/01/battling-the-zombie-web-site-armies/

    ReplyDelete
  143. RD,

    Thanks for your efforts in this area. I get more spam signups than real ones to my forum so any help is worthwhile. From an educational point of view this is a good idea too - judging from your comments, many forum owners don't fully understand the problem.

    Cheers, Roehampton

    ReplyDelete
  144. "Do you think it's good enough to require a 10 minimum character length for passwords that include letters and numbers?"

    Yes. At least until the spammers start adapting to that change.

    "I really don't want to have to personally approve every new member. Our forum is small and I'm the only one doing it. I don't want to weed through 50 to 100 spambots a day."

    The number of automated registrations that would get through the initial registration would be 1/100th of those that are attempting. I've assisted dozens of forum operators with this process and they all said it was vastly easier to manually approve the new members one the more complex password requirements were in place.

    If you're currently seeing 100+ forum spammers registering to your forum every day, you'll end up with 1 or 2 genuine ones per day once you make this password requirement more stringent.

    I'll take a look at the phpbb forum you posted.

    rd

    ReplyDelete
  145. "10 minimum character length for passwords that include letters and numbers"

    It didn't work for me. Spam bots still got through. Maybe I'll raise the stakes to 12 or 15?

    Would asking a question like "what's the first letter in the word..." work?

    Or that other thing I've seen that asks you to type in the two random words? They would both have to be installed from outside.

    Do you have any recommended links for those types of things to install on a phpbb forum?

    Preventing Spam
    http://www.phpbb.com/community/viewtopic.php?f=46&t=1861645

    Maybe the above phpbb forum creators would work with you to help create a new MOD against these spam bots?

    My phpbb forum is free so, I don't think it has all the same new registration verification options. At least not that I'm aware of. I switched over to admin activation for new accounts and I was getting all the spam bot e-mails asking to be activated. I had to delete them too, which was even more work than just deleting them at the forum. I get almost all of them using the "Baker Island time zone" - that's my indicator that it's a bot.

    ReplyDelete
  146. "It didn't work for me. Spam bots still got through. Maybe I'll raise the stakes to 12 or 15?"

    It won't stop *all* of them. (I never said it would.)

    I recommend from 9 - 12 characters, and it must have uppercase, lowercase, numeric and punctuation. That has solved it for most of the forum operators I've assisted. That plus don't allow them to self-confirm. Make it manual. That's what shuts the activity down further.

    rd

    ReplyDelete
  147. Hey, RD,

    You got a false positive on my site (from barbarasava AT aol DOT com). That spammer didn't make it in.

    The way I've successfully kept out all spammers for the last two months was by adding a step in the registration process where they had to add together randomly generated Roman and alphanumeric figures.

    e.g. 2 + VI =

    Since I put that in, none have managed to get in.

    ReplyDelete
  148. Not a bad option either. I'm glad it was a false positive (and again: apologies, I can't control when the spammer runs his XRumer attack, which is what causes the auto-responder if he gets through.) The issue still remains though: your forum is still triggering an email to the spammer. That's why you get the reply from that aol account. You may want to investigate the criteria that triggers the message to the new registrant in the first place. This is the goal of this experiment.

    rd

    ReplyDelete
  149. Hey RD,

    I'm glad I got your email. Had about 20 bot accounts in there, half of them actually posted something. The user had been registered on a forum that isn't even actively used anymore, so I disabled registration completely for the time being.

    I noticed an increased bot activity within the last months on another forum on the same server as well. There's a script running asking the user things about the board (e.g. "What's the name of this organisation?", "Where are we located?" etc.) before they can register and it sends me a message everytime a user fails the test. Oh and I still aprove them manually.

    Keep it up and many thanks!
    bl

    ReplyDelete
  150. As has been stated before, a more complex password will not help since it is trivial to write a complex password generation algorithm. As a matter of fact none of your suggestions seem to be able to reduce the administrative work load of dealing with forum spam. Having to manually accept accounts is more work than deleting the few that get through.

    But all this is moot, since someone has already solved this problem: stopforumspam.com has phpBBS mods that have entirely eliminated spam registrations on my forum.

    Unfortunately, a problem that was entirely solved has morphed into a problem of getting spam email from this account.

    ReplyDelete
  151. I got an email notifier too. Thanks so much, sir. You're a credit to the interwebs.

    ReplyDelete
  152. Uh...I don't run any forums. Why did I get this?

    ReplyDelete
  153. Anonymous (again! If you ask a question, provide a contact email. I won't publish your comment!)

    "Uh...I don't run any forums. Why did I get this?"

    Well you must run something: blog? email list? something else? The account that sent you the auto-responder was created solely to spam whatever property you do run.

    Comment again with an email address I can reach you at and provide me the email address that sent you the auto-response. I can't help you unless you tell me how to contact you.

    rd

    ReplyDelete
  154. Dude,

    Nice work. Thanks for doing this - it is greatly appreciated. :)

    Matt

    ReplyDelete
  155. Your registration was blocked by "Stop Forum Spam". Apparently many people don't think this service is helpful. You didn't get through and you never could have posted.

    http://www.stopforumspam.com/search?q=webmaster%40ilovethevault.com

    ReplyDelete
  156. got your email. and i had hundred of new user every day. I relish its software. your suggestions seem to be able to reduce the forum spam. for few day but it's increasing again. i think some how the spammer manage to to deal with this. my last effort is to manually approve new user

    ReplyDelete
  157. Thank you. I have deleted an entire forum, which I have not used anyway.

    ReplyDelete
  158. "You didn't get through and you never could have posted."

    That is actually not true. Just because the address and IP address are prsent in StopForumSpam does *not* mean these accounts don't regularly get accepted by thousands of forums. They most certainly do. Do a google search on that email address or any other that you receive the auto-response from. Here is only one example based on the email address you referenced. He was able to register no problem.

    In your case, maybe not, in which case: excellent. But as you can see, the operators of these thousands of others usually have absolutely no idea what StopForumSpam even is, or that it exists at all. They are the real problem.

    Slowly but surely it is these forum moderators I'm beginning to get through to.

    rd

    ReplyDelete
  159. ugh, nice idea but you create more spam trying to kill it. I have my forums set to manually approve new users, always have, always will.. When someone tries to register they are sent an auto email telling them what needs to be done to complete their registration (emailing me, and waiting for me to manually approve their account) that email telling them what they have to do for me to approve them then gets your auto responder. Highly annoying, and actually worse then spammers because I take no manual action on spammers, they are stopped automatically with zero time spent. Your auto response however takes time out of my day to delete.

    If you want to be the hero, then do it.. monitor all these email accounts you have owned manually, and send your spam notifying message manually. Don't force security conscious forum admins to waste more time deleting YOUR spam. This can be easily accomplished with a single Gmail account set to check and download all your owned spam accounts, label, parse for a CONFIRMED registered account, and auto send it to your main email. Then you can forward that, with your message to the forum admin. This would stop the issues of false positives, and give the forum admin more and much needed information on the spam account in question.

    Smarten up, or fade away.. your choice. If I receive another of your spam messages I will report you to your isp, your blog to your host, and the data within to the authorities. You have already posted enough information here (logged and archived so don't bother removing it) combined with server logs, and emails sent/received to have federal charges brought against you. I repeat.. smarten up, or fade away.

    ReplyDelete
  160. Yours is the first piece of spam we have ever appreciated, and thanks to your advice we have locked the forum down nicely.

    Regards,
    Colin Palfrey

    ReplyDelete
  161. Your email came at a good time, when my forum had been under a huge spam attack in recent weeks. I was deleting dozens everyday. I set the preferences to require new members to get their first post approved, then subsequent posts would not require approval, but I still had to delete 50-60 bogus accounts every day. On your advice, all new accounts have to be approved by me and it is easy to spot the real ones amongst fake ones, which have weird randomised names. All I do now is just deleted these requests for activation in my email inbox. Much quicker and easier.

    Here is keeping our forums spam-free.

    Christine Parker

    P.S. Just out of interest: I run an old perl based forum (the original script by Matt Wright) and we rarely get spam any more. Spammers seem to prefer php based forums.

    ReplyDelete
  162. I've gotten quite a few of your "Delete This Account! It Was Created By A Forum Spammer!" messages. At least they no longer lecture me on how to avoid spambot registrations--it seems you've shortened the message text.

    It seems your bot would be of more service if it only sent these messages when it actually got an account activated. So far, that's ZERO times on my forum, but I keep getting these messages.

    Jack

    ReplyDelete
  163. Jack Rogers: You probably got the shorter message because it was an AOL account.

    Also the point is not only to stop the accounts from self-activating. By setting stronger password requirements, you stop the account from ever being created even partially. The triggered email means that the spammer still created an account on your system. That's wasteful and a time consuming thing to clean up. Why don't you simply increase the complexity of the password for any new users?

    rd

    ReplyDelete
  164. Thank you so much for this information! I've not received an e-mail yet but I'll be looking forward to the day I do. :D

    P.S. I use the Stop Forum Spam mod on my website and according to the log it produces it's stopped Xrumer at least twice. It doesn't solve all spam problems, but it has taken a serious bite out of it.

    ReplyDelete
  165. Hi Random Digilante,

    I've run a forum for well over 4 years now with little spam. Then there were a few that got through. So I did what I imagine most forum admins do, I deleted them and posted a topic about how I apologize that there were "spam" PM messages sent to the members, and spam on the forum.

    Little did I know, that was one of the BIGGEST mistakes I could have made. Watch this video which comes from an xrumer retail site, and pause it around 0:52. Look on the middle right where it says "Priority Categories - Do only post if these categories exist", and where he types "spam" into the box.

    From what I can tell, xrumer looks for, as you say above, certain posts to spam, and then spams the hell out of your forum if a post containing that word exists. Since I've deleted the word "spam" from from EVERY page of my site, I've yet to be spammed again.

    So my word of advise to all forum admins, be careful what words you allow on your pages. Use the word censoring features of your forum software to change words like "spam", "spammer", or "hacked" to something like "$p@m" or "h@c%ed", or just remove the word all together. Having that word there is telling the spammers that your site is already vulnerable, because your already getting hit (which is why you or other members are posting about it).

    That's my two cents so far, and thanks, Random Digilante, for spamming my forum (as odd as that sounds). Reading this blog has taught me a few things, and alerted me to what these @$$holes are using, and how they are using it to spam us.

    On a side note, I would like to get a hold of a full version of that xrumer, to look at how it works a bit closer in a closed network. The demo version is too locked to learn much from. If anyone is willing to share a copy, please email me at my user name at h0t m@il _ com.

    Thanks,
    ElectricSquid

    ReplyDelete
  166. thank you for your informative posting ElectricSquid.

    I published your comment knowing that you included a link to xrumerlabs. I would like for their referring links to include this blog.

    The operators of xrumer generally are very unskilled and they often include forums whose sole purpose is to investigat and shut down forum spammers. it's the stupidest thing i've ever seen. But what do we expect from stupid spammers anyway.

    rd

    ReplyDelete
  167. ElectricSquid a+ h0+m&amp;!l * c0mJuly 9, 2011 at 8:14 PM

    LOL, it's like a spammer trying to spam the StopForumSpam website's forum. Talk about stupid :P

    On a side note for any forum owner, get yourself a mod for your forum software that uses the StopForumSpam database to check new registering members IP address and email address upon registration. The mod for SMF forums adds the to the awaiting admin approval purgatory. PhpBB just flat out denies them.

    Also, remove ALL members with 0 posts that are over 60 days old. A lot of them could be sleeper spammer accounts, made by spammers that are smart enough to create accounts while their IP address is still valid (not on a blacklist). Then 2 months latter they come back and spam your members through PM's behind your back were you can't see what's happening.

    Remove these zero post members, and you'll see a lot of this action from them stop.

    ReplyDelete
  168. I love what you're doing.

    Spammers are scum who waste everyone's time. What you are doing takes the fight back to the spammers, without compromising the speech rights of others.

    You are doing it the right way; everyone else is fucking it up.

    And yes, I have nearly 25 years of internet use at this point, so I am speaking from a position of experience.

    ReplyDelete
  169. i've begun to take over entire forum spam campaigns which i know is having a further damagaing effect to these spammers efforts to over run every forum they come across. i started doing this several months ago and i've yet to see the "seo" effect this would have. But it is removing the content they hoped many search engines would start gobbling up. seo as far as i'm concerned is bogus. the only thing that works is genuine content and this blog is a pretty good example of this. try searching for digilante. there used to be thousands of records for this in google but now this blog is #1. That only took a few weeks and that was back in December 2011. to see the other side, try searching for "stupid forum spammer". You'll get a sprinkling of results of accounts my team and i have modified. those are now also coming up #1 in google. none of the SEO terms the spammers had put in place get the results this forum spamming was supposed to provide.

    forum spammers are stupid.

    rd

    ReplyDelete

If you want to comment in order to contact me, please be aware that I do not automatically publish any comments. You can provide me with your contact email and I will reply to you in private and not publish this information. If you're as sick of forum spammers as I am, you probably understand why I'm doing what I do. Thx. RD