Monday 25 November 2013

XRumer

XRumer is a search engine
optimization program, created by
BotmasterLabs, that is able to
successfully register and post to
forums (forum spam) with the aim
of boosting search engine rankings.

The program is able to bypass
security techniques commonly used
by many forums and blogs to deter
automated spam, such as account
registration, client detection, many
forms of CAPTCHAs, and e-mail
activation before posting. The
program utilises SOCKS and HTTP
proxies in an attempt to make it
more difficult for administrators to
block posts by source IP and
features a proxy checking tool to
verify the integrity and anonymity
of the proxies used.

In addition, the software can avoid
the suspicions of forum
administrators by first registering to
make a post in the form of a
question which mentions the spam
product ("Where can I get...?"),
before registering another account
to post a spam link which mentions
the product. The side effect of
these innocent-looking posts is
that helpful forum visitors may
search on a search engine (e.g.
Google) for the product and
themselves post a link to help out,
thus bolstering the product's
Google ranking without falling afoul
of forum posting policies. The
software is also capable of avoiding
detection by making posts in off-
topic, spam and overflow sections
of forums, thus attempting to keep
its activities in high-activity,
low-content areas of the targeted
forum. However, other platforms are
also used for spamming, including
website comments.

Method of operation
XRumer is capable of posting to
blogs and guestbooks in addition to
its main role as an automated forum
posting tool. It can also create
forum profiles complete with
signature in an attempt to avoid
alerting forum administrators with
any off-topic forum posts. The
software is also able to gather and
decipher security questions (e.g.
"What is 2+2?") often used by
forums upon registration. As of the
latest version of XRumer, the
software is capable of collecting
such security questions from
multiple sources and is much more
effective in defeating them.

A helper program, Hrefer, is also
included. This software is used to
automatically parse results from
search engines including Google,
Yahoo, Bing and Yandex for forums
and blogs that can then be used as
a target list for the main XRumer
application.

According to The Register, as of
October 2008, XRumer can defeat
captchas of Hotmail and Gmail. This
enables the software to create
accounts with these free email
services, which are used to register
in forums that it posts to. [1]
XRumer also posts slowly initially,
in an attempt to avoid being
detected through unnaturally fast
posting. Between 2009 and 2011
XRumer no longer recognized Hotmail
and Gmail captchas due to a change
in captcha format. Users of XRumer
could only defeat such captchas by
utilizing external human captcha
services.

Defenses
Webmasters of topical forums face
an ongoing battle against XRumer
software, users of which are almost
always in violation of forum terms
of service, and/or have no interest
in the actual forum topic. The users
of the software have given rise to
an entire industry whose sole
purpose is to protect internet sites
against users of XRumer. Forum
administration against XRumer is
often a constant, daily effort,
which includes identifying new user
accounts that are from XRumer
users, deleting posts/threads
created by the software, and
deleting/disabling the user
accounts.

The easiest method to defeat
XRumer is to simply require the first
post of any new forum member or
blog poster to be approved before it
can appear.

There are several helpful resources
that help block forum spam, notably
Stop Forum Spam,
"www.keypic.com" and
"www.botscout.com", both of which
reference reports of forum spam by
username and IP address. If a user/
IP has appeared in the lists of
either of those sites, it is highly
likely that it is a black-hat user of
XRumer. A common defensive action
by webmasters is to institute IP-
based posting bans on entire class
C ranges of IP addresses used by
the spammers.

The spam messages in a forum
typically take the form of "link
spam" which will often be included
in older topics and private messages
(PMs), leaving the newer threads
and posted messages "clear" of
apparent spam. Sophisticated
spammers will copy posts from
other areas of the site, giving the
appearance of a valid, on-topic
reply. The best clue that it is a
spammer is that the links in the
user profile are completely
unrelated to the forum topic, and
the posted messages, while
seemingly within the general topic
of the forum, will be non-sequiturs
and out-of-place within the topic
thread. Alternatively, the spammers
post generic "I am excited to begin
posting and contributing here."
messages that are content-neutral.

The damage caused to forums is
classified in several areas: first and
foremost, the admin time to clean
the forum; second, the server
bandwidth to accommodate the
spam postings; third, the storage
requirements at the forum server for
the spam messages that are devoid
of content; fourth, the alienation
and irritation about seeing spam by
the forum community; fifth, the
offense to innocent forum members
if their posts are mistaken as spam
or their accounts suspended in
error for suspected spamming; and
sixth, but perhaps the most
important, the lowering of the
information-to-noise ratio of the
forum, which diminishes the value
of the forum, skewing usage/active
user statistics used to determine
advertising rates.
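
The defenses described in this section (first-post approval, lookups of reported usernames and IPs, class C range bans, and the profile-link and old-topic clues) can be combined into one triage step. The following is an added example, not code from any forum package or from the sites named above; the field names, keyword list, 180-day cut-off and all sample values are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample data: documentation IP ranges and made-up names.
REPORTED_IPS = {"203.0.113.45"}
REPORTED_NAMES = {"cheap_pills_2013"}
BANNED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # "class C" ban
FORUM_KEYWORDS = {"aquarium", "fish", "tank"}  # hypothetical topical forum
STALE_THREAD = timedelta(days=180)             # assumed cut-off for "older topics"
LINK = re.compile(r"https?://\S+", re.I)


def triage_post(post, account, now):
    """Return (decision, reasons); decision is 'reject', 'hold' or 'publish'."""
    ip = ipaddress.ip_address(account["ip"])
    if any(ip in net for net in BANNED_RANGES):
        return "reject", ["source IP is inside a banned /24 range"]
    reasons = []
    if account["ip"] in REPORTED_IPS or account["name"].lower() in REPORTED_NAMES:
        reasons.append("username or IP appears in spam reports")
    if account["approved_posts"] == 0:
        reasons.append("first post of a new member needs approval")
    profile = f'{account.get("signature", "")} {account.get("homepage", "")}'.lower()
    if LINK.search(profile) and not any(k in profile for k in FORUM_KEYWORDS):
        reasons.append("profile links unrelated to the forum topic")
    if LINK.search(post["body"]) and now - post["thread_last_activity"] > STALE_THREAD:
        reasons.append("link posted into an old topic")
    return ("hold" if reasons else "publish"), reasons


if __name__ == "__main__":
    now = datetime(2013, 11, 25)
    newcomer = {"name": "Cheap_Pills_2013", "ip": "203.0.113.45", "approved_posts": 0,
                "signature": "Best deals http://pills.example/buy"}
    post = {"body": "Great thread! See http://pills.example/buy",
            "thread_last_activity": datetime(2012, 1, 3)}
    print(triage_post(post, newcomer, now))
```

Held posts go to a moderator rather than being deleted outright, which limits the harm to innocent members whose posts are mistaken for spam.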

Automated e-mail account creation
As of the latest update to XRumer
7, the software is able to
automatically register e-mail
accounts on mail.ru (Russian IP
addresses only) and Gmail. Support
for creating e-mail accounts in an
automated fashion on Hotmail and
AOL has been completely removed.

The technique employed by XRumer
to bypass the CAPTCHA protection
in Gmail and mail.ru is averaging. A
captcha is a challenge-response
test frequently used by internet
services in order to verify that the
user is actually a human rather than
a computer program. Commonly,
captchas are dynamically created
images of random numbers and/or
letters. These images are distorted
in some way so that the human eye
can still recognize them, with the
goal of making automatic
recognition impossible. Captchas
are used by freemail services to
prevent automatic creation of a
huge number of email accounts and
to protect against automatic form
submissions on blogs, forums and
article directories. As of November
2012, XRumer has once again
cracked reCAPTCHA, and is able to
successfully post to forums/blogs
that use it.

Averaging is a common method in
physics to reduce noise in input
data. The averaging attack can be
used on image-based captchas if
the following conditions are met:

- The predominant distortion in the
  captcha is of noise-like nature.
- It is possible to extract a series of
  different images with the same
  information encoded in them.

Averaging of a series of images can
be used to improve image quality
(reduce distortion, or improve
signal-to-noise ratio, so to say) of
captchas and hence to make them
more easily recognizable by OCR
(optical character recognition)
systems.

The fact that noise and payload
behave differently on "reload" is
exploited. This allows the program
to separate them and hence defeat
the captcha without the need for a
sophisticated algorithm.
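
The second condition above is the one a site operator controls: if a reload never yields another image of the same answer, there is no series to average. The following is an added example of a server-side challenge store built on that idea, not code from any captcha product; the class and method names are hypothetical, and image rendering is left out.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


class CaptchaStore:
    """In-memory challenge store (hypothetical; a forum would use its session store)."""

    def __init__(self, length=6):
        self.length = length
        self._pending = {}       # token -> expected answer
        self._rendered = set()   # tokens whose image has already been served

    def issue(self):
        """Create a challenge with a fresh random answer and an opaque token."""
        token = secrets.token_urlsafe(16)
        self._pending[token] = "".join(
            secrets.choice(ALPHABET) for _ in range(self.length))
        return token

    def text_for_render(self, token):
        """Text for the image renderer, handed out once per token.

        A second fetch returns None, so the same answer is never drawn
        again with different noise.
        """
        if token in self._rendered or token not in self._pending:
            return None
        self._rendered.add(token)
        return self._pending[token]

    def reload(self, token):
        """A 'reload' discards the old answer and issues an unrelated one."""
        self._pending.pop(token, None)
        self._rendered.discard(token)
        return self.issue()

    def verify(self, token, guess):
        """Single use: the token is consumed whether or not the guess is right."""
        expected = self._pending.pop(token, None)
        self._rendered.discard(token)
        if expected is None:
            return False
        return secrets.compare_digest(expected.encode(), guess.upper().encode())
```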

Source: Wikipedia
