GoFuckYourself.com - Adult Webmaster Forum


SykkBoy 09-29-2014 12:33 PM

Detecting XRumer
 
Our dating site has been getting hit pretty hard with profiles created by XRumer. I wouldn't care so much if they weren't so shitty ;-)

Is there a way to detect XRumer? I'd like to be able to autoblock as soon as we start seeing the profiles come in.

Ferus 09-29-2014 12:47 PM

Like most will say
Quote:

Take the time to create 15-20 Q/A and change them when the flood starts again.
No point in investing $XXXX, in a golden solution sold by security-pushers

SykkBoy 09-29-2014 12:57 PM

It looks like that's the way we'll be going, I was just hoping someone might have a decent blocking solution or detection solution so we can write our own blocker.

klinton 09-29-2014 01:25 PM

check out stopforumspam.org for latest XR IPs and used emails...

as someone above posted, the only efficient and smart way is to post some specific questions and answers... and change/modify them from time to time

Klen 09-29-2014 03:27 PM

Ferus' suggestion sounds quite fine to me; questions which can be answered by a human only usually do the trick

RazorSharpe 09-29-2014 03:53 PM

Quote:

Originally Posted by SykkBoy (Post 20238095)
Our dating site has been getting hit pretty hard with profiles created by XRumer. I wouldn't care so much if they weren't so shitty ;-)

Is there a way to detect XRumer? I'd like to be able to autoblock as soon as we start seeing the profiles come in.

The solution we use (not a dating site):

We create a hidden field named "email" and we generate the field name for the real email address on-the-fly. Most automated softwares will fill in the hidden field and won't know how to handle the real email field. The beauty of changing the field name per page load makes sure people can't just manually update their software. We use a combination of hash and time stamp. Works well for us ...
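A sketch of the scheme described in this post, added as an example and not RazorSharpe's actual code: a CSS-hidden decoy field named "email" plus a real field whose name is an HMAC of the page-load timestamp. The secret, the `ts` field, the `f_` prefix and the time limits are assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # assumption: server-side secret, never sent to clients
MAX_AGE = 3600                        # assumption: a served form stays valid for one hour
MIN_FILL_SECONDS = 3                  # assumption: a human needs a few seconds to fill it in


def field_name(issued_at: int) -> str:
    """Name of the real e-mail field for a form issued at `issued_at`."""
    mac = hmac.new(SECRET, str(issued_at).encode(), hashlib.sha256).hexdigest()
    return "f_" + mac[:16]


def render_form(now: int) -> str:
    """Signup form: decoy 'email' hidden by CSS, real field under a per-load name."""
    return (
        '<form method="post" action="/signup">\n'
        f'  <input type="hidden" name="ts" value="{now}">\n'
        '  <input type="text" name="email" style="display:none" tabindex="-1" autocomplete="off">\n'
        f'  <input type="email" name="{field_name(now)}" required>\n'
        '  <button>Join</button>\n'
        '</form>'
    )


def check_submission(form: dict, now: int):
    """Return (ok, reason_or_email) for a posted form."""
    if form.get("email"):                       # decoy filled in: automated poster
        return False, "honeypot filled"
    try:
        issued_at = int(form.get("ts", ""))
    except ValueError:
        return False, "bad timestamp"
    age = now - issued_at
    if age < MIN_FILL_SECONDS or age > MAX_AGE:
        return False, "form too fresh or expired"
    # The name is recomputed from ts, so a guessed or hard-coded name never matches.
    address = form.get(field_name(issued_at), "").strip()
    if not address:
        return False, "real field missing"
    return True, address
```

A captured `ts` and field-name pair can still be replayed until `MAX_AGE` passes, so the window should be kept short and rejected submissions logged by reason to see which check is catching the flood.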

sarettah 09-29-2014 04:21 PM

Quote:

Originally Posted by RazorSharpe (Post 20238259)
The solution we use (not a dating site):

We create a hidden field named "email" and we generate the field name for the real email address on-the-fly. Most automated softwares will fill in the hidden field and won't know how to handle the real email field. The beauty of changing the field name per page load makes sure people can't just manually update their software. We use a combination of hash and time stamp. Works well for us ...

That is quite a nice solution. Simple. Wish I had thought of that :thumbsup


_Richard_ 09-29-2014 04:27 PM

Quote:

Originally Posted by RazorSharpe (Post 20238259)
The solution we use (not a dating site):

We create a hidden field named "email" and we generate the field name for the real email address on-the-fly. Most automated softwares will fill in the hidden field and won't know how to handle the real email field. The beauty of changing the field name per page load makes sure people can't just manually update their software. We use a combination of hash and time stamp. Works well for us ...

:thumbsup:thumbsup

HerPimp 09-29-2014 05:45 PM

Captcha does not work, for a penny people will type it out. Only use Q/A and get creative.

AmeliaG 09-29-2014 07:17 PM

Quote:

Originally Posted by RazorSharpe (Post 20238259)
The solution we use (not a dating site):

We create a hidden field named "email" and we generate the field name for the real email address on-the-fly. Most automated softwares will fill in the hidden field and won't know how to handle the real email field. The beauty of changing the field name per page load makes sure people can't just manually update their software. We use a combination of hash and time stamp. Works well for us ...

Ooh, that is a nice elegant solution!

SDSimon 09-29-2014 07:26 PM

Quote:

Originally Posted by SykkBoy (Post 20238095)
Our dating site has been getting hit pretty hard with profiles created by XRumer. I wouldn't care so much if they weren't so shitty ;-)

Is there a way to detect XRumer? I'd like to be able to autoblock as soon as we start seeing the profiles come in.

Hi SykkBoy.
Would HTaccess work here?

>>>Winners WIN because they NEVER GIVE UP!<<<

freecartoonporn 09-29-2014 07:26 PM

Quote:

Originally Posted by RazorSharpe (Post 20238259)
The solution we use (not a dating site):

We create a hidden field named "email" and we generate the field name for the real email address on-the-fly. Most automated softwares will fill in the hidden field and won't know how to handle the real email field. The beauty of changing the field name per page load makes sure people can't just manually update their software. We use a combination of hash and time stamp. Works well for us ...

this :thumbsup

we used to do the hidden field technique but in a very simple way.
create a hidden field, name it email and check serverside.
if filled then it's a bot, else human.

but yours looks pretty interesting. there's one downside i can think of, which is that people have to retype email at every visit.

another way: use javascript to hide the field

RazorSharpe 09-29-2014 11:50 PM

Quote:

Originally Posted by freecartoonporn (Post 20238379)
this :thumbsup

we used to do the hidden field technique but in a very simple way.
create a hidden field, name it email and check serverside.
if filled then it's a bot, else human.

but yours looks pretty interesting. there's one downside i can think of, which is that people have to retype email at every visit.

another way: use javascript to hide the field

Well considering that this is a registration form, the user should essentially only be filling this form in once so "every visit" shouldn't really be an issue.

just a punk 09-30-2014 12:17 AM

Quote:

Originally Posted by RazorSharpe (Post 20238259)
We create a hidden field named "email" and we generate the field name for the real email address on-the-fly.

Yep. I've been using a similar method on my sites since 2003. BTW, another good solution is to encrypt your signup form with JavaScript. It will stop 99% of spambots that automatically search for forms on your webpages.

just a punk 09-30-2014 12:28 AM

Also you can generate a special token (using the visitor's IP for example) and set it as a cookie when your registration form is visited. Then just check it when the form is submitted. I was using this method a long time ago to protect against so-called referrer spoofing. AFAIK this method is still being used by many high-traffic websites like Pinterest.

Edit: Of course ANY protection can be compromised, but not by XRumer or regular spambots. One would need to create special software to bypass your protection. For example, this WP plugin of mine allows you to automatically pin post images to various pinboards including pinterest.com, sex.com and many others: http://www.cyberseo.net/xpinner/

:pimp
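The cookie token described in this post, as an added example that is not the poster's code: the server sets a signed, expiring value bound to the visitor's IP when it serves the form, then verifies it on submit. The secret, token layout and lifetime are assumptions; the IP addresses used in testing come from documentation ranges.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: server-side key, not from the thread
TOKEN_TTL = 1800                     # assumption: token valid for 30 minutes


def _mac(ip: str, issued_at: int) -> str:
    """HMAC over the visitor IP and issue time; cannot be forged without SECRET."""
    msg = f"{ip}|{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(ip: str, now: int) -> str:
    """Cookie value to set when the registration form is served."""
    return f"{now}.{_mac(ip, now)}"


def verify_token(cookie, ip: str, now: int) -> bool:
    """Check the cookie on form submission; False means no valid form visit."""
    if not cookie or "." not in cookie:
        return False                  # direct POST without loading the form
    ts_text, mac = cookie.split(".", 1)
    if not (ts_text.isascii() and ts_text.isdigit()):
        return False
    issued_at = int(ts_text)
    if not 0 <= now - issued_at <= TOKEN_TTL:
        return False                  # expired or dated in the future
    # Constant-time comparison of the presented MAC against the expected one.
    return hmac.compare_digest(mac.encode(), _mac(ip, issued_at).encode())
```

Binding to the IP also rejects real visitors whose address changes between loading and submitting the form (mobile networks, some proxies), so a failed check is better handled by re-serving the form than by blocking.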

freecartoonporn 09-30-2014 12:33 AM

Quote:

Originally Posted by CyberSEO (Post 20238465)
Yep. I've been using a similar method on my sites since 2003. BTW, another good solution is to encrypt your signup form with JavaScript. It will stop 99% of spambots that automatically search for forms on your webpages.

won't this stop people from joining if their javascript is disabled?

just a punk 09-30-2014 12:36 AM

Quote:

Originally Posted by freecartoonporn (Post 20238474)
won't this stop people from joining if their javascript is disabled?

Almost all sites now require JavaScript, so I don't see a problem with that. Even this board won't work as it should w/o JavaScript. Not to mention all these new responsive sites.

SykkBoy 09-30-2014 02:09 PM

Quote:

Originally Posted by RazorSharpe (Post 20238259)
The solution we use (not a dating site):

We create a hidden field named "email" and we generate the field name for the real email address on-the-fly. Most automated softwares will fill in the hidden field and won't know how to handle the real email field. The beauty of changing the field name per page load makes sure people can't just manually update their software. We use a combination of hash and time stamp. Works well for us ...

I like this, thanks

Also, going to test out the Q/A
captchas are pretty much useless and will just piss off actual users (although they're probably used to them by now)

we're also working with dynamic member area/login pages.

Klen 09-30-2014 02:13 PM

Quote:

Originally Posted by SykkBoy (Post 20239252)
I like this, thanks

Also, going to test out the Q/A
captchas are pretty much useless and will just piss off actual users (although they're probably used to them by now)

we're also working with dynamic member area/login pages.

Yeah, I get pissed every time I see the monstrosity known as re-captcha.


All times are GMT -7.