Stop xrumer from filling forms without having to use a captcha?

dsiomtw

Anyone have any tips for preventing xrumer from filling out forms, without having to unnecessarily irritate my users with a captcha?

I swear, xrumer is irritating as fuck
 


Just a basic registration form - name, email and select a password. Don't know why these dumb asses are targeting my site as they can't post or do anything, but this site obviously got on some list or something...
 
welcome to my nightmare, I finally gave up and added a captcha where the "user" has to say what 2 numbers added together equals (e.g. 22 +31 =??) to submit the form, which is one kind of Captcha that xrumer seems to have trouble with. Unfortunately, some of my dumber visitors have trouble with it too... ;)
 

^ This. Pretty much add a custom question to the end of your form.

"What is four plus 4?" 8
"What is Barack Obama's last name?"
"What is the color of a banana?"

Xrumer can't bust custom captchas unless the Xrumer user solves these one at a time, which 99.99% won't.
 
This is just off the top of my head and I'm not sure if it would actually work, but...

Add a new input field to your registration form, let's call this additional field "honeypot".

Hide it with CSS (display: none), so when humans submit the form this field will always be blank.

When Xrumer comes by, it will try to fill the field with something...then you know it's a bot and on the backend you can flag or automatically discard those registrations.
 
Yeah that is actually a good idea and it should work unless xrumer is smart enough to look for and ignore this kind of thing. I'll give it a try and report back.
 

If it does ignore it, you could take an additional step and in your html code keep the CSS normal. Then add some javascript that sets the display to none.

I thought of one more idea too. Instead of having a submit button like this:

<input type="submit" name="submit" value="Sign up!" />

Replace it with something like this:

<button onclick="document.formname.submit();">Sign Up!</button>
 
^ This. Pretty much add a custom question to the end of your form.

"What is four plus 4?" 8
"What is Barack Obama's last name?"
"What is the color of a banana?"

Xrumer can't bust custom captchas unless the Xrumer user solves these one at a time, which 99.99% won't.

Slightly off topic...

The best (and simultaneously most tedious) one of those variants I've seen was for turntable.fm registration (not a forum) where you had to answer the question: "who would win in a wrestling match, Lemmy or God?" and then embedded the youtube video below. You passed if you acknowledged it was in fact a trick question with the phrase "Lemmy is God"

Who'd win in a wrestling match, Lemmy or God? - YouTube: http://www.youtube.com/watch?v=PLkPuu2PAzM
 
Actually the above idea with the javascript button wouldn't work, because xrumer doesn't need a submit button. It just sends a POST to whatever is in the "action" attribute of your form. So, now I have one more idea:

In your default code, set the form "action" attribute to some honeypot page. Then in the username form field, add an "onclick" attribute that changes the "action" attribute to the correct URL. Only humans would trigger the "onclick" attribute and thus the form would submit correctly. Bots would read your code and try submitting the form to the honeypot location.

Combine this with the CSS thing I guess.
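The action swap described in this post, as an added example that is not part of the original thread. The paths `/signup-trap` and `/signup`, the function names and the stub form are assumptions; it also goes beyond the post by arming on keyboard focus and key presses, not only on a click.

```javascript
// Added example; DECOY_ACTION and REAL_ACTION are assumed paths.
const DECOY_ACTION = "/signup-trap"; // the action written into the served HTML
const REAL_ACTION = "/signup";       // only ever set by script after interaction

// The post uses onclick on one field; focusin and keydown are added here so
// people who Tab into the form or press Enter are armed as well.
const HUMAN_EVENTS = ["pointerdown", "focusin", "keydown"];

function armForm(form, realAction = REAL_ACTION) {
  const arm = () => {
    form.setAttribute("action", realAction);
    HUMAN_EVENTS.forEach((ev) => form.removeEventListener(ev, arm));
  };
  HUMAN_EVENTS.forEach((ev) => form.addEventListener(ev, arm));
  return form;
}

// Server side: decide by the path a POST arrived on.
function classifyPost(path) {
  if (path === REAL_ACTION) return "process";
  if (path === DECOY_ACTION) return "discard"; // action was read from the HTML
  return "not-found";
}

// Constructed stand-in for a DOM form so the logic also runs outside a browser.
function makeStubForm(action) {
  const attrs = { action };
  const handlers = {};
  return {
    getAttribute: (k) => attrs[k],
    setAttribute: (k, v) => { attrs[k] = v; },
    addEventListener: (ev, fn) => { (handlers[ev] = handlers[ev] || []).push(fn); },
    removeEventListener: (ev, fn) => {
      handlers[ev] = (handlers[ev] || []).filter((h) => h !== fn);
    },
    dispatch: (ev) => (handlers[ev] || []).slice().forEach((fn) => fn()),
  };
}

// In a page: armForm(document.forms.formname);
```

Visitors with scripting disabled will post to the decoy path, so its response should tell a person to enable JavaScript rather than silently drop the request.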
 
Fucking Xrumer. I'm having the same problem as well. I'm having this problem with my reviews area. Thing is, Xrumer always tries to post the form without setting any star values. So I just check for stars=0 and then I don't post the form. I've stopped the spam from appearing to my regular users; what I'm concerned about is the fact that my site is constantly being hit by Xrumer. Before I blocked Xrumer from posting I logged some of the IPs it's using and they are all different. Anything I can do?
 
Will this work since it won't see the form statement in the html, or will it figure it out through the js?

in html
<script type="text/javascript">submit();</script>
<input type="submit" name="submit" />
</form>

in javascript
<script type="text/javascript">
function submit () {
document.write('<form action="process.php" method="post">')
}
</script>
 
It's a custom script? Just change the form names to gibberish and move on with your life. XR relies on "facts" like the page name & phrases on the page to realize where in the spam process it is. More importantly for you, it also relies on having the same input/select/textarea/etc names in record so it knows to put the password in the input field named 'password'. If password field was named 'j9wsdf', xr won't even guess.
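A server-side check that combines the hidden honeypot field suggested earlier in the thread with the gibberish field names from this post, as an added example that is not code from any poster. The wire names `q7xk2` and `m3vtz9`, the function names and the sample submissions are constructed; `ignoreme` and `j9wsdf` are taken from the posts.

```javascript
// Added example, not code from the thread. "ignoreme" and "j9wsdf" come from
// the posts; the other wire names are constructed.
const FIELD_NAMES = { name: "q7xk2", email: "m3vtz9", password: "j9wsdf" };
const HONEYPOT = "ignoreme";

// Render from the same map the validator reads, so the two cannot drift apart.
function renderForm(action) {
  const row = (label, type, wire) =>
    `<label>${label} <input type="${type}" name="${wire}"></label>`;
  return [
    `<form action="${action}" method="post">`,
    row("Name", "text", FIELD_NAMES.name),
    row("Email", "text", FIELD_NAMES.email),
    row("Password", "password", FIELD_NAMES.password),
    // Hidden with CSS as in the thread; display:none inputs are still submitted.
    `<input type="text" name="${HONEYPOT}" style="display:none" tabindex="-1" autocomplete="off">`,
    `<input type="submit" value="Sign up!">`,
    `</form>`,
  ].join("\n");
}

// body: parsed POST fields (wire name -> value). Returns a verdict object.
function screenRegistration(body) {
  if (String(body[HONEYPOT] ?? "").trim() !== "")
    return { accept: false, reason: "honeypot-filled" };
  const known = new Set([...Object.values(FIELD_NAMES), HONEYPOT]);
  const stray = Object.keys(body).filter((k) => !known.has(k));
  if (stray.length > 0) // e.g. a replayed template still posting "password"
    return { accept: false, reason: "unknown-fields:" + stray.join(",") };
  const fields = {};
  for (const [logical, wire] of Object.entries(FIELD_NAMES)) {
    const value = String(body[wire] ?? "");
    if (value.trim() === "") return { accept: false, reason: "missing:" + logical };
    fields[logical] = value;
  }
  return { accept: true, fields };
}

// Constructed sample submissions.
const HUMAN_POST = { q7xk2: "Ann", m3vtz9: "ann@example.org", j9wsdf: "s3cret!", ignoreme: "" };
const FILL_ALL_POST = { ...HUMAN_POST, ignoreme: "http://spam.example/" };
const REPLAYED_POST = { name: "x", email: "x@example.org", password: "x" };
```

The submit button carries no `name` attribute here, so a browser posts only the four known fields and the unknown-field check does not trip on real users.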
 
Just a quick follow-up, the simple solution is working for me so far. All I did was create a new field called something like ignoreme and hide it with CSS. If this field contains any data I toss the registration (actually it redirects to googlehammer just in case any of the xrumer users happens to check the redirect at some point).

LOL at the internet marketers hating on xrumer.

LOL at the retard who thinks you have to be a douchebag spammer to succeed online.