XRumer is a Windows blackhat SEO program that can register accounts and post forum spam with the aim of boosting search engine rankings. The program is able to bypass security techniques commonly used by many forums and blogs to deter automated spam, such as account registration, client detection, many forms of CAPTCHAs, and e-mail activation before posting. The program uses SOCKS and HTTP proxies in an attempt to make it more difficult for administrators to block posts by source IP, and features a proxy checking tool to verify the integrity and anonymity of the proxies used.
In addition, the software can avoid the suspicions of forum administrators by first registering to make a post in the form of a question which mentions the spam product ("Where can I get...?"), before registering another account to post a spam link which mentions the product. The side effect of these innocent-looking posts is that helpful forum visitors may search on a search engine (e.g. Google) for the product and themselves post a link to help out, thus bolstering the product's Google stats without falling afoul of forum posting policies. The software is also capable of avoiding detection by making posts in off-topic, spam and overflow sections of forums, thus attempting to keep its activities in high-activity, low-content areas of the targeted forum.

XRumer can post to blogs and guestbooks in addition to its main role as an automated forum posting tool. It can also create forum profiles complete with signatures, in an attempt to boost search engine rankings without alerting forum administrators with any off-topic forum posts. The software is also able to collect and answer the security questions (e.g. "What is 2+2?") often used by forums upon registration. Since the latest version of XRumer, the software is capable of collecting such security questions from multiple sources and is much more effective in defeating them.

Hrefer is also included. This software is used to automatically parse results from search engines including Google, Yahoo, Bing and Yandex for forums and blogs that can then be used as a target list for the main XRumer application. 

According to The Register, as of October 2014, XRumer can defeat the CAPTCHAs of Hotmail and Gmail. This enables the software to create accounts with these free email services, which are then used to register on the forums it posts to. XRumer posts slowly at first, to avoid the detection that unnaturally fast posting would trigger. Between 2009 and 2011 XRumer no longer recognized Hotmail and Gmail CAPTCHAs due to a change in CAPTCHA format, and users of XRumer could defeat such CAPTCHAs only by using external human CAPTCHA-solving services. By default, XRumer fills in every password field on a page, including those that are hidden. This has been discussed as a method of detection and blocking.
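
The hidden-password-field behaviour described above can be turned into a server-side check. The following is an added example, not code from the original page or from any forum engine; `SERVER_KEY`, the `pw_` field naming scheme and the function names are assumptions made for illustration, and the form bodies used to exercise it are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Per-deployment secret (assumption: generated once and kept server-side).
SERVER_KEY = secrets.token_bytes(32)


def decoy_name(session_id: str) -> str:
    """Derive a per-session name for the hidden decoy password field,
    so an automated poster cannot skip it by a fixed field name."""
    mac = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return "pw_" + mac[:12]


def render_form(session_id: str) -> str:
    """Registration form with one visible and one hidden password input."""
    return (
        '<form method="post" action="/register">\n'
        '  <input name="username">\n'
        '  <input type="password" name="password">\n'
        f'  <input type="password" name="{decoy_name(session_id)}"'
        ' style="display:none" tabindex="-1" autocomplete="off">\n'
        '  <button>Register</button>\n'
        '</form>'
    )


def classify(session_id: str, body: str) -> str:
    """Classify a urlencoded POST body for the given session.

    'ok'       - decoy present and empty, as a browser submits it
    'bot'      - decoy filled in (client populates every password field)
    'tampered' - decoy missing (form was rebuilt rather than rendered)
    """
    fields = parse_qs(body, keep_blank_values=True)
    decoy = decoy_name(session_id)
    if decoy not in fields:
        return "tampered"
    if any(value != "" for value in fields[decoy]):
        return "bot"
    return "ok"
```

Autofill can occasionally populate hidden inputs for real users, so a `bot` result is better routed to a moderation queue than silently discarded.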






Defenses

Webmasters of topical forums face an ongoing battle against XRumer software, users of which are almost always in violation of forum terms of service, and/or have no interest in the actual forum topic. The users of the software have created an entire industry whose sole purpose is to protect internet sites against users of XRumer. Forum administration against XRumer is often a constant, daily effort, which includes identifying new user accounts that are from XRumer users, deleting posts/threads created by the software, and deleting/disabling the user accounts.

There is a helpful resource, "www.stopforumspam.com", which references reports of forum spam by username and IP address. If a user/IP has appeared in the lists at stopforumspam.com, it is highly likely that it is a black-hat user of XRumer. A common defensive action by webmasters is to institute IP-based posting bans on entire class C ranges of IP addresses used by the spammers.
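
The class C (/24) range bans described above can be derived from a forum's own moderation records. The following is an added example, not code from the original page; the `REPORTS` data is constructed from documentation address ranges, and the threshold of three distinct hosts per range is an assumption to tune per site.

```python
import ipaddress
from collections import defaultdict

# Constructed moderation log: (source IP, account confirmed as spam?)
REPORTS = [
    ("203.0.113.7", True), ("203.0.113.19", True), ("203.0.113.200", True),
    ("198.51.100.4", True), ("198.51.100.4", True),  # one host, reported twice
    ("192.0.2.10", False), ("192.0.2.11", True),
]


def ranges_to_ban(reports, min_hosts=3, prefix=24):
    """Return the /prefix networks that contain at least min_hosts
    distinct confirmed-spam source addresses."""
    hosts = defaultdict(set)
    for ip, is_spam in reports:
        if is_spam:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            hosts[net].add(ip)  # a set, so repeat reports count once
    return sorted(net for net, seen in hosts.items() if len(seen) >= min_hosts)


def is_banned(ip, banned):
    """True if ip falls inside any banned network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in banned)
```

Counting distinct hosts rather than reports keeps one noisy address from banning 255 neighbours; a whole-range ban still blocks legitimate users who share the range.
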
The spam messages in a forum typically take the form of "link spam" which will often be included in the user profile, leaving the thread posted messages "clear" of apparent spam. Sophisticated spammers will copy posts from other areas of the site, giving the appearance of a valid, on-topic reply. The best clue that it is a spammer is that the links in the user profile are completely unrelated to the forum topic, and the posted messages, while seemingly within the general topic of the forum, will be non sequiturs and out of place within the topic thread. Alternatively, the spammers post generic "I am excited to begin posting and contributing here." messages that are content-neutral.
The damage caused to forums is classified in several areas: first and foremost, the admin time to clean the forum; second, the server bandwidth to accommodate the spam postings; third, the storage requirements at the forum server for the spam messages that are devoid of content; and fourth, but perhaps the most important, the lowering of the information-to-noise ratio of the forum, which diminishes the value of the forum, skewing usage/active user statistics used to determine advertising rates.


Automated e-mail account creation

As of the latest update to XRumer 7, the software is able to automatically register e-mail accounts on mail.ru (Russian IP addresses only) and Gmail. Support for creating e-mail accounts in an automated fashion on Hotmail and AOL has been completely removed. The technique employed by XRumer to bypass the CAPTCHA protection in Gmail and mail.ru is averaging. A captcha is a challenge-response test frequently used by internet services in order to verify that the user is actually a human rather than a computer program. Commonly, captchas are dynamically created images of random numbers and/or letters. These images are distorted in some way so that the human eye can still recognize them, with the goal of making automatic recognition impossible. Captchas are used, for example, by freemail services to prevent automatic creation of a huge number of email accounts, and to protect form submissions on blogs, forums and article directories from automation.
Averaging is a common method in physics to reduce noise in input data. The averaging attack can be used on image-based captchas if the following conditions are met:
  • The predominant distortion in the captcha is of noise-like nature.
  • It is possible to extract a series of different images with the same information encoded in them.
Averaging of a series of images can be used to improve image quality (reduce distortion, or improve signal-to-noise ratio, so to say) of captchas and hence to make them more easily recognizable by OCR (optical character recognition) systems.

This article is not about an especially clever way to defeat a captcha. Instead, what is exploited here is the fact that noise and payload behave differently on "reload". This allows them to be separated, and hence the captcha to be defeated, without the need for a sophisticated algorithm.
  
XRumer is trained to recognize new captchas 




Features List

  • XRumer is trained to process new types of engines
    • MyBB (new database with MyBB forums is stored in Links folder - LinksList id400.txt)
    • SLAED CMS
    • zenPHOTO
    • forumi.biz, forumb.biz, 1forum.biz, 7forum.biz etc
    • Amiro CMS
    • phpBB-fr.com, Solaris phpBB theme
    • shop-script
  • Significantly increased processing of SMF and phpBB3
  • Added new macros #trans...#notrans, increasing targeting several times
  • Login process was fixed
  • The error "GIF Circular table ..." was fixed. It appeared when an incorrect captcha picture was received
  • Increased the limit of attempts on annualized page (up to 28 attempts)
  • Software was trained to solve new DLE captcha
  • The possibilities of the #grabbed macro were extended. Now it's possible to use the same variables as in the #file_links macro (for example: #grabbed[S], #grabbed[N] and #grabbed[L])
  • The mode for logging the parsing time of each link was improved. This option is used to analyze and optimize a database. It can be enabled in the xuser.ini file with LogRuntime=1 in section [AdvOptions]. The gathered information about the time spent analyzing each link, timeouts, number of attempts to decode a captcha, etc. is stored in the file \Logs\LogRuntime id*.txt. The aim of this mode is to optimize the “narrowest” parts of the program’s code and to increase the final speed of posting.
  • Processing SMF engines was improved
  • Error "List index out of bounds" was fixed. This error appeared when the option “Load avatar at profile editing” was enabled but avatars were missing or damaged.
  • Increased the success rate on the SMF engine by decoding a special captcha from the topic creation / reply form
  • Increased % of generated links to RLinksList for SMF
  • The GIFImage bug from anticaptcha module was fixed
  • Decoding of the SMF_Rotate captcha was additionally improved
  • Error when saving/uploading options for “Antispam” mode was fixed
  • XRumer was trained on a new type of engine (shop-script.ru, example: cosmetic-pro.com.ua/product/opi-brights-nlb24-blue-my-mind-15-ml/reviews/). The software is also trained to decode the captcha from this type of engine.
  • Process of editing and saving of profiles on IPB, MyBB, SMF
  • Fixed a bug where a topic was created in a non-existing category while the “Post ONLY if these categories exist – otherwise skip” option was enabled. Now the topic will not be created if the category is not in the list of priority categories.
  • Improved information in the threads monitoring window; it’s now possible to receive more detailed information about each thread.
  • Trained for posting in Amiro CMS (100% bypass of JAVA – protection for auto-posting), example of engine: - everyday.wmsite.ru/gostevaja-kniga, trezvost-super.ru/comment, but for a better success rate it’s recommended to use the #gennick macro in the Nickname field of the project.
  • XRumer can now bypass latest JAVA protection of phpBB engine (Examples: phpBB-fr.com, Solaris phpBB theme)
  • improved algorithm for bypass of JAVA protections
  • fixed some important bugs in work with RLinksList – according to this success rate for using this mode is increased
  • increased quality of content parsing for “AntiSpam” module from SMF engine.
  • improved work with MyBB engine, increased success rate of profile creation in it.
  • to XRumer was added tool “convert links to index” from Hrefer - MakeToIndex.ini; it’s used in “Links post processing”, so rules of converting of links to index can be changed in external .ini file (same as in Hrefer)
  • To MakeToIndex.ini was added rule for MyBB engine
  • XRumer can bypass now captcha from zenPHOTO engine (footprints of this engine - "Powered by zenPHOTO" "Add a comment")
  • In mail processing settings was added button “Download mails immediately” and settings for session duration time.
  • Fixed bug with email downloading at usage of RLinksList - mode
  • logo of XRumer was changed
  • Improved the mechanism of collective learning of text CAPTCHAs, so according to our test, from version 7.07 of XRumer, the program will be collectively trained on up to 1000 new text CAPTCHAs daily, and accordingly the success rate will be higher with each day of usage.
  • New types of SMF engine captchas (with various fonts) were learned by XRumer OCR.
  • Fixed bug with creation of accounts on SLAED CMS engine.
  • Logging of the text CAPTCHA decoding process is temporarily turned on, to the Debug\TextCaptchas.txt file.
  • Improved the algorithm for decoding text CAPTCHAs
  • Added hidden option ProfileMeansSuccess=1 (in file xuser.ini, section [AdvOptions]), by default it’s ON – if a profile was created successfully, but there are not enough privileges for topic creation (on many forums it’s forbidden for freshly registered users), the link is added to the Success log with the comment “profile success created”
  • Fixed posting of UTF-8 content on engines which use UTF-8 or ISO-8859-1 encoding by default.
  • Now it’s possible selection of gender at profile editing, according to setting from Project.
  • For better index of profiles was implemented auto-prescription of birth date on the next day after registration: it is spelled out in xas.txt special macros [DAY_TOMORROW] and [MONTH_TOMORROW]
  • Memory leaks in several modules of XRumer are fixed
  • Creation of links to the profile is corrected
  • Added the possibility to disable the rating system for proxy / socks (option "Enable rating system *" in the proxy settings - through menu)
  • Bug with leak of memory in interface was fixed
  • “Postprocessing” tool improved to convert links with multiple "/./" into a normal URL
  • List of User Agents was corrected (x_user_agent.txt)
  • Algorithm of captcha decoding for phpBB3 was improved
  • Bug with creation of RLinksList database was fixed
  • Improved logic of registration and logging on VBulletin
  • The restriction on the number of rows in the list of resources when training the textual CAPTCHA module was removed.
  • During training on a new textual captcha, a service log is created for debugging - Debug\TextCaptchasLearn.txt
  • In the settings for email download, a new option was added: “to not reduce number of threads at email downloading”
  • For the #trans macro, the "domain zone - language" mapping can be set up through the external file Translate\ZoneLanguages.txt. Please report all bugs found.
  • Fixed bug with the cache of file content for the #file macro. If a new result for the link is needed each time, it’s necessary to add the following line to xuser.ini: URLLOAD_CASHTIME=0, and the syntax of the macro should be: #file="http://your_domainyour_page.php?rnd=#random[100000000..999999999]"

    ATTENTION : This can significantly reduce speed of posting!