vBulletin forums hit by reCAPTCHA cracking spam bot

12 Jan 2011

Since the holidays ended, security vendors have been happily telling me that spam levels have dropped dramatically. The spammers, they say, have taken some time off.

That may well have been the case as far as email spam was concerned, but back in the real world -- which includes any business running a vBulletin forum for customer support -- things have been far from quiet. In fact, there's something of a spam crisis going on right now as it appears the bad guys have worked out how to crack the reCAPTCHA system that safeguards vBulletin-powered forum registrations from automated bots.

Google officially remains adamant that there is no problem with the reCAPTCHA system, which it operates. A Google spokesperson told PC Pro that it has "found reCAPTCHA to be far more resilient than other options while also striking a good balance with human usability".

However, the simple fact is that currently it seems to be as much use as an ashtray on a motorbike to anyone operating a vBulletin forum. In fact, it became pretty useless on 4 January when spammers apparently got their collective hands on a piece of software that circumvents reCAPTCHA and allows for a fully automated registration process. The bots have been busy, very busy indeed, ever since.

A number of small businesses running vBulletin-based support forums have noticed a dramatic increase in the number of new member registrations during the past week. At first they were naturally quite pleased with this, until it dawned on them that the new members all hailed from Russia and had started to post spam of the worst possible kind (child porn and rape video links, for example). Over the weekend the software had obviously started to get more widely distributed as new member registrations turned up in volume from numerous locations around the world, all intent on posting spam.

For some, the forums provide more than just customer support: they actually are the business itself. For them, this has been a troublesome week, with huge demands on their resources, both in terms of the bandwidth being consumed by the spammers and the manpower required to keep track of them and delete their accounts and their postings.

A Google source who did not wish to be quoted directly confirmed that the company had recently noted a higher amount of spam getting through on some forums, but insisted there was no evidence to suggest it was automated or impacting on larger sites.

On the front line

I disagree, having been on the front line with one such large site that fell victim to an attack. The registrations came through at such a rate that it beggars belief to think it was anything but automated. Those registrations stopped dead when reCAPTCHA was eventually supplemented with an alternative method of validation, as instantly as flicking a switch. If the attack was not automated, and humans were manually completing the registrations, adding another layer of verification would have made no difference.

Yet that same Google source insists the company modifies its algorithms "rapidly to respond to new types of automated attacks" and that any spam increase will not last long if it's bot-produced. The evidence suggests otherwise: one large forum was under attack from 4 January until 11 January, with hundreds and hundreds of automated registrations, until an additional layer of validation was introduced. I'm not sure what Google's definition of rapid response is, but eight days wouldn't be mine.

What to do

Thankfully there is a relatively easy solution available, and it has proved to be 100% effective for those who have now implemented it: simply add the vBulletin Question and Answer Verification option to the registration process. This requires human thinking to complete a registration, by asking a question such as "what colour was the white cloud?" or "what is the fourth word in this sentence?", for example.

To do this, enter your vBulletin Admin Control Panel and choose 'Human Verifications Options|Image Verification|Question & Answer|Save' then click on 'Add New Question' and save your question before clicking on 'Add New Answer' and then saving that.

Of course, if you just have one question and answer the spammers will soon get wise to it, so it's best to have multiple Q&A sets. Then, vBulletin will choose one at random to present as verification during the registration process.

I'm also advising clients to add another layer of protection at the same time by installing the vbStopForumSpam plug-in modification, available for free to registered vBulletin licence holders from the vBulletin site, which employs an RBL database approach to blocking known spam IP and email addresses. During the registration process it checks the submitted data against the known-spammer list and rejects the registration if there's a match.
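As an added illustration (not the article's or vBulletin's code), this Python sketch models the two layers just described: a Question & Answer challenge picked at random from several sets, with a normalised answer comparison, followed by a lookup against a constructed stand-in for the known-spammer list. The function names, the Q&A pool and the sample addresses are all assumptions.

```python
import hmac
import random
import re

# Constructed Q&A pool standing in for vBulletin's Question & Answer Verification sets.
# Several sets are kept so that a spammer learning one answer gains little.
QA_POOL = {
    "What colour was the white cloud?": "white",
    "What is the fourth word in this sentence?": "fourth",
    "How many wheels does a bicycle have?": "2",
}

# Constructed stand-in for the RBL-style known-spammer list the plug-in consults
# (hypothetical sample values from documentation ranges, not real indicators).
KNOWN_SPAM_IPS = {"203.0.113.77", "198.51.100.9"}
KNOWN_SPAM_EMAILS = {"bot@spam.example"}


def pick_challenge(rng=random):
    """Choose one question at random, as vBulletin does when several sets exist."""
    return rng.choice(sorted(QA_POOL))


def normalise(answer):
    """Fold case and collapse whitespace so a human typing ' White ' still passes."""
    return re.sub(r"\s+", " ", answer.strip().lower()).encode("utf-8")


def answer_ok(question, supplied):
    """Compare the normalised answer in constant time (bytes, so non-ASCII is safe)."""
    return hmac.compare_digest(normalise(QA_POOL[question]), normalise(supplied))


def on_blocklist(ip, email):
    """Reject registrations whose IP or email matches the known-spammer list."""
    return ip in KNOWN_SPAM_IPS or email.strip().lower() in KNOWN_SPAM_EMAILS


def register(username, email, ip, question, supplied_answer):
    """Return (accepted, reason): blocklist check first, then the Q&A challenge."""
    if on_blocklist(ip, email):
        return False, "rejected: IP or email on known-spammer list"
    if question not in QA_POOL or not answer_ok(question, supplied_answer):
        return False, "rejected: verification answer incorrect"
    return True, "accepted"


if __name__ == "__main__":
    q = pick_challenge()
    print(q, register("alice", "alice@example.org", "192.0.2.10", q, QA_POOL[q]))
```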
