View Full Version : Respect to you w


Gonayete
November 11th, 2006, 02:11
Hi all,
Respect to you k for this site.
Gonayete.

LLXX
November 11th, 2006, 05:49
What?

Vrane
November 11th, 2006, 07:22
Quote:
Respect to you w

Quote:
Respect to you k


lol?

LLXX
November 11th, 2006, 07:58
http://www.msfn.org/board/?showtopic=86489

This is starting to scare me.

Kayaker
November 11th, 2006, 09:02
Heheh, feeling stalked LLXX?

Well, if the poster is a non-native English speaker, welcome to the board.

However, what does a Spam-Bot smell like?..

Reverse this:

- IP address of the poster is a Washington DC, USA Internet service provider

- The Timezone the poster registered under is (GMT-12:00) Eniwetok, Kwajalein

Eniwetok and Kwajalein are atolls of the Marshall Islands. Kwajalein is the site of an American military base and has been used for missile defense testing since the 1960s. Eniwetok, along with the island of Bikini, are the sites where U.S. nuclear testing took place between 1946 and 1958. The islands remain uninhabited today because of nuclear contamination.

Since it seems unlikely this person really lives in that timezone, a random spam-bot choice of Timezone might be indicated.

- Registration email address of poster begins with respect@

That's a little too much respect.

Am I crazy? Tell me Gonayete.

naides
November 11th, 2006, 10:49
Quote:
[Originally Posted by Gonayete]Hi all,
Respect to you w for this site.
Gonayete.



Quote:
[Originally Posted by Gonayete]Hi all,
Respect to you k for this site.
Gonayete.


Looking at the other posts it seems that the only thing that changes in the post wording is that letter.
Is she referring to Woodmann and Kayaker? Or is that a random generator of messages?
Actually if you google "Gonayete", this character appears to have registered into a LOT of very dissimilar forums around the net, including:

political prisoners defense forum,

The shrine of Insanity . . .

And Yes, at the Design Community forum, Gonayete expressed her respect for a, y and k in separate postings



Woodmann
November 11th, 2006, 17:41
One other thing,

This bot has the same registration date on all the forums.

SiGiNT
November 12th, 2006, 02:14
Many, many forums - seems that someone is testing a spam bot that's capable of spoofing registration screening.

SiGiNT

LLXX
November 12th, 2006, 05:36
Being Reversers, I think this little gem deserves a little inspection.
Quote:
[Originally Posted by sigint33;62312]Many, many forums - seems that someone is testing a spam bot that's capable of spoofing registration screening.
At a first Google of the term yesterday there were absolutely no results, but it seems the index now shows 381 results as of this posting for "Gonayete". I've looked through most of those results, and it seems we here at RCEF are the first ones to notice this. At the other sites, either the topic is deleted, or they try to interact with her.

If by "spoofing registration screening" you mean the CAPTCHA image, those have been broken very easily with advances in OCR technology.

Actually, the idea of an automatically registering and posting forum bot has been viable for quite some time, what I think is that this is the first time someone actually decided to put the plan into action.

JMI
November 12th, 2006, 05:54
Well, no CAPTCHA has been employed here yet. Not saying it isn't possible. We just haven't activated that part of the Registration yet. We are in the process of installing GD, along with updated software for the server, and today I updated the software for the Forums themselves.

Most of our "commercial" "Bots" have, in fact, been real people registering and then posting commercial advertisements. Not much a CAPTCHA system can do to stop that. One method which does work, but it is annoying to new registered users, is to Moderate all posts until the poster reaches some determined number of Posts. That's what is implemented on Exetools, but it means a whole lot more work for the Admin, meaning me, and some annoyance by the new members. But, at least it does lessen the number of Posts which do not quite follow the Posting Rules.

Please be on the look out for anomalies in the operation of the new version and start a Thread in the Off Topic if anyone notices anything "strange." Most everything seems to be working as it should, but there are many new features in this new 3.6.3 version and we haven't checked out all the new options in the AdminCP yet.

Regards,

Kayaker
November 12th, 2006, 17:01
Quote:
[Originally Posted by LLXX;62314]At a first Google of the term yesterday there were absolutely no results


Exactly. When I first googled for the name there were 0 hits, which is why I gave a small benefit of the doubt that the poster might be real, or at the very least a troll.

I've been looking at the vBulletin registration templates and it seems that we (or any forum admin) could make our own "home-grown" registration verification which might fool such a bot. What gave me the clue was its behaviour with the TimeZone setting. This setting is a combo-box, normally its default selection should be Timezone -5, set by the Administrator as a global option. This happens to be the 8th selection in the combo-box list. The bot however overrode the default selection (even as a normal registrant might), but chose the 1st selection in the combo-box list.

Now I don't know how a bot really works, but I assume it must blindly tab through the reg routine controls (checkboxes, edit controls, comboboxes, possible Image Verification controls, etc.) and select or fill in what it deems necessary to complete the registration. Most forums are probably fairly similar, i.e. name editbox, then password and email editboxes to be filled in twice, etc.

For some reason this bot may have tabbed through the Timezone combobox and selected the 0th entry.

OK, let's say we create our own "anti-bot" verification by creating a new combobox that must be properly selected for registration to be successful. For example a label that says "Choose the 5th entry in the following combobox". The number could be anything, it could even be a rotating variable based on the day of the week. Or you could require matching a number or character to a correct combobox (or checkbox or radiobutton) entry.

There's no way a bot could "read" the label text to know which combobox entry to select, or even that it should be doing something other than following a generally standard registration procedure.

The standard ImageVerification package uses an editbox. If, like LLXX says, a bot could use OCR to read the image all it has to do is enter that into an editbox. Forcing a combobox selection as I outlined would seem to be a quirk not as easily detected to a trolling bot.

The main drawback to this idea I can see is that a non-native English speaker might also have a hard time understanding what is expected from them to complete the registration. If they can't read the "Choose the 5th entry.." text they won't know what is required. I'm sure we could still make it user-friendly but bot-unfriendly though.

Any other Confuse-a-Cracker, er Confuse-a-Bot ideas?

Kayaker
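A server-side sketch of the combobox check proposed in the post above, as an added example that is not part of the original thread and not vBulletin code. The option list, the form field names `challenge` and `timezone`, and the function names are hypothetical; the rotation by day of the week and the first-entry timezone observation come from the post.

```python
import datetime

# Hypothetical option list and field names; a forum would render a <select>.
OPTIONS = ["apple", "bridge", "candle", "dolphin", "engine", "forest", "garden"]
# (GMT-12:00) Eniwetok, Kwajalein: the first timezone entry, which the bot
# picked instead of the board default (the 8th entry, per the post).
TZ_FIRST_ENTRY = 0


def expected_choice(day):
    """0-based entry required on `day`; rotates with the day of the week."""
    # Never index 0, so a bot that blindly takes the first entry always fails.
    return 1 + day.weekday() % (len(OPTIONS) - 1)


def challenge_label(day):
    """Text shown next to the combobox (1-based for human readers)."""
    return f"Choose entry number {expected_choice(day) + 1} in the list below"


def _as_index(value):
    """Parse a submitted form value as an int, or None if absent or garbage."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def screen_registration(form, day):
    """Return (accepted, flags). The challenge is a hard gate; the timezone
    observation is only a flag for moderator review, not a rejection."""
    flags = []
    accepted = _as_index(form.get("challenge")) == expected_choice(day)
    if not accepted:
        flags.append("challenge: wrong or missing combobox entry")
    if _as_index(form.get("timezone")) == TZ_FIRST_ENTRY:
        flags.append("timezone: first list entry chosen instead of board default")
    return accepted, flags


if __name__ == "__main__":
    day = datetime.date(2006, 11, 11)  # constructed sample date (a Saturday)
    print(challenge_label(day))
    print(screen_registration({"challenge": "0", "timezone": "0"}, day))
    print(screen_registration({"challenge": "6", "timezone": "7"}, day))
```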

Woodmann
November 12th, 2006, 17:39
Howdy,

What you are suggesting is very close to what Searchlores uses.
In order to submit or post, you have to answer a certain question.

For instance the current question is something like what is two plus one.
The answer should be in the form of a word.

Woodmann

dELTA
November 12th, 2006, 18:21
Some recent discussion/ideas about this subject:

http://isc.sans.org/diary.php?storyid=1836

SiGiNT
November 13th, 2006, 01:03
I kind of think the origin and the terminology used is interesting, the computer chosen for this bot was either on or near a US military facility, first assumption would be someone's personal PC, but if you've been keeping track of minor news items, you would know that it's been reported that the Chinese are constantly trying to hack various US government systems, the wording and sentence structure would indicate that it's been written by someone oriental - makes my paranoid mind think it's not just a lone got-no-life teenager playing around - I moderate on a couple of boards that have been autospammed, but it was usually confined to that board or that one and a couple of related boards, the scope and speed of this one is kinda scary if you consider it's possibly a test of a technological approach - possibly with the intent of spreading mis-information at some later date.

SiGiNT

Went back and checked - here is an almost identical "attack" - difference is the registration date and the post are not the same - and the post includes a link complete with an image, not easy to do on that board.

http://www.padmasters.com/showthread.php?t=640

dELTA
November 13th, 2006, 10:07
Moral of this story:
Don't make lame posts on our board, or within days you will be the subject of a CIA investigation, for suspected government conspiracy, espionage and god knows what else.

SiGiNT
November 13th, 2006, 10:15
Like I said "paranoid mind" , now off to some ufo investigation!

SiGiNT

LLXX
November 13th, 2006, 20:57
Quote:
Results 1 - 10 of about 105,000 for Gonayete
Holy fucking shit!!!

@sigint33:
Quote:
Results 1 - 10 of about 19,600 for fareeha786

I'm now starting to think this is not the work of one individual, but the result of hacking teams competing against each other for the number of sites they can register at in a certain time period. Reminds me of

http://en.wikipedia.org/wiki/SEO_contest#Nigritude_ultramarine

Woodmann
November 13th, 2006, 21:00
Howdy,

Nice scoop LL.

SiGiNT
November 13th, 2006, 22:36
188,000 for this one that showed up at Padmasters today - can't redirect you, it's already been trashed - also contained links - operative theory - trying to rack up points on Google Adsense - anyway the poster was - KilkaSerko

Now back to the ufo's - after I RE something, 1 a day keeps me happy

SiGiNT

LLXX
November 14th, 2006, 02:40
Hmm... I've been doing a little bit of Internet investigation on what exactly the variable in the generation of the phrase "Respect to you %c" was based on. If it was indeed random, we would expect approximately equal numbers of results for searching that string for each letter. The search query was '"Respect to you %c" + Gonayete' The results speak for themselves.

a: 128
b: 58
c: 41
d: 66
e: 160
f: 81
g: 55
h: 60
i: 56
j: 104
k: 58
l: 58
m: 145
n: 45
o: 42
p: 102
q: 55
r: 76
s: 40
t: 962
u: 47
v: 101
w: 42
x: 50
y: 124
z: 74

Hmm... human or rand()? It doesn't look that random to me, especially the huge peak at "t"...
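The "human or rand()?" question can be put to a chi-square goodness-of-fit test against a uniform letter choice. This is an added example, not part of the original post; it uses the hit counts listed above and assumes they can be treated as independent observations, which search-engine result counts only approximate.

```python
# Hit counts copied from the post above ('"Respect to you %c" + Gonayete').
COUNTS = {
    "a": 128, "b": 58, "c": 41, "d": 66, "e": 160, "f": 81, "g": 55,
    "h": 60, "i": 56, "j": 104, "k": 58, "l": 58, "m": 145, "n": 45,
    "o": 42, "p": 102, "q": 55, "r": 76, "s": 40, "t": 962, "u": 47,
    "v": 101, "w": 42, "x": 50, "y": 124, "z": 74,
}

# Chi-square critical values at p = 0.001, from standard tables, keyed by
# degrees of freedom (25 letters' worth for the full set, 24 with one dropped).
CHI2_CRIT_P001 = {25: 52.620, 24: 51.179}


def chi_square_uniform(counts):
    """Return (statistic, degrees of freedom) for H0: every letter equally likely."""
    expected = sum(counts.values()) / len(counts)
    stat = sum((n - expected) ** 2 / expected for n in counts.values())
    return stat, len(counts) - 1


def rejects_uniform(counts):
    """True if the uniform hypothesis is rejected at the 0.1% level."""
    stat, df = chi_square_uniform(counts)
    return stat > CHI2_CRIT_P001[df]


def largest_deviation(counts):
    """Letter whose count lies furthest from the uniform expectation."""
    expected = sum(counts.values()) / len(counts)
    return max(counts, key=lambda c: abs(counts[c] - expected))


if __name__ == "__main__":
    stat, df = chi_square_uniform(COUNTS)
    peak = largest_deviation(COUNTS)
    print(f"all letters: chi2={stat:.1f}, df={df}, reject={rejects_uniform(COUNTS)}")
    # Drop the peak and test again: is the rest of the distribution flat?
    rest = {c: n for c, n in COUNTS.items() if c != peak}
    stat2, df2 = chi_square_uniform(rest)
    print(f"without '{peak}': chi2={stat2:.1f}, df={df2}, reject={rejects_uniform(rest)}")
```

The uniform hypothesis is rejected both with and without the peak letter, so the skew is not limited to "t".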

JMI
November 14th, 2006, 03:00
Maybe the letter has some relationship to something the bot sees when it first appears. Remember that the "Title" of the Thread is " Respect to you 'w'", while the content of the Post is "Respect to you 'w'"!

There's another variable to keep you awake for awhile longer.

So, do you want to check how often such a pattern repeats, i.e. Title of the Thread with one letter and Post with another letter? And what is the relationship, if any, between the first letter and the second letter.

Do I hear the theme from "The Twilight Zone" playing in the background???

Regards,