Faking a poll result, the spammers view

by Peter Young on October 20, 2010 · 10 comments

This is a guest post from Paul Madden (aka @seoidiot – and one of the nominees for most influential) further to the fun and games from last weeks automated voting. These weren’t done particularly well, so as a result we thought we would get in the experts for next time …. :)

Some of you may know that I have a slightly dodgy past as far as spam goes so it was no great surprise when people blamed me for gaming the poll. I find that offensive and I am saddened that you would think that of me. So did I game it?

Well yes of course I did, Pete wouldn’t have expected any less. The difference with me is I wont do it in a way that causes your server problems and I wont do it to win, I did it simply to point out the vulnerability of the voting method used. So I have been asked to share with you the thought process and code that allowed the poll to be gamed so you too can game polls, sorry I mean so you too can avoid being gamed on your own polls.
As soon as I saw Pete had a poll running I took a look at the source of the page and heres what I found: -

<div id=”polls-9″>

So Pete is using WP-Polls to run his poll. OK well lets have a look at how that system prevents vote rigging…
Just a note, always prevent me from browsing to your plugins directories to confirm the plugin is in place – http://www.holisticsearch.co.uk/wp-content/plugins/wp-polls/

(If you add ‘Options All -Indexes’ to your .htaccess file you will stop me doing this easily)
It appears that it simply places a cookie on your machine and prevents posting from the same IP again and again. Here is the handy cookie view in Chrome (Preferences > content settings > show cookies and other site data)

2010-10-16_0911

Nice how Google help you spam things sometimes isn’t it ;)

So what we need is a method to hold a cookie and a way of using lots of IP’s

Step forward cURL and PHP once again!

So with cURL you can set all sorts of things like the user_agent and accept cookies and spoof pi’s. Ideal for us. Now it would have taken about half an hour to code up something to do the task for us but in our case there was already a script I had that does the job. You can find it here:

http://www.criticalsecurity.net/index.php/topic/32474-wordpress-wp-polls-post-data/

OK so all we need now is to tell this script what the poll id is (`name=”poll_id” value=”52″` from the source of the page) and who we want to vote for (65 was my option in the vote, again found in the source). Then we will upload this script to one of our servers and get ready to play. Normally you could use proxies to do this (Tor or a service like http://www.yourprivateproxy.com/ would work well) but as we are ‘blind posting’ we don’t need a proxy at all.

What? How does that work?

OK so if you are posting and getting back information with cURL you have to use a proxy as if you spoof an ip the information will get returned to that fake IP. If we are simply posting to a form though we can do that with a fake IP.

One note of warning, the real IP will still be there if you look at the raw log files I think. We are simply telling the server that we are forwarding from a fake IP using the line: -

Make a fake IP up
2010-10-16_0928

Telling wordpress what IP we are from
2010-10-16_0929

So now we have all we need to spam the vote, we simply do it in little bursts of votes over an extended period (http://www.seoidiot.co.uk/projected-cron-jobs/) and if we wanted to we could quickly extend this script to check who was winning the vote before voting itself and then make sure we always stayed just above them. In this case I would worry that Mr Naylor might also have done that and it would become an arms race pretty quickly..

Some notes on doing this in a way that doesn’t hurt the site in question. Don’t post 1000 votes at a time (one or two have done this -> editor;), don’t just vote for yourself (couple of people have done that -> editor), don’t write a follow up post explaining how to do it (Whoops)

Disclaimer – Following Paul’s advise above is done so at your own risk. Holistic Search and Paul do not accept any responsibility for any actions you may take as a result of reading the above post

Google+ Comments

{ 9 comments… read them below or add one }

Nichola Stott October 20, 2010 at 9:08 am

Paul – thou art no idiot ;-)

Dan Taylor October 20, 2010 at 9:12 am

Who would have known that vote rigging would have been such an easy task?

I suppose for someone who has been in the game for a while thinking laterally to come up with the technique is now second nature :)

Now, to get nominated for something – any tips on that Paul?

Dan

Alex Minchin October 20, 2010 at 9:23 am

Love this perspective post, Paul (whoa, say that fast 5 times!) – I feel like I’ve dipped into the dirty world of blackhat for just a short moment!

Thanks for the read.

Alex

Peter Young October 20, 2010 at 9:27 am

Funny how reading or listening to something Paul does makes you feel like that :)

Sentiments from me as well Paul & thanks for the help

Elaine October 20, 2010 at 9:39 am

Wow – absolutely fascinating – don’t understand a word though! – but, then again, I also watch cookery programmes ….

SEOidiot October 20, 2010 at 10:29 am

Thanks All

Embrace the dark side people – its how you learn

@elaine – I watch cookery too :)

Bas van den Beld October 21, 2010 at 7:33 am

It’s definitely art what Paul does. The thing that always scares me the most is not how he actually does it, but how he thinks of it, wouldn’t get into my mind, my mind just doesn’t work like that :) . I’m happy to be on Paul’s side.

By the way: Paul, keep on ‘revealing’ those things, I think many of us can learn from this. (Including me)

Kev Strong October 21, 2010 at 7:43 am

Cracking post Paul. There’s just something gloriously tempting about gaming the system – especially when it’s so easy.

Bartjan November 1, 2010 at 10:35 am

And for people without any coding skills:
Install TOR, Web Developer Toolbar and a simple macro recorder. Now record changing IP adress (one click in TOR), copy URI to FF and press enter, click to vote, 2 clicks in web developer toolbar to delete domain cookies.

Set it to repeat and leave your computer on at night. Equals about 1 vote every 30 seconds ;)

Leave a Comment

{ 1 trackback }

Previous post:

Next post: