The Beginning of Discord Spammer

obnoxious
6 min read · Apr 26, 2017

I’ve never been a strong writer, but I wanted to start a blog to keep track of my thoughts as I progress through the many projects I start. I started Discord Spammer about 5 days ago in hopes of it making enough money to just get me by, and it did. I pretty much only do Python, and I started looking into Discord and its API. I’m going to share basic code snippets but not all my code, for many reasons.

Step One — Registration

We needed to create a script to mass create accounts to bypass account-specific rate limiting. This is how I begin any account creator: I open up Inspect Element and click the Network tab. You’ll see very quickly they actually have an API endpoint for registration and they’re using XHR requests and not an HTML form. This makes it easier for me to forge a request. Upon a valid request you will get an API key / OAuth token, whatever you want to call it. This will allow us to bypass 3step or IP verification.

Discord Registration Request

Step Two — Google NoCaptcha

If you send a request without the captcha_key parameter set you’ll just get a captcha-required error response. So I found 2captcha, a service that provides a Google ReCaptcha NoCaptcha solver with 0 browser emulation by submitting only their Google ReCaptcha public key. It offers a 100% valid captcha rate due to the nature of NoCaptcha. Unfortunately, in mass it’s a bit expensive. The $3/1000 captcha solves gets kind of ridiculous after a while, but it’s the only solution I can find without emulating a browser, which I definitely don’t wish to do. The captcha solve times are also kind of long, 30+ seconds, again unfortunate.

However they do offer a Python API library for their service. It didn’t seem to offer their new no-browser-emulation solving. So I just had to write a basic thing in aiohttp to do this.

Step Three — Username & Password

Now Discord allows you to have any username you want due to discriminators. I haven’t seen a 5 digit discriminator so I just assumed you could only have 10000 of the same username. I may be wrong here, but I don’t want all of my accounts to have the same username anyway, so I used a basic line in Python to generate a string for the username as well as the password.

Generate username && password.

Step Four — Email Verification

Email verification! The most typical anti-botting mechanism ever. Fortunately for us and unfortunately for Discord, it’s not a problem in the slightest to bypass. Most of you may be familiar with the Gmail + and . trick. For example: your email can be o.bnoxious@gmail.com or obnoxious@gmail.com and they’re the same thing. The + trick is also simple: obnoxious+medium@gmail.com will go to obnoxious@gmail.com. You can also combine these to do o.b.noxious+medium@gmail.com. I have about 20 gmails ready to go, so the email for every account is a random selection of these, dot tricked randomly and + tricked with either the username or a different randomly generated string.

The next part is actually verifying the email; this will be done by using Google’s IMAP server. I wrote code to log into every account’s IMAP, check for every single Discord verify email, parse it for the verification URL parameter token and pass it on to my aiohttp requester. It is another basic API endpoint to verify your email.

As of right now, I’m unsure exactly how their verify system works because it will seemingly for no reason say that my token is invalid. Odd stuff. But it works at 70%+ which is good enough for me.

Step Five — IP rate-limiting

If you send tons of requests on the same IP their API will blacklist you for a time for abusing it. This is done because of rate-limiting. Thankfully our friends over at P2PProxies offer a really cheap 200k IP residential proxy pool with unlimited connections. We’re now using this to make accounts and verify them.

Spamming!

This is where we are actually going to discuss the spamming of Discord text channels. This was a tad annoying but bear with me.

Step One — How?!

I started out by using Google Chrome’s Inspect Element network tab post-login on Discord, and it will show you that it makes a few websockets. The frames for these are pretty simple. But I decided I wanted some real documentation, so I headed over to the discord.py repository and found where they do the web sockets. I read their documentation on packets sent and received by Discord and created my own function using asyncio and the websockets library to connect many accounts to Discord.

Step Two — Appearing Online

At first I assumed that we were going to just have to pipe messages down the web socket, but no no no! They send a new HTTP request every single message. I think this is kind of stupid. The websocket remains kind of pointless except showing that you’re online and you must be online to send a message on Discord. This makes me have to waste a bunch of CPU cycles to bot messages but it isn’t much of a problem. Below are the important packets, mainly IDENTIFY.

The IDENTIFY requires our oauth token from the registration request. Thankfully we save this in our account creator. We are now considered online!

Step Three — Joining the server and grabbing a CID

cid == channel ID

Below is the request sent to the API endpoint to get information on the guild or server and it will return the cid of the channel the invite link was made for. Usually the general channel.

Step Four — Messages!!!!

I did this one in inspect element, no need to read source code, really simple request. All you need to do is fill the message parameter and change the channel ID in the URL. I also added random characters after messages to bypass some basic anti-spam bots.
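On the detection side, a random tail only defeats exact-match filters. The added example below (not code from the original post) scores messages by character-shingle overlap and flags near-identical text posted by several distinct accounts; the sample messages, account IDs, threshold and function names are all constructed for illustration, and time windowing is left out.

```python
import re


def shingles(text, k=5):
    """Set of overlapping k-character substrings of the normalised text."""
    norm = re.sub(r"\s+", " ", text.lower()).strip()
    if len(norm) <= k:
        return {norm}
    return {norm[i:i + k] for i in range(len(norm) - k + 1)}


def jaccard(a, b):
    """Overlap of two shingle sets, 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b)


def flag_campaigns(messages, threshold=0.7, min_accounts=3):
    """Group (account_id, text) pairs by similarity to the first message of
    each group; return groups posted by at least min_accounts accounts."""
    clusters = []  # each entry: (representative shingles, text, accounts)
    for account, text in messages:
        sig = shingles(text)
        for rep, _, accounts in clusters:
            if jaccard(sig, rep) >= threshold:
                accounts.add(account)
                break
        else:
            clusters.append((sig, text, {account}))
    return [(text, sorted(accounts))
            for _, text, accounts in clusters
            if len(accounts) >= min_accounts]


# Constructed sample: three accounts post the same text with a random tail.
SAMPLE = [
    ("acct1", "Free game keys at promo.example/join xk3f9"),
    ("acct4", "anyone up for a raid tonight?"),
    ("acct2", "Free game keys at promo.example/join q8zzp"),
    ("acct5", "gg that was close"),
    ("acct3", "Free game keys at promo.example/join 0mmva"),
]

if __name__ == "__main__":
    for text, accounts in flag_campaigns(SAMPLE):
        print(f"{len(accounts)} accounts posted near-identical text: {text!r}")
```
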

The JUICY REQUESTS

Hammer & Chisel — Anti-Botting & Security

WebSockets

  • Does not have any IP or account rate-limiting.

Captchas

  • Captcha is 100% required on registration, not forced on email verification.

Email Verification

  • I can gmail + and . trick, basic parsing can be done for the email, can force me into making my own mail server or proxy to another one.
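For a service on the receiving end of the Gmail + and . trick, one countermeasure is to canonicalise addresses before counting registrations per mailbox. This is an added example, not code from the original post; the function names, the per-mailbox limit and the `example.org` address are assumptions, while the Gmail addresses are the ones used in the article.

```python
from collections import Counter

# Domains that deliver to the same Gmail mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Collapse Gmail dot and plus variants to the mailbox they deliver to."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        # Gmail ignores case, dots, and anything after the first '+'.
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def mailboxes_over_limit(addresses, limit=1):
    """Return {canonical mailbox: signup count} for mailboxes above limit."""
    counts = Counter(canonical_email(a) for a in addresses)
    return {box: n for box, n in counts.items() if n > limit}


# The four Gmail variants from the article plus one constructed address.
SIGNUPS = [
    "o.bnoxious@gmail.com",
    "obnoxious@gmail.com",
    "obnoxious+medium@gmail.com",
    "o.b.noxious+medium@gmail.com",
    "someone.else@example.org",
]

if __name__ == "__main__":
    for box, n in mailboxes_over_limit(SIGNUPS).items():
        print(f"{box}: {n} registrations")
```
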

Registration Endpoint

  • This is an API endpoint, so it’s super easy to work with: no CSRF worries and a single request. A lot of other services will require a GET then a POST to grab tokens and stuff. This won’t stop much but make it slower for scripts.

Conclusion

This sums up my article. If you have any questions feel free to ask me over email. I sell my webpanel and 100% automated spammer over here. Quite cheap and fun. Thanks for reading. I’m always looking for work so please contact me if you need any done.

obnoxious

pythonista, system administrator and avid looper of HTTP requests