AI Bots or Copy-Paste Spammers?

[feldon30]

Today I logged in to 3 examples of very odd posts on my forum in my moderation queue. Like many of us, I have the Registered usergroup set so that none of their posts are visible. Once I approve 2 posts by Registered members, they get promoted to Registered (Confirmed) and then they can participate without further approvals. This eliminates virtually all spam because spammers are generally unable to jump into a conversation and post relevant, on-topic replies. Sure, I get floods of 50+ Russian spams in the moderation queue every week, but a few clicks on Spam Cleaner and they're gone and my users never see it.

So take a look at these 3 vaguely legitimate but obvious gobbledygook posts:


This was in reply to a thread about updated tooltips on my website.



This was in reply to a 6 year old thread about the API my website uses.



This is in reply to a strategy thread about clearing dungeons to get a specific item.

I've had spammers try to write legitimate posts in various qualities of English to get past my approval process, but these seem different somehow.

 

[feldon30]

UPDATE: The 1st post was copy-pasted from a 2018 thread on a totally different forum:

FTL Patch 1.6.4 [Jan 25th Update] - Subset Games Forum

The 2nd post about the API is copy-pasted from a 2018 thread on a totally different forum:

SOAP API changes with 8.8.6 ? - Zimbra Forums

forums.zimbra.org

I'm unable to find the origin of the 3rd post.

 

[zappaDPJ]

I've seen a few of these myself but not recently. I always thought of them as a scrape and paste but I never really understand what purpose they're supposed to serve. Perhaps if they make it past moderation there would be a more meaningful payload posted at some later point in time

 

[DigNap15]

I am lucky in that I was able to stop the flow of "Russian" bots and scammers to virtually zero with a simple captcha

But I have seen a competitors site (unmoderated now) go from 500 members to over 10,000 in 4 weeks

Why do these Russian bots bother?
Even if they get accepted surely they would only be able to post one or two messages before a bona fide member would spot them and Report them

 

[Dragonchilde]

I always thought of them as a scrape and paste but I never really understand what purpose they're supposed to serve.

Perhaps if they make it past moderation there would be a more meaningful payload posted at some later point in time

Pretty much, yes. Think of them as "sleeper agents." They'll post initially "good" posts (without links) to build karma/trust/escape notice and then later they will either edit them to include links if possible, or may go on to include links in later posts. It's a clever way around some of the built-in tools that forums like Discourse have (where you're not allowed to post links until you've built a certain amount of trust) but they're clumsy enough that if the site is monitored by actual people, it's unlikely to succeed. I think they're pretty much going for zombie boards, tbh. I've had them escape notice in my old custom software and reactivate MONTHS later.

 

[Karll]

Even if they get accepted surely they would only be able to post one or two messages before a bona fide member would spot them and Report them

Some spammers don't bother with posting messages. Instead they just post links on their profile page. I had that problem for a while, until I made access to profiles members-only. I think that took away their incentive, or at least I haven't noticed any more of them since I did that.

 

[cdub24]

Once I approve 2 posts by Registered members, they get promoted to Registered (Confirmed) and then they can participate without further approvals.

I've thought about this but decided against it as I have users from all time zones. Don't want new legitimate users not to have their consent posted and then not responded to at 2am while I sleep.

Instead I have opted for a pretty expansive spam flag words list. This has caught 98% of spam. Occasionally a legit post gets snagged but it's rare.

Some spammers don't bother with posting messages. Instead they just post links on their profile page. I had that problem for a while, until I made access to profiles members-only. I think that took away their incentive, or at least I haven't noticed any more of them since I did that.

Yes. Only members can see profiles on my site too. This has helped.

 

[feldon30]

Pretty much, yes. Think of them as "sleeper agents." They'll post initially "good" posts (without links) to build karma/trust/escape notice and then later they will either edit them to include links if possible, or may go on to include links in later posts. It's a clever way around some of the built-in tools that forums like Discourse have (where you're not allowed to post links until you've built a certain amount of trust) but they're clumsy enough that if the site is monitored by actual people, it's unlikely to succeed. I think they're pretty much going for zombie boards, tbh. I've had them escape notice in my old custom software and reactivate MONTHS later.

Definitely have a problem with sleepers. When Spam Cleaner says "You cannot use Spam Cleaner against an account that has been registered for X months/years."

 

[rkins]

I have a captcha and a list of questions that make it hard for spammers to get in. If one does get past the questions I keep an eye on how many suspicious people get pat the questions and it becomes obvious they have been passing around a list of questions I shuffle and change them so it nullifies the list they make.
I check IP origination using iP2Location - if it looks fishy I may delete them. I them send/every applicant a questionaire email to their address to which they must reply to get approved. I have had people reply that they are in a specific country on vacation.
Anyway - sounds like a lot of work but I can go through the application list pretty quickly - checking IP and sending questionaire in about 20 secs each.

 

[DigNap15]

I have a captcha and a list of questions that make it hard for spammers to get in. If one does get past the questions I keep an eye on how many suspicious people get pat the questions and it becomes obvious they have been passing around a list of questions I shuffle and change them so it nullifies the list they make.
I check IP origination using iP2Location - if it looks fishy I may delete them. I them send/every applicant a questionaire email to their address to which they must reply to get approved. I have had people reply that they are in a specific country on vacation.
Anyway - sounds like a lot of work but I can go through the application list pretty quickly - checking IP and sending questionaire in about 20 secs each.

Good skills
But its a shame we all have to resort to such time consuming tactics

I can confidently say that of my 1,400 members there could only be one or two spammers.
I dont let them join, and they'd soon get Reported
Why bother?

 

[Johno1942]

Why bother?

I have seen a lot of this sort of activity from "sleepers", for the most part it seems to obtain google listing legitimacy rather than to actually promote the site itself.

 

[Icon]

Good skills
But its a shame we all have to resort to such time consuming tactics

I can confidently say that of my 1,400 members there could only be one or two spammers.
I dont let them join, and they'd soon get Reported
Why bother?

If you really, really put time into putting StopForumSpam/Honeypot APIs, this "work" is immediately done for you. Why? The spam mitigation is working in the background. There are a few spam, but most of the time, its human spam. In that case, you go in and moderate them.

View attachment 55309
This was in reply to a thread about updated tooltips on my website.


View attachment 55308
This was in reply to a 6 year old thread about the API my website uses.


View attachment 55307
This is in reply to a strategy thread about clearing dungeons to get a specific item.

I've had spammers try to write legitimate posts in various qualities of English to get past my approval process, but these seem different somehow.

I been getting the same issue, fortunately, you can go to the user's post history and just click on post moderation - you can do anything in this menu, its basically a [mini] mod menu.

What i like to do is click those posts, go to mod menu, and move it to a trash forum and keep it there for archive reasons so you can see what the user did. I usually do this, in addition to spam cleaning once moved to secret trash board. That way the sovereignty of your thread is intact.

But this is spam, full stop. Technically its necro-bumping a thread so they can come back and edit the post with links later. That actually happened.

 

[feldon30]

Good skills
But its a shame we all have to resort to such time consuming tactics

I can confidently say that of my 1,400 members there could only be one or two spammers.
I dont let them join, and they'd soon get Reported
Why bother?

I cannot possibly justify the time in reviewing every user registration to my forum. My current system does result in thousands of phony registrations, but they will never be able to spam my forum or PM my users.

 

[rkins]

My site is not huge (8600+ members), definitely niche and I get approx 10-15 new applicants a day. And those new applicants are ones that made it through the captcha and questions. Who know how many people don't make it through. I have quite a few people complain about how hard it is to get through the screening process.
I have not seen any bots, just real human applicants. I have a Russian pestering me right now. A few more days and I'll change the questions and scramble them. I use the tools available and have been doing this every day for 16 years.

 

[feldon30]

Now they're cloning posts within the same thread from the previous page. And another user under a different name tried the same post I pasted above. The bots are trying lol.

 

[DigNap15]

My webhost error log shows many (upto a hundred) errors with hackers or bots trying to look for Wordpress links in my website and forum
I do not use Wordpress (it is a magnet for hackers)
Yes they still come everyday, wasting my bandwith

 

[feldon30]

It just gets weirder. Now I've got people registering, setting a plausible avatar, and replying to an automated RSS newsfeed as if that's an interesting topic (it's not!). What do you do when someone is ticking all the boxes of a valid user but yet is obviously trying to get approved so they can spam the membership?

 

[Chris]

Check email address, and location of registration. I block all registrations from some countries, or require them to send a message to register before allowing in.

 

[feldon30]

Check email address

Gmail and Yahoo.

and location of registration.

US and Canada IPs.

I block all registrations from some countries, or require them to send a message to register before allowing in.

I wonder what I would ask to verify they're human.

 

[ThornInYourSide]

1. This is very similar to what I was getting at with this thread: https://www.theadminzone.com/threads/how-quick-can-you-spot-a-spammer.153992/

Odd IDs posting seeming random, barely on topic gobbledygook. Sometimes they bump threads that are years old. Left unremoved, they'll come back in a day or a week, or a month and post spam links.

2. Post moderation is fine for the first few posts in many cases. IF you have the time to review all first few posts of all new members in a timely manner.

Keep in mind the content of your board and the urgency one may feel if seeking help on a tech type forum. They want help NOW, not in a few days or hours when an Admin gets around to approving posts. One board I signed up for took about two days to approve, and it was a low traffic board. Not many new members each month, let alone each day.

I'm on a couple of boards where a broken down piece of machinery out in a field is a REALLY bad thing. A new member is seeking information NOW so they can go back out in the field and get the machine running to get it back to the barn. Tomorrow might be too late and the machine might be further damaged.


3. Questions? Challenges? Yes there can be too many. You don't want to alienate new members before they even get registered.

I wonder what I would ask to verify they're human.

One of the boards I'm on asks questions like 'What color paint does Brand A use on their products?' That's a question that valid members would know right off without even thinking, but a bot likely would not know how to respond to.