Published on 12, July, 2020
Hello
This is another thread to talk about things on the forum itself, particularly spam. Hopefully the moderators and web project manager can join here and allay any fears about technical risks. The last thread, called 'Chat Bot' was partly about how you tell the difference between a genuine user and abuse, and has reached 167 replies, so it was suggested that we start a new thread for each subject. There's also a thread from the last few months called 'Mods Please Make the Spam Stop', which has covered some of this and also covered the times when obvious spam is left on this forum. I don't personally think it's a massive problem, especially compared to some other forums, but it may make people uneasy unless it's dealt with in a clear way.
As I understand it, and Ross-Mod or Kerri-Mod or @WebPM can correct me, every interactive site on the web is subject to some abuse, and the forum software the NAS uses (Telligent Community) has some automated ways to detect and moderate this. However, occasionally some advertising for irrelevant products isn't so obvious, and gets through. There are also some other 'borderline' things, where we're not sure if the user is genuine, and interact with them very cautiously. The way this is supposed to work is that we, the forum users, readers and contributors, help detect the probable spam and click on 'Report as abusive' which pops up when you click the 'More' button below any post or comment. The moderators than consider this, and take action such as locking or deleting the thread. There's also a 'report as abusive' button on each user's profile for occasions when it looks like the only purpose of the account is spamming or trolling.
[Sorry I'm being so verbose.]
In the past week or two (May 2018), besides a small spam outbreak advertising pills and stuff, we've noticed what we're calling 'Copybot', which starts new threads by copying something someone real asked several months or years ago. This causes some confusion as people might start responding to these forgeries, not realising the question is very old and has probably been answered. There have been requests, mostly on the other two threads mentioned above, that the NAS checks its site security, and suggestions about how the site could better prevent Copybot.
I've actually only counted six Copybot threads so far, as of 7 June 2018. I think three of these have been deleted and three locked by the moderators, although some stuck around for several days. (Edit: since then there have been quiet periods and times of ten copied threads per week, which I've been listing at the bottom of this thread.)
Copybot is the name we (I) gave to whatever was behind the occasion when three threads showed up, from two users, that looked a bit suspicious partly because the two posts from the same account seemed to be from different people: one a parent, the other an autistic young person. Since then we've had a few more, mostly appearing overnight. The threads look like they come from a new user with no avatar image and the standard "NAS3nnnn" name. The posts are usually well-written and relevant to autistic individuals and families - which is hardly surprising, because it's copying most of the text from another post. The title is usually transformed a little so 'How to find a girlfriend' became 'I can't find girlfriend', and other ones include 'please everybody help me' to get extra attention - this transformation is apparently automated, in a way that recognises some English phrases, and chooses a random variation on it. Occasionally the fake title can be taken from the first sentence of the post instead. Sometimes people respond to the bot posting as it sounds genuine, but unsurprisingly I've not seen the bot reply. This is stealing people's real concerns and questions, which we find a bit creepy. Sometimes the text that is copied is truncated, either omitting the sign-off, or stopping at a punctuation mark.
[Here is probably a good place to stop reading. It may be too much information already.]
Several theories have been suggested as to Copybot's motives, such as that Copybot will eventually post malware links or impersonate a genuine user so well that personal information is compromised. However, I think it is simply a side-effect of trying to defeat anti-spam systems. If a bot registers and starts posting spam immediately, it's likely to get picked up by the automated anti-spam. If it registers, waits a bit, posts something apparently sensible, which people reply to and nobody complains is abusive, then it gains 'reputation', and when it does post spam, it's 'cleanlisted' and the spam appears on the site without moderation, and can go unnoticed which is why it seems to wait over two months to replace the copied text with spam. Also, if the copied post is automatically detected or treated as spam, then the anti-spam text-detection software may get a bit confused (technically this is sometimes called 'poisoning' a Bayesian classifier) and so won't be able to detect adverts for pills and so on so accurately.
A web search for "hi guys, i have a question about" and "i have a question, need help" shows that around June 2018 Copybots also started posting to other forums that use other types of forum software, including phpBB, myBB, vBulletin, Vanilla, Invision Community and Discourse. (Only in a technical Plone Discourse forum did I see someone notice that people were responding to bots, although moderators delete some threads.) The earliest Copybot thread I've found on the web is called "a quick question about business or public courses" on the thoroughly infested "Singapore Expats Forum" dated 26 April 2018, where the content was obviously different originally and then replaced with Vietnamese spam (I'm not linking to it for obvious reasons).
I've recently been on the forum a lot, and when I see any new post by someone I don't recognise, I check it. First I look at the post, and think about whether the title is written in a matching style to the text; then I look at the first few words and see if they also appear in the 'Related' bar to the right below one of the titles, and if they do, I look at that other post. I also might hover over the user name or avatar of the NASxxxxx poster to get a pop-up that shows how many 'points' they have; or follow the link on that user name to see their profile. So far, for Copybot, there's been nothing written on the profile, and there are 7 or 14 'points'. (An account gets 7 points for each thread started, and 5 for a reply, so 21 might also be suspicious, but we haven't seen a single account as active as that yet.) You can also check the 'Activity' tab of the profile to see if the posts are consistent and genuine.
If still suspicious, I also see if there are distinctive words or phrases and search to see if those have happened before. For example if the phrase 'depersonalization symptoms' appears, that's pretty rare with an unusual spelling, so I can put that into the search bar at the top and press 'Return' - if it shows a previous thread I check that. You can also check using a standard web search engine, by taking half of a well-written sentence (maybe six to ten words or so), putting double quotation marks (") around it and searching - if it only comes up with the latest NAS page, I'd assume it's not Copybot and we have a welcome post from a new user. If it comes up with other, older hits (I've not seen any from outside the NAS site yet, but it's possible), then I compare the two passages to see if they are more or less identical, and if the new post really is a copy.
If it looks genuine to me, I may like the post, or try to add a quick response, hoping other regulars know I check for Copybots. (It probably isn't appropriate to just say 'you're not a bot' politely, and ignore what the real human poster has said.)
If I find it's a copied post, what I do is:
[OK, it really does get dull and technical after this.]
Then it's up to the moderators to lock or delete the post as appropriate. Maybe more abuse reports from different people catches the moderators' attention more. If someone has added a valuable additional reply, I don't see any problem in locking the thread so that reply, and the link to the original thread, is still available. They may want to reassign the post to 'Deleted user' to prevent the spammy user from posting more copies or spam, but
If no obvious action is taken, then I suppose we can communicate with the moderators by mentioning them in this thread, via Direct Message if we've already had a message from them, or the communitymanager@nas.org.uk address. Forum rules are here by the way: community.autism.org.uk/.../rules
If this becomes a bigger problem, something more may need to be done until Copybot gives up. DongFeng5 suggested using a 'hash' of the text of a post to check for duplicates in an automated way, or use the type of software that claims to score plagiarism by students. I think this is something NAS would have to suggest to the software suppliers as a feature request. I know a bit about this subject (I've written hundreds of anti-spam regexes for a job), and a 'fuzzy hash' should be possible and cope with minor text changes. However, Copybot may also copy anything about autism from other sites so as not to be detected - someone said copied text from an article about baseball had also been used - or possibly use a Markov-chain text from multiple sources to generate random, but vaguely realistic, text. (We have also seen a short post, probably the same or a different bot, keyed to the forum title by NAS38283.)
Copybot seems unable at the moment to set an alias, avatar photo or profile text on Telligent. Therefore requiring a non-default alias in order to post may stop Copybot until its full features are implemented. It has been suggested requiring some kind of name would at least overcome the problem of not being able to tell the difference between 'NASnnnnn' users. If it is possible to require this in the current forum software settings it would seem worth doing. The accessibility problems with screening signups with ReCapctcha are probably prohibitive given many people with communication difficulties, and a maths Captcha probably wouldn't work. The software does have an option for custom fields to be mandatory. On some other forums, a bot sometimes posted spam in Vietnamese about cosmetics and pills and called itself 'amelinda' or 'philomena', so requiring a non-default alias to post may or may not stop Copybot.
StopForumSpam.com seems to be tracking a lot of related spammers, and there should be a free plugin for SFS for Telligent, although it's not listed on the SFS site. See also Project Honeypot, another free anti-spam service which is basically an IP address blocklist. A simple addition would be to use GeoIP to check for forum submissions from particular Asian countries, or if that's not possible could explicitly ban or firewall the main Vietnamese ranges.
Making the site HTTPS, partly to protect anyone from having their site password compromised if using unencrypted wireless, has also been suggested. This was done in June. It had no effect on Copybot. A related consequent suggestion was permitting non-alphanumeric characters in passwords.
[Oh, blimey. I do go on.]
We can also use this thread to report any new instances of Copybot, although I think adding a comment identifying it as Copybot and reporting it as abuse, as described above, is better. Perhaps mentioning the NAS number without linking would show a useful pattern in the spam signups.
The weather forecast for today, Thursday 7th June 2018 is: no Copybot sightings. Nothing on Friday either, so we're doing well. In fact I haven't noticed a peep out of it until:
Saturday 16 June.
Tuesday 19 June:
Thursday 21 June:
Friday 29 June:
Thursday 5 July:
Friday 6 July:
Mon 9 July:
Weds 11 July:
Thurs 12 July
Friday 13, copybotageddon
Saturday 14 July
Sunday 15 July 8am.... coast clear so far.
Hello. This is addressed to NAS Moderator, Ross-Mod and the @WebPM who I hope is still in this thread, about what can be done about the continuing 'stealth spam' we're calling Copybot.
I've added more information to the main post and above since the weekend, as last week it was particularly disruptive, wasting people's time and causing one regular forum contributor to declare he was taking time out. I admit the copybots got me confused myself yesterday and I overzealously reported a new NASxxxx user (now called 1986) who submitted a three-letter test post: — apologies to all concerned.
The ideal is if this activity could just be stopped. I may have got slightly obsessed with mitigating copybot, but do have better things to do. So can I ask some of the following questions please, and apologies if they are seen as interfering:
Thanks.
Yes, I'm still here. We have been doing work on this, even if we have not posted. Forgive me if I'm not too detailed in answering the above questions. Of course, anyone can read everything I post and, when we are trying to deal with misuse of the forum, saying openly what we are doing may not be a good idea! That said, this is clearly still an issue in spite of the limited steps so far.
The motivations of "copybot" threads are not, to be honest, too clear. Where links are included, then it's fairly obvious spam. Most of these threads have not included links. There's a note above about a thread where the offender apparently waited for some replies to make the thread look genuine, and then went back and added the link spam.On the basis of that, I have just limited editing to 30 minutes after the post was made. Apologies if this inconveniences anyone, but it should enable you to correct anything should you rethink, or spot a typo, after posting, whilst making it harder to change the whole nature of a message after people have already started to reply to it.
However, in most cases, and with the help of people here, I think we've removed the "copybot" threads before that could happen (assuming that it was the intention). Please continue to flag problem threads - the attentiveness of our users has been valuable. Using the "report as abusive" facility is helpful - if enough people report the same message, it will go into moderation automatically, so you can, together, reduce the spam.
It's not necessarily important precisely which rule is broken. This kind of situation is where forum operators invoke their right to delete any posting.
The messages are designed (by those posting them) to be hard to spot. That, I believe, is the point of copying existing messages - more advanced forum systems now have ways to spot randomly-generated text and the like, and off-topic messages are really obvious, so copying something genuine is a way to get a message to post that is less likely to attract attention from either the moderators or any automated systems. It's quite clear that this is a problem being suffered on various forums, on topics as varied as animation, gaming and Web browser technology.
To be quite clear, in response to a couple of comments above, messages can only be edited by their authors, and by the moderators and administrators. Copybots are regular users and would be subject to these rules, like everyone else. So I would be very concerned about any suggestion that a copybot was modifying someone else's messages, as opposed to messages posted from the copybot account.
Hi
Thanks for attending to this.
WebPM said:when we are trying to deal with misuse of the forum, saying openly what we are doing may not be a good idea
Understood... although that's kind of 'security through obscurity' and the spammers will work it out eventually.
I did update the 'Technical countermeasures' section over the weekend (so ideas like fuzzy hashes of paragraphs remain, plus mention of a couple of anti-spam databases). If this were free-libre or open source software it would probably be publicly discussed on a bug tracker, but it seems this supplier doesn't like bugs or feature requests being public.
WebPM said:The motivations of "copybot" threads are not, to be honest, too clear.
It's clear to me that the motivation is to evade anti-spam measures. I always assumed they would come back and replace the text, and now have evidence that is happening on this forum and others (see head post). I'd assume it's just 'ordinary' spam as opposed to malware, and for some reason there's lots of money in beauty spas in south-east Asia.
WebPM said:On the basis of that, I have just limited editing to 30 minutes after the post was made. Apologies if this inconveniences anyone, but it should enable you to correct anything should you rethink, or spot a typo, after posting, whilst making it harder to change the whole nature of a message after people have already started to reply to it.
Yes, I was thinking about whether such a policy could help. It's probably OK for most people, although inconvenient for me particularly on this thread because I kept editing the head posting. Is 30 minutes the maximum? I'm not sure if Copybot tests for this condition — if it doesn't that doesn't help with the problem of deceptive copies being posted in the first place.
WebPM said:I think we've removed the "copybot" threads before that could happen (assuming that it was the intention)
I think we've been very thorough with ones to date. That one that had been replaced slipped through before we were aware of the problem.
WebPM said:Using the "report as abusive" facility is helpful - if enough people report the same message, it will go into moderation automatically, so you can, together, reduce the spam.
To other forum users: yes please report message and account! I can understand you not wanting to say what the threshold is set to.
WebPM said:It's not necessarily important precisely which rule is broken. This kind of situation is where forum operators invoke their right to delete any posting.
Right. As I say, spambots aren't people. We're not going to offend them.
WebPM said:The messages are designed (by those posting them) to be hard to spot. That, I believe, is the point of copying existing messages - more advanced forum systems now have ways to spot randomly-generated text and the like, and off-topic messages are really obvious, so copying something genuine is a way to get a message to post that is less likely to attract attention from either the moderators or any automated systems. It's quite clear that this is a problem being suffered on various forums, on topics as varied as animation, gaming and Web browser technology.
Exactly.
WebPM said:To be quite clear, in response to a couple of comments above, messages can only be edited by their authors, and by the moderators and administrators. Copybots are regular users and would be subject to these rules, like everyone else. So I would be very concerned about any suggestion that a copybot was modifying someone else's messages, as opposed to messages posted from the copybot account.
Yes, that would be a security bug. I've not seen any evidence of such a thing happening (and if Copybot knew how to use it it would have done so). If I've suggested any user can edit another's posts please point it out so I can correct my post... (or not... )
Disambiguating Cynosure said:...This means that whatever the Title, we are stuck with it? Certain Users whose Threads are wa-a-a-ay popular, can no longer DOT a Title to stop responses when their own circumstance changes? ( . ) One has 30 Minutes in which to weigh regrets? And what if there is an unexpected Sign-Out or Error?
I do know some forums that only give you about 5 minutes before what you wrote becomes fixed. Yes, it applies to the main text and the title. I suppose if you need to remove or correct something, you can add the correction in a reply, and/or contact the moderator to ask them to delete or change it for you. Maybe this rule will be removed again if it's not necessary.
Disambiguating Cynosure said:...I also thoroughly agree with Cassandro pointing out that this would have absolutely no effect upon Automated Spam, here.
Copybot wouldn't be able to come back two months and replace the copied post with its own spam. But how would it know to stop copying more posts? It can't check if will be able to edit its posts, if we haven't left any of its posts to edit!
(Actually it looks like one has been left unlocked, by NAS38280. Otherwise I think they're all gone.)
It's possible that any successful, editable post causes the botnet to target this site. From the web logs the website manager might be able to see what tests precede a copybot posting, such a checking a previous copy is still there, or still editable. If the forum looks like a likely host for spam, the bot keeps trying to post, so actually the rate of spamming may increase exponentially, which was what it felt like we were beginning to see.
I wrote:
Cassandro said:how the original post text was replaced with spam
Ah yes, that was ambiguous. The copied text (the 'original' or initial copybot posting) had been replaced with spam. I'd maybe clarify what I wrote if I could edit.
Good night.
Cassandro said:Yes, I was thinking about whether such a policy could help. It's probably OK for most people, although inconvenient for me particularly on this thread because I kept editing the head posting. Is 30 minutes the maximum? I'm not sure if Copybot tests for this condition — if it doesn't that doesn't help with the problem of deceptive copies being posted in the first place.
...Same here, definitely. (Excuse me for next adding - !!!!!!!!!?!!!?!?!!)
...This means that whatever the Title, we are stuck with it? Certain Users whose Threads are wa-a-a-ay popular, can no longer DOT a Title to stop responses when their own circumstance changes? ( . ) One has 30 Minutes in which to weigh regrets? And what if there is an unexpected Sign-Out or Error?
...I also thoroughly agree with Cassandro pointing out that this would have absolutely no effect upon Automated Spam, here. Apart from that... um, good job, anyone... !