'Copybot' and forum security

Hello

This is another thread to talk about things on the forum itself, particularly spam. Hopefully the moderators and web project manager can join here and allay any fears about technical risks. The last thread, called 'Chat Bot' was partly about how you tell the difference between a genuine user and abuse, and has reached 167 replies, so it was suggested that we start a new thread for each subject. There's also a thread from the last few months called 'Mods Please Make the Spam Stop', which has covered some of this and also covered the times when obvious spam is left on this forum. I don't personally think it's a massive problem, especially compared to some other forums, but it may make people uneasy unless it's dealt with in a clear way.

As I understand it, and  or  or @WebPM can correct me, every interactive site on the web is subject to some abuse, and the forum software the NAS uses (Telligent Community) has some automated ways to detect and moderate this. However, occasionally some advertising for irrelevant products isn't so obvious, and gets through. There are also some other 'borderline' things, where we're not sure if the user is genuine, and interact with them very cautiously. The way this is supposed to work is that we, the forum users, readers and contributors, help detect the probable spam and click on 'Report as abusive' which pops up when you click the 'More' button below any post or comment. The moderators then consider this, and take action such as locking or deleting the thread. There's also a 'report as abusive' button on each user's profile for occasions when it looks like the only purpose of the account is spamming or trolling.

[Sorry I'm being so verbose.]

The story so far

In the past week or two (May 2018), besides a small spam outbreak advertising pills and stuff, we've noticed what we're calling 'Copybot', which starts new threads by copying something someone real asked several months or years ago. This causes some confusion as people might start responding to these forgeries, not realising the question is very old and has probably been answered. There have been requests, mostly on the other two threads mentioned above, that the NAS checks its site security, and suggestions about how the site could better prevent Copybot.

I've actually only counted six Copybot threads so far, as of 7 June 2018. I think three of these have been deleted and three locked by the moderators, although some stuck around for several days. (Edit: since then there have been quiet periods and times of ten copied threads per week, which I've been listing at the bottom of this thread.)

What is Copybot?

Copybot is the name we (I) gave to whatever was behind the occasion when three threads showed up, from two users, that looked a bit suspicious partly because the two posts from the same account seemed to be from different people: one a parent, the other an autistic young person.  Since then we've had a few more, mostly appearing overnight. The threads look like they come from a new user with no avatar image and the standard "NAS3nnnn" name. The posts are usually well-written and relevant to autistic individuals and families - which is hardly surprising, because it's copying most of the text from another post. The title is usually transformed a little so 'How to find a girlfriend' became 'I can't find girlfriend', and other ones include 'please everybody help me' to get extra attention - this transformation is apparently automated, in a way that recognises some English phrases, and chooses a random variation on it. Occasionally the fake title can be taken from the first sentence of the post instead.  Sometimes people respond to the bot posting as it sounds genuine, but unsurprisingly I've not seen the bot reply. This is stealing people's real concerns and questions, which we find a bit creepy.  Sometimes the text that is copied is truncated, either omitting the sign-off, or stopping at a punctuation mark.

[Here is probably a good place to stop reading.  It may be too much information already.]

Several theories have been suggested as to Copybot's motives, such as that Copybot will eventually post malware links or impersonate a genuine user so well that personal information is compromised. However, I think it is simply a side-effect of trying to defeat anti-spam systems. If a bot registers and starts posting spam immediately, it's likely to get picked up by the automated anti-spam. If it registers, waits a bit, posts something apparently sensible, which people reply to and nobody complains is abusive, then it gains 'reputation', and when it does post spam, it's 'cleanlisted' and the spam appears on the site without moderation, and can go unnoticed which is why it seems to wait over two months to replace the copied text with spam. Also, if the copied post is automatically detected or treated as spam, then the anti-spam text-detection software may get a bit confused (technically this is sometimes called 'poisoning' a Bayesian classifier) and so won't be able to detect adverts for pills and so on so accurately.

A web search for "hi guys, i have a question about" and "i have a question, need help" shows that around June 2018 Copybots also started posting to other forums that use other types of forum software, including phpBB, myBB, vBulletin, Vanilla, Invision Community and Discourse. (Only in a technical Plone Discourse forum did I see someone notice that people were responding to bots, although moderators delete some threads.) The earliest Copybot thread I've found on the web is called "a quick question about business or public courses" on the thoroughly infested "Singapore Expats Forum" dated 26 April 2018, where the content was obviously different originally and then replaced with Vietnamese spam (I'm not linking to it for obvious reasons).

How to check, and what to do if there is a Copybot sighting

I've recently been on the forum a lot, and when I see any new post by someone I don't recognise, I check it. First I look at the post, and think about whether the title is written in a matching style to the text; then I look at the first few words and see if they also appear in the 'Related' bar to the right below one of the titles, and if they do, I look at that other post. I also might hover over the user name or avatar of the NASxxxxx poster to get a pop-up that shows how many 'points' they have; or follow the link on that user name to see their profile. So far, for Copybot, there's been nothing written on the profile, and there are 7 or 14 'points'. (An account gets 7 points for each thread started, and 5 for a reply, so 21 might also be suspicious, but we haven't seen a single account as active as that yet.) You can also check the 'Activity' tab of the profile to see if the posts are consistent and genuine.

If still suspicious, I also see if there are distinctive words or phrases and search to see if those have happened before. For example if the phrase 'depersonalization symptoms' appears, that's pretty rare with an unusual spelling, so I can put that into the search bar at the top and press 'Return' - if it shows a previous thread I check that. You can also check using a standard web search engine, by taking half of a well-written sentence (maybe six to ten words or so), putting double quotation marks (") around it and searching - if it only comes up with the latest NAS page, I'd assume it's not Copybot and we have a welcome post from a new user. If it comes up with other, older hits (I've not seen any from outside the NAS site yet, but it's possible), then I compare the two passages to see if they are more or less identical, and if the new post really is a copy.

If it looks genuine to me, I may like the post, or try to add a quick response, hoping other regulars know I check for Copybots. (It probably isn't appropriate to just say 'you're not a bot' politely, and ignore what the real human poster has said.)

If I find it's a copied post, what I do is:

  1. Reply to the post to warn people that 'this is a copy of a thread from...(however long ago)' and use the word 'Copybot' - this helps find current spam threads without linking to them.
  2. Copy in a full link to the original, genuine thread, (a) so the moderators can verify the copying issue; (b) so people interested in the issue can see other people's responses and contribute their own somewhere that is not likely to be deleted.
  3. Ask the moderators to delete or lock the post, and to moderate the user.
  4. Try not to link to the copybot post from other threads, as that may improve the search engine ranking of the page or bot.
  5. Click 'report as abusive' on the post
  6. Click 'report as abusive' on the user

[OK, it really does get dull and technical after this.]

Then it's up to the moderators to lock or delete the post as appropriate. Maybe more abuse reports from different people catches the moderators' attention more. If someone has added a valuable additional reply, I don't see any problem in locking the thread so that reply, and the link to the original thread, is still available. They may want to reassign the post to 'Deleted user' to prevent the spammy user from posting more copies or spam, but

If no obvious action is taken, then I suppose we can communicate with the moderators by mentioning them in this thread, via Direct Message if we've already had a message from them, or the communitymanager@nas.org.uk address. Forum rules are here by the way: community.autism.org.uk/.../rules

Technical countermeasures

If this becomes a bigger problem, something more may need to be done until Copybot gives up. DongFeng5 suggested using a 'hash' of the text of a post to check for duplicates in an automated way, or use the type of software that claims to score plagiarism by students. I think this is something NAS would have to suggest to the software suppliers as a feature request. I know a bit about this subject (I've written hundreds of anti-spam regexes for a job), and a 'fuzzy hash' should be possible and cope with minor text changes. However, Copybot may also copy anything about autism from other sites so as not to be detected  - someone said copied text from an article about baseball had also been used - or possibly use a Markov-chain text from multiple sources to generate random, but vaguely realistic, text. (We have also seen a short post, probably the same or a different bot, keyed to the forum title by NAS38283.)

Copybot seems unable at the moment to set an alias, avatar photo or profile text on Telligent. Therefore requiring a non-default alias in order to post may stop Copybot until its full features are implemented. It has been suggested requiring some kind of name would at least overcome the problem of not being able to tell the difference between 'NASnnnnn' users. If it is possible to require this in the current forum software settings it would seem worth doing. The accessibility problems with screening signups with reCAPTCHA are probably prohibitive given many people with communication difficulties, and a maths Captcha probably wouldn't work. The software does have an option for custom fields to be mandatory. On some other forums, a bot sometimes posted spam in Vietnamese about cosmetics and pills and called itself 'amelinda' or 'philomena', so requiring a non-default alias to post may or may not stop Copybot.

StopForumSpam.com seems to be tracking a lot of related spammers, and there should be a free plugin for SFS for Telligent, although it's not listed on the SFS site. See also Project Honeypot, another free anti-spam service which is basically an IP address blocklist. A simple addition would be to use GeoIP to check for forum submissions from particular Asian countries, or if that's not possible could explicitly ban or firewall the main Vietnamese ranges.

Making the site HTTPS, partly to protect anyone from having their site password compromised if using unencrypted wireless, has also been suggested. This was done in June. It had no effect on Copybot. A related consequent suggestion was permitting non-alphanumeric characters in passwords.

[Oh, blimey. I do go on.]


Etc

We can also use this thread to report any new instances of Copybot, although I think adding a comment identifying it as Copybot and reporting it as abuse, as described above, is better.  Perhaps mentioning the NAS number without linking would show a useful pattern in the spam signups.

The weather forecast for today, Thursday 7th June 2018 is: no Copybot sightings. Nothing on Friday either, so we're doing well. In fact I haven't noticed a peep out of it until:

Saturday 16 June.

  • NAS37990, approx 4am - thread locked around 9pm, user still exists, but presumably moderated.
  • NAS37991, approx 10am - locked by Monday afternoon, user still exists, but probably moderated
  • may be worth checking IP addresses for NAS37988 NAS37989 NAS37994 NAS37995 to see if part of pattern

Tuesday 19 June:

  • NAS38026, approx 4pm - (one reply) thread locked on Wednesday, user in moderation (check ...27 and ...28?)

Thursday 21 June:

  • NAS38049, approx 10am. Two threads both titled 'NEED HELP?', copying parts of different threads, 5 minutes apart. Not locked as of 10:40, reported and deleted some time that day.

Friday 29 June:

  • NAS38140, about 7am. First since HTTPS enabled. Thread taken from 'Autistic adults' category and copied there. Title 'Talking' transformed to 'hi guys, i have a question about Talking, please help me'. Reported 7pm. Locked within a day or two.

Thursday 5 July:

  • NAS38186, approx 5am, copied thread to same forum (Miscellaneous and chat) with inappropriate title 'need help?' Reported, deleted within 24 hours.
  • NAS38188, approx 8am, copied two threads to the same respective forums (adults, h&wb), one replaced as 'How to adult wetting ?', other as 'hi guys, need help'. Reported and later deleted or locked.
  • NAS38187, NAS38185 might also need checking out.

Friday 6 July:

  • NAS38195, approx 8am, copied two threads to their respective forums within a minute of each other. The threads chosen were both 3 or 2 months old and have titles a bit similar to Copybot's replacements, 'Help me, please' and 'Hi there'  respectively. Reported, and deleted within 5 hours.
  • NAS38196, approx 10am, spotted by Graham; copied two threads to their respective forums, one very current, both retitled 'need help?' with differing case. Reported and deleted within 5 hours.
  • It does look like copybots come in clusters or avalanches; either the botmasters step up spamming for money, or it's the weather. The fact they mostly occur in the morning might just be when bots in Asia are online, like vulnerable versions of Windows.

Mon 9 July:

  • NAS38230, copied 'what does the diagnosis mean?' to 'A quick question about diagnosis' (recognising key noun?).
  • about a day later, copied '3099/what-s-mild-autism' to 'hi guys, i have a question, please help me !' Both prompted sincere responses, and had head content replaced by mods and locked after 2 days.

Weds 11 July:

  • NAS38261, posted ~9am, copied 1 week old thread 'Are things JUST different?' from autistic adults to misc-and-chat. copied 'Musicals' to 'Hi there' in introduce yourself. Identified by Martian Tom & Nada.
  • NAS38263, copied 'What is Alpha Stim?' in 'Miscellaneous and chat' forum to 'a quick question about Alpha Stim'.
  • The above five posts still unlocked as of 1pm, but locked as of Thurs am.

Thurs 12 July

  • NAS38270, about 3am, copied two threads, one a week and one three months old to same forums. Titles were both 'i have a question, need help?', but one included a space before the comma. Reported, and both threads deleted the same day.
  • NAS38272, about 12noon (shortly after site was back from scheduled maintenance), copied a thread about a year old to the same forum keeping the same title, 'New to all of this and just saying hello', but dropping the first paragraph. Notably the original thread included today's date, 'july 12'. Reported.

Friday 13, copybotageddon

  • NAS38279 spammed two or three replies (with contact details, may have been essay writing spam) to a current thread. Reported and deleted.
  • NAS38280 at 7.30am copied two (?) threads to same forums, parsing the second title into 'a quick question about classified'. First deleted, second OP text replaced but not locked.
  • NAS38283 around 9am did not copy but used a common Copybot title 'Need help?' and minimal text 'My baby has sinusitis. Is there a way to minimize it? Thanks' possibly keyed to 'Health and Wellbeing' forum title. (Does anyone real use OUP's '-ize' suffix?) Reported user and later post. No apparent action, but user may be moderated.
  • NAS38284 at 8am copied two threads to same forums. The first had been copied before. Possibly these were selected for similar 'hello' and 'question' title patterns. Both deleted promptly.
  • Suspect all these, except possibly the first, are part of the same botnet given timing proximity and similar titles. A regular forum member discusses leaving because of copybot etc.
  • After web research, added edit above about 'other types of forum software' and ideas in 'technical countermeasures'.

Saturday 14 July

  • NAS38296 around 0830 copied a thread, retitling it 'A few question about Autism friendly'. Reported and deleted (or moved to abuse queue; included two new replies; ) within an hour or so.
  • NAS38297 around 0830 copied a thread, retitling it 'question about talking therapy ?'. Reported and promptly deleted.
  • Flashback. Three months earlier: NAS37248 posts a thread 'HELLO!!', apparently copying a post from single mother of an autistic young man. This attracted five replies from genuine users including a moderator.
    • Head post text has now been replaced by Vietnamese (or Lao?) text as if from beauty website and three links - this is similar to what has happened on other forums where the original post has been left for over two months. No other activity recorded from NAS37248. Reported and commented (without link to what it copied since that was unknown), and apparently deleted within two hours along with replies.

Sunday 15 July 8am.... coast clear so far.
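
The duplicate check suggested under 'Technical countermeasures' above, sketched as an added example (it is not part of the original post and not Telligent's code). It scores how much of a new post's body is contained in an older post, so truncated copies and copies with a stock greeting prepended still match; the shingle size, threshold, thread ids and sample texts are all constructed assumptions.

```python
import hashlib
import re
from collections import Counter, defaultdict

SHINGLE_WORDS = 5   # assumed window: five consecutive words per shingle
THRESHOLD = 0.6     # assumed cut-off for "probably a copy"


def normalise(text):
    """Lower-case and keep word tokens only, so case, spacing and
    punctuation edits do not change the fingerprint."""
    return re.findall(r"[a-z0-9']+", text.lower())


def shingles(text, k=SHINGLE_WORDS):
    """Return the set of hashed k-word windows in the text.
    Posts shorter than k words yield an empty set and are never flagged."""
    words = normalise(text)
    out = set()
    for i in range(len(words) - k + 1):
        chunk = " ".join(words[i:i + k]).encode("utf-8")
        out.add(hashlib.blake2b(chunk, digest_size=8).digest())
    return out


class CopyIndex:
    """Inverted index from shingle hash to the ids of posts containing it."""

    def __init__(self):
        self._by_shingle = defaultdict(set)

    def add(self, post_id, body):
        """Index the body of an existing, genuine post."""
        for s in shingles(body):
            self._by_shingle[s].add(post_id)

    def best_match(self, body):
        """Return (post_id, containment) for the indexed post that shares
        the most shingles with `body`. Containment is the fraction of the
        NEW post's shingles found in the old one, so a copy that drops the
        sign-off or the first paragraph still scores close to 1.0."""
        new = shingles(body)
        if not new:
            return None, 0.0
        hits = Counter()
        for s in new:
            for post_id in self._by_shingle.get(s, ()):
                hits[post_id] += 1
        if not hits:
            return None, 0.0
        post_id, shared = hits.most_common(1)[0]
        return post_id, shared / len(new)

    def is_probable_copy(self, body, threshold=THRESHOLD):
        """Return (flag, matched_post_id, score). Only the body is scored:
        the thread notes that the bot rewrites titles, so titles are no use."""
        post_id, score = self.best_match(body)
        return score >= threshold, post_id, score


# --- constructed sample data (not real forum posts) ---
ORIGINAL_ID = "thread-0001"
ORIGINAL = (
    "Hello everyone. My son was diagnosed last year and we are still waiting "
    "to hear from the local support service. Has anyone found a way to speed "
    "up the referral, or is it just a matter of waiting? Any advice would be "
    "welcome. Thanks, Sam"
)
# Copy that stops at a punctuation mark and omits the sign-off.
TRUNCATED_COPY = ORIGINAL[: ORIGINAL.index("waiting?") + len("waiting?")]
# Copy that drops the opening sentence and prepends a stock greeting.
PREFIXED_COPY = "hi guys, " + TRUNCATED_COPY[len("Hello everyone. "):]
GENUINE_POST = (
    "I have just joined the forum after my own assessment and wanted to "
    "introduce myself properly before asking anything."
)
SHORT_POST = "Need help?"


def build_demo_index():
    """Build an index holding the one constructed original post."""
    index = CopyIndex()
    index.add(ORIGINAL_ID, ORIGINAL)
    return index


if __name__ == "__main__":
    idx = build_demo_index()
    for label, body in [("truncated", TRUNCATED_COPY), ("prefixed", PREFIXED_COPY),
                        ("genuine", GENUINE_POST), ("short", SHORT_POST)]:
        print(label, idx.is_probable_copy(body))
```

Short generic posts such as the 'Need help?' one produce no shingles and pass through, and text copied from another site only matches if that site's text is in the index, which is the limit the post itself raises.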

  • Drat, it's still happening. Thanks for flagging those up. So far as I can tell one (NAS38335) is genuine although 'just saying hi.' seems like a generic thing a bot could add to the start of a copied post. I can't find the text elsewhere on this forum though, unless it's been deleted.

    The other (NAS38336, titled 'need help?'), which also posted about 5am today Tues 17 July, is definitely a bot and I've reported it (for some reason the 'More' button gave me a 'Flag as spam/abuse' option at first, rather than 'Report as abusive'). It's a generic text, not copied from the forums. Knowing the country of origin would make it clearer.

    And just while I've been typing this around 0830, two more, NAS38337 ('question about Overwhelmed ?') and four minutes later NAS38338 ('a quick question about emotions', copying this to same forum), very suspicious from the titles. Disappointing nothing that's been done, settings or removing Copybot's first post, has stopped them. Still, one genuine new member out of four, I hope.

    Anyone else want to also report the copied posts? According to the WebPM once enough people do, they should just vanish into the recycle bin.

    HTH. HAND. (Hope that helps. Have a nice day.)

  • Couple more in the past few hours, possibly...

  • ...This means that whatever the Title, we are stuck with it? Certain Users whose Threads are wa-a-a-ay popular, can no longer DOT a Title to stop responses when their own circumstance changes? (   .   ) One has 30 Minutes in which  to weigh regrets? And what if there is an unexpected Sign-Out or Error?

    I do know some forums that only give you about 5 minutes before what you wrote becomes fixed. Yes, it applies to the main text and the title. I suppose if you need to remove or correct something, you can add the correction in a reply, and/or contact the moderator to ask them to delete or change it for you. Maybe this rule will be removed again if it's not necessary.

    ...I also thoroughly agree with Cassandro pointing out that this would have absolutely no effect upon Automated Spam, here.

    Copybot wouldn't be able to come back two months and replace the copied post with its own spam.  But how would it know to stop copying more posts? It can't check if it will be able to edit its posts, if we haven't left any of its posts to edit!

    (Actually it looks like one has been left unlocked, by NAS38280. Otherwise I think they're all gone.)

    It's possible that any successful, editable post causes the botnet to target this site. From the web logs the website manager might be able to see what tests precede a copybot posting, such as checking a previous copy is still there, or still editable. If the forum looks like a likely host for spam, the bot keeps trying to post, so actually the rate of spamming may increase exponentially, which was what it felt like we were beginning to see.

    I wrote:

    how the original post text was replaced with spam

    Ah yes, that was ambiguous. The copied text (the 'original' or initial copybot posting) had been replaced with spam. I'd maybe clarify what I wrote if I could edit. [Grinning]

    Good night. [Zzz]

  • Yes, I was thinking about whether such a policy could help. It's probably OK for most people, although inconvenient for me particularly on this thread because I kept editing the head posting. Is 30 minutes the maximum? I'm not sure if Copybot tests for this condition — if it doesn't that doesn't help with the problem of deceptive copies being posted in the first place.

    ...Same here, definitely. (Excuse me for next adding - !!!!!!!!!?!!!?!?!!)

    ...This means that whatever the Title, we are stuck with it? Certain Users whose Threads are wa-a-a-ay popular, can no longer DOT a Title to stop responses when their own circumstance changes? (   .   ) One has 30 Minutes in which  to weigh regrets? And what if there is an unexpected Sign-Out or Error?

    ...I also thoroughly agree with Cassandro pointing out that this would have absolutely no effect upon Automated Spam, here. Apart from that... um, good job, anyone... !

  • I'd be lion if I said I was sure there was no risk from the little cheetahs.

    A purrfect answer and one which gives paws for thought.  And yes siamesey about you re-siting my deleted post. I'm feline fine about that.

    Sorry, I am sure there must be more puns but don't want to invoke the off-topic claws ....

  • Hi

    Thanks for attending to this.

    when we are trying to deal with misuse of the forum, saying openly what we are doing may not be a good idea

    Understood... although that's kind of 'security through obscurity' and the spammers will work it out eventually.

    I did update the 'Technical countermeasures' section over the weekend (so ideas like fuzzy hashes of paragraphs remain, plus mention of a couple of anti-spam databases). If this were free-libre or open source software it would probably be publicly discussed on a bug tracker, but it seems this supplier doesn't like bugs or feature requests being public.

    The motivations of "copybot" threads are not, to be honest, too clear.

    It's clear to me that the motivation is to evade anti-spam measures. I always assumed they would come back and replace the text, and now have evidence that is happening on this forum and others (see head post). I'd assume it's just 'ordinary' spam as opposed to malware, and for some reason there's lots of money in beauty spas in south-east Asia.

    On the basis of that, I have just limited editing to 30 minutes after the post was made. Apologies if this inconveniences anyone, but it should enable you to correct anything should you rethink, or spot a typo, after posting, whilst making it harder to change the whole nature of a message after people have already started to reply to it.

    Yes, I was thinking about whether such a policy could help. It's probably OK for most people, although inconvenient for me particularly on this thread because I kept editing the head posting. Is 30 minutes the maximum? I'm not sure if Copybot tests for this condition — if it doesn't that doesn't help with the problem of deceptive copies being posted in the first place.

    I think we've removed the "copybot" threads before that could happen (assuming that it was the intention)

    I think we've been very thorough with ones to date. That one that had been replaced slipped through before we were aware of the problem.

    Using the "report as abusive" facility is helpful - if enough people report the same message, it will go into moderation automatically, so you can, together, reduce the spam.

    To other forum users: yes please report message and account! I can understand you not wanting to say what the threshold is set to.

    It's not necessarily important precisely which rule is broken. This kind of situation is where forum operators invoke their right to delete any posting.

    Right. As I say, spambots aren't people. We're not going to offend them.

    The messages are designed (by those posting them) to be hard to spot. That, I believe, is the point of copying existing messages - more advanced forum systems now have ways to spot randomly-generated text and the like, and off-topic messages are really obvious, so copying something genuine is a way to get a message to post that is less likely to attract attention from either the moderators or any automated systems. It's quite clear that this is a problem being suffered on various forums, on topics as varied as animation, gaming and Web browser technology.

    Exactly.

    To be quite clear, in response to a couple of comments above, messages can only be edited by their authors, and by the moderators and administrators. Copybots are regular users and would be subject to these rules, like everyone else. So I would be very concerned about any suggestion that a copybot was modifying someone else's messages, as opposed to messages posted from the copybot account.

    Yes, that would be a security bug. I've not seen any evidence of such a thing happening (and if Copybot knew how to use it it would have done so). If I've suggested any user can edit another's posts please point it out so I can correct my post... (or not... [Grinning])

  • Yes, I'm still here. We have been doing work on this, even if we have not posted. Forgive me if I'm not too detailed in answering the above questions. Of course, anyone can read everything I post and, when we are trying to deal with misuse of the forum, saying openly what we are doing may not be a good idea! That said, this is clearly still an issue in spite of the limited steps so far.

    The motivations of "copybot" threads are not, to be honest, too clear. Where links are included, then it's fairly obvious spam. Most of these threads have not included links. There's a note above about a thread where the offender apparently waited for some replies to make the thread look genuine, and then went back and added the link spam. On the basis of that, I have just limited editing to 30 minutes after the post was made. Apologies if this inconveniences anyone, but it should enable you to correct anything should you rethink, or spot a typo, after posting, whilst making it harder to change the whole nature of a message after people have already started to reply to it.

    However, in most cases, and with the help of people here, I think we've removed the "copybot" threads before that could happen (assuming that it was the intention). Please continue to flag problem threads - the attentiveness of our users has been valuable. Using the "report as abusive" facility is helpful - if enough people report the same message, it will go into moderation automatically, so you can, together, reduce the spam.

    It's not necessarily important precisely which rule is broken. This kind of situation is where forum operators invoke their right to delete any posting.

    The messages are designed (by those posting them) to be hard to spot. That, I believe, is the point of copying existing messages - more advanced forum systems now have ways to spot randomly-generated text and the like, and off-topic messages are really obvious, so copying something genuine is a way to get a message to post that is less likely to attract attention from either the moderators or any automated systems. It's quite clear that this is a problem being suffered on various forums, on topics as varied as animation, gaming and Web browser technology.

    To be quite clear, in response to a couple of comments above, messages can only be edited by their authors, and by the moderators and administrators. Copybots are regular users and would be subject to these rules, like everyone else. So I would be very concerned about any suggestion that a copybot was modifying someone else's messages, as opposed to messages posted from the copybot account.

  • Hello. This is addressed to , and the @WebPM who I hope is still in this thread, about what can be done about the continuing 'stealth spam' we're calling Copybot.

    I've added more information to the main post and above since the weekend, as last week it was particularly disruptive, wasting people's time and causing one regular forum contributor to declare he was taking time out. I admit the copybots got me confused myself yesterday and I overzealously reported a new NASxxxx user (now called 1986) who submitted a three-letter test post: — apologies to all concerned.

    The ideal is if this activity could just be stopped. I may have got slightly obsessed with mitigating copybot, but do have better things to do. So can I ask some of the following questions please, and apologies if they are seen as interfering:

    • Have NAS staff or volunteers contacted the suppliers about the Copybot problem?
    • Has there been any response?
    • Are they aware of this thread, which may well be the fullest description of the problem on the public web?
    • Are there any proposals to fix it, and how long will it take?
    • Have NAS considered any plugins or configuration options that might reduce spam that has non-spammy text?
    • Do NAS have records of the originating countries of the copybot activity? (This would seem not to be personally identifiable information, since it doesn't relate to a person, and is too general to identify an individual.)
    • If there is no current obvious technical solution, can the moderators take on the screening of new accounts themselves? (Mid-morning seems a good time to check.)
    • At the moment it isn't possible to see if a Copybot user has had their moderation flag set. Would it be possible for moderators to confirm this somewhere?
    • Is it possible for a bot to edit old posts when the moderation flag is set?
    • Is there a guideline about how long an abuse response is?
    • Is there anything else we can do to help the moderators and reduce the disruption?

    Thanks.

  • It looks like today is mercifully free of copybots. For newbies, please be a little cautious responding to posts started by 'NAS(number)' particularly if the title is something like 'question about (Something), please help'. Nothing terrible will happen if you do respond, but the post may be by a bot as described above, so you'll be wasting your time. Also you might like to make sure your own profile includes a name or an avatar picture so we can recognise you as genuine — just go up to the top right of the page and then Profile > Edit Profile and click on your name or picture to change them.

    It is tedious, but I feel it is time to re-raise the subject of copybot spam with NAS staff and volunteers. On Saturday I went looking through pages on the forum from about three months ago, and found what I expected, a single post to which people had replied and which had been replaced with spam in Vietnamese.  Because it had been replaced by the bot I was unable to find what thread it had copied, but it seemed to be from a single mum looking for services for her son. However, I do have a cache of the thread, including responses by Heather-Mod, DragonCat16, NAS37159 (genuine) and California. You can find it in Google cache by searching for "My son is 24 and was diagnosed with Aspergers when he was 6" which shows how the original post text was replaced with spam. It may be that this spamming technique originated in Vietnam (there's also a public database associating the usernames with Vietnamese IP addresses, and the timing of the postings is consistent with Asian PCs), but the bot transforms titles according to English rules. Therefore the botnet may be hired out to gangs elsewhere in future. The intention is what is often called 'Blackhat SEO', getting more incoming links to a spammy site.

    Having found it, I added a note and reported it and the whole thread was deleted, including a response to my comment by Trainspotter. I hope it's OK by Trainspotter to move that conversation here.


    Cassandro said:
    Looks like our earliest example of a copybot (similar to that seen on other sites). Apparently had copied a post from single mother of an autistic young man, and after 2-3 months has returned and replaced the text with something in Vietnamese about beauty treatments, with three links (probably just spam, but could be malware).

    Could the NAS Moderator please remove (or restore?) the OP text, and moderate NAS37248?

    Trainspotter said:
    Looking at this thread confused my computer.  It crashed at the thought of all that incomprehensible (to me) language.

    Somewhere in the conditions is that we should converse in English.  That being said, this post should be deleted or changed back to the original and then locked.

    These 'copybots' often have consecutive ids, seemingly launching a concerted attack.

    And is this going to be one thing they do, change their original post to one offering dubious services with links to even more dubious websites?  I have not followed the lynx, I think the cat may roar, bite and scratch.


    Looking at this thread confused my computer.  It crashed at the thought of all that incomprehensible (to me) language.

    Maybe I should have thought about that before bumping the thread, sorry. It's possible your computer loaded a full Unicode typeface that took up a lot of its memory, just in order to show the accented characters. I'll not post samples of the Vietnamese text, but basically it's about beauty services.

    Somewhere in the conditions is that we should converse in English.

    Remember this is a bot. The conditions were written for people who might read and respond according to rules. The bot doesn't understand rules, and doesn't have rights or a need to communicate. So even if it posts something that doesn't break any of the rules that were meant for contributors, it's still abuse.

    I suppose rule 7 covers this activity for human spammers: 'We do not allow users to register an account with us primarily to advertise, or sell, products and services.' A bot is a user as far as the forum software is concerned, but I would say is not a 'user' in terms of the rules or everyday language. You could argue that the botmaster or programmer was human and could obey the rules. However, they're not interested in forum dialogue either and I bet have never even heard of the National Autistic Society.

    That being said, this post should be deleted or changed back to the original and then locked.

    I think being changed back would have been slightly preferable, so that the subsequent discussion (still in Google cache) wasn't lost. (I'm also curious what the original thread was. It's not in the Wayback archive.)

    These 'copybots' often have consecutive ids, seemingly launching a concerted attack.

    True. There's certainly variation over time, and it's accelerated since 5 July. Copybot will probably not want to be predictable. It may be one bot instance (infected Windows PC, or possibly spammer's own equipment) that registers one account to post two threads, or two accounts to post one thread each. On the other hand, since it posts around the morning, it could be that proper users aren't registering much in that time so the user IDs are consecutive by mere coincidence.

    And is this going to be one thing they do, change their original post to one offering dubious services with links to even more dubious websites?

    I believe so. From looking at its activity on other forums, I think copybot waits for at least two months for any discussion to die down so it can furtively swap in the spam text without being noticed. If it posted a new thread that would of course appear at the top of the discussion list.

    I have not followed the lynx, I think the cat may roar, bite and scratch.

    I'd be lion if I said I was sure there was no risk from the little cheetahs.

    More to come still, I'm afraid.

  • Thanks DC, Lonewarrior, & Graham & Tom & Nada for noticing the bots. On a bit of a break, yes, so hadn't been monitoring. Meaning to come back to my knotty problems soon.

    I'll add the copybot sightings to my notes above, but actually should resist the pointless tendency to make them exhaustive. Still hoping  and @WebPM will find a solution, although it's a fairly new development in the 'anti-spam arms race' that the software developers have to deal with.

    It's good that we're all recognising the suspicious titles (as well as the text we've read before). I assume it helps them be deleted before causing confusion if several of us 'report as abusive'.

    (For moderators, and possibly software developers, and Dongfeng may want to comment: I suggest the same policy as before. If there are no significant replies, delete the thread; if there are, and sometimes people put a lot of thought into a response, it seems they can't be moved to the genuine thread, so best to lock it and link to the original. In any case, moderate the user, and if possible report the IP address upstream, to Akismet or whatever. Perhaps GeoIP or Project Honeypot can be used to weight the chance of initial moderation, along with title patterns and matching hashes of previous text. Could also look at how bots monitor their own posting success.)
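
The 'matching hashes of previous text' suggestion in the post above, sketched as an added example that is not part of the original post and not Telligent's or the NAS's own code. The five-word window, the 0.6 threshold, the seven-day account-age cut-off and all names and sample texts are assumptions made for illustration.

```python
import hashlib
import re

def shingle_hashes(text, k=5):
    """Hash every run of k consecutive words after lowercasing and stripping punctuation."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    if len(words) < k:
        grams = [" ".join(words)] if words else []
    else:
        grams = [" ".join(words[i:i + k]) for i in range(len(words) - k + 1)]
    return {hashlib.sha256(g.encode("utf-8")).hexdigest()[:16] for g in grams}

class RepostIndex:
    """Shingle hashes of archived posts, keyed by post id (hypothetical helper)."""
    def __init__(self):
        self.posts = {}

    def add(self, post_id, text):
        self.posts[post_id] = shingle_hashes(text)

    def best_match(self, text):
        """Return (post_id, score): the share of the new post's shingles found in one old post."""
        new = shingle_hashes(text)
        best_id, best_score = None, 0.0
        for post_id, old in self.posts.items():
            score = len(new & old) / len(new) if new else 0.0
            if score > best_score:
                best_id, best_score = post_id, score
        return best_id, best_score

def should_hold(index, text, account_age_days, threshold=0.6, max_age_days=7):
    """Hold for moderator review when a new account's post mostly repeats an archived one."""
    post_id, score = index.best_match(text)
    return (score >= threshold and account_age_days <= max_age_days), post_id, score

# Constructed sample data, not real forum posts.
ARCHIVE = RepostIndex()
ARCHIVE.add("old-1", "My daughter was diagnosed last year and we are struggling to find "
                     "a local support group that meets in the evenings. "
                     "Does anyone know where to start looking?")
COPY = ("Hi guys, my daughter was diagnosed last year and we are struggling to find "
        "a local support group that meets in the evenings. "
        "Does anyone know where to start looking? Please help.")
FRESH = ("Has anyone tried the new sensory room at the leisure centre? "
         "I went on Tuesday and it was much quieter than I expected.")

if __name__ == "__main__":
    print(should_hold(ARCHIVE, COPY, account_age_days=0))
    print(should_hold(ARCHIVE, FRESH, account_age_days=0))
```

Because the score is the share of the new post's shingles found in an old one, a copied question with a fresh greeting and sign-off bolted on still scores high, while an established member quoting an old post is left alone by the account-age condition.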

  • Reply from Disallowed Cynosure.

    Again to Mr. Cassandro. If you are taking a rest, then please continue to do so! And Thank You again for this Thread and what is done so far.)

    (...nicer if NAS themselves Posted more appreciation, though...)

    Here here ! Yes post a bit more appreciation here,,yes here.

    thank you D.C.

  • (Again to Mr. Cassandro. If you are taking a rest, then please continue to do so! And Thank You again for this Thread and what is done so far.)

    (...nicer if NAS themselves Posted more appreciation, though...)

  • ...I myself may have just spotted another one...?

    "NAS38230" is also a COPYBOT. This is their CopyThread:

    https://community.autism.org.uk/f/health-and-wellbeing/12820/a-quick-question-about-diagnosis

    ...This was from almost 2 days ago.

  • 'Graham'? I can only see one graham 

  • Glad Tidings to Cassandro...

    This is an excuse for myself to post here again. There is another CopyBot sighting, identified by "Graham":

    https://community.autism.org.uk/f/health-and-wellbeing/12828/hi-guys-i-have-a-question-please-help-me

    ...I was thinking some things: Insofar as this FORUM existing, then these Copybots shall continue, and you may have to start a separate Thread listing these - like a Diary of sorts - because your Header will likely increase in length and go on and on and on...

    In case it needs to be said -again (!) - YES this is a very good Thread, and YES it fairly provides a vital service! (I wrote this before but, well, whatever...)

    ...Anyone else, to-day...?

  • (I don't want to keep bumping this thread to the top of more important conversations.)

    Finally... this is my first Post to this Thread, but it is rather directly at Mr Cassandro, however. I quote that there to say that this should NOT be a worry. Without "Maintenance" Threads such as this, then this NAS Forum would be drowning in SPAM... or at least, before you joined, it would have "fallen over" with the amount of ERRORS which cropped up.

    As DongFeng said, it is a curious pity that (some) Users appear to have to do this... but I cannot - dare not - really comment about that. "Community" and "helping one another" and all that...      :-/

  • Do the copybot attacks have a tendency to cluster?

  • Now, I hope it's OK to suggest that the next thing on people's lists seems to be the web server unavailability (IIS giving 503 errors)

    Guess I would support that.

    Sometime soon after that, the password widget should be changed to start accepting non-alphanumeric characters to radically expand the attack space for brute-forcing.

    The current implementation is borked. The headline example is probably that a lot of A**** devices will offer to create a password for you which amounts to 12 useful chars, hyphenated into 4 groups.

    The hyphens mean that the suggestion is immediately rejected by the NAS front-end login process.

  • Of course, now that the forum is on https, it would be a very good idea to CHANGE YOUR ACCOUNT PASSWORD TODAY.

    Yes, I just changed mine.

  • Great, thanks for that. Much more secure.

    I think I noticed something had happened around Monday (because Firefox and NoScript wanted additional permissions to store passwords and so on. Privacy Badger seemed to snuffle around as usual.) HTTPS hasn't had any effect on Copybot, but I didn't expect it to.

    Now, I hope it's OK to suggest that the next thing on people's lists seems to be the web server unavailability (IIS giving 503 errors). It can be down for several hours at a go. I find it a bit annoying when I'm typing a reply and I know the reply button will just freeze (good to copy-and-paste what you've written somewhere else in that case). Anyway I think you've said your web host is looking into it, and it doesn't have much to do with Copybot or security, and is dealt with on its own thread:

    https://community.autism.org.uk/f/miscellaneous-and-chat/11479/what-happened/74405#74405

    And there's another Copybot today, NAS38140, which I've added to the list above and I hope can be blocked from possible unmoderated posting. Is Telligent aware of 'Copybot'?