'Copybot' and forum security

Hello

This is another thread to talk about things on the forum itself, particularly spam. Hopefully the moderators and web project manager can join here and allay any fears about technical risks. The last thread, called 'Chat Bot' was partly about how you tell the difference between a genuine user and abuse, and has reached 167 replies, so it was suggested that we start a new thread for each subject. There's also a thread from the last few months called 'Mods Please Make the Spam Stop', which has covered some of this and also covered the times when obvious spam is left on this forum. I don't personally think it's a massive problem, especially compared to some other forums, but it may make people uneasy unless it's dealt with in a clear way.

As I understand it, and  or  or @WebPM can correct me, every interactive site on the web is subject to some abuse, and the forum software the NAS uses (Telligent Community) has some automated ways to detect and moderate this. However, occasionally some advertising for irrelevant products isn't so obvious, and gets through. There are also some other 'borderline' things, where we're not sure if the user is genuine, and interact with them very cautiously. The way this is supposed to work is that we, the forum users, readers and contributors, help detect the probable spam and click on 'Report as abusive' which pops up when you click the 'More' button below any post or comment. The moderators than consider this, and take action such as locking or deleting the thread. There's also a 'report as abusive' button on each user's profile for occasions when it looks like the only purpose of the account is spamming or trolling.

[Sorry I'm being so verbose.]

The story so far

In the past week or two (May 2018), besides a small spam outbreak advertising pills and stuff, we've noticed what we're calling 'Copybot', which starts new threads by copying something someone real asked several months or years ago. This causes some confusion as people might start responding to these forgeries, not realising the question is very old and has probably been answered. There have been requests, mostly on the other two threads mentioned above, that the NAS checks its site security, and suggestions about how the site could better prevent Copybot.

I've actually only counted six Copybot threads so far, as of 7 June 2018. I think three of these have been deleted and three locked by the moderators, although some stuck around for several days. (Edit: since then there have been quiet periods and times of ten copied threads per week, which I've been listing at the bottom of this thread.)

What is Copybot?

Copybot is the name we (I) gave to whatever was behind the occasion when three threads showed up, from two users, that looked a bit suspicious partly because the two posts from the same account seemed to be from different people: one a parent, the other an autistic young person.  Since then we've had a few more, mostly appearing overnight. The threads look like they come from a new user with no avatar image and the standard "NAS3nnnn" name. The posts are usually well-written and relevant to autistic individuals and families - which is hardly surprising, because it's copying most of the text from another post. The title is usually transformed a little so 'How to find a girlfriend' became 'I can't find girlfriend', and other ones include 'please everybody help me' to get extra attention - this transformation is apparently automated, in a way that recognises some English phrases, and chooses a random variation on it. Occasionally the fake title can be taken from the first sentence of the post instead.  Sometimes people respond to the bot posting as it sounds genuine, but unsurprisingly I've not seen the bot reply. This is stealing people's real concerns and questions, which we find a bit creepy.  Sometimes the text that is copied is truncated, either omitting the sign-off, or stopping at a punctuation mark.

[Here is probably a good place to stop reading.  It may be too much information already.]

Several theories have been suggested as to Copybot's motives, such as that Copybot will eventually post malware links or impersonate a genuine user so well that personal information is compromised. However, I think it is simply a side-effect of trying to defeat anti-spam systems. If a bot registers and starts posting spam immediately, it's likely to get picked up by the automated anti-spam. If it registers, waits a bit, posts something apparently sensible, which people reply to and nobody complains is abusive, then it gains 'reputation', and when it does post spam, it's 'cleanlisted' and the spam appears on the site without moderation, and can go unnoticed which is why it seems to wait over two months to replace the copied text with spam. Also, if the copied post is automatically detected or treated as spam, then the anti-spam text-detection software may get a bit confused (technically this is sometimes called 'poisoning' a Bayesian classifier) and so won't be able to detect adverts for pills and so on so accurately.

A web search for "hi guys, i have a question about" and "i have a question, need help" shows that around June 2018 Copybots also started posting to other forums that use other types of forum software, including phpBB, myBB, vBulletin, Vanilla, Invision Community and Discourse. (Only in a technical Plone Discourse forum did I see someone notice that people were responding to bots, although moderators delete some threads.) The earliest Copybot thread I've found on the web is called "a quick question about business or public courses" on the thoroughly infested "Singapore Expats Forum" dated 26 April 2018, where the content was obviously different originally and then replaced with Vietnamese spam (I'm not linking to it for obvious reasons).

How to check, and what to do if there is a Copybot sighting

I've recently been on the forum a lot, and when I see any new post by someone I don't recognise, I check it. First I look at the post, and think about whether the title is written in a matching style to the text; then I look at the first few words and see if they also appear in the 'Related' bar to the right below one of the titles, and if they do, I look at that other post. I also might hover over the user name or avatar of the NASxxxxx poster to get a pop-up that shows how many 'points' they have; or follow the link on that user name to see their profile. So far, for Copybot, there's been nothing written on the profile, and there are 7 or 14 'points'. (An account gets 7 points for each thread started, and 5 for a reply, so 21 might also be suspicious, but we haven't seen a single account as active as that yet.) You can also check the 'Activity' tab of the profile to see if the posts are consistent and genuine.

If still suspicious, I also see if there are distinctive words or phrases and search to see if those have happened before. For example if the phrase 'depersonalization symptoms' appears, that's pretty rare with an unusual spelling, so I can put that into the search bar at the top and press 'Return' - if it shows a previous thread I check that. You can also check using a standard web search engine, by taking half of a well-written sentence (maybe six to ten words or so), putting double quotation marks (") around it and searching - if it only comes up with the latest NAS page, I'd assume it's not Copybot and we have a welcome post from a new user. If it comes up with other, older hits (I've not seen any from outside the NAS site yet, but it's possible), then I compare the two passages to see if they are more or less identical, and if the new post really is a copy.

If it looks genuine to me, I may like the post, or try to add a quick response, hoping other regulars know I check for Copybots. (It probably isn't appropriate to just say 'you're not a bot' politely, and ignore what the real human poster has said.)

If I find it's a copied post, what I do is:

  1. Reply to the post to warn people that 'this is a copy of a thread from...(however long ago)' and use the word 'Copybot' - this helps find current spam threads without linking to them.
  2. Copy in a full link to the original, genuine thread, (a) so the moderators can verify the copying issue; (b) so people interested in the issue can see other people's responses and contribute their own somewhere that is not likely to be deleted.
  3. Ask the moderators to delete or lock the post, and to moderate the user.
  4. Try not to link to the copybot post from other threads, as that may improve the search engine ranking of the page or bot.
  5. Click 'report as abusive' on the post
  6. Click 'report as abusive' on the user

[OK, it really does get dull and technical after this.]

Then it's up to the moderators to lock or delete the post as appropriate. Maybe more abuse reports from different people catches the moderators' attention more. If someone has added a valuable additional reply, I don't see any problem in locking the thread so that reply, and the link to the original thread, is still available. They may want to reassign the post to 'Deleted user' to prevent the spammy user from posting more copies or spam, but

If no obvious action is taken, then I suppose we can communicate with the moderators by mentioning them in this thread, via Direct Message if we've already had a message from them, or the communitymanager@nas.org.uk address. Forum rules are here by the way: community.autism.org.uk/.../rules

Technical countermeasures

If this becomes a bigger problem, something more may need to be done until Copybot gives up. DongFeng5 suggested using a 'hash' of the text of a post to check for duplicates in an automated way, or use the type of software that claims to score plagiarism by students. I think this is something NAS would have to suggest to the software suppliers as a feature request. I know a bit about this subject (I've written hundreds of anti-spam regexes for a job), and a 'fuzzy hash' should be possible and cope with minor text changes. However, Copybot may also copy anything about autism from other sites so as not to be detected  - someone said copied text from an article about baseball had also been used - or possibly use a Markov-chain text from multiple sources to generate random, but vaguely realistic, text. (We have also seen a short post, probably the same or a different bot, keyed to the forum title by NAS38283.)

Copybot seems unable at the moment to set an alias, avatar photo or profile text on Telligent. Therefore requiring a non-default alias in order to post may stop Copybot until its full features are implemented. It has been suggested requiring some kind of name would at least overcome the problem of not being able to tell the difference between 'NASnnnnn' users. If it is possible to require this in the current forum software settings it would seem worth doing. The accessibility problems with screening signups with ReCapctcha are probably prohibitive given many people with communication difficulties, and a maths Captcha probably wouldn't work. The software does have an option for custom fields to be mandatory. On some other forums, a bot sometimes posted spam in Vietnamese about cosmetics and pills and called itself 'amelinda' or 'philomena', so requiring a non-default alias to post may or may not stop Copybot.

StopForumSpam.com seems to be tracking a lot of related spammers, and there should be a free plugin for SFS for Telligent, although it's not listed on the SFS site. See also Project Honeypot, another free anti-spam service which is basically an IP address blocklist. A simple addition would be to use GeoIP to check for forum submissions from particular Asian countries, or if that's not possible could explicitly ban or firewall the main Vietnamese ranges.

Making the site HTTPS, partly to protect anyone from having their site password compromised if using unencrypted wireless, has also been suggested. This was done in June. It had no effect on Copybot. A related consequent suggestion was permitting non-alphanumeric characters in passwords.

[Oh, blimey. I do go on.]


Etc

We can also use this thread to report any new instances of Copybot, although I think adding a comment identifying it as Copybot and reporting it as abuse, as described above, is better.  Perhaps mentioning the NAS number without linking would show a useful pattern in the spam signups.

The weather forecast for today, Thursday 7th June 2018 is: no Copybot sightings. Nothing on Friday either, so we're doing well. In fact I haven't noticed a peep out of it until:

Saturday 16 June.

  • NAS37990, approx 4am - thread locked around 9pm, user still exists, but presumably moderated.
  • NAS37991, approx 10am - locked by Monday afternoon, user still exists, but probably moderated
  • may be worth checking IP addresses for NAS37988 NAS37989 NAS37994 NAS37995 to see if part of pattern

Tuesday 19 June:

  • NAS38026, approx 4pm - (one reply) thread locked on Wednesday, user in moderation (check ...27 and ...28?)

Thursday 21 June:

  • NAS38049, approx 10am. Two threads both titled 'NEED HELP?', copying parts of different threads, 5 minutes apart. Not locked as of 10:40, reported and deleted some time that day.

Friday 29 June:

  • NAS38140, about 7am. First since HTTPS enabled. Thread taken from 'Autistic adults' category and copied there. Title 'Talking' transformed to 'hi guys, i have a question about Talking, please help me'. Reported 7pm. Locked within a day or two.

Thursday 5 July:

  • NAS38186, approx 5am, copied thread to same forum (Miscellaneous and chat) with inappropriate title 'need help?' Reported, deleted within 24 hours.
  • NAS38188, approx 8am, copied two threads to the same respective forums (adults, h&wb), one replaced as 'How to adult wetting ?', other as 'hi guys, need help'. Reported and later deleted or locked..
  • NAS38187, NAS38185 might also need checking out.

Friday 6 July:

  • NAS38195, approx 8am, copied two threads to their respective forums within a minute of each other. The threads chosen were both 3 or 2 months old and have titles a bit similar to Copybot's replacements, 'Help me, please' and 'Hi there'  respectively. Reported, and deleted within 5 hours.
  • NAS38196, approx 10am, spotted by Graham; copied two threads to their respective forums, one very current, both retitled 'need help?' with differing case. Reported and deleted within 5 hours.
  • It does look like copybots come in clusters or avalanches; either the botmasters step up spamming for money, or it's the weather. The fact they mostly occur in the morning might just be when bots in Asia are online, like vulnerable versions of Windows.

Mon 9 July:

  • NAS38230, copied 'what does the diagnosis mean?' to 'A quick question about diagnosis' (recognising key noun?).
  • about a day later, copied '3099/what-s-mild-autism' to 'hi guys, i have a question, please help me !' Both prompted sincere responses, and had head content replaced by mods and locked after 2 days.

Weds 11 July:

  • NAS38261, posted ~9am, copied 1 week old thread 'Are things JUST different?' from autistic adults to misc-and-chat. copied 'Musicals' to 'Hi there' in introduce yourself. Identified by Martian Tom & Nada..
  • NAS38263, copied 'What is Alpha Stim?' in 'Miscellaneous and chat' forum to 'a quick question about Alpha Stim'.
  • The above five posts still unlocked as of 1pm, but locked as of Thurs am.

Thurs 12 July

  • NAS38270, about 3am, copied two threads, one a week and one three months old to same forums. Titles were both 'i have a question, need help?', but one included a space before the comma. Reported, and both threads deleted the same day.
  • NAS38272, about 12noon (shortly after site was back from scheduled maintenance), copied a thread about a year old to the same forum keeping the same title, 'New to all of this and just saying hello', but dropping the first paragraph. Notably the original thread included today's date, 'july 12'. Reported.

Friday 13, copybotageddon

  • NAS38279 spammed two or three replies (with contact details, may have been essay writing spam) to a current thread. Reported and deleted.
  • NAS38280 at 7.30am copied two (?) threads to same forums, parsing the second title into 'a quick question about classified'. First deleted, second OP text replaced but not locked.
  • NAS38283 around 9am did not copy but used a common Copybot title 'Need help?' and minimal text 'My baby has sinusitis. Is there a way to minimize it? Thanks' possibly keyed to 'Health and Wellbeing' forum title. (Does anyone real use OUP's '-ize' suffix?) Reported user and later post. No apparent action, but user may be moderated.
  • NAS38284 at 8am copied two threads to same forums. The first had been copied before. Possibly these were selected for similar 'hello' and 'question' title patterns. Both deleted promptly.
  • Suspect all these, except possibly the first, are part of the same botnet given timing proximity and similar titles. A regular forum member discusses leaving because of copybot etc.
  • After web research, added edit above about 'other types of forum software' and ideas in 'technical countermeasures'.

Saturday 14 July

  • NAS38296 around 0830 copied a thread, retitling it 'A few question about Autism friendly'. Reported and deleted (or moved to abuse queue; included two new replies; ) within an hour or so.
  • NAS38297 around 0830 copied a thread, retitling it 'question about talking therapy ?'. Reported and promptly deleted.
  • Flashback. Three months earlier: NAS37248 posts a thread 'HELLO!!', apparently copying a post from single mother of an autistic young man. This attracted five replies from genuine users including a moderator.
    • Head post text has now been replaced by Vietnamese (or Lao?) text as if from beauty website and three links - this is similar to what has happened on other forums where the original post has been left for over two months. No other activity recorded from NAS37248. Reported and commented (without link to what it copied since that was unknown), and apparently deleted within two hours along with replies.

Sunday 15 July 8am.... coast clear so far.

  • One reason for this is that a user may have something on their computer such as malware that could be causing this without their knowing 

  • Copybot' poses a threat to forum security by enabling unauthorized duplication of digital content. Forums must implement robust security measures, including encryption, user authentication, and regular audits, to protect intellectual property and user data. Vigilance against such threats is vital to maintaining the integrity and trustworthiness of online platforms.

  • Posted for "All" (including NAS, prefrerably)... yet directly to "Cassandro", <>the last Autistic Defender Here... Mr. Cassie, please do not wear Yourself out by replying to too many disparate Threads, and at the same time ALWAYS be careful. Follows is a pre-written Message to Anyone including NAS... before I leave. Thanks Very Much for All You do, Mr. Cass, Thanks For being a Friend to All... Slight smile

    --------

    I try this last post before having to leave for a while to protect My own Devices/Software --- *again*. MY being Hacked coincides with WebPM not being present, it seems...? --- *yet again*.
    I am currently tiring of not being able to do good/nice/helpful/funny things for others... because of Society ignoring Malicious Strangers, such as Malicious-Hackers & Stalkers. ...(e.g. NAS ignoring the latest things written upon this Thread!)

    Yesterday/Three days ago:

    https://community.autism.org.uk/f/health-and-wellbeing/19008/what-are-some-easy-doable-sustanaible-life-hacks-to-improve-wellbeing-please

    copies the reddit Thread:

    --- " r/Wellbeing/comments/gffssl/what_are_some_easy_doable_sustanaible_life_hacks/ "

    And Then:

    https://community.autism.org.uk/f/adults-on-the-autistic-spectrum/19007/question-for-autistic-adults

    copies the Reddit Thread:

    --- " /r/autism/comments/3xv9vm/question_for_autistic_adults_toileting/ "

    ...A Moderator ("Karin Mod") responded. (!!)
    So, If this is a serious long-term Malicious-Hacker (Mr."TenLettersFollowedByANumber") then they must *now* be laughing very hard, even more than before for this past Month/Year... (A Tip to Evil-Hackers: Post more about "Cute Children", for not even the "Moderators" here can resist that, yes?)

    ...Or - Directly asking NAS, here... Does this mean that it is OK to falsify names and/or to keep copying Questions & Posts from other WebSites...?

    ...& As I was simply checking this... NEW illogical errors came up for My Own Device, across the WWW and for this Forum. "TenLettersFollowedByANumber Malicious-Hacker" is as skilled as "Dutchman", yet is Automated & still not spotted/ restricted/censored.
    Because of this, For now, as I say I am going to have to take some time off from this site/forum, for the sake of My Devices...*AGAIN*.
    & Upon sight of the NAS Forum right now, I do not understand why nothing is done about this and why so few people involved seem to care... ?

    I Myself no longer tolerate being "punished" for trying to be 'helpful, or cheering, or Good'. So... Best Wishes and Good Fortune Everyone. I hope You All understand This Post.

    -----

    Follows is a Picture showing the current FAKE UPVOTES (See the Thread with the same name for more info.) :


    The pattern would seem to be:
    1- put fake Upvotes (shown by the picture.),
    2- post a fake post (see this Thread & others similar to it.),
    3- the fake post gains a "starter achievement" which then gets *automatically* at least Nine upvotes (both things together.),
    4- that fake User gains a High "reputation", and so is not censored by any Downvotes or any "report as abusive" reports, it seems...
    ...I write that last part (with the Picture,) for NAS's sake... but You are almost completely on Your own now, NAS, as I am likely about to be Maliciously-Hacked ---*AGAIN!* (Just Me & no-one Else... *Again.*?)

    Fare Well for now, Everyone. (Again.)

  • Thanks, DC for your kind words and 'ebullition'.  (I note your vigilance when copybot was causing confusion over a year ago.) I hope you've coped OK with the hot weather. Yes, I agree about the internet being flawed. It sometimes seems as much trouble as it's worth, what with bad designs and 'bad actors' (including trolls and spammers). I guess I find spam a particular irritant, although some people just accept it and others don't even realise it's spam.

    I'm afraid I've not had a lot of response from moderators so far about the spam accounts I've found and listed in the reply 3 above, although I've also emailed the list to the community moderator.    @WebPM could we have a response please? It's mostly copybots, with some essay-writing spam. If there's no technical way to stop the copybot spam getting through, could you maybe review how the moderation team deals with it or how we can report it more easily? I've put some time into finding the spam posted over the last month, but just clicking 'report as abusive' doesn't seem to provoke action in terms of removing the copies or spam links. Hope they're all OK. Is moderation more difficult during 'lockdown'?

    You can't edit your own posts if they're more than a week old, so I'm continuing the list of accounts to lock and spam to blank here:

    found 28/6/20:
    nas67940 barkietrin7 1 post copied from same forum 19 days earlier, spotted by the person who posted the original thread.
    nas67942 berlinpose2 0 points - something removed?
    nas67772 bomishketi4 2 posts, copied from r/NoStupidQuestions and r/Wellbeing
    nas67771 aryankanse6 1 post, copied from r/autism, 3 spam links added
    nas67809 1 reply, essay spam, text maybe human-generated

  • ( p.s. Mr, Cassandro, You need not reply now, if at all. I do not stay on very long, because Malicious Hackers can seem to see when I am online here, & so I shall log off soon. I just saw what You said and am very grateful for someone else saying it, as I was uncertain of how to say it.

    ...Now I am repeating Myself. Thanks Sooooo Very much anyway of course. )

  • ...Very Glad Tidings to Mr. Cassandro, & excuse Me please, for some ebullition... 

    ---YAAAAAAYYY!!! YIPPEE! THANK YOU SO MUCH! Slight smileSlight smileSlight smile

    ... I had noticed this, I did a search upon the General WWW, and found "crimp8"'s post upon "Reddit" also --- I had little idea as to how to report it all (including "so-and-so-4-5-6-7-8")..  You must have noticed that they posted here within an hour after I posted replies elsewhere, yet possibly also after Your good Self posted and I then replied to that...?

    What I could not do was directly access "reddit" - My devices are old and I get errors. But You nailed it, Sir, and so Thank You So Very Much!...

    In closing... there is the thing which I hope NAS reads, which was stated by a certain User here (name changed now but He knows who He is!)... a while ago. You are doing the Job which NAS should be doing. Sometimes, but not often, I have done it. But it is quite honestly not at all FAIR.

    I am grateful for NAS and for those of us who spot such things, but to Me it just builds up more and more reason for how flawed and bad "The Internet (TM)" is in general. Everytime something goes awry, it is corrected, denied, and there is the "no problem it has been fixed now" attitude...

    ...Sorry for ending upon a bit of a RANT there. But honestly, You have done the task I was really worried about as to how to Post upon here before. (so-and-so-4-5-6-7-8 etc.)

    This post may seem confusing, I shall end it now. But the thing is... I have been targeted by Hackers here before, yet I do like this Forum quite a bit, so I try to help, but am not always able. I hope You understand, Sir. Thanks for being here.

    (Even just typing certain keywords ( e.g. so-and-so-4-5-6-7-8 's *unique* names ) makes me a target, I know that for sure. I know about programming but just do not do it just now, sorry..)

    Thank You Again. Slight smile

  • Hello Cassandro/ZZ top , thank you for your thorough analysis on this. I always go and report spam (and the spam accounts)  when I see it, using the report spam button, and have been doing this regardless of my commenting activity,   but your post is a master-class in feedback:-)

  • This may not be of much interest except to the   if he is still around and @WebPM. The copying of content for spamming is still happening (maybe after a long break), but the content is now being taken from the autism 'subReddit', and the bots are setting usernames that are all lower case followed by a numeral. They've also started doing occasional replies, using copied text. Maybe it hasn't been that disruptive (DC noticed it on the thread 'Does anyone else get angry learning topics outside your special interests?' and Cloudy Mountains noticed a duplicate 9 months ago (NAS63676; I haven't been around to notice). However, it does mean people are spending time responding to people who will never see the responses, and the existence of spam links may make money for spammers, defraud people and downweight the NAS site with search engines.

    Anyway, the sensible thing would seem to be to delete or freeze the bot accounts (their posts can be found from the Questions tab), and remove the spam links at least from any posts. I'll try to list the ones I find in this one comment. Thanks Kerri for dealing with some of them so far.

    Noticed 19/6/20.
    members/nas67363 ashilnayak2 2 posts, 1 reply. (one still unlocked as I write this.) The reply is followed by a black box which contains a link to a '.cam' website. The lack of clickable link confirms that the bot is using the forums for 'blackhat SEO'.
    members/nas67514 jinelcrimp8 2 posts
    members/nas67828 bormikstel5 1 post
    A search for '.onl' (the spammy top level domain) doesn't find the posts, but if it did might find more..
    members/nas67830 yesinkatle6 1 post (again copied from Reddit, keyed to the word 'wellbeing').
    nas67515 makerbiles6 1 post copied from publichealth reddit.

    Noticed 20/6/20
    Reported at least one spam reply about essay writing, not necessarily Copybot and a few other things. Scanning from 67500 to 67600.
    nas67541 is a Copybot that hasn't changed name, 1 reply, part copied from r/AskReddit. Links are trying to get SEO for router login and destination page may link to malware?
    If it were possible to search for '.uno/', '.fun/', '.onl/' (tools, vet and other new gTLDs) or '.link/' you might find many users and links worth deleting.
    nas67557 is old fashioned copybot (also not changed name) starting a thread based on text from this forum, with three added spam links in middle of text.
    nas67560 is 'old-fashioned' copybot caught in the act 18 days ago copying from original with same title in autistic adults forum. Locked post at the time
    nas67563 tarancepil7 1 post copied from r/AskDocs, no replies, please delete.
    nas67564 cristomike2 1 post copied from r/disability, several replies, link removed by moderator

    Noticed/found  21/6/20
    nothing suspicious overnight, checking up to 67725.
    nas67506 2 successive replies to same topic 22 days ago, first something from r/Mommit, then part of the head post with the same 'routerlogin' links as above (from someone remarking on the links, they appear to have been included when the reply was made, ie the bot did not return to edit them in). Reported via button.
    nas67693 melkumew looks like a single-issue spammer for wifi-amplifiers (no other messages, similar things on other forums).
    NAS 67722 seems human may have just posted similar messages here and on a couple of Reddit forums later.

    Noticed 23/6/20
    nas67879 essay-writing spam, probably a blackhat SEO bot looking for the word 'essay'.
    nas63604 3 replies about 9 months old, essay-writing, casino and general spam, possibly blackhat SEO human.
    nas67458 general spam (tutoring)
    nas67451 one post (but oddly Questions result confuses with nas67452), copying this thread to same forum
    nas67452 one post copying this thread to same forum
    nas67425 one post copied from r/autism
    nas67426 reply to the above, copying head post again, adding 'had the same issue !! lol' and three spam links; also copied this thread to new post in same forum, which was replied to yet another bot (ashilnayak2); also copied thread from r/AspiePartners to new post also in Health & Wellbeing, appending 'my issue has been solved!!' and three spam links
    nas67434 one post copying this thread, adding an extra '?' to the title.and a 'cam' spam link in the middle of the text.
    nas67435 one post copying this thread to same forum (note by the way text loses formatting), adding an extra '?' to the title. No apparent links as yet.
    nas67399 named 'kreinafine2', copied thread from r/AskDocs, added 'my issue has been solved!!' and three spam links
    nas67404 one reply copied from r/socialskills (first I've seen quite like this), with Reddit title added in bold. Itself a response to a spam post.
    nas67400 named 'aksargige4', one thread copied from r/Autistic again with 'my issue has been solved!!' and two spam links; relevant reply copied from 'r/Militaryfaq' to nas67425 (see above)

    Found 24/6/20
    nas67895 1 reply, essay spam
    nas67902 1 reply warez (in French)

    Found 25/6/20
    nas67919 1 reply with warez/malware French link, generic text, in reply to existing unlocked spam thread
    nas67910 named 'pedrocevil4' 1 post copied from r/Wellbeing with three spam links at bottom
    nas67909 named 'oelimtrila7' 1 post copied from genuine thread in same forum, with three spam links at bottom, attracted three genuine answers.
    nas67726 one reply 10 days ago, deleted by moderator, so dealt with. Plastic replied 'always the same pattern'

  • Thanks for the update. The moderators will respond. We'll also continue to look at options to reduce or prevent this.

  • I really had come to think we'd beaten it after over two weeks of apparent inactivity, but it's still out there and whatever automated defences there are still aren't enough. Today

    • 16 Aug around 5am, NAS38696 copied two threads, 2 & 3 years old, to same forums (changing first title by lowercasing and prefixing 'Im', second by changing to 'Hi' - it's in 'introductions'). Text is verbatim (byte-identical) in both cases. Reported, could do with more reports at the mo.

    Maybe I should check every new thread for the past month. Or maybe not.

  • Starting a new post here. As well as some unrelated non-bot 'research-spam' last night (I emailed the researchers quoting rules 5 and 8; apology here) which stopped us seeing which were most recent threads and posts within threads, today sees the return of Copybot:

    • Thu 26 July 0830, NAS38448 copied two threads to same forums, with titles 'need help?' (now becoming a classic) and 'i have a question, help me'. Warnings added by us within 30 minutes, and deleted by noon.
      • In technical things of little consequence, the thread from NAS37128, has now been locked. The thread had the strange property of not being listed in most recent threads despite recent comments, and also seems to be the only thread still indexed by Vietnamese words (although the spam itself has been blanked by mods). Also, some but not all of the threads that were 'under review' (in the abuse queue) have been deleted.
      • Even more technical and irrelevant: I mentioned an old copybot thread by NAS37248 that was replaced by spam, but is still in Google cache. The Google search I mentioned now shows an older http version from 30 May, where you can now see that was is a copy of this genuine thread. You can still find the later spam version in cache by searching for "If he is interested, you could suggest that he come on here and introduce himself". I did wonder if Google were aware and had deleted the spam from cache or index or snippets, or have multiple caches of one page, but apparently not; search term weighting may have changed. We'd already deleted NAS37502 and NAS37362 (similar to NAS35818) and their spam is also still in cache. There's a one in 2^7 probability of all the spammified (replaced) threads this year ending in an even digit - could copybot be holding its fire?
    • Fri 27 July, 1059, NAS38462 copied a thread two months old, changing 'Hello :)'  to 'Hi there'. Identical text apart from removed a final trailing space. Reported.
    • Mon 30 July. Just to record that I haven't seen any copybots since Friday. Which is nice.  Wouldn't get too complacent though, as they seem to be most active Tues-Fri.
  • Hi Tom & DC & mods. My verdicts:

    • 'need help?' (NAS38373, about 3am this morning, Thu 19 Jul) - bot. I've added a note to this. It's not a copy, but is similar to the 'sinusitis' post by copybot I mention above. (Content was 'Im so sick with same old love. What should I do? thanks') Removed and locked promptly, thanks.
    • 'Advise please' - genuine, from a mum about behaviour of 8-year-old
    • 'help me' (NAS38067, around 22 June) - bot. I might have checked when it was first posted weeks ago, but searched on a word that the bot had misspelled by transposing two letters, so couldn't find the original (at least I think it's the original). It also dropped 's' at the ends of words, changed 'the' to 'a' and inserted anextraneous space. Disallowed Cynosure found it yesterday though, and I agree with DC's suspicions. Mods, please lock and moderate. (edit, 20 July: blanked but not yet locked; edit 2,23 July, locked thanks)
    • 'Please help, Poss PDA, sleep and wake issues Meds?' - Genuine and the author updated nickname and responded.
    • 'need help?' (two days old version, NAS38336, 'How to use this forum? thanks so much') - bot. Mods, please lock and moderate. I think we've said all we're going to about aspie detectives. (edit, 20 July, locked, thanks)
    • 'Hello to all' (NAS24003) - Earliest Vietnamese bot spam I've seen anywhere, 11 months old. I reported this and others (NAS35818, NAS36782, NAS37722) having searched for the Vietnamese text for 'read more' and so on. Looks like the original text was also probably something like 'How to use this forum?' It is already locked, but mods may want to blank the text and particularly the links to the spammed website. (edit: done)
      • Would be good to know if previous edits of posts are retained in the database so it's possible to 'revert' a post. It appears the forum software can't move replies or revert.
    • All other remaining posts are from real people as far as I can tell, except a few like NAS38272 or NAS38280, where people responded before the copybot was identified, so the replies have been retained and the thread has been locked, and usually the head post blanked by moderators. By the way, I often 'like' a post, and if you see my name among the likes, then it means I've done some botchecking.

    @WebPM, please note there is a related thread: 'Unable to edit'. The 30-minute rule does seem to cause difficulties, and has had no effect on the rate of spam posting. Half the people here seem to be posting perfectionists. (edit: time limit has been increased.)

    @DC, 'Report as abusive' does not mean insulting to users. It means abusing the forum service, the intended use of which is allowing autistic people and families and friends to communicate. Other than search engine bots (also known as crawlers or spiders, which just read content), bot activity potentially disrupts that purpose and is abuse. It's the same sense as in which spam is abuse of the medium of email. As WebPM says, bots don't need to break rules to be 'abusive' – they follow their programming, not agree to rules. Incidentally, I did see 'Flag as spam/abuse' once and once only I think for this function. Maybe I very briefly had moderator privileges (which I don't want, but I recall California said he was interested).

    And before anyone asks, yes, I also saw some server errors about 0730 this morning, of the 'error authenticating your request' type.

    [Edit, minor additions, 20 July. I saw one obvious copybot in the list, flagged by another regular and deleted before I could check. Otherwise quiet in terms of what's been public, I think. The thread(s) by NAS38067 and NAS37128 (which may have been a copy of this but keeping the same title) is still unlocked, although the spammer may not currently be able to edit the main post because of the edit time limit.]

    [Minor edits, 23 July. The last four days seem to have been quiet; either Copybot is not posting as often, or the moderation is working much more quickly. The remaining post by NAS37128 still worried me that it might encourage the bot, so I added a request to moderate there, although something about that thread means that it's not appearing in the list of messages.]

    [24 July. We've not quite neutralised Copybot. There was a 'need help?' posting this morning maybe 7am by NAS38384, copying this real thread. One person replied, I commented and reported it, and it now shows 'Content Under Review // This content is currently pending review by moderators and is not available. Please try again later.' so presumably enough people reported it for it to go to the abuse queue. (I think WebPM may have reduced the number of reports necessary for this to happen.) At least one of the old spam threads (introduce-yourself/11974/hi-guy-im-new) is also still 'under review'.]

  • 'need help?', posted 4 hours ago, looks ominous, too.

  • ( Greets, Mr.Webster...

    Slightly off-Topic, and perhaps overly-pedantic, but... is there any way to change the Name of the Button "Report as abusive"... to something ike "Report as against NAS Rules" or something... since there are a LOT of Rules, and  even the awful CopyBot is not exactly "abusive"...

    ...Just wondering... I'll go'way, now... mumble, mutter...   (!) ) 

    ...Please have a nice day, though!

  • There is a Thread by NAS38067 called "Help Me", which seems to copy a 3 Month old Thread by "Veroedge" called "How do I tell my son he has Asperger's?"...  But the COPY Thread is almost a Month Old, now...?

  • Thanks. I followed your lead and reported NAS38345 too. (edit, add) Yes, if certain patterns of title could reduce the need for abuse reports, it would have helped.

    I am NotABot. I am Cassandro in disguise just confirming that the username chosen on registration is not used by the forum software. Maybe Single Sign-On can do that so people don't need to enter their chosen nickname twice, but for policy reasons it is a requirement. There is a message encouraging new users to fill out their profile. If we remember to remind new users of this, it may encourage trust.

    This morning's two copies (18 Jul) were by NAS38354 (numbers really can be confusing), posted around 0754 and 0748. One, titled 'So i need help' (copy of this) has already disappeared; the other is an innocuous 'Hi there' copying this. It now looks probable that Copybot chooses some threads to copy based on already including a word like 'hello' or 'help'. Also seems that 9am is a good time to check, although one or two, like NAS38345 around 3pm which you mention, mean looking at the end of the working day is also worthwhile. (One other thought is that if the forum software's spam protection doesn't look like it's going to cope in the foreseeable future, could try moving the whole subdomain to an external proxy like Cloudflare that may use anti-spam systems, although with no guarantee it would stop the spam.)

    Have a bot-free day, all.

  • We’ve just had another one, by NAS38345. I’ve reported it and added a comment to warn others.

    It’s a shame we can’t immediately moderate posts that are titled ‘need help ?’ as it appears to be a favourite of copybot!

  • Thanks for the update. You can imagine that we are as frustrated by this as are you. As you have recognised, the point of the way that the "copybots" are doing things is to make them hard to detect by the usual counter-measures, and as I have mentioned we aren't by any means the only forum experiencing this.

    The positive thing here, I think, is that the attentiveness of our users is helping to make the spammers' efforts a waste of time, although that is in turn taking your time to achieve it.

    We'll keep working on appropriate counter-measures.

  • I admit the copybots got me confused myself yesterday and I overzealously reported a new NASxxxx user (now called 1986)

    My bad :o I was a little hasty in trying to use the forum, hadn't realised it had posted until I'd written out my new post :)