A few remarks about spamming bots …

Hello, everyone.

I've seen a few spam-bots here recently, so I thought it could be a good idea to share with you what I found out, and how I have reacted towards them.

I have the role of a moderator in a forum about High Sensitivity and about Highly Sensitive People (HSPs).

It is built upon vBulletin 3.6.4 . There are no Captchas or how they are called during the registration process.

According to www.stopforumspam.com there is an insanely huge list of bots out there.

I once thought it would be great to have the bot names from that site as an RSS feed or so to use them as akind of filter against newly registering bots here.

First of all, try to make it a habit to control evry new user. If you find it, the new user's timezone is set to China, it's likely it's going to be a bot.

During this year, in an massive hack several hundreds - or even thousands ? I don't know - chinese or asian boards have been compromized. As I suspect, they now act as kind of "spam-throwers" towards the rest of the world. However, I cannot prove this. It's just that I combined 1 + 1.

Here is just a short list of bots that are likely to arrive here, but before, I'll tell you why:

1. I banned Yangkee140 on the HSP board.
2. Yangkee730 was here just today.
3. Both sound astonishingly similar.

1. First step: Take the user name and feed it into Google or any other search engine.

Results:

1. If the results are more than let's say 5 pages, then it's most likely a bot.

2. If almost all results are user names from forums, then even more so.

3. If the time zone of Yangkee730 is set towards China, then you'll have another clue.


2. Second step: Take the e-mail adress and/or (double-checking) the IP adress of Yangkee170, and look for it in the database of www.stopforumspam.com .

I just did it, and interestingly it was not present there.

Google also has only 3 entries.

But we just saw it working. So it must be brand new.

Maybe it is the last "specimen" of the following list I found via www.stopforumspam.com :

Yangkee408
Yangkee672
Yangkee197
Yangkee070
plus Yangkee140, from "my" forum.

They all have interestingly the same e-mail adress: treessoo@gmail.com

Sometimes, you can also feed the e-mail adress into google ot whatever. It *can* give another clue, but not always.


Now, there's a very weird thing:

Yangkee140 from "my" forum had something in "its" signature.

There was nothing else than this:

10

That's all.

I still don't know what's this for, but I have a suspicion that this belongs to a greater scheme, because I have found similar bots in "my" forum with other, also very tiny, fragments.

Now follows a small list, first the bot's name, after that the fragment in the signature (within quotation marks):

Yangkee140 "10"
Huitogi84 "leveling"
Jucke45u "eing"
Rutiio032 "up"

I wonder whether these are fragments used by other bots to compose a spam-message out of this (these fragments) … Like someone collecting mosaic-stones and putting them together and then distributing the complete work …
But I don't know …

Also interesting is that so many bots actually put their time zone to China … Why do they do this ? Why do they have this "feature" implemented ? Trying to conceal their identity ? Just code left behind in the bot (maybe out of lazyness) ? Or waiting from a signal coming from China so it is essential that they have the same time zone, maybe for putting together fragments like in my example from above ?
I still don't know.

Well, now this is in principle what I've found out this far. Unfortunately I've never worked enough with PHP to understand these things enough …

Interestingly, several bots we banned in "my" forum come back again and again … But since they are banned, they can write nothing …

Unfortunately I'm only a moderator over there, with not enough rights to examine what these already banned bots still try to do. I think it would be interesting …

Among these "Zombies" are the following names:

080903k
080907k
CEO2008GAME
usagirl19735

Other names of bots that we banned in "my" forum:

KaiyureBoy
loveumaryii
lovebeijgo
usagirl19735
dtrrrjoke
baadman27
xuanlu425
xujingmei04
LRTIMKEN
vwxy720
Easyforpp
megadream20
admin86skf


Well, that's it for now. Hope this helps you.

Thank you for listening.

Alrik

Wow, you put a lot of thought and research into this, Alrik. Thanks a lot. I can't tell you much about spambots per se as I just kill them, but perhaps there are specialists out here who can answer some of your questions…

Banned spambots try to post and post and post until they are forced to logout. Should they return after logout, they'll just try to log on and log on and log on… virtually banging their virtual heads against virtuall walls.
We have a 'custom' method for banning spam bots (or, more correctly, a customizable board function we use). Thus moderators can 'paint' (= instabanban) the bots and somebody else can clean up after them, a fairly quick and easy method. Thanks to our eagle-eyed moderators many spambots are painted before they ever get a chance to post.

With so many bots registering nowadays, it's impossible to research the background of all new users (pity dte can't be online 24/7 ). Easier to wait for them to act and get painted. Should the shit ever hit the fan in an especially unpleasant way, there's still the option of putting newly-registered entities in a moderation queue - new users would have to be accepted manually. But the latter is something we'd rather avoid.

Putting up all kinds of protection measures to prevent spam bots from registering and thus posting, makes it also more difficult for the 'normal' visitors to register. It is like a DRM system; you want to prevent illegal use and abuse, but you are annoying a whole lot of honest people in the process.

We have all seen them and I for one report them. Is it better to not post a response to them so they just disappear without comment? I would think it is.

Originally Posted by Jaz
With so many bots registering nowadays, it's impossible to research the background of all new users (pity dte can't be online 24/7 ). Easier to wait for them to act and get painted.

*finishing 8th Red Bull*
24/7 it is ready for duty updated my title just for you looking for bots I brought lots of paint get them bots check some profiles I know they're out there BOTBOTBOTBOT get the spraypaint still on duty that username looks bogus reading new posts
*opening 9th Red Bull*

Uhh-Ohh Seen him like that once before. I suggest we all log off and leave him to his paintgun for a few hours. It won't be pretty to watch…

Yea, it gives him something new to get involved with now that McCain has lost the election!!

Originally Posted by Myrthos
Putting up all kinds of protection measures to prevent spam bots from registering and thus posting, makes it also more difficult for the 'normal' visitors to register. It is like a DRM system; you want to prevent illegal use and abuse, but you are annoying a whole lot of honest people in the process.

I see. So, all in all, manual removing seems to be stioll better, in this case.

I specialized forums it might be a bit better; for example if you tend to expect usernames in rather the country's language …
For example.

Originally Posted by Jaz
Thanks to our eagle-eyed moderators many spambots are painted before they ever get a chance to post.

With "painting" I just had the idea of giving bots an extra tag or user title … Kind of tagging them …

Which would it make easier for *normal* users to spot them as long as they aren't removed (but still cannot post a thing).

Originally Posted by Cm
We have all seen them and I for one report them. Is it better to not post a response to them so they just disappear without comment? I would think it is.

Yes, I think this would be a good idea. However, I hadn't spotted the "report entry" feature until recently.

Commenting on them was until then my way of "marking" them.

I think, there should be some kind of announcement for this new policy, then.


Apart from that, I still wonder where these bots actually reside, I mean, where their actual code is. They need code to perform actions, but where is it ? On some distant servers ? Or do they carry it with them ?

I saw some news recently that 70% spam just got wiped out by closing down an ISP, ahh on the bbc.

You can but hope.

I remember a report of a meeting of EU ISPs and Russian ISPs.

The report had a disturbing part which went like this:

EU ISP: "Now, we would like to talk to you about spam …"
Russian ISP: "Why this ? Spam ist our business !"

I've seen a - to me - brand new technique today here:

A bot put several links (with no separation between them) into one reply, which all direct to different blogs on the same blog-site or blog-engine, so to say.

These blogs read relatively normal first, but they contain keywords as links hidden in the text, like - in an example - within a text about the discovery of Australia the following sentence appeared:

In 1802, the United Runescape Gold and France sent a fleet to sail the "New World" and want this invaluable piece of land occupied.

Of course, the keyword was in fact a link.

This technique is brand new to me. And disturbing.

I have seen them some times here, but before I could check them and reported, someone already deleted them. Last week there were a nice amount of those post if I am not mistaken

With the 24/7 coverage living in different time zones gives us, spam bots don't survive here for long!!

Originally Posted by titus
I have seen them some times here, but before I could check them and reported, someone already deleted them. Last week there were a nice amount of those post if I am not mistaken

I sometimes have the time to report them, but our crew does a good 24h/7 job :-)

I think it was yesterday when I blocked one with this name:

lyjg1123

Now, today, another one has registered on "my" forum, with a very similar name:

lyjg1126

Now, there's a certain amount of numbers between 23 and 26 - so I expect there to be some more bots "roaming around".

Update: A quick search with google revealed that there's already an

lyjg1125

out in the wild.

Read this, spamming as an experiment on BBC: http://news.bbc.co.uk/2/hi/programme…ne/7932816.stm

Currently a bot called Gossioii9 tries to complete the Turing-Test on RPGWatch.

He has a brother called Gossioii8, which I encountered in another forum using exactly the same phrases today.

This is a glimpse into the future: The next generation bots will try to act like humans - or to be considered as humans, as a result to their replies.

This reminds me of the Eliza program.
Or rather here: http://en.wikipedia.org/wiki/ELIZA_effect

The entries of these two bots are made up so generic that they might fit to the above used post … trying to fit in as closely as possible.

I don't know which algorithm they use to determine to which posts they should reply to. But it seems as if they are relatively sophisticated already.

Future bots will try to fit in even more closely in order to not be labelled as bots.

Which could enable them doing some "viral marketing".

As a mod, my brief is to be tolerant, unless I'm absolutely sure it's a bot, or similar. I think it's admins call whether we're to be pre-emptive here or not. I'm fine with either decision.

Lol, another conspiracy theory? Quite interesting reading and it could become quite interesting in games if it's achieved, ton of money to make there too, probably more than through a strange wide marketing plan for the future.