Message for @admin - hacker/scammer using the forum

[Vorpal]

The dodgy links I mentioned have already gone so thanks for that. However, the third page of new members begins with a masseuse. Scrolling further back there are more and this page has a veritable peloton:-

memberlist.php?sk=c&sd=d&start=850

I don't know if this does any real damage because none seems to have posted; perhaps it's just my not liking to thinks these creatures have goy away with it.

Unfortunately, as far as I can tell, those have to be removed manually. Someone cleverer than I am might be able to do it with an SQL query & the database. I will do a little more investigation, but I don't have much confidence that I will find a way to deal with it easily.

[thirdcrank]

I don't want to create work

[Vorpal]

I don't want to create work

It's not you creating work. It's a combination of spammers using a work-around and software that allows it.

[Mick F]

All it needs is the regular posters to alert the moderators that there's an issue.
Spam is easy to spot, but a new poster who comes on with a valid first post, isn't so easy to spot further down the line.

Alert us please.

[thirdcrank]

I've just checked some 35 pages of members, starting from the most recent joiners and of those with an attached signature, and of those with posts, there are a couple clearly bona fide people and only two who have managed one post each, both having the same Hispanic spam link www.

I presume these are all would-be spammers who, with two apparent exceptions were cut down by the vorpal blade etc at the first post.

This suggests that my concerns about dodgy websites may be misplaced.

I also see that a lot of the dodgy websites on the first few pages seem to have gone.

[slowster]

By way of an update on some of the issues raised in this thread:

Over the last year or so of dealing with spammers and bots, I've gained a better sense of how they behave. Even for those first posts which are obviously spam or a bot, I don't just disapprove the post and ban the poster. I also do various other checks (which many of you will be able to guess at, but which I am not going to detail). If I deal with a report about a suspicious post by an existing member, I will make the same checks for that post/poster.

In addition to giving a better sense of how spammers and bots behave, sometimes those checks also reveal yet further spammers/bots which have made one or more seemingly genuine posts, only to return after the thread has gone quiet and edit their posts with a spam link.

Today, doing those checks on a user whose first post was dispproved and is now banned led me to the post with its suspicious links which was the subject of the original post of this thread, which had been removed from the public area of the forum. Something which had not been done at the time (and which I have only recently realised was worth doing) was to search for other posts containing those suspicious links. There were three hits for that search:

- The original post identified by DevonDamo
- The opening post of this thread
- A second spam/bot post which had not been previously spotted, which in turn then led me to another (both now removed and banned)

Anyone can use the forum search in this way to see if a suspicious link has been posted elsewhere by another spammer/bot. If you do so, I suggest you shorten the link as much as possible to widen the search, e.g. remove http:// so that the link starts www. and remove anything after .com.

If a possible spammer who has succeeded in getting a first post approved is spotted/reported, one of the reasons why I will often not take immediate action and will instead watch and wait, is because if and when they actually post their spam link, previous posting of the same link by other spammers can then be searched for. That was why I delayed taking action on the spammer that prompted this thread - viewtopic.php?t=161856. The link that the spammer eventually posted contained the following sequence of letters:

gowithguide

There is another post containing that text and I will leave the post with its link up until tomorrow so that anyone who wants to do so can use the forum search and look at that person's posting history. Back in July I thought it just might be genuine and left it for the time being, but looking again now and comparing the two similar posting styles/patterns I am sure it is a spammer (there was one particular and very compelling reason I gave it the benefit of the doubt, in which respect the spammer is unique in my experience, but that is something only visible to the moderators).

Suspicious links in signatures are a bit more problematic. The forum search does not include signatures, and the results of a Google search of the forum for the text or link in a signature can be hit or miss (which by the same token may reduce the value of a link in a signature to a spammer, since if Google's web crawler does not properly pick up the link, it will presumably not affect search engine optimisation results).

Lest it seem that spam is major problem, and to put the above into context, in addition to the more focused/targeted searching I describe above, I have also done some much more widescale trawling, and the frequency with which I then find a spammer/bot is very low.

[slowster]

A good example here - search.php?author_id=57655&sr=posts. I've just found this one by following a trail from 40+ spam posts which Hemipode disapproved back in May. I am still working my way through that trail to see if there are any others, so it will be a little while before I get back to dealing with this one and either removing the links or the entire posts. In the meantime if anyone wishes they can have a go at searching to see if the spam links in the posts exist anywhere else on the forum.

Edit - another here - search.php?author_id=44031&sr=posts. Putting the link in a quoted post is a frequent trick.

Further edit - all the above posts now removed to a moderator area of the forum.

[Psamathe]

Would the forum suffer badly if links in signatures were banned entirely for everybody? Even ban signatures entirely.

Ian

[slowster]

Would the forum suffer badly if links in signatures were banned entirely for everybody? Even ban signatures entirely.

I think it may help and reassure if I try to put this all in some context. Over the last week I have been doing some wide scale trawling of the forum. I did it once last year on a slightly smaller scale, and it revealed 4 or 5 spammers who had made a few posts each. Having spent another year doing routine approving of first posts and disapproving first posts that are from spammers/bots, I now have a much better idea of the patterns of spam posts. During the last week I have done some more trawling and removed 15-20 spammers/bots. The user accounts are almost only ever used to make a few posts. Many more than that increases the risk of discovery if all the posts contain a suspicious link, and they want the spam links to be undetected on the forum for as long as possible. I found only one post with just a spam link in the signature. It would not be worth restricting signatures, especially considering the value of something like the bike fitting guide in 531colin's signature.

Commercial spam's weakness is the need to post the same links in multiple webpages, either within a forum or more likely across multiple fora, or both. Find one suspicious link, and you can use it to find if the same link has been posted by another spam user account on this forum. The forum software allows even non-members to see all the posts of a particular member*, so if a spam link is spotted in a post, anyone can quickly scroll through all the posts that have been made by that spammer.

* This is the case for many other fora - just click on the poster's post count. Consequently it's possible to Google search for a spam link found on this forum, and then if found on other fora, check the posting history of the spam account on those fora for other spam links, and then search for those links in this forum. I have only tried doing this once previously, and it revealed a large number of spam posts across multiple fora. That was prompted by a spammer that added a link to their post for "vinylcutter.eu." (this case - viewtopic.php?t=161573). Google searching other fora for that text (with the quote marks) led to numerous fora and revealed other spam links, one of which I later found on this forum. Details are contained in the extract of my post below from the moderator chat area of the forum.

All the above will be of little or no interest to most members, but I am posting it firstly to provide reassurance that the problem is being actively managed, and secondly because there may be a few members who are interested, and maybe even one or two who wish to do their own searching.

I did some digging into this recent attempt to post a spam link - viewtopic.php?t=161542. I concluded that the account was not taken over as a result of a genuine dormant user's password being hacked elsewhere on the web. Instead I am certain the account was set up by the spammer back in 2018, and they then waited six years before attempting to use it. The evidence for this was a spider's web of related posts on other fora, which I found by searching for the same spam links and/or the same fake posts used by 1st fake user to create a pretext for a reply by a 2nd fake user containing a spam link. The pattern was consistent, with a number of common features (majkell user name, [redacted], another fake account being created in 2018 and not being used for years).

There is no need to look at these, but if you are interested you can see the various connections in the links below:

https://forum.thinkpads.com/viewtopic.p ... 96#p821096

https://forum.thinkpads.com/viewtopic.php?f=9&t=130346

https://www.eforum.de/threads/25144-suc ... nux-laeuft

https://forum.thinkpads.com/viewtopic.p ... 84#p873084

https://forum.thinkpads.com/viewtopic.p ... 80#p843280

https://forum.thinkpads.com/viewtopic.p ... 65#p871765

https://forum.ts.fujitsu.com/forum/view ... hp?t=49514

https://www.chasingsnows.com/forum/gear ... -car-vinyl

https://www.yarisworld.com/forums/showt ... hp?t=65102

https://www.orlando-forum.de/forum/inde ... er-kaufen/

[slowster]

I am currently doing some more trawling. As and when I find spam posts, I'll list them in this post and will leave the spam posts up for a day or so.

1. viewtopic.php?p=1483326#p1483326

2. viewtopic.php?p=1514908#p1514908

3. viewtopic.php?p=1523871#p1523871

Edit - all the above opening posts and their threads now removed to a moderator area of the forum.

[drossall]

I've been involved in running some forums in previous jobs. Just to remark that, as our moderators may be aware:

• Some forum software limits the rights of users until they have made a number of posts. Therefore, one tactic is to post some meaningless and harmless posts in order to try to accumulate a posting history. Copying posts from elsewhere is of course an easy way of obtaining otherwise-random text that is likely to prove meaningful.
• I have come across some attempts where a harmless link is posted initially. Then it's updated later to a malicious or spam link, in the hope that the editing will be subjected to less scrutiny than the original posting.

I've not studied this thread in huge detail to see how relevant this general background might be.

[slowster]

Some more below. You will note various similarities. Most of them were posted a few years ago. I suspect that they were mostly from the same source, and that they largely stopped/reduced attempting to post more such spam, possibly because it was not sufficiently profitable or because regulatory/law enforcement put a stop to their activities. As I commented above, I will leave these up for a day or so for anyone who wants to have a look at them, and then I will either remove the links from the posts or move the posts themselves to the moderator area of the forum.

4. viewtopic.php?p=1425085#p1425085

5. viewtopic.php?p=1282966#p1282966

6. viewtopic.php?p=1537469#p1537469

7. Four posts - search.php?author_id=44553&sr=posts

8. viewtopic.php?p=1279809#p1279809 - suspicious signature?

9. duplicate of 8 above

10. viewtopic.php?p=1238530#p1238530 (cleverly concealed, but would be picked up by a search of the same link in one of the other posts).

11. viewtopic.php?p=1223660#p1223660

12. viewtopic.php?p=1421411#p1421411

13. Two posts - search.php?author_id=45643&sr=posts

14. viewtopic.php?p=1398290#p1398290

15. viewtopic.php?p=1326525#p1326525

16. viewtopic.php?p=1356389#p1356389

17. viewtopic.php?p=1417056#p1417056

18. viewtopic.php?p=1304193#p1304193

19. viewtopic.php?p=955722#p955722

20. Four posts - search.php?author_id=44553&sr=posts

21. viewtopic.php?p=1408640#p1408640

22. viewtopic.php?p=1309340#p1309340

Edit to add:

23. viewtopic.php?p=1374098#p1374098

24. viewtopic.php?p=1309738#p1309738

25. viewtopic.php?p=1824593#p1824593

26. Two posts - search.php?author_id=47633&sr=posts

Further edit - all the above posts now removed to a moderator area of the forum.

[Vorpal]

I've been involved in running some forums in previous jobs. Just to remark that, as our moderators may be aware:

• Some forum software limits the rights of users until they have made a number of posts. Therefore, one tactic is to post some meaningless and harmless posts in order to try to accumulate a posting history. Copying posts from elsewhere is of course an easy way of obtaining otherwise-random text that is likely to prove meaningful.

We generally check for that sort of thing, though we occasionally miss something.

[*]I have come across some attempts where a harmless link is posted initially. Then it's updated later to a malicious or spam link, in the hope that the editing will be subjected to less scrutiny than the original posting.[/list]

I've not studied this thread in huge detail to see how relevant this general background might be.

That's the sort of thing that started this thread, and what happened to most of the posts slowster has added.