Forum Spammers


As you probably have noticed, we’ve had serious issues with massive amounts of spam, typically in the forums, since last week. We’re still working on this, but I wanted to provide a quick update so you at least know what’s happened.

First of all, there are no security issues. There is nothing wrong with your site, or your accounts. And as a reminder, we don’t have, and we have never had, access to your credit card information if you’re a Premium member.

The issue is that someone, or some entity, is creating hundreds of accounts and plastering our forums with spam. What’s weird about this is that it’s working: We literally have multiple layers of spam protection, and none are catching any of this despite how obvious it is.

The spam is mostly in the form of new forum threads, though I did see a few spam comments from these same accounts over the weekend.

Given the severity of the spam—literally thousands of forum threads created over two days last weekend—we removed the forum link and widget from the home page, and we implemented various new anti-spammer tools, including Stop Spammer, Google Captcha, and Akismet.

This actually worked for a few days. But as of today, the spammers are back. And they’re bypassing all of our measures, including the ones noted above.

So now we’ve temporarily removed the ability to create a new forum thread until we can figure this out. We’re reaching out to experts at WordPress, CleanTalk, and elsewhere in the hopes that someone will stop passing the buck and actually help.

Anyway, sorry for the disruptions here in the forums. We’re working on it. And I will provide a more detailed account of what happened whenever we do get past this.

Thanks!

Paul

A quick update from Tim (10/5/18 @ 12EST)

Users can now post new topics again as of 10/5/18. We may have to reverse this in some sort of emergency. -Tim

Comments (21)


  1. infloop

    Thanks for the update, Paul. I do hope that the team can get help from the various providers about this problem and get it resolved. I can only imagine what a headache it must be.


    Looking forward to the next update.

  2. faustxd9

    Wow, that is a huge amount of additional investment to exist on the internet these days! I hope they haven't hijacked an admin account and are using that to generate accounts. Thanks for the post and all the hard work!

  3. disco_larry

    I'm surprised it's financially worthwhile for spammers. I can't imagine many people click on those links.

    • wunderbar

      In reply to disco_larry:


      All it takes is a very tiny percentage. Same reason spam callers work.

      • hrlngrv

        In reply to wunderbar:

        A tiny fraction of, say, Disqus users reading all sorts of blogs and web sites would be one thing, but would those of us following tech sites click on obvious spam links? Selling pyramid schemes to high schoolers, patients in rehab, residents at senior centers is one thing, selling them in police bunko squad rooms is quite another.

        OTOH, maybe thurrott.com was a convenient testing ground for all sorts of nasty hacking tools.

  4. Daekar

    Good grief, who the heck has so little to do that they work to bypass comprehensive spam filters? Definitely looking forward to hearing all about it when you get them put in their place!

    • gardner

      In reply to Daekar:

      Apparently the ability to communicate with the smart people that frequent this forum is worth the extensive effort it takes to overcome these obstacles. Unless this is some sort of personal attack, and not motivated by "spam economics".

  5. skborders

    You guys are really getting hammered. Thanks for your hard work.

  6. wolters

    Thanks for the update...glad I know I wasn't going crazy looking for the forums tab.

  7. Tim

    I launched an update last night after collaborating with one of our anti-spam services. At their request, we loosened some of the measures that were causing many false-positives and keeping some of you unable to log into the site.


    I added some tools for our admin team to report/remove spam a little easier. Part of this is meant to send more data to the anti-spam tool, the theory is that it will continue to learn the nature of this particular SPAM attack and get better at preventing it.


    One thing to keep in mind is that this means we will likely see some batches of SPAM come through, but this is meant to decline over time.


    I would also like to speak a little to the nature of our systems in place.


    Google reCAPTCHA

    This is sort of the first line of defense. It is arguably the best captcha system available, leveraging the insane powers of Google's machine learning capabilities. This is in front of all account registrations and as of this week is also a part of submitting a new thread to the forums. We have not implemented this for comment replies as it is a little more cumbersome than I think we'd prefer for this interaction but...never say never.


    It's worth noting that even this is not foolproof: https://nakedsecurity.sophos.com/2017/11/01/now-anyone-can-fool-recaptcha/


    IP and Email Address Known SPAM Databases

    We leverage a service that has access to several of the largest databases of known/reported SPAM email addresses, top level domains, and IP addresses. Every user registration, comment, and forum post passes through this filter, and many are blocked every day. We have had nearly 10,000 positive hits in the last week alone.


    We are able to see global reports on every individual email and IP address. I would like to point out that in manually investigating many of the SPAM addresses from the incident this week, almost every one I spot checked had zero incidents of SPAM until the last 2-3 weeks at which point reported incidents skyrocketed. This indicates to me that this is a new attack that is being launched across various corners of the internet.



    Content Analysis

    We pass content over to a service that also analyses the author information (IP, username, email address) but also examines the actual content of what's being posted in an attempt to flag SPAM as SPAM. All of our comments pass through this system but new forum posts had not been getting through this system. This is the biggest change that has been made in the last 48 hours. Now every piece of content posted by a user is passed through this filter. It was short-sighted that forum posts weren't put through this system but this has been addressed.


    Moving Forward

    Brad has been begging, as well as many of you, for some simple SPAM reporting features from users. This was meant to roll-out in the next major release we have been working on for the last several months (which we'll likely be sharing information about soon) but I am accelerating this feature and hope to have it out sometime early next week.



    These things are an ongoing arms race, we will ultimately win this battle but the war will go on...i.e., SPAM will always be an issue. No website is SPAM free, it's just not feasible in today's world. I actually really believe the SPAM on our site is relatively minimal and fairly well managed internally (I know this because I work on and have worked on dozens of other websites across many topics)-- we currently lack hugely in giving our users the ability to help us manage it; we're working on that (as mentioned above). You will likely continue to see some junk posted over the next few days...bear with us.

  8. lordbaal1

    Just put some lettuce, tomatoes, and bacon on it.

  9. maethorechannen

    Maybe the forums should be made premium only. That would either block the spam or make you more money.

  10. hrlngrv

    Thanks for the update. FWIW, y'all might consider a banner on the top page just under the menu at the top which could mention when some usual web site features were disabled temporarily.

    Now some cynicism. Is your Forum and comments system easier for spammers to abuse because BWW developed them in-house? I know you know what you're talking about with respect to Windows, but it's a lot less clear BWW knows what it's doing developing thurrott.com forum and commenting systems.

    I've never noticed Disqus or comments on ZDNet, The Verge, or similar needing to go down due to spam attacks. I can accept that BWW is doing everything it can given usual constraints of having few people working on the problem, but perhaps problems like this can only be addressed effectively when the budget to do so is well into 6-figures in US dollars. That is, perhaps thurrott.com doesn't bring in enough revenue to be able to afford to respond to this sort of spam attack effectively.

    Tangent: if you're using pattern matching to identify repeated posts, are you replacing all the HTML spaces (varying widths) and change of writing direction characters with plain spaces or nothing? E.g., the following are NOT the same: foobar f‏oo‎b‏a‎r. Note: necessary to reverse the order of characters between ‏ and ‎.

    • Tim

      In reply to hrlngrv:


      "Is your Forum and comments system easier for spammers to abuse because BWW developed them in-house?"

      We are using the same systems that are available to all available forum platforms at the moment. So...I'm not so sure.


      "I've never noticed Disqus"

      This is just literally not true, on this site specifically we had an enormous SPAM problem with Disqus.


      We are leveraging 3 major anti-spam platforms congruently and this "attack" continues to beat all three (perhaps most notable is Google..). We are in talks with all of these platforms...whose business is beating SPAM and who have large 6+ figure budgets.


      I think your general theory is reasonable given the context but the reality is that SPAM is generally not an issue on Thurrott.com. In fact, it's significantly less of an issue than when we were on Disqus. It's significantly less of an issue on these forums than on the Petri forums which are VBulletin (god I hate that software).


      The commenting system isn't perfect (yet?) but a single incident like this over the course of 3 years with a team as small and budget-limited as we are...I dunno, I think the track record is more good than bad.
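hrlngrv's tangent in comment 10 points at a real gap in naive duplicate detection: byte-for-byte comparison misses a repeated post that has been padded with Unicode spaces of varying width, zero-width characters, or the bidi control marks that change writing direction. The Python below is an added example written for this page, not code from thurrott.com or from any of the anti-spam services named in the thread. It normalizes a post body before fingerprinting it (NFKC folding, dropping format characters such as U+200E/U+200F, mapping every space separator to U+0020, case folding) and shows that hrlngrv's `foobar` variant, which differs only by interleaved RLM/LRM marks, collapses to the same fingerprint as the plain word. The sample posts are constructed for the example. The code compares text in its stored (logical) order and does not run the Unicode bidi algorithm, so it does not attempt to match strings that only look alike once reordered for display.

```python
import hashlib
import re
import unicodedata

_WS_RE = re.compile(r"\s+")

# The direction-control characters hrlngrv refers to, listed for reference. The
# category test below (Cf = "format") covers all of these and also zero-width
# space/joiners (U+200B..U+200D), the soft hyphen (U+00AD) and similar marks.
BIDI_CONTROLS = {
    "\u200e", "\u200f",                                  # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",    # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",              # LRI, RLI, FSI, PDI
}


def normalize_for_dedup(text: str) -> str:
    """Canonical form of a post body for repeat detection (example code).

    NFKC folds fullwidth letters, ligatures and the compatibility spaces
    (U+00A0, U+2000..U+200A, U+202F, U+205F, U+3000) to plain U+0020; then
    format characters (category Cf: bidi marks, zero-width chars) are dropped,
    any remaining space separator (category Zs) becomes U+0020, stray control
    characters are dropped, whitespace runs collapse, and the result is case-folded.
    """
    text = unicodedata.normalize("NFKC", text)
    kept = []
    for ch in text:
        cat = unicodedata.category(ch)
        if cat == "Cf":
            continue                      # invisible: LRM/RLM, embeddings, isolates, ZWSP, ZWJ
        if cat == "Zs":
            kept.append(" ")              # e.g. U+1680 OGHAM SPACE MARK survives NFKC
        elif cat == "Cc" and ch not in "\t\n\r":
            continue                      # control bytes other than ordinary whitespace
        else:
            kept.append(ch)
    return _WS_RE.sub(" ", "".join(kept)).strip().casefold()


def fingerprint(text: str) -> str:
    """SHA-256 of the normalized body; equal fingerprints mean 'same post'."""
    return hashlib.sha256(normalize_for_dedup(text).encode("utf-8")).hexdigest()


def is_repeat(text: str, seen: set) -> bool:
    """True if an equivalent body is already in `seen`; otherwise record it."""
    fp = fingerprint(text)
    if fp in seen:
        return True
    seen.add(fp)
    return False


def count_repeats(posts) -> int:
    """Number of posts that duplicate an earlier post after normalization."""
    seen: set = set()
    return sum(is_repeat(p, seen) for p in posts)


# Constructed sample: four disguised copies of one spam line plus one genuine post.
SAMPLE_POSTS = [
    "Buy cheap software here",
    "Buy\u2003cheap\u00a0soft\u200bware here",           # em space, NBSP, zero-width space
    "B\u200fuy ch\u200eeap s\u202aoftware\u202c here",   # RLM, LRM, LRE ... PDF
    "ＢＵＹ\u3000ＣＨＥＡＰ\u3000ＳＯＦＴＷＡＲＥ\u3000ＨＥＲＥ",  # fullwidth letters, ideographic spaces
    "A genuinely different post",
]

if __name__ == "__main__":
    # hrlngrv's example: the same letters interleaved with RLM/LRM marks
    print(normalize_for_dedup("f\u200foo\u200eb\u200fa\u200er") == normalize_for_dedup("foobar"))
    print(count_repeats(SAMPLE_POSTS))   # 3
```

In a real moderation pipeline the fingerprint would be stored per post (or per user) so that the Nth near-identical thread can be held for review or rate-limited; stripping format characters also has the side effect of defeating the right-to-left-override trick used to disguise link text, which is worth keeping in mind when normalizing URLs as well as bodies.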

  11. bharris

    Phony phone calls, junk e-mails & now fake forum posts. It's amazing how much time & effort we have to invest just to use technology without being harassed....and at least with the phone calls, I see no real solution. It's ridiculous...
