Behind Thurrott.com: Spammers

In yesterday’s discussion about comment moderation, I mentioned in passing how wonderful it is to be protected from spammers. And while I’d always meant to follow that article with a closer look at how we prevent spam from overwhelming article comments and the forums, I didn’t expect to write about it so soon. But what the heck, a couple of particularly good examples popped up today.

As noted previously, I spend a lot of time in the OpenWeb admin interface, as it’s become a key nexus of reader interaction for me. But at its heart, OpenWeb is about battling online toxicity. And that takes many forms: people who spread misinformation indiscriminately, trolls who are triggered by specific topics (like UWP) or individuals (Elon Musk), angry people lashing out at authors or fellow readers, and, of course, spammers.

I’m more than willing to handle any of that. But having spent the past several years engaged in an undeclared war against spammers, this particular type of toxicity is personal. There were times in the past when I had to manually manage deluges of spam, but thanks to OpenWeb and the most basic of forums policies, this has shifted to a tiny trickle each day over the past year or so. And that’s one of many reasons I’m so happy about this service.

So what does it look like now? Usually, it looks something like this.

Now, this one is particularly obvious. But it’s also painfully typical. It’s typical because the spammer left this one and only comment and then drifted back into whatever primordial ooze in which they live: when the comment didn’t immediately appear on the site, they gave up, knowing that posting more would just be a waste of time. (Had it been posted successfully, they would have added more.) And it’s typical because it’s so obvious: spam is rarely subtle or hard to detect, in part because of the people who create it. They’re poor, they need to deliver spam in volume, they live in other countries, and they don’t speak English primarily (in general, but, seriously, almost always).

Here’s how I deal with this.

First, I look up the account’s username in the WordPress Users interface. (It’s probably more accurate to use their email address, which OpenWeb also provides, but this usually works fine.) This is always open in a browser tab.

Mousing-over the name, I can see that this user is user account #198532, and while I don’t need that information in this case, this also tells me something that can be important (see below): this is a recently created user account. And I know that because I do this every day, and I know that we’re now in the 198xxxx range for new user accounts. And it being new is one of several clues, or signals, that this may be a spam account, because accounts established weeks, months, or years ago are very rarely used to spread spam now. (Again, I didn’t need to even know that in this case, as it’s obvious.)

From here, I CTRL-click “Edit” to open that interface in a new tab. And then I scroll down to the “Account Management” section of this page in WordPress, where I find two critical buttons: “Set New Password” and “Log Out Everywhere.” Clicking them disconnects the spammer from the site, should they actually still be (mal)lingering around. And it means they can’t just sign right back in because I changed the password. Oops.

After scrolling down to the bottom of the page and clicking “Update User,” I return to the previous tab and click “Delete” so that I can delete this user account from WordPress. This triggers a warning, of course.

But I continue, and the account is deleted. Depending on how that account was created, so too was all of the content they may have created. But since this is a spammer, in most instances there is nothing else. So no worries there. That tab goes back to the Users view in WordPress, one of several I keep open in my main browser window every day, and then I manually close the tab I used to reset the password and log out that user.

Then, I return to OpenWeb and select More > Add to blocklist from the choices to the right of the spam comment.

The Add to Blocklist dialog appears.

Here, I check all three of the available options, and I’ve provided feedback to OpenWeb that there should be a single checkbox that does all three at once, since I’ve never ever come here and only wanted to check one or two of the choices. I always want the “nuke it from orbit” response.

And then I reject the comment, by clicking the Reject link. It disappears from Pending, never to be seen again. Well, unless I navigate over to the “Rejected” view. Which I rarely need to do.

Strictly speaking, I don’t need to spend the time looking up the user, changing their password and logging them out, and then deleting their account in WordPress. After all, blocking them in OpenWeb mostly solves the problem. But I don’t want crap empty accounts in WordPress, and there is always the possibility that the spammer could create a new password and then try to post spam to the forums too. So I do the right thing, and it doesn’t take that long. And there aren’t that many each day.

Speaking of which. What about forums?

I noted that we have a simple policy for new forum posts: the first time you try to post to the forums, I have to approve it before it goes live. But once you have successfully gotten past this non-gauntlet of moderation, you’re in, and you can post again in the future with no waiting. Because of this, I look at the forums each morning to see if there is anything pending, and I check again and again throughout the day, and at the same time I’m checking in with OpenWeb.

Our forums aren’t as busy as the comments, but when I got back from lunch today, I saw a pending (“Draft”) forum post. And as you can see, it looks legit enough based on the title.

So I CTRL+clicked on it to open it in a new tab and see what was up. And if you don’t read this too closely, it looks legit. More important, there’s no hyperlink, which dramatically decreases the possibility that this is spam.

The problem is, this is spam. And that raises the interesting possibility that this spammer has learned a lesson that most spammers have not: they’re testing our defenses, so to speak, by posting something that looks innocuous so that, if successful, they can then post further forum posts or comments (or edit this one) to includes malicious/spam hyperlinks. Nicely done, spammer.

So. How do I know this is spam?

Actually, I can’t say that I know. But there are three signals here that point strongly to this possibility. And that’s enough for me to shitcan it forever. They are:

• English as a second language. There’s nothing wrong with a non-native speaker trying to communicate in my language on this site, but most spammers seem to come from Eastern Europe and Southern Asia, based on the many examples I’ve interacted with. And this reads like that to me.
• This is a stupid and very vague question. Who would come to Thurrott.com and ask what a VPN is, based on the advice of “many people”? I read advice columns in The New York Times and Washington Post each morning, and I subscribe to Facebook groups for Macungie (the town I now live in) and Mexico, and it always boggles my mind when people reach out to groups for “advice” (really, answers) about a topic that would be better and more quickly answered via Google. There is a definitive source for this basic information online and you chose to ask here? Seems unlikely.
• It’s a new user account. As mentioned above, we are now in the 198xxxx range for new user accounts. And this person’s user account is #198528, so it’s brand spanking new.

Put this all together and you can probably understand my suspicion: a non-English speaker, butchering the language, asking a very basic question that is better answered on Google, using an account he just created? Come on. But even if you’re still on the fence, which I understand, the fourth factor is just my years of experience with this kind of thing. Yes, there is some infinitesimal chance that this person is legit, literally wants help with this question, and somehow found this site, though it was the right place for this question, and then created an account just so they could ask it. That could be true.

But I don’t care. Playing the odds, I close the tab, navigate back to the Users view in WordPress that I leave open in a different tab and look up the account. Steve Walters, oddly, has an email address that starts with “garydavis15@.” And while that’s not necessarily damning, it’s a fifth factor I can and do add to the list of signals that informed my already-made decision. Then I delete this account as described above. And if doing so does not delete that draft forum post they created—it doesn’t always, again, based on how the account was created—then I delete it manually.

What if I made a mistake? Well, if they reach out to me or the site, we can fix it by restoring the account and the forum post. But you know what? I don’t think we’re going to hear from Steve. Or Gary. Or whatever their name is. Because I think they’ve moved on.

That’s what spammers do.