How A Spammer Slipped Through
 

In a two month period, one user made 15 posts. Almost all of them consisted of a plagiarized post body followed by a spam sig. He was not detected until now. This post is about how it happened.

Background

Our Culture

Our forum's culture has two aspects that facilitated this abuse of our facilities:

1. As you all know, we are a vibrant international community that gets many new users every day. We are used to seeing new users who do not have a perfect grasp of either English or of forum usage. The regulars have (appropriately) adopted a tolerant attitude towards posts that may not be in perfect English, or which may contain other mistakes.
2. While the rules do prohibit advertising, the forum has taken measures to make ads in sigs ineffective. Specifically, sigs are not crawlable. As well, they are not seen by users who are not logged in, and can be turned off by users who are. Confident in these measures, the forum moderators have started to largely tolerate ads that a) only appear in sigs, b) aren't for material that violates forum rules, and c) aren't visually obnoxious.

Spammer Culture

During the past week, I got 3-4 spammers banned. (Not including the spammer in question). Their post bodies have consisted of text plagiarized from other websites. Not just any text: the text always contained enough keywords to look like a legitimate part of the thread. In all cases, they changed certain words in the plagiarized text into their synonyms, to make the plagiarism harder to detect with search engines. The effect, usually, is that they looked like new users who were participating in earnest, had problems with their English, and just happened to have ads in their sig. The posts usually appeared to be on-topic.

Here is an example. It should show you just how difficult this activity can be to detect.

What Happened

What The Spammer Did

Between Jan 27 and March 15, the user moremendas01 made 15 posts. Most were plagiarized. All of them contained a sig with three spam links. A couple of these posts were generated by plagiarizing text from other websites (those are gone now). One was plagiarized from elsewhere on this site. Most, however, were simply plagiarized from earlier posts in the same thread. In all cases, he changed a few words of the plagiarized text to avoid detection.

No-one, apparently, noticed that he was plagiarizing. If the thread's participants noticed that he had plagiarized them, they kept their knowledge to themselves.

He had a low post count. His English was less than perfect, including odd word choices caused by his substitutions. His posts contained the right keywords for the thread and appeared to be on topic. Therefore, he looked like a new user who was struggling with English but nevertheless trying to participate.

Our Initial Response

Initially, this forum's response was to edit the spam sig out of the posts that specifically got reported. Sometimes, the editing was accompanied by a note to contact LQ about advertising opportunities.

He appeared to be participating, and why would we want to lose a participating user over something as trivial as a signature? When he continued to make more posts with the same spam sig, nothing was done to stop him.

Escalation

On March 15, he edited the posts that the mods removed the spam sig from. He reversed the mod edits and put the spam sig back. I reported him for this, and he was suspended. Here is one of the posts in question.

I also reported his other posts for containing advertising in their sigs, in violation of LQ's rules. In reply, I received a PM from Tinkster pointing out that LQ has taken measures to protect itself against sig spammers and that therefore sig spamming, by itself, is not grounds for a report.

Further Discoveries

When moremendas01 was suspended, Archtoad googled one of his posts and discovered that it was plagiarized from another forum. I went to that forum and found another post that was identical to a different moremendas01 post. I reported my findings. By now, we were aware that two of moremendas's posts were plagiarized. The two posts were removed. However, the temporary ban was not made permanent.

And The Kicker

This morning, moremendas01's suspension expired. I looked through his history and was able to prove that almost every one of his posts were plagiarized. I reported them, and provided links to the sources that he plagiarized from.

So What Happened?

As of this writing, the spammer, who has only ever pretended to participate, and who has posted almost nothing but plagiarism, has not been banned. His sig remains in his profile, and 13 of his posts remain in the forum, most still containing the spam links.

I did receive this follow-up from Onebuck. I read it as "we're not going to take this seriously because he hasn't logged in for ten days.":doh:

Why I Am Telling You This

In my opinion, this spammer has proven that we need a tougher spam policy. Although he made 15 plagiarized spam posts in two months, no-one noticed that he was plagiarizing. Because no-one noticed that he was plagiarizing, we tolerated his spam sig. And when presented with proof of how he'd deceived and exploited us in almost every single one of his posts, we told ourselves that he had finished with us and we decided to let him go.

What We Should Do

What we need to realize is that people who post spam are probably here to spam. This is true whether the spam payload is in their post body or their sig.

Under The Current Policies

Therefore, if you see a post containng a spam sig, here's what you should do.

First, if it's a follow-up, check if it's a legitimate follow-up based on was was previously said in the thread! If it's a non-sequitur in context, then the user is not here to participate but to spam.

Whether or not it appears to be a legitimate follow-up, do a text search on parts of the post. Remember that spambots usually paste in text from other sources and then change certain keywords to cover their tracks. You might be able to prove that the post was plagiarized.

Then, do the same with every post in that user's history. The longer you allow the spammer to continue, the more difficult this will be.

If, after being investigated, the user still appears to be legitimately participating, you can conclude that he's a legitimate user who just happens to have ads in his sig. But only then.

How I Recommend Changing The Policies

Personally, I recommend disallowing ads in sigs altogether and then being vigilant about enforcing that policy. If we had this policy in place, then moremendas01 wouldn't have been here in the first place.

First, thanks for both the feedback and in-depth analysis. We do have slightly looser rules for .sigs than we do for the content of posts, for a variety of reasons including the ones you note. I would agree that the behavior you have outlined above is absolutely not acceptable and will not be tolerated here at LQ. The member has been permanently banned. While we do not have plans to make the rules for .sigs stricter at this time do note that the pattern of behavior above *is* something you should report. Unfortunately, your conclusion that "disallowing ads" is .sigs would cut down on this behavior has proven untrue and would have a negative impact on legitimate members while having nearly no impact on spammers.

--jeremy

Sorry, but I don't understand that. Please be so kind and explain to me why stricter rules regarding spam in sigs would affect legitimate members.

To elaborate: the spammer was already banned on 15/03/2011, rendering the "As of this writing, the spammer, (..), has not been banned. (..) This morning, moremendas01's suspension expired." statements incorrect.


I think we don't. Those of us who've been here quite a while have developed a good sense for sniffing out spam. That's not the problem IMO. The problem is a lack of eyeballs. So I'd urge everyone who thinks a post is spam to report it, preferably accompanied by any findings of your own. The "extra" work isn't the problem as it comes with the territory: I'd rather dismiss tens of posts than let a spammer through. I'd also urge you not to judge the status quo of LQ spam handling by one incident though a heightened sense of vigilance among more LQ members would definitely help enforce the current policy more efficiently.

+1

Rules for sigs regarding advertising could be a lot stricter without harming legit users.

Can someone give some background on this spamming? Is this a bot? 15 messages is not much on a forum like this, I think there are several hundreds of posts a day. And this forum is highly specialized, what yield would a spammer expect? Why it is worth it? Sending out 1 million mails a day I can imagine, but this...

Something else amazing. I know there is some kind of correlation about who answers to which topic. I find myself often in the same threads as say, Jefro, AnishaKaul, Archtoad6, Corp796, T0kira, etc. But I am puzzeled that I posted in 5 (could be as well 4) of the 15 threads moremendas01 did that as well. I know this because every time Dugan posted in such a thread to complain about the spammer's behaviour I received a notification. I think that is quite coincidental, given the total amount of daily posts, my number of posts being nothing exceptional, really. (I was always extremely bad in statistics at school!)

jlinkels

e.g. Dugan's sig. which contains a pointer towards his own website. That's also an advertisement, but we are not frowning on him since that website is very helpful and he is a legitimate member so we don't doubt his intentions. Now if you totally disallow links in sig.s we'll be deprived of the useful links in the sigs. of various members, IMO

I wouldn't consider those links spam (the same applies to the links in my sig), because they don't link to a commercial side. He don't want to sell me anything. Therefore I also wouldn't consider that as advertisement. I don't want to get rid of sigs or links in sigs generally, but to handle (real) spam in sigs stricter.
I would do it simple as that:
1. A member reports spam in a sig to a moderator.
2. The moderator checks the sig. If it is not spam, nothing is to be done. If it is spam go along with 3.
3. The moderator informs the spamming member to remove the spam and disables his account from further posting.
4. If the spammer removes the spam and informs the moderator about it, the restriction will be removed.
5. If the spammer changes his sig back to spam the member should be warned and/or banned.
6. Repeated abuse should end in a perma-ban.

This way a legitimate member will not be affected at all.

But that's what is exactly happening, I have reported several such members,
and found mods themselves removing their sigs totally, and also many times
banning the person in the first time it self. Othertimes the mods say that sigs
are not visible in you don't login, and many members have disabled can disable visibility of other's sigs too, so ads in sigs. are not too harmful.

Of course there can be some rare cases which mods have missed but
usually I have found them on dot.

If that is what exactly is happening, this thread wouldn't exist. It doesn't help to remove the spam from one post, as it seems actually to be done, when the spammer doesn't remove the spam from his sig.
Are there any statistics about that? Most members with a somewhat higher post-count have a sig, so why should they disable other's sigs?
Doesn't make sense to me to not log in when I visit LQ, since I have to login when I want to answer to a post. Therefore I have auto-login enabled.

Of course it is up to us members to report spam when we see it, but I stand to the position that it should be handled stricter.

That was a WRONG statement from my side, I should have said, that members have the option to disable the visibility of other's sigs. I will correct my above post.

I was talking about the actual guests, they can't see the sigs.

I know that and have discussed the same with XavierP, he told me all about the guests can't see sigs and members can disable them etc.

The LQ rules say that advertisement is not permitted. so irrespective of the fact that Dugan doesn't want to sell anything, he is still advertising his own site in his sig. :D

OK, then I have to remove the links to Slackware and XFCE from my sig to comply with the rules. ;)

Don't do that, we need those links :) That's the reason I think the root said that if he forces the strict rules, the legitimate members would be effected. I am not very sure if that is the reason, I am just guessing.

Please understand that we're talking about commercial advertising here.

It's true that noncommercial advertising can go too far too ;), but that's not what we're discussing when we talk about whether to allow (commercial) ads in sigs.

That's not what his "last activity" box said! It was blank at the time that I made the OP. On March 23rd, which was one day after I reported him for having edited his posts to reverse mod edits, the box said "banned until March 24, 8am. Do not reverse mod edits of your posts." It was also blank when I reported him for that.

It's clear to me that when his status was to changed to "banned forever", the date next to it was not changed with it. March 15 was not the date he was banned. It was the date that he last logged in and edited his signature back into the posts they were edited out of.

:) I understand that, but LQ rule doesn't differentiate between varieties of advertisements: Rule says: