How A Spammer Slipped Through
In a two month period, one user made 15 posts. Almost all of them consisted of a plagiarized post body followed by a spam sig. He was not detected until now. This post is about how it happened.
Background Our Culture Our forum's culture has two aspects that facilitated this abuse of our facilities:
Spammer Culture During the past week, I got 3-4 spammers banned. (Not including the spammer in question). Their post bodies have consisted of text plagiarized from other websites. Not just any text: the text always contained enough keywords to look like a legitimate part of the thread. In all cases, they changed certain words in the plagiarized text into their synonyms, to make the plagiarism harder to detect with search engines. The effect, usually, is that they looked like new users who were participating in earnest, had problems with their English, and just happened to have ads in their sig. The posts usually appeared to be on-topic. Here is an example. It should show you just how difficult this activity can be to detect. What Happened What The Spammer Did Between Jan 27 and March 15, the user moremendas01 made 15 posts. Most were plagiarized. All of them contained a sig with three spam links. A couple of these posts were generated by plagiarizing text from other websites (those are gone now). One was plagiarized from elsewhere on this site. Most, however, were simply plagiarized from earlier posts in the same thread. In all cases, he changed a few words of the plagiarized text to avoid detection. No-one, apparently, noticed that he was plagiarizing. If the thread's participants noticed that he had plagiarized them, they kept their knowledge to themselves. He had a low post count. His English was less than perfect, including odd word choices caused by his substitutions. His posts contained the right keywords for the thread and appeared to be on topic. Therefore, he looked like a new user who was struggling with English but nevertheless trying to participate. Our Initial Response Initially, this forum's response was to edit the spam sig out of the posts that specifically got reported. Sometimes, the editing was accompanied by a note to contact LQ about advertising opportunities. He appeared to be participating, and why would we want to lose a participating user over something as trivial as a signature? When he continued to make more posts with the same spam sig, nothing was done to stop him. Escalation On March 15, he edited the posts that the mods removed the spam sig from. He reversed the mod edits and put the spam sig back. I reported him for this, and he was suspended. Here is one of the posts in question. I also reported his other posts for containing advertising in their sigs, in violation of LQ's rules. In reply, I received a PM from Tinkster pointing out that LQ has taken measures to protect itself against sig spammers and that therefore sig spamming, by itself, is not grounds for a report. Further Discoveries When moremendas01 was suspended, Archtoad googled one of his posts and discovered that it was plagiarized from another forum. I went to that forum and found another post that was identical to a different moremendas01 post. I reported my findings. By now, we were aware that two of moremendas's posts were plagiarized. The two posts were removed. However, the temporary ban was not made permanent. And The Kicker This morning, moremendas01's suspension expired. I looked through his history and was able to prove that almost every one of his posts were plagiarized. I reported them, and provided links to the sources that he plagiarized from. So What Happened? As of this writing, the spammer, who has only ever pretended to participate, and who has posted almost nothing but plagiarism, has not been banned. His sig remains in his profile, and 13 of his posts remain in the forum, most still containing the spam links. I did receive this follow-up from Onebuck. I read it as "we're not going to take this seriously because he hasn't logged in for ten days.":doh: Why I Am Telling You This In my opinion, this spammer has proven that we need a tougher spam policy. Although he made 15 plagiarized spam posts in two months, no-one noticed that he was plagiarizing. Because no-one noticed that he was plagiarizing, we tolerated his spam sig. And when presented with proof of how he'd deceived and exploited us in almost every single one of his posts, we told ourselves that he had finished with us and we decided to let him go. What We Should Do What we need to realize is that people who post spam are probably here to spam. This is true whether the spam payload is in their post body or their sig. Under The Current Policies Therefore, if you see a post containng a spam sig, here's what you should do. First, if it's a follow-up, check if it's a legitimate follow-up based on was was previously said in the thread! If it's a non-sequitur in context, then the user is not here to participate but to spam. Whether or not it appears to be a legitimate follow-up, do a text search on parts of the post. Remember that spambots usually paste in text from other sources and then change certain keywords to cover their tracks. You might be able to prove that the post was plagiarized. Then, do the same with every post in that user's history. The longer you allow the spammer to continue, the more difficult this will be. If, after being investigated, the user still appears to be legitimately participating, you can conclude that he's a legitimate user who just happens to have ads in his sig. But only then. How I Recommend Changing The Policies Personally, I recommend disallowing ads in sigs altogether and then being vigilant about enforcing that policy. If we had this policy in place, then moremendas01 wouldn't have been here in the first place. |
First, thanks for both the feedback and in-depth analysis. We do have slightly looser rules for .sigs than we do for the content of posts, for a variety of reasons including the ones you note. I would agree that the behavior you have outlined above is absolutely not acceptable and will not be tolerated here at LQ. The member has been permanently banned. While we do not have plans to make the rules for .sigs stricter at this time do note that the pattern of behavior above *is* something you should report. Unfortunately, your conclusion that "disallowing ads" is .sigs would cut down on this behavior has proven untrue and would have a negative impact on legitimate members while having nearly no impact on spammers.
--jeremy |
Quote:
|
Quote:
Quote:
|
Quote:
Rules for sigs regarding advertising could be a lot stricter without harming legit users. Can someone give some background on this spamming? Is this a bot? 15 messages is not much on a forum like this, I think there are several hundreds of posts a day. And this forum is highly specialized, what yield would a spammer expect? Why it is worth it? Sending out 1 million mails a day I can imagine, but this... Something else amazing. I know there is some kind of correlation about who answers to which topic. I find myself often in the same threads as say, Jefro, AnishaKaul, Archtoad6, Corp796, T0kira, etc. But I am puzzeled that I posted in 5 (could be as well 4) of the 15 threads moremendas01 did that as well. I know this because every time Dugan posted in such a thread to complain about the spammer's behaviour I received a notification. I think that is quite coincidental, given the total amount of daily posts, my number of posts being nothing exceptional, really. (I was always extremely bad in statistics at school!) jlinkels |
Quote:
|
Quote:
I would do it simple as that: 1. A member reports spam in a sig to a moderator. 2. The moderator checks the sig. If it is not spam, nothing is to be done. If it is spam go along with 3. 3. The moderator informs the spamming member to remove the spam and disables his account from further posting. 4. If the spammer removes the spam and informs the moderator about it, the restriction will be removed. 5. If the spammer changes his sig back to spam the member should be warned and/or banned. 6. Repeated abuse should end in a perma-ban. This way a legitimate member will not be affected at all. |
Quote:
and found mods themselves removing their sigs totally, and also many times banning the person in the first time it self. Othertimes the mods say that sigs are not visible in you don't login, and many members have disabled can disable visibility of other's sigs too, so ads in sigs. are not too harmful. Of course there can be some rare cases which mods have missed but usually I have found them on dot. |
Quote:
Quote:
Quote:
Of course it is up to us members to report spam when we see it, but I stand to the position that it should be handled stricter. |
Quote:
Quote:
Quote:
|
Quote:
|
Quote:
|
Quote:
|
Quote:
It's true that noncommercial advertising can go too far too ;), but that's not what we're discussing when we talk about whether to allow (commercial) ads in sigs. Quote:
It's clear to me that when his status was to changed to "banned forever", the date next to it was not changed with it. March 15 was not the date he was banned. It was the date that he last logged in and edited his signature back into the posts they were edited out of. |
Quote:
Quote:
|
It's amazing the things you learn when someone points them out to you ;)
|
Quote:
|
Quote:
tabzz would be a better example of a (legitimate) user who could be affected by even slightly stricter sig rules. Of course, if being unable to advertise off-topic businesses hurts a user in any meaningful way, then that user was never legitimate in the first place. Quote:
http://www.linuxquestions.org/questi...e-html-550222/ Obviously, it didn't work out. What happened? |
Quote:
|
Interesting case, and detailed analysis, good work on that. I would not have caught this because I would assume that it is a typical gibberish post that some users tend to post. I mean, I know of many users that will post something like that, and they're not considered spammers and expect an answer. Something with no punctuation marks, no grammar, no sense ...
It does bring up many issues as a matter of fact, so I'm glad you posted this. For non-commercial advertising, I'd say that posting a link to your Linux-related website in your sig is acceptable ... or I guess than can change. |
Quote:
Most URLs of serious members are quite useful and I often visit them to see what they think is useful or interesting. We should not forbid that. In Dutch there is a saying: throwing away the child with the bath water. Cannot be translated, but it means throw away something useful because you want to get rid of something in relation with it. jlinkels |
The process outlined in post #7 is actually very close to what we currently do, it's just that we're not as strict about the content contained in .sigs as we are with the content of posts (which is not to say we "allow spam" in them, we don't). Keep in mind that members who are in the "New Member" group can't even have a .sig, which means they have to pass various spam filters and other measures before adding one.
--jeremy |
Quote:
Quote:
The fact that he edited his posts later on, though, indicates that LQ was a very high priority target. |
EDIT: If you google the username, you'll find other forums that he spammed. Depressingly, none of them list him as being banned. The results also contain many threads where it's clear that all of the participants are spambots.
|
All times are GMT -5. The time now is 04:02 PM. |