Spam 101

The_J

We have encountered many types of spam here, some easy to identify, some difficult to spot. Not everything can be seen daily.
So I thought it should be written down what we've seen and tactics to recognize spam, as a help for new moderators and maybe also for the normal users. So, I'd also like to post this in SF, if nobody has any objections.

So, the spam:

The obvious

"Buy new Apple iPhone", yeah. Obvious spam is not hard to identify, especially when it's posted as a new thread. Not much to say here, but still 2 examples below:

The unobvious

Spam doesn't come in a single form, but in multiple forms, and you should pay attention to different things.

Beware of new users!
Bots are in nearly all cases new users with a low post count.
So everyone who does not clearly post anything ontopic should be watched with suspicion. Same counts for newly created threads, which might not clearly belong here.
At this point you should also remember that CFC is primarily a Civilization site, and secondarily a gaming site. Everyone who registers and heads straight to one of the other areas is highly suspicious.

Beware of generic text!
Bots do not have to be dumb. They can have a low intelligence, they might even post ontopic. These ontopic posts can stem from different sources. They can be
  • Generic text. Probably every forum on the internet has a rants thread, a raves thread, a youtube thread, a welcome new members thread. It's easy to hack some generic phrases into a bot which might fit into one of these threads. A simple "Hello I'm new" in the "welcome new members" thread is suspicious.
  • Copies from within the thread or forum. The easiest thing to make an ontopic post is to copy another post from within the thread, or to create a copy from an older thread. This can be hard to spot, so here you might want to look at the post count. Easier to spot when the bots make epic fails, like e.g. copying the text from the post before, or copying a thread which is totally out of line, e.g. one copied the OP of the "welcome new members" thread.
  • Copies from elsewhere. We have seen that bots copied text from a thread in the 2K Civ5 forum, or one posted text from the Apolyton wikipedia article.
  • Generated text based on already present text. There were bots who exchanged parts of a post, like e.g. they transformed "Hi, I'm George from Arizona" into "Hi, I'm Catherine from Flordia", or they answered the poll "What is your favourite building?" with "My favourite building is [last poll option]".


Examples for generic text:

Examples for an internal forum copy:

Copy from wikipedia:

Generated text:

Why is this a bot? The post was from this thread, and as pointed out the Ziggurat is more or less an invalid option. The user additionally had a spam link set as homepage in his profile.


Beware of links!
Yes, spam should in most cases contain a link.
Links can be
  • Simply within the text.
  • As a fake signature. Remember: New users cannot use signatures. If they seem to have a sig, then it's a fake and likely a bot.
  • As "homepage" entry in their profile
  • Related to above: There are bots which do NOT post! They just put a link as their homepage, and set a date as their birthday. So they will appear at some point at the main page, and random users might click into their profiles or google might index them (could be that other measures at the moment prevent this)
  • As "location" in their profile
  • In visitor messages
  • In private messages
  • In or as social groups. Yes, we had bots which created social groups for their spam.
  • They can quote posts with some generic text, and modify the quotes to have links
  • Youtube #1: We've seen bots which spammed youtube links to promotion videos
  • Youtube #2: Most people know that youtube links look like youtube.com/watch?v=ABCDEF. Now there were bots which posted youtube.com/watch?v=ABCDEFXYZ. You would not notice it, but they didn't post a youtube link, but attached a new link to it. If you quote it, it would look like
    [URL="youtube.com/watch?v=ABCDEF"]youtube.com/watch?v=ABCDEF[/URL][URL="evilspamsite.com"]XYZ[/URL]
  • As smileys. Using external smileys from other sites is fine. But we've seen the tactic to embed a :) from external sources. Makes no sense, you'd think? It does. These types of smiley are used as web bugs to track users and are therefore spam too (wiki: web bugs).

Example for a fake signature:

Example for youtube spam:

Example for external smileys:

Note: It seems the spammers took the site down, so you cannot really see a smiley here. Else you would see one at the front of the second message.
More explanation:
That smiley was a simple :), and not some fancy smiley which we don't have.
The bots basically post generic text in various places, and all the posts have a :) from an external site.
As explained in the wiki article, this is meant to track users. Since every user who loads a page from CFC also loads, in such cases, content from that external site (the smiley), it allows that external site to track the users within the forum, and if the spam also occurs on other sites, the tracking is also possible across different sites.

Now you might say "Once a smiley from another site...the user didn't find our smileys". Not the case. The users were sure bots, with copy text, and the first site appears 24 times in the PB thread, the second 18 times, and er...there was a third, I think.


Example for spam in the location field:

Visitor message spam:

Private message spam:

Spam in a quote:

The original poster had the correct link. The spammer changed it in the quote.



Beware of...er....users, even if they don't post links

Spam should have links. But it does not have to.
We have seen bots who edit their posts later to embed a link, and we have seen political spam without any sorts of links. So basically everything is suspicious.


The unusual

This section is not really meant for serious spam detection, but rather what other types of spam we've seen. We have encountered different things, including
  • Pirates, who tried to advocate their cracks
  • Malware
  • Porn
  • Hatemail
  • Spam via hacked accounts
  • Bots failing to spam

A pirate:

Malware:

Porn:

PM Hatemail:

Note: That user name seems to be known in every forum in the web, but the intention...


A hacked account:

Note: The hack was independent from CFC, and due to other info we're sure that nobody else is in danger.


failbots:

That's why HTML is not allowed.




If a user has been registered, and has not yet confirmed his email, then most possible actions like responding to posts or visitor messages will result in a report. At least that sort of failed spam is easy to detect.





You can see, this PM was reported by a mod. The bot could apparently reply to the PM, which is sent automatically with every infraction, with a spam PM. Didn't really work like intended, I guess.




What to do?

The most important thing is that you keep an open eye on who else is posting, and that you report suspicious things. In case of doubt we'd rather like to have more reports than less. This is especially important for PMs, VMs and posts within a thread, because they are not easy to spot, just due to the mass.
You can report a post via the button (or in the black CFC style), which is to the left of each post and to the top right of each private message. For visitor messages there is a link named "report". In case you see that a bot has created more than one thread, then please report only one. We normally remove all their posts, no matter how many different are reported.
Please also don't reply or even quote the bots. It's not very helpful when the moderator has finally removed the bot, but the offending material is still visible because you quoted it.
And since you have seen that not every bot is dumb: Use your brain! Did somebody who you don't know and who's not a known member here send you a suspicious PM? A friendship request? A visitor message? Keep an eye on that stuff. Bots can do that, and they will do it. There does not have to be a person at the other end.


Was this post necessary?

If you look through the images, you see that only a minority of the posts was reported.
Means the users did not recognize them as spam, or didn't bother to report, which is both bad. It might help with the former part.
I also hope that we could maybe collect other unusual occurrences here. Because e.g. the smiley spam has not happened for quite some time, and if we see it again, it might be necessary that everyone knows about it and recognizes it. And new moderators might need an overview, because they just have not seen what sort of stuff can happen here.

I hope this post was useful :).
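
The link checks from the "Beware of links!" list (the glued YouTube link, the link changed inside a quote, the external smiley used as a web bug), written out as an added example that is not part of the original post. `FORUM_HOSTS`, the function names and the sample posts other than the YouTube one are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

FORUM_HOSTS = {"forums.example.org"}  # assumption: hosts the forum serves its own images from
URL_TAG = re.compile(r'\[URL="?([^"\]]+)"?\](.*?)\[/URL\]', re.I | re.S)
IMG_TAG = re.compile(r'\[IMG\](.*?)\[/IMG\]', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r'^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/|$)', re.I)

def host(url):
    """Return the lower-cased host of a URL, tolerating a missing scheme."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    h = (urlparse(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def check_post(bbcode):
    """Return (finding, detail) tuples for one post's raw BBCode."""
    findings, prev_end, prev_host = [], None, None
    for m in URL_TAG.finditer(bbcode):
        target, text = host(m.group(1)), m.group(2).strip()
        # Visible text is itself a URL but the tag points elsewhere (edited quote link).
        if LOOKS_LIKE_URL.match(text) and host(text) != target:
            findings.append(("text-target-mismatch", f"{text} -> {target}"))
        # A link to another host glued directly onto the previous link:
        # rendered, the two read as one continuous URL.
        if prev_end == m.start() and prev_host != target:
            findings.append(("glued-link", f"{prev_host} + {target}"))
        prev_end, prev_host = m.end(), target
    for m in IMG_TAG.finditer(bbcode):
        if host(m.group(1)) not in FORUM_HOSTS:
            findings.append(("external-image", host(m.group(1))))
    return findings

def repeated_image_hosts(posts, threshold=3):
    """External image hosts that appear in at least `threshold` posts (web-bug pattern)."""
    counts = Counter()
    for p in posts:
        counts.update({d for kind, d in check_post(p) if kind == "external-image"})
    return {h: n for h, n in counts.items() if n >= threshold}

# The YouTube sample is the one from the post; the other two are constructed.
YOUTUBE_POST = '[URL="youtube.com/watch?v=ABCDEF"]youtube.com/watch?v=ABCDEF[/URL][URL="evilspamsite.com"]XYZ[/URL]'
QUOTE_POST = '[QUOTE=SomeUser]Rules: [URL="http://spam.example/x"]http://forums.example.org/rules[/URL][/QUOTE]'
SMILEY_POST = 'Nice thread! [IMG]http://tracker.example/smile.gif[/IMG]'
if __name__ == "__main__":
    for post in (YOUTUBE_POST, QUOTE_POST, SMILEY_POST):
        print(check_post(post))
```

A single external image is not a finding on its own, since users legitimately embed images; the repeated-host count across many posts is what matches the smiley pattern described above.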
 

More attachment space for images, nothing to see here.
 

More space needed.
 

This thread was in the queue as well for quite some time, like the reports and infraction statistics for last year, found now some time, and I hope it gives an interesting read to some people.

Also important:

I also hope that we could maybe collect other unusual occurrences here. Because e.g. the smiley spam has not happened for quite some time, and if we see it again, it might be necessary that everyone knows about it and recognizes it.

There's currently again one of this type of spammers around, so if you see some generic text with a non-CFC :) attached, then please report it :).
 
I have a quick question, would it be possible to add a category to the annual infraction roundup about spam?

I would have liked to, but that's a bit difficult to measure at the moment.
Maybe I'll do, but I need a couple of hours of free time for that, and that seems unlikely for me at the moment.

Can you guys post a thread with the funniest spam bot posts?

We don't really log that anywhere.

But sometimes we really get unusual spam. Like for horse medicine, wedding dresses, funerals...

If anything more amusing comes to my eyes, then I might add it.
But at the moment it's rather boring. Nearly every bot advertises live streams or downloads for TV series, so nothing to see there currently :/.
 
Oh that is boring. I remember some amusing ones that would pop up in the Civ5 forums where they'd mash together random words in a sentence. Joseph Gordon-Levitt is peanut buttery goodness!
 
Also, as an example of what happens when a spammer's software breaks, comes this (courtesy of the comments section of my website):

}{{Try to avoid|Stay away from|Avoid|Attempt to avoid} {making|creating|producing|generating} {promises to|offers to} {yourself|your self|oneself|on your own} in {network marketing|multilevel marketing|multi-level marketing|mlm}. {While|Whilst|Although|When} {it is important to|it is essential to|you should|it is very important} {look|appear|appearance|seem} {ahead|forward|in advance|ahead of time} and {envision|visualize|imagine|picture} {a large|a big|a sizable|a huge} {market|marketplace|industry|market place}, {setting|environment|establishing|placing} {unrealistic|impractical|improbable|unlikely} {goals|objectives|targets|desired goals} {will bring|brings|will take} {about a|in regards to a|regarding a|with regards to a} {real|genuine|actual|true} {sense of|feeling of|sensation of|experience of} {failure|malfunction|failing|breakdown}, {if you do|should you|should you do|if you} {happen to|occur to|eventually|afflict} {fail to|neglect to|forget to} {meet|fulfill|satisfy|meet up with} them. {Inevitably|Undoubtedly|Unavoidably|Certainly}, most {promises|guarantees|claims|pledges} we make with {ourselves|yourself|ourself|our own selves} are {unrealistic|impractical|improbable|unlikely}, so {try to avoid|stay away from|avoid|attempt to avoid} them {altogether|entirely|completely|totally}.

Obviously if you see something like this it should be reported :)
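
A check for raw spin templates like the one quoted above, as an added example that is not part of the original post: it flags comments that still contain `{a|b|c}` groups and turns a leaked template into a regex that matches the expanded variants the same bot posts elsewhere. `TEMPLATE` is the first sentence of the quoted text; the function names and the rendered sample are constructed for illustration.

```python
import re
from math import prod

# Innermost {a|b|c} group: braces containing at least one pipe and no nested braces.
GROUP = re.compile(r'\{([^{}|]*(?:\|[^{}|]*)+)\}')

def spintax_groups(text):
    """Return the option lists of all innermost {a|b|...} groups."""
    return [m.group(1).split("|") for m in GROUP.finditer(text)]

def variant_count(template):
    """Number of distinct texts a flat template can expand to."""
    return prod(len(opts) for opts in spintax_groups(template))

def looks_like_raw_spintax(text, min_groups=3):
    """Flag text in which the spinner failed and left its groups unexpanded."""
    return len(spintax_groups(text)) >= min_groups

def template_to_regex(template):
    """Compile a leaked template into a regex matching any rendered variant."""
    parts, pos = [], 0
    for m in GROUP.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        options = "|".join(re.escape(o) for o in m.group(1).split("|"))
        parts.append(f"(?:{options})")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts), re.I)

TEMPLATE = ("{Try to avoid|Stay away from|Avoid|Attempt to avoid} "
            "{making|creating|producing|generating} {promises to|offers to} "
            "{yourself|your self|oneself|on your own} in "
            "{network marketing|multilevel marketing|multi-level marketing|mlm}.")
RENDERED = "Stay away from creating offers to oneself in mlm."  # constructed variant

if __name__ == "__main__":
    print(looks_like_raw_spintax(TEMPLATE), variant_count(TEMPLATE))
    print(bool(template_to_regex(TEMPLATE).search(RENDERED)))
```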
 
Hi The_J ,

Wow , it is a great post ! It is good to know for me that great post can made : )

Did u make a post like this at cool website www . fabulouslyhotsusans . gov , hottest girls all called Susan , most fabulous Susans on www , " boys named Sue " no questions asked ; ) www . fabulouslyhotsusans . gov
 
I almost reported that until I noticed your username :lol:
 
:lol: yeah, nice one.

Also, as an example of what happens when a spammer's software breaks, comes this (courtesy of the comments section of my website):



Obviously if you see something like this it should be reported :)

Haven't seen something like that here, so that's rather new :D.
 
That's hard to differentiate for most times.
Not only, but also due to Kickstarter, we get in the last time lots of "game advertisement" threads, and it's not easy to say if a person is really a spammer, or someone who's really interested in promoting a game and contributing (at least a minimum) to this community.

But yeah, you're right, might be necessary to add.
 
A lot of the time with new thread spam it's pretty obviously spam from the thread title and/or the OP preview alt text, however I still need to open the thread and trigger any web beacons etc. to report it. Is it possible to add a (small) report button on the forum level view so that can be avoided?
 
Don't think we can do that, I don't think vb is that flexible (and it's definitely not a default option).

But that's not really a big issue :). Nearly nothing of the obvious spam contains web bugs, that's all in the non obvious spam (that itself is sure an issue again, but nothing what we could prevent).
 
The original poster had the correct link. The spammer changed it in the quote.
Hah, this is really sleazy. Most spammer examples you give, even those who try to mask themselves, are obvious, but that's something precious, especially when linking to a URL that really starts with "sweetandyoung".

I also like bots that post large book excerpts, placing links in them. I remember one that posted excerpts from Harry Potter, and another one that posted a large chunk of War and Peace. Some bots are obviously more appreciative of high culture than others...
 
The people who code bots can be pretty clever, I especially like how the bots in Guild Wars 2 have evolved from barely able to path find their way around objects to bots that teleport from harvest node to harvest node... it makes them quite difficult to report (though I have only definitely seen one bot after 592 hours of playing). Bot names can be pretty interesting too, sometimes they are super obvious and sometimes they are references, as opposed to just being random gibberish.
 
Must click every link. :twitch:

Most adware bots are very obvious, but the one with the changed link code, that was rather clever, but dangerous. Most ones I have come into contact with are easily recognisable by the fact that they are clearly advertising things.
 