Bot-like accounts


(TechnoBear) #1

Continuing the discussion from "Chopped" Spam in New User Profiles:

As mentioned in the linked topic, we started to get a lot of accounts with 250-character Spam profiles after we switched to SSO. Six days ago, the language of the Spam, and the associated e-mail addresses, changed to Polish, and since then we’ve had 30 Polish and only one English (with a Polish e-mail address) - 24 of them in the last three days.

In the last few days, we have also had a huge increase in other Spam profiles, all Polish, and all fitting such exact patterns that they look like bots to me. I understand the argument that bots can’t click the activation link in an e-mail, but the utter consistency of these looks bot-like to me. In my experience, humans creating multiple accounts invariably have occasional odd discrepancies - inconsistent capitalisation, typos, even clicking the odd post or the welcome message. These do not. Each matches its “type” exactly, and all have read 0 posts and spent less than 1 minute reading. None has a profile picture; all use default system letter. Unfortunately, we have no IP addresses recorded for these, but I would be most interested to know if anybody else recognises these patterns.

In addition to those mentioned above, in the space of three days we had 24 of this pattern:

  • Username is a capitalised first name plus four random letters.
  • E-mail name is a first name which does not match the username
  • E-mail domains: subdomain.securemail.co.pl
  • Name: “Proper” name, correctly capitalised. e.g. Kyle Guido, Raisa Seidensticker, Marcus Haefner. Does not match either username or e-mail.
  • Profile text: URL plus single sentence. English, but has an air of “spun” about it.

(We have since blocked securemail.co.pl, and had no further sign-ups of that pattern, although we’re not sure if blocked e-mail domains work with SSO.)

In the same three days, 27 accounts of this pattern:

  • Username is a capitalised first name plus two random letters.
  • E-mail name is a name (surname?) which does not match the username, plus two digits
  • E-mail domains: 4**.e90.biz
  • Name: “Proper” name, correctly capitalised. e.g. Dennis Balle, Lenny Lyas, Todd Lleras. Does not match either username or e-mail.
  • Profile text (all posted in “About Me”): URL which redirects. Fake “bio” which appears to be created from stock phrases. Last line is generally a proverb, or spun version thereof, with “new” replacing one word.
    English, but has an air of “spun” about it.

A further 10 accounts for this pattern, over the same period:

  • Username is 9 random lower-case characters plus two digits.
  • E-mail name is short word or name followed by two digits, the first of which is 0. Repeating patterns: e.g. risk01@, risk02@, risk05@
  • E-mail domains: Multiple; mostly lengthy German or Polish.
  • Name: “Proper” name, correctly capitalised. e.g. Maksymilian Sikora, Adrian Wisniewski
  • Profile text: 20 - 23 words, including URL; German nonsense text.

And the latecomer to the party - in the past two days, 17 of these:

  • Username is 5 random lower-case characters plus two digits.
  • E-mail name matches username.
  • E-mail domains: wnmail.top, tpmail.top, xtmail.win
  • Name: “Proper” name, correctly capitalised. e.g. Blandyn Kwoka
  • Profile text: 250 characters, nonsense text with occasional “male sexual health” terms; mixed languages

So that’s over 100 Spam accounts in three days (not counting the handful of “normal” Spam accounts I’ve seen).

So far, thankfully, none of these has posted, but if these are automated or semi-automated accounts, that could get very messy.

As before, I’m interested in these specific patterns of sign-up, and whether anybody else has seen the same or something similar.
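The four sign-up shapes listed in the post above, written as a classifier that could be run over an exported user list (an added example, not code from this thread or from Discourse). The field names, the sample accounts and the assumption that the "random letters" may be either case are illustrative.

```python
import re

# Shapes transcribed from the first post; the case of the "random letters" is an assumption.
D_DOMAINS = {"wnmail.top", "tpmail.top", "xtmail.win"}

def under(domain, parent):
    """True if domain is parent or one of its subdomains."""
    return domain == parent or domain.endswith("." + parent)

def dormant(a):
    # Trait shared by every group: 0 posts read, under a minute reading, no picture.
    return a["posts_read"] == 0 and a["read_secs"] < 60 and not a["has_avatar"]

def classify(a):
    """Return 'A'..'D' for the sign-up group the account fits, else None."""
    if not dormant(a):
        return None
    user = a["username"]
    local, _, domain = a["email"].lower().rpartition("@")
    stem = re.fullmatch(r"([a-z]+)(\d{2})?", local)   # name, optionally plus two digits
    mismatch = bool(stem) and not user.lower().startswith(stem.group(1))
    if under(domain, "securemail.co.pl") and mismatch and not stem.group(2) \
            and re.fullmatch(r"[A-Z][a-z]+[A-Za-z]{4}", user):
        return "A"   # first name + 4 letters, unrelated e-mail name
    if under(domain, "e90.biz") and mismatch and stem.group(2) \
            and re.fullmatch(r"[A-Z][a-z]+[A-Za-z]{2}", user):
        return "B"   # first name + 2 letters, e-mail name + 2 digits
    if domain in D_DOMAINS and local == user and re.fullmatch(r"[a-z]{5}\d{2}", user):
        return "D"   # 5 lower-case + 2 digits, e-mail name equals username
    if re.fullmatch(r"[a-z]{9}\d{2}", user) and re.fullmatch(r"[a-z]+0\d", local):
        return "C"   # 9 lower-case + 2 digits, e-mail like risk01@, any domain
    return None

def acct(username, email, posts_read=0, read_secs=20, has_avatar=False):
    return dict(username=username, email=email, posts_read=posts_read,
                read_secs=read_secs, has_avatar=has_avatar)

# Constructed sample accounts (not real sign-ups); subdomains are placeholders.
SAMPLES = [
    acct("Kylexqzt", "marta@sub.securemail.co.pl"),
    acct("Dennisqp", "kowal42@sub.e90.biz"),
    acct("qwplzmxnr07", "risk01@long-domain.example"),
    acct("xkqpz31", "xkqpz31@wnmail.top"),
    acct("alice", "alice@example.org"),                       # dormant but ordinary
    acct("Dennisqp", "kowal42@sub.e90.biz", posts_read=12, read_secs=900),
]

def label_all(accounts=SAMPLES):
    return [classify(a) for a in accounts]
```

The last two samples show that dormancy alone, or a matching name shape on an account with real reading activity, is not enough to be labelled.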


(Sam Saffron) #2

One thing that is confusing me here is that the source of the problem would be the SSO origin, shouldn’t the origin where accounts are registered be in charge of making sure less spam accounts register in the first place?


(Mittineague) #3

I wonder if this might be related to the relatively new login that was put in place a while ago.

i.e. instead of the modal it goes to a “site-wide” page.

I have noticed that when I log out, it appears that I have logged out.
Yet after I close the browser (which removes cookies and deletes cache) when I later open the browser (which is set to have the “start” page as the last opened page) it looks like I am logged in (i.e. avatar displays) even though I’m not and can’t post until I go to the login page and log in.
When I log out and then do a page refresh before closing the browser the log out “sticks”.

I assumed it was just only me and some wonky browser thing I was unaware of, but maybe not.

If you go to an older account that has recently visited, is the
admin/users/{id}/{membername}
Last IP Address
also missing?


(cpradio) #4

Were you somehow reading our Slack conversation where I said the same thing? :wink:

No, in all seriousness, I believe that to be 100% correct. SSO is bypassing the spam counter-measures that Discourse has by default by being a JavaScript heavy application.

In the meantime for those who also use SSO and have seen this problem, we’ve pre-emptively blacklisted several email domains to help combat the issue, as it seems the blacklist setting is still in effect even with SSO (based on conversations we’ve had with the SP devs – I personally haven’t had time to dig into). It is still a bit too early to tell if the blacklisting is working, but we’re crossing our fingers. But I don’t see any reason for it not to work at this point in time.


(TechnoBear) #5

[quote=“sam, post:2, topic:54087”]
shouldn’t the origin where accounts are registered be in charge of making sure less spam accounts register in the first place?
[/quote]

Yes indeed. I’m just interested in whether other sites have had a similar experience, or whether we’ve found a unique way to screw up.

Yes. There’s been an issue with that since the switch to SSO. (I think I mentioned it in the other topic.)

As far as I’m aware, it only affects new sign-ups; some of them have last IP addresses and some do not. We’ve now confirmed that the accounts in at least one of the above groups did “click” the confirmation link, so it’s not that which makes the difference.

I’ve also been having weird experiences with the log-in/log-out not working as expected, but I don’t know if that’s connected to this issue. (Unlike the old vBulletin days, I’m not seeing large numbers of bot accounts still apparently logged in and “active” even after they were banned.)