Highly aggressive troll whackamole

We’ve got a deranged person who is using proxies, fake emails etc. to bomb our site with the products of his paranoia. He’s clearly getting a lot of gratification out of being deleted for “censorship” and coming back with a new sock-puppet ID within a day or less. And he has escalated to making violent threats against moderators in personal messages. We’ve tried most of the obvious things, but they aren’t that hard to get around if you’re determined and motivated by misplaced revenge fantasies.

He’s using various IPs, but one commonality is that they all map to something called “HERN Labs AB” in the Netherlands. So far as we can determine, no other users are associated with that IP. Most of them are in a range around this IP 2001:67c:198c:906:2::256.

  • Is there a way to blacklist HERN Labs AB by name?
  • I tried using a wildcard (*) to block the range of IPs rather than the specific one he’s using (which always changes). I’ve read that it’s possible to do this in Discourse, but when I’ve tried it, it doesn’t seem to work. Similarly with trying to search on the suspect IP in the users list using a wildcard, to see if there are any other similar accounts lurking—that doesn’t seem to work either.
  • We’ve alerted our legit users that they can instantly hide his posts by flagging them as Spam, which seems to be helping a bit.
  • We’re keeping an eye on the New Users list and silencing any suspicious looking accounts that pop up, but we’re volunteers, so tightening up the automated solutions would be preferable.

Any other suggestions? I assume he’ll get bored eventually but it could be a long time as he really seems to be getting off on the whole whackamole game. Makes him feel clever. And the violent threats indicate a level of demented determination that he isn’t easily going to give up on. We’d appreciate answers to any of the above or suggestions of things we may not have thought of.

8 Likes

If it’s just one person doing it, eventually they’ll get tired of it and move on.

I’d just keep deleting/blocking until he gets bored and finds a life.

8 Likes

This is what I was able to find on Bing. They could possibly be based in Sweden.

I hope I’m able to help out. :slightly_smiling_face:

There are some trolls out there who are extremely dedicated (and will do this stuff for years on end).

Personal experience… :persevere:

6 Likes

In Admin / Logs / Screened IPs you can make a Block rule for 2001:67c:198c:906::/64 - that’ll block anything on the local network he’s using.

If you want to block HERN Labs entirely, you could instead block 2001:67c:198c::/48, but the wider you get the more chance you have of hitting a legitimate user.

○ → whois 2001:67c:198c:906:2::256
% This is the RIPE Database query service.
% The objects are in RPSL format.
…
inet6num:       2001:67c:198c::/48
netname:        HERNLABS
…
17 Likes

I may not be much help because I’m only familiar with IPv4 not IPv6. Anyway, AFAIK the header search finds IPs as a substring match but the Admin User searches use “subnet masks”. You can still search by wildcard in a way, but by bits. eg.
123.123.123.0/24 will match IPs 123.123.123.0 to 123.123.123.255

2 Likes

Yes, that’s why we’re also considering maybe a more social-engineering approach to hopefully deprive him of some of the emotional payoff he’s seeking as well. His great claim is that we’re “censoring” him by this treatment because we don’t want to hear what he’s saying (apparently we’re an astroturf op for Big Pharma, who knew?). Whereas in reality LOTS of members bring up the exact issues he’s exercised about, but they discuss them intelligently rather than scream and shout and break things. And the community easily sees through the sock-puppet accounts to realize it’s obviously the same guy. But he’s using this behavior to cast himself as the hero of his own fantasy epic. So one thought I had was to just freeze one of his posts, lock out further comments and silence the account, but leave the post visible, with one single comment from admin explaining the situation. Here’s what the guy has to say, so read it and be impressed—or not—and understand that the reason he keeps getting banned is because of sockpuppeting, abuse, threats against staff and the rest. My thought is to PIN that post at the top of the forum for a week so he knows everyone can see it, undermining his claim about censorship and depriving him of the hero role he craves.

But meanwhile, if we could also narrow his access to the forum by technical means that would help too.

3 Likes

You may have missed this?

6 Likes

I don’t think you’ll be able to block Hern Labs by name because they have over a billion IPv6 addresses within their IPv6 block range. :grimacing:

The IP block may be owned by Hern Labs AB in Sweden, but this IPv6 shows the location as being in Great Britain.
image
Here’s the URL I used to get this and it has all the contact info for Hern Labs. Note this is not a secure site. :face_with_raised_eyebrow:
http://www.whatmyip.co/info/whois6/2001:67c:198c:906:2::256
But there is another site you can check.
https://findipv6.com/ipv6-whois/
Abuse contact for ‘2001:67c:198c::/48’ is ‘abuse@hernlabs.se

4 Likes

If this gets too serious or out-of-control, could you file a cease-and-desist letter?

4 Likes

That’s really helpful, @JimPas. We’ll try contacting their abuse line. Trolling is one thing, but this guy is making physical threats, and he’s been consistently running his junk through Hern Labs.

6 Likes

It’s on our list to try—thanks!

3 Likes

It might take some massaging to get to work, but you could also try the shadowban plugin. That way he has no feedback on the fact that he’s banned, until he realizes he’s getting no responses, so the cycles between sign-ups are longer.

8 Likes

That’s a great idea—one of the other admins suggested something like this but I didn’t know there’s a plugin for it. Definitely will check it out. Troll has been idle the last 4 days, but I love the idea of leaving him alone in the closet with no one to talk to. Thanks for that tip!

3 Likes

Let’s be real, it doesn’t really seem possible to totally block someone from registering again to your forum with a different username / informations / IP / browser and maybe even device.

Shadow banning may work for a little while, but sooner or later, he’ll probably figure out what is happening. And then, it will be useless, as he’ll know.

The better thing I see would be to actually talk to him and find a solution with him. For example, why not let him have access to just one thread (his own personal thread), that anyone could then easily mute if they want (or maybe not. Their choice. They can even follow it, and/or engage with him if they want). This may be an acceptable solution for both of you, and it would stop him for good, while at the same time he would not be censored and hardly be able to claim so anymore.

(I don’t know if you can easily restrict someone to one single thread. I hope so)

5 Likes

Public shaming, create a badge and pin it on him

image

8 Likes

Something like the Miserable Users plugin could be useful. A way to annoy users into leaving.

https://www.vbulletin.org/forum/showthread.php?t=93258

11 Likes

That’s along the social-engineering lines I was thinking of, yeah. Engaging him directly hasn’t worked—he just spews venom and threatens physical violence. But allowing one of his posts to stand as representative of the point he wants to make, but not allowing discussion on it because it leads nowhere except to confrontation and insults to other members.

For now, he’s quiet. There’s a chance (from what he’s posted about his mode of life and current circumstances) he’s been incarcerated. That would be ok with us.

7 Likes

For clarity, Hern Labs AB is Otello, AKA Opera Software.

If you block that network you also block everyone else who uses the built in privacy VPN for the Opera Browser.

13 Likes

That seems a bit extreme, don’t you think?

Oh, that makes more sense now that I think about it!

He’s definitely using either Opera or Opera GX (I have a bit of experience with the latter, so feel free to ask me anything).

This is what the VPN feature looks like in Opera GX.


Another toggle pops up when the VPN feature is enabled.

Here’s what the interface looks like.
image
You can choose different locations.
image
Depending on if the VPN feature is enabled or not, other settings may be changed automatically.
image
As you can see here, the WebRTC setting changes automatically.

Anyways, I think that’s just about everything! Again, feel free to ask me anything! :slightly_smiling_face:

Here’s some more information about the VPN feature.

2 Likes

This actually happened to us years ago; one troll disappeared for 6 months and after he returned we learned through other sources that he had been in jail. People will never stop to surprise you :slight_smile:

9 Likes