Some new spam bots appeared, which are intelligent enough to optimise for Discourse’s built-in spam filters. They first make a comment without any links, and later on they’ll edit and add the link. Discourse doesn’t catch them this way. For example the following revision:
I’ve experienced this too, the most insidious are burying links in punctuation with their edits. Instead of generating clicks from the victim site they seem mostly concerned with creating inlinks and are oblivious to the nofollow being applied to said links.
The other more worrying trend is wiki edits, unlike posts and post edits these don’t appear in the user activity, I can only tell that it has happened because they’ve received a wiki editor badge, without ever posting a wiki post.
Is this spam bot TL1 or TL0?
I don’t see a link in that post. I just see text. Can you show raw?
I deleted the user, and I don’t remember the TL.
The links were like the following:
<a href="https://shareit.onl/">shareit</a> <a href="https://mxplayer.pro/">MX player</a>
<a href="https://messenger.red/">https://messenger.red/</a> <a href="https://kodi.software/download/">https://kodi.software/download/</a>
<a href="https://viamichelin.onl/">viamichelin</a> <a href="https://putlocker.ooo/">putlocker</a>
(The end of three different posts from the same user)
TL is critical for diagnosis here, cause you can just disallow edits to TL0 which is fine, if the spam bot is smart enough to get to TL1 … well we have a diff problem.
It was able to comment 3 posts + add 6 links without triggering the spam system, I think it must have been TL1, but I might check it in a backup.
Honestly, these bots are really smart. They post a “thanks for your post” reply first. There is absolutely nothing suspicious about it, even their email address is similar to their user name. Only googling the email gives results on spam list, nothing else really.
They wait for you to approve the post. Only then they later activate their spam posting bits.
These are not bots, they are humans. There has been a vast increase in human spammers in the last 8 years.
That’s been my impression too. It’s borne out in a variant of the technique described in the OP that we’ve seen. In this case the spammer “replies” to a comment and uses the Discourse quote feature to copy some of the other person’s text into their message. Then they insert their link into the copied block, thus making it look like the other user did it. Not sure if this is supposed to spoof the system into thinking the link is from someone of a higher T level or what. Kinda stupid, really, but definitely seems like something that had to be done manually, not by a bot. In particular, they don’t just drop the URL into the quoted text either; they highlight some text and use the link tool, adding a further layer of disguise. We’ve seen a few of these over the last couple of months.