1. Alan has completed the new Pain Recovery Program. To read or share it, use this updated link: https://www.tmswiki.org/forum/painrecovery/
    Dismiss Notice

Our recent spam outbreak

Discussion in 'About This Site' started by Forest, Dec 1, 2014.

  1. Forest

    Forest Beloved Grand Eagle

    Hi everyone,

    You may have noticed a series of 11 spam threads in our General Discussion Forum. These threads all advertised a video streaming site (most likely illegal). Threads like this can ruin a forum, so well-run forums don't tolerate them. I've gone through and deleted all of the messages, banned the users, and reported their IP numbers and email addresses to forum spam databases. Thank you to all of the people who used the "report" links at the bottom of the posts. One user in particular, @mike2014, reported all of the threads, which helped in disposing of them.

    Handling spam like this is a piece of cake because we use cutting edge software in our site. Unfortunately, however, I am currently on vacation, so it took a while for me to notice the spam and fix it. It was only about 4-5 hours, but it really only takes 5 minutes to clean up obvious spam, so I'm hoping to eventually put a team together who can handle it when I am not available. Most forums do it like this and it is considered to be an honor to be given privileges within the software to handle the spam and fix other problems.

    I decided to make a video as I cleaned things up to show people what is involved and how simple things are:
    Ollin likes this.
  2. mike2014

    mike2014 Beloved Grand Eagle

    Hi Forrest,

    Great job in cleaning up the forum and the tutorial on deleting spam.


  3. Walt Oleksy (RIP 2021)

    Walt Oleksy (RIP 2021) Beloved Grand Eagle

    Who needs spam? Monty Python had some hilarious sketches about Spam, the awful processed meat in a can.
    I consider spam the same as Spam.

    Have a great day, Mike.
    Ollin likes this.
  4. BruceMC

    BruceMC Beloved Grand Eagle

    You make me feel dumb that I didn't see the Report button in the lower left-hand corner. Duh moi! Great job getting rid of that movie subcription-spam-scam, Forest! The Onion doesn't like those movies anyway!
  5. Forest

    Forest Beloved Grand Eagle

    Thanks, folks. I always trust the Onion movie reviews above all others.
  6. Forest

    Forest Beloved Grand Eagle

    Heya, everyone,

    Since the recent spam outbreak, I've turned on manual moderation of all new accounts on our forum. We only get about 3-5 members per day, so it's not too much trouble. It allows me to weed out some spammers before they even have a chance to post.

    Earlier today, I temporarily blocked a signup by a user because their IP number is associated with forum spam. I thought I'd explain how I did this so that people will better be able to use the "Report" link to identify "affiliate link" spam. In addition, eventually I hope to recruit some forum moderators to help with the day to day work, so I thought it might be helpful to describe what is involved in that work. My bet is that the best mods are the ones who would want to know a lot about what the job involves before jumping up and applying. Being a good mod involves a lot of thoroughness, restraint and integrity, traits that I'm happy to say many members of this community (and TMSers in general) already possess a great deal of.

    Every computer, phone or other device attached to the public internet has a unique "IP number," also known as their "IP address." This IP address is known by any computer that they communicate with (I'm ignoring proxies because they are rare). This number can change over time, but identifies them almost uniquely. People who run forums like this one track the IP numbers of spammers and then store those IN numbers in databases such as the Stop Forum Spam database. Then, when someone tries to sign up using a device with a listed IP number, the forum admin can block their signup or take other action.

    In this case, I checked the user's IP number against one database and found that it was registered as a recent source of forum spam:

    I then Googled the username and found quite a few registrations under the username at a variety of forums. Perhaps the person just has wide interests, but many of the accounts included links to an affiliate marketing schemed. He also had a number of posts on an affiliate marketing web site. Further, on one of his forum accounts he listed his location as Indiana, USA, whereas his IP address is registered with Phillipine Long Distance Telephone.

    Affiliate marketers use special links that they sometimes use to spam forums or other social media sites. If people click on their link and then make a purchase, the spammer gets a small "cut" of the profit. Such people generally aren't interested in honest interaction with our community; they just post the link as widely as they can in order to drum up sales.

    You can often tell an affiliate link because it has extra information at the end - often just random characters that identify who gets paid if someone clicks on the link and buys something. Affiliate marketers often create "fake review" websites:
    Hence, in general, you should have a healthy skepticism of review sites that you see on the internet, unless they are hosted by an amazing 501(c)3 nonprofit like this one.

    For the record, while one might consider affiliate marketers unethical if they don't disclose their payments, they are more the "used car salespeople of the internet" rather than being out-and-out criminals like identify thieves or hackers. The above link to wikihow will give you some tips on how to avoid them. However, while they can ruin a forum if allowed to run rampant, they will not do anything dangerous like steal your financial information.

    Based on the above, my hunch is that this person is an affiliate marketer, but I can't know that for sure. We have very few visitors who post on affiliate marketing web sites, very few that use IP numbers that are sources of recent forum spam, and very few from the Phillipines. Putting these three things together, I think we have compelling case if not a certain one.

    In situations like this, my current policy is to send what I call a "challenge" email. Basically, I ask them a question that will be hard to answer if they aren't a real TMSer. It's fairly hard to make money from a spam post, so spammers have to make many posts quickly. To put numbers on it, I would guess that to break even, they need to be able to make between 30-3,000 posts per hour. Hence, if I ask them a simple question and they are a spammer, they probably will just never respond. I don't think this person will ever respond.

    I'm an idealist at heart, and I pretty much hate spammers because they waste my time and the time of many other forum admins and email users. Hence, I couldn't resist showing a bit of a hard edge in one paragraph. For example, this might be the exact same individual who covered our General Discussion Subforum with links to illegal movie downloads (those might have been affiliate links where the spammer gets a cut of the money raised by selling illegal access to copyrighted movies).

    Here's the actual challenge email I sent out earlier today:

    Hello, ____.

    You recently signed up for a forum I manage. Unfortunately, your IP address has recently been reported for forum spam. If you are interested in participating in our community, I'd like to welcome you to it.

    Because of problems with the IP address you are using, I'm afraid that I'm going to have to ask you to tell me a little bit about your interest in the TMS Wiki forum. Once we have that all sorted out, we can get you signed up and participating in our community.

    If you are a forum spammer or affiliate marketer, you should know that such activity is not welcome on our site and we will pursue commercial posters to the best of our ability. This includes, among other things, reporting email addresses and IP numbers to multiple sources including Stop Forum Spam.

    On the other hand, if your purpose in signing up was not to make commercial posts, and you simply have a genuine interest in mindbody medicine or just want to give or receive support, we welcome you into our community!


    Anyway, if you're still reading, thanks! I hope you found it a little interesting and learned a little bit about how the internet works.
  7. BruceMC

    BruceMC Beloved Grand Eagle

    So, Forest, potential spammers may each have a unique, individual IP address, but what if they're going through a DHCP server that rotates a number of IP addresses from a list?
  8. Forest

    Forest Beloved Grand Eagle

    Good point, Bruce. DHCP is one of the main reasons why, if someone's IP number has been a recent source of forum spam, that is an indicator that they have been a source of spam in the past, but is not conclusive. This is why it is important to combine information from the IP number with other sources of information such as the sources of information I mentioned above. Sending out a challenge email, like I did, is a good way to gather even more information. Our software is also currently only configured to moderate new users if their IP number has been reported twice in the last 100 days.

    In general, though, only a small proportion of the internet signs up for forums and only a very small proportion of all IP numbers gets listed on Stop Forum Spam or another IP Number blacklist. Hence, when someone has recently been reported to Stop Forum Spam and is signing up for our forum, my gut says that it is very likely (though not conclusive) that they were the source of the Spam. It just seems like whenever I see someone on Stop Forum Spam, I also see other information that arouses suspicions.

    There are tough judgment calls involved and that is hard, especially for a TMSer. Some forum admins will block entire high-spam countries because they just don't want the hassle of dealing with the spam. On a forum like this, having good moderators ensures that we don't have to take steps like that and instead can carefully investigate each person who is flagged and then send out a challenge email. As a mission driven nonprofit, we want to ensure access as widely as possible, but we have limited human and financial resources, so we can't do everything!

    Tech note: Bruce may already know this, but DHCP is a way of assigning IP numbers to internet connected devices. Because the number of available IP numbers is limited to 4.2 billion (which isn't enough for the modern internet), DHCP is involved in ways that people can "share" IP numbers. As a result, sometimes people's IP numbers change. This is why it is important to emphasize recent reports of forum spam instead of old ones.
  9. Forest

    Forest Beloved Grand Eagle

    For the record, I did some follow-up investigation and this person was definitely an affiliate marketer. Whoever they are, they filled out their member profile page with just a single link to an affiliate marketing site. They also filled in their website with a link to the same site.

    Links are a currency on the internet, so he or she was probably just trying to get free links from us. They were probably hoping that the links would improve their Search Engine Optimization by increasing their PageRank.

    Unfortunately, just as the link could help their Search Engine Optimization, it can harm ours. Google notices spammy links and if we link to spammy, criminal or pornographic sites, Google may conclude that we are a low quality site. As a result, it will send fewer people to us and we will find it harder to achieve our mission of educating people about TMS.

    I rejected the account. It's gone now.

    Here's some information from Google if you'd like to learn more:
  10. Forest

    Forest Beloved Grand Eagle

    The spam situation has continued to evolve. Right now, we are getting on average two registrations every day from two different teams of spammers. One team is from the Phillipines and the other is from India.

    The team from the Phillipines creates an account and then ads a link to their "My Story" and "Home Page." Basically, someone is hiring them to add links like that because they think that it will make Google and other search engines like them more. This type of profile page spam is fairly benign, but it does clutter up our site. They typically use fairly "anglo" names for their usernames and email accounts. Less than 1% of our members set a "Home Page" in their profile either because they don't have one or because they want privacy. I've written about this type of spam here:

    The team from India is the one that was responsible for the recent spam outbreak about watching videos that I mentioned in the first post. They are easy to identify because they are from Punjab, near Ludhiana. I've set it so that I currently have to manually approve all new registrations and by the time I get to it, they've already spammed other forums using the same username (which seems dumb, but spammers are often dumb), so it is easy to identify them and report them.

    I've contacted email addresses associated with both teams to let them know that we are on to them and are reporting their IP numbers and email addresses. Hopefully, when they figure this out they'll eventually realize that it isn't profitable to spam this forum and will move on. We'll see. I'm willing to keep this up for as long as it takes and am investigating a variety of software to beef up our defenses. (169)
  11. Forest

    Forest Beloved Grand Eagle

    For anyone who is following this thread, I couldn't resist sharing the following ad from a very large software company called Adobe. It's hilarious:

    Adobe sells a program called Adobe Acrobat and are now trying to sell marketing services. Here's an ad they have that parodies people who buy "clicks" or "Facebook likes." The companies that spam our forum are similar to the ones who use "bots" to create fake clicks or likes. They differ in that what they are paid for is to give people links from independent trusted websites. It turns out that many people think that links from trusted websites like ours are very valuable for making their own sites come up higher in search engines like Google.

    It turns out that they are largely wrong because our links have something called a "nofollow" tag applied, but that's a big part of why they spam our forums and in particular why they create profile page spam. The spammers definitely are pretty shady, though.

    Here's another version with a slightly different ending:


Share This Page