I did a similar investigation into a couple of fake profiles that are also on LinkedIn and some of our customers got spammed by them. Turns out there's a company with a facade called "whitehallmedia dot co dot uk" and they are hugely involved in the spam game.
They seem to have actual people that contact accounts/leads and their contacts from somewhere in India, and those people share spam accounts. Initially they try to sell you some tickets to an analytics and cyber security conference, but then they try to contact C-staff as soon as you start reacting.
The C-staff members then get trapped into the selling and audit game, so they offer free pentests / IT audits and "cyber security software" that can fix the problems (duh).
I created a honeypot with a fake domain and a fake company that doesn't exist, with emails that cannot be guessed blindly and with an email server that doesn't list its account names (and account names are neither bruteforceable nor guessable). Zero links on the internet, domain isn't even google-able.
Once I trapped them with private LinkedIn profiles and the people of whitehall media contacted the fake accounts, the spam arrived in masses. I'm not talking about 10 or 20 a day but in the thousands per day. And their network of hosts that they operate is _huge_.
My current guess is that they abuse administrative access to their customers' servers (the analytics/cybersecurity/IT-security forefront) to install their malware and send spam on their customers' behalf without them even knowing about it. We contacted our customers afterwards and asked all the others whether or not they had contact with them, and if so, to double-check their server infrastructure because it was very likely that they had been infiltrated.
"rel=nofollow" is the only somewhat standard one. I have never heard of "rel=ugc" and I wonder if Google made it up; does that work on Bing and Yandex?
I mostly use "rel=nofollow noopener noreferrer" which should cover most "use-cases" of spammers.
That won't stop the spam appearing, and the spam accounts to generate it, it'll just remove (most of) the benefit to the spammer.
It takes less faff for them to just post anyway than to check if you use nofollow/other, and they may still get a small side benefit if a blog-spam scraper or such takes your content and reposts it without the extra directives.
Solution: for free accounts, only show links with the appropriate tags so they don’t improve ranking. This was clear a decade ago, did we go backwards?
Spammers don't fill comment sections with spam to improve the ranking of that website, they fill comment sections with spam to target the users of that site.
Yeah, but they don't bother checking for nofollow attributes. Not spamming people who enforce nofollow attributes would just encourage more people to adopt it, which the spammer doesn't want.
Either way, the spammer rarely spams his own thing. They spam what someone else pays them to spam, and don't care if it actually works as long as their customer believes it works (much like legal advertising).
nofollow will prevent links being counted but it doesn't stop you being spammed.
Spammers don't bother checking existing links at their target site since indiscriminate spamming at scale obviously works and doesn't need such finesse.
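The "only show links with the appropriate tags" approach from the thread, as an added example that is not code from any of the commenters: a small render-time filter that merges `nofollow ugc noopener noreferrer` into every `<a>` tag of content posted by untrusted (free or new) accounts and leaves trusted authors' links alone. The account-status rule and the `example.com` URLs are assumptions for the demo; as the replies point out, this removes the ranking benefit but does not stop the spam itself, so it belongs beside, not instead of, a spam filter.

```python
import html
from html.parser import HTMLParser

# rel tokens added to every outgoing link in untrusted (free / new account) content
UGC_REL = ("nofollow", "ugc", "noopener", "noreferrer")


class LinkRelRewriter(HTMLParser):
    """Re-emits an HTML fragment unchanged, except that <a> tags in untrusted
    content get the UGC rel tokens merged into their rel attribute."""

    def __init__(self, trusted: bool):
        # convert_charrefs=False so entities are passed through verbatim
        super().__init__(convert_charrefs=False)
        self.trusted = trusted
        self.out = []

    @staticmethod
    def _attrs_to_str(attrs):
        parts = []
        for name, value in attrs:
            if value is None:
                parts.append(name)  # boolean attribute, e.g. <a download>
            else:
                # HTMLParser hands us unescaped values, so re-escape on output
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        return (" " + " ".join(parts)) if parts else ""

    @staticmethod
    def _rewrite_rel(attrs):
        existing, others = [], []
        for name, value in attrs:
            if name == "rel":
                existing.extend((value or "").split())
            else:
                others.append((name, value))
        # drop "opener", which would cancel noopener; keep any other author tokens
        merged = [t for t in existing if t.lower() != "opener"]
        for token in UGC_REL:
            if token not in (t.lower() for t in merged):
                merged.append(token)
        return others + [("rel", " ".join(merged))]

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self.trusted:
            attrs = self._rewrite_rel(attrs)
        self.out.append(f"<{tag}{self._attrs_to_str(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs_to_str(attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def mark_ugc_links(fragment: str, trusted: bool = False) -> str:
    """Return the fragment with UGC rel tokens on every link unless the author
    is trusted. Run this at render time, so an account being upgraded or
    downgraded later changes the output without rewriting stored content."""
    parser = LinkRelRewriter(trusted)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # constructed sample fragment, as a free-tier user might post it
    sample = '<p>Check <a href="https://example.com/?a=1&amp;b=2" rel="opener">this</a> &amp; that</p>'
    print(mark_ugc_links(sample))
    print(mark_ugc_links(sample, trusted=True))
```

Attribute names and tag names come back lowercased from `HTMLParser`, and the `rel` attribute is moved to the end of the tag; both are harmless for browsers and crawlers. Applying the rewrite when rendering rather than when storing means the stored post stays exactly what the user wrote.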
It seems to me like spammers like the one behind this put enough effort into it that they could probably make more from legitimate activity. It's like there's a "scam premium", where some people pay extra (or work extra for free) just to feel they're outsmarting people.
It’s also likely that these spammers live in places like Eastern Europe where legitimate software dev salaries are lower than in places like the U.S., so the relative value of scamming is higher.
A ton of automated attacks happen in the logs as well - constant barrage of bots looking for crypto wallets and doing POST requests to index, registration urls, wordpress registration and admin paths, any vulnerable middle layer standard urls as well.
What process do you have to stop this spammer signing up again? It sounds like you already have some automation, but in this case it got flagged for manual review.
"They immediately generated enough audio readings to max out the free tier"
It seems this is part of the automation, it got flagged based on this.
By the way, I am quite happy with JavaScript based spamfilters, they work quite well for small websites. The service Stop Forum Spam is something that seems fit for this, also at bigger scale. I assume Akismet might be good too, but it is somewhat leaky in privacy, depending on what you send to it.
Stop Forum Spam looks nice. It's great they're giving the data like this. In fact, I'm somewhat surprised there's no software download to self-host. Seems rather easy to make, given the data files.
I'm wondering how much a Hashcash implementation would help. The approach doesn't seem to be widely attempted. Maybe because we assume spammers are using botnets anyway and don't care about computational cost?
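A minimal Hashcash-style proof of work, added here as an example and not code from the commenter or the Hashcash project: the poster mints a stamp bound to a resource (say the comment endpoint) by finding a counter whose hash has the required number of leading zero bits, and the server verifies format, cost, resource, freshness and the hash before recording the stamp so it cannot be replayed. It follows the v1 stamp layout `ver:bits:date:resource:ext:rand:counter` but uses SHA-256 rather than the SHA-1 of the original spec, and the resource string `comment@example.test` is a made-up placeholder; the cost per post grows as 2**bits, which is exactly why the commenter's botnet caveat matters.

```python
import calendar
import hashlib
import secrets
import time

VERSION = "1"


def _leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _digest(stamp: str) -> bytes:
    # SHA-256 here instead of the SHA-1 of the original Hashcash spec (assumption)
    return hashlib.sha256(stamp.encode("utf-8")).digest()


def mint_stamp(resource: str, bits: int = 16, now=None) -> str:
    """Client side: mint a stamp ver:bits:date:resource:ext:rand:counter.
    Expected work is 2**bits hash evaluations."""
    if ":" in resource:
        raise ValueError("resource must not contain ':'")
    ts = now if now is not None else time.time()
    date = time.strftime("%y%m%d", time.gmtime(ts))
    rand = secrets.token_urlsafe(12)          # makes stamps unique per client
    prefix = f"{VERSION}:{bits}:{date}:{resource}::{rand}:"
    counter = 0
    while True:
        stamp = f"{prefix}{counter}"
        if _leading_zero_bits(_digest(stamp)) >= bits:
            return stamp
        counter += 1


def verify_stamp(stamp: str, resource: str, min_bits: int, seen: set,
                 now=None, max_age_days: int = 2) -> bool:
    """Server side: cheap structural checks first, the hash last, then
    replay protection via the `seen` set (a database table in practice)."""
    now = now if now is not None else time.time()
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != VERSION:
        return False
    try:
        bits = int(parts[1])
        stamp_ts = calendar.timegm(time.strptime(parts[2], "%y%m%d"))
    except ValueError:
        return False
    if bits < min_bits or parts[3] != resource:
        return False
    # reject stamps older than max_age_days or dated more than a day in the future,
    # so the `seen` set only has to remember a few days of stamps
    if now - stamp_ts > max_age_days * 86400 or stamp_ts - now > 86400:
        return False
    if _leading_zero_bits(_digest(stamp)) < bits:
        return False
    if stamp in seen:                          # double-spend: stamp reused
        return False
    seen.add(stamp)
    return True


if __name__ == "__main__":
    seen_stamps = set()
    s = mint_stamp("comment@example.test", bits=16)
    print(s)
    print(verify_stamp(s, "comment@example.test", 16, seen_stamps))   # True
    print(verify_stamp(s, "comment@example.test", 16, seen_stamps))   # False, replay
```

Binding the stamp to the resource and to a date is what stops one mined stamp being reused across sites or stockpiled; the `seen` set closes the remaining hole of reuse within the validity window. Verification is a single hash, so the asymmetry favours the server, but a botnet with stolen CPU time pays nothing for the minting side.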
Running a consumer site that has plenty of user generated outgoing links but doesn’t give any exposure to new accounts I’ve seen a lot of different spam tactics as well. The one thing that has worked reliably is building a repository of bad IPs or potentially domains that are doing the spamming and blocking those. I wonder if a central repository of bad actors with this type of activity can be made for multiple UGC platforms to share. Wouldn’t be surprised if Akismet and other spam blockers already surface those. Bonus points if each entry provides details on the kind of attack vector used by each spammer and the sites who add to the list are also vetted/penalized for bad entries. Plus entries have a way of appealing if needed. Multiple layers of accountability built in. Unique ids won't work - too dangerous and likely to be abused by advertisers or centralized entities trying to track individuals.
My favorite technique (in terms of "how the heck did they think of that") is Google analytics referral spam. Spammers use bots to generate visits to your website, coming from a site they own that sells something. You (a website owner) see a referrer you don't recognize sending you traffic so you go see what it is. I fell for it a few years back (granted it was obvious when I visited the "referring" site that it was spam).
It doesn't seem scalable but I guess if you're targeting website owners and able to automate this at huge scale it prob has some success?
I don't think the point was to get visitors directly from those links, but to hope that the referer URLs were ending up in some kind of publicly visible page (e.g. the logs directory of the HTTP website being exposed), have those pages indexed by search engines, and get a URL reputation boost from those inbound links.
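The two log-side patterns raised in this thread, the bot barrage against registration/WordPress paths and Google Analytics style referrer spam, as one added detection example over constructed access-log lines (not code from any commenter). The log lines, the hostnames `example.test`, `cheap-seo-deals.example` and `news.example`, the probe path list and the thresholds are all assumptions for the demo. The referrer heuristic is the one implied by the reply above: a real inbound link sends readers to the page that was linked, spread over many client IPs, whereas referrer spam arrives in volume from a few addresses and lands on `/`.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths this hypothetical site does not serve; any request for them is a probe
PROBE_PATHS = ("/wp-login.php", "/xmlrpc.php", "/wp-admin", "/.env",
               "/wallet.dat", "/phpmyadmin", "/register")

# Assumption: the site's own hostnames, so self-referrals are not treated as external
OWN_HOSTS = {"example.test", "www.example.test"}


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, own_hosts=OWN_HOSTS, probe_threshold=2, referrer_threshold=3):
    probes = Counter()  # ip -> number of probe requests
    by_ref = defaultdict(lambda: {"count": 0, "ips": set(), "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if any(path.startswith(p) for p in PROBE_PATHS):
            probes[rec["ip"]] += 1
        host = urlsplit(rec["referrer"]).hostname if rec["referrer"] != "-" else None
        if host and host not in own_hosts:
            entry = by_ref[host]
            entry["count"] += 1
            entry["ips"].add(rec["ip"])
            entry["paths"].add(path)
    # Referrer spam: external "referrer" whose visits all land on / and whose
    # hit count exceeds the number of distinct client addresses.
    spam = sorted(
        (host, e["count"], len(e["ips"]))
        for host, e in by_ref.items()
        if e["count"] >= referrer_threshold and e["paths"] == {"/"}
        and len(e["ips"]) < e["count"]
    )
    return {
        # candidates for the shared bad-IP list discussed above
        "probe_ips": sorted(ip for ip, n in probes.items() if n >= probe_threshold),
        "referrer_spam": spam,
    }


# Constructed sample log lines (RFC 5737 documentation addresses, made-up hosts)
LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /.env HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:12:01:00 +0000] "GET / HTTP/1.1" 200 5120 "http://cheap-seo-deals.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:12:01:05 +0000] "GET / HTTP/1.1" 200 5120 "http://cheap-seo-deals.example/" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Mar/2024:12:01:09 +0000] "GET / HTTP/1.1" 200 5120 "http://cheap-seo-deals.example/" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Mar/2024:12:02:00 +0000] "GET /blog/how-we-filter-spam HTTP/1.1" 200 8000 "https://news.example/item?id=1" "Mozilla/5.0"',
    '192.0.2.45 - - [10/Mar/2024:12:02:30 +0000] "GET /blog/how-we-filter-spam HTTP/1.1" 200 8000 "https://news.example/item?id=1" "Mozilla/5.0"',
    '192.0.2.46 - - [10/Mar/2024:12:03:00 +0000] "GET /pricing HTTP/1.1" 200 3000 "https://www.example.test/" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print(analyse(LOG_LINES))
```

On the sample the probing address and the fake referrer host are flagged while the genuine inbound link from `news.example` is not. The output is a review queue rather than an automatic block: as the comment about a shared bad-actor list notes, entries need vetting, and a referrer seen once from one IP is indistinguishable from a curious human.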
Spam can be mitigated by charging money for usage. Sadly, we've got this precedent where everything on the internet either needs to be free or freemium.
Eternal debate, but the partisans of paying everything usually have Silicon Valley level salaries.
For other people there are just too many things to pay for. So it's either free or they do without.
If I take my case, C# dev in a small town in the east of France, I have about 100€ of monthly disposable income. I choose my battles, uh, expenses very carefully and compared to people around me I'm not an outlier.
I am not sure I would describe any of this as benign. Spamming multiple SaaS services, generating websites containing solely AI generated junk and ads, in an attempt to profit off the sales of extremely dubious products does not meet the definition of benign in my mind.
I am now under the impression that we have two solutions for spam and robocalls. Make people link some real ID to accounts, or treat spammers and robocallers like terrorists. I personally prefer the 2nd option. Once spammers fear for their lives, they will stop.
I personally am not opposed to the idea that there be more verification involved in important things like phones and e-mails (as it's usually a 1-to-1 thing per person anyways) but the privacy and logistics concerns are very valid and will probably stay that way knowing this space.
Such things require either consensus or tyranny, the former of which is nigh-impossible to reach and the latter being not exactly ideal.
> Once spammers fear for their lives, they will stop.
They could just as likely just improve their methods...
The German ID card ("neuer Personalausweis") can already prove to a service that you are a real human without revealing your identity in a fully automated way. It can also verify you are 18+ years old, reveal partial data, and much more.
Sadly certification for services is not easy and very bureaucratic but then at least you as a user can be sure that nothing unnecessary gets revealed to the service.
Being a German I actually would not use a system like this. I don't need the government to provide identity verification to third parties in an automated way. I actually don't want the government to have any data on me regarding what third parties I use.
It is enough that I need to tell the German "Verfassungsschutz" all my social media networks, all my domains, all times that I was in a foreign country for an extended stay just because I work for an agency that does projects for governmental institutions. Not that it matters, as I had to do a similar strip tease when I started my university job as a student helping the professor.
Not that I have anything to hide, but I just don't see the government having a track record of safe systems. Or keeping adversarial actors out of such systems. Additionally these systems might only be an election gone south away from falling into untrustworthy hands with me not being able to delete the collected data.
I might currently be living in a relative (pseudo-)democracy. But if history taught us anything, that is nothing to be forever certain about.
And it might be tech that is >10 years old. But I believe you will be hard pressed to find a significant amount of people in Germany (especially in tech) that would want to use it. Maybe the fact that nearly nobody is using it tells a lot about if this is an idea worth pursuing.
This system is completely anonymous. The government is only involved when giving out the certificates to the services and the ID card to you.
If you don't want to use this system, you will also never be able to complain about the government not offering digital services and requiring you to physically stand in line. The nPA is the base for those services and can be used today (provided the government provides the service digitally).
I don't know how well something like this would work for an international website or service. There are a lot of challenges, like for example the centralized authority responsible for managing and creating new IDs could abuse the service. It isn't fool proof.
Not really, unless you think of PayPal and Stripe as the "centralized authorities" of credit card processing. It's still a system with multiple authorities/centers of power; you'd just be paying a third party for the convenience of integrating those multiple authorities into a single layer of abstraction. If you're worried about the aggregator somehow subverting or altering your requests, you can always cut them out of the transaction.
When a single entity is responsible for managing IDs that governments provide it is ripe for abuse still. I'm not saying it couldn't work but these issues would need to be worked out. I'd rather see a decentralized solution that allows users to pick which IDs to accept, etc.
> Once spammers fear for their lives, they will stop.
I've seen many Indonesian scams which utilize many Blogger/Blogspot websites (which are definitely ugly) and phone numbers. Even though the government enforced all cellular phone numbers to be registered under a valid ID, this still does not actually stop them from scamming more people.
One of these scam sites is https://berkahmy-pertamina.blogspot.com which was published this year (see RSS/Atom feed for details) to impersonate Pertamina (national gas/petrol company) to run classic lucky draw scams.
Let's see how many SIM cards you can count in this video: https://www.youtube.com/watch?v=vi4BlFXAnvI (at 3:30 and 8:40). This is from an actual Indonesian TV show about a police investigation and was taken before the regulation was passed by the government.