Beware meat spammers from Serbia

Sim

Well-known member
Thanks to a simple report from one of my members who was savvy enough to pick up on an anomaly (recently joined member has a link in every post they've made in recent weeks) - I've just uncovered a meat spam network operating on one of my sites for the past 2 years. (Meat spam = human spammers, as opposed to bot spam = robot spammers).

So far I've uncovered 9 users who have made 20+ posts containing links - all from the same set of IP addresses.

From what I've worked out so far this is how they operate:
  1. they register on my (Australian) site usually using an Australian proxy server to bypass my geo-blocks
  2. since I insist on a location when registering, they always enter an Australian city
  3. they always use a realistic sounding username, usually based on what looks like a real name
  4. they always use a gmail address which matches the username
  5. they always add an avatar
  6. they usually wait a few weeks or more before posting (perhaps to "age" their accounts and make it less likely that they will be identified as spammers?)
  7. they typically post infrequently - sometimes less than once a month
  8. the posts are always on topic, short but relevant and well written
  9. the posts always contain a single link to a relevant Australian website (never the same site)
  10. the posts all come from a range of IP addresses in Serbia
  11. if you Google image search the avatar, it comes up with a bunch of blog posts by the author with the same name - on mostly the same sites, often as guest posts
  12. all the blog posts are well written, but all contain links to other 3rd party websites
  13. their profiles all claim that they are from Australia - despite the fact that none of their IP addresses ever come from Australia (other than known proxy servers). Also, reading their blogs, which are full of "Australian" content - it's pretty clear they have never been here. I can point out quite a few things which make it very clear they are not from Australia
  14. they have social media profiles which match their user profiles, but their posts only ever contain links to websites
  15. the people they retweet and who retweet them match the other users on my site who have been posting links
My conclusion is that this is an SEO driven link farming network using content sites and carefully crafted forum posts to link between them all.

Given that the sites they are linking to on my site are legitimate businesses (or at least they appear to be - I've got no reason to assume they're not), with no commonality between them other than the fact that they're all property related (hence the posts on PropertyChat because it is on topic!) I'm guessing the only common factor is likely to be that these companies have all engaged SEO services at some point and that SEO company is using these link farmers in Serbia to generate backlinks.

Of course, given that user generated content on XenForo does not pass Google juice because of nofollows, it doesn't actually achieve what they want - although it may generate a few legitimate clicks because it is generally on topic.

Indeed, for many sites, given the links aren't actually "spurious" - they may not even consider them to be spam and wouldn't particularly care. This is also why they have successfully gone under the radar for so long - it's difficult for most users. The only reason we really take note is that we have very strict rules about advertising and self promotion and such - so our users are generally on the lookout for people who seem to be spamming.

You know those emails you get asking if someone can post a guest post on your site with just a single link in it? That's these guys - I found so many guest blog posts containing a link to a 3rd party site from these people.

The thing is that I would guess some people who run the blogs these people are writing guest posts for won't actually care - because they are so hungry for well written content that they don't mind if the people writing it are getting paid to do so for the purposes of generating backlinks - so long as they get good content for their site. And that's just it - the content is good - insofar as it is well written, even though if you actually analyse the content, it's all just fluff and not exactly high quality stuff written by a subject matter expert. But I've no doubt that it's certainly good enough to fool Google, which wouldn't pick up that these are actually paid links and not legitimate.

Now I have to finish banning all these users and then check all my other forums to see if they've registered there too!
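The fifteen indicators listed above, turned into a scoring pass over account records. This is an added example written for this page, not code from the original post or from XenForo; the account records, IP ranges, the GeoIP stand-in table and the threshold of four matching indicators are all assumptions made here for illustration (in a real forum the accounts would come from the database and the country lookup would be a GeoIP service such as MaxMind).

```python
"""Score forum accounts for the 'meat spam' pattern described above.

Added example, not code from the original post or from XenForo.  The
account records, the IP-to-country table and the thresholds below are
constructed for illustration only.
"""
import re
from datetime import date
from ipaddress import ip_address, ip_network

URL_RE = re.compile(r"https?://[^\s)>\]]+", re.IGNORECASE)

# Constructed stand-in for a GeoIP lookup (prefix -> ISO country code).
GEO = {
    ip_network("77.46.0.0/16"): "RS",     # invented: range used for posting
    ip_network("203.0.113.0/24"): "AU",   # invented: proxy used to register
    ip_network("49.180.0.0/16"): "AU",    # invented: ordinary Australian ISP
}


def country(ip):
    addr = ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"


def links_in(text):
    return URL_RE.findall(text)


def score_account(acct):
    """Return (score, reasons): one point per indicator from the post above."""
    reasons = []
    posts = acct["posts"]
    if not posts:
        return 0, reasons
    local, _, domain = acct["email"].partition("@")
    if domain == "gmail.com" and local.replace(".", "") == acct["username"].lower():
        reasons.append("gmail local part mirrors username")
    if acct["claimed_location"].endswith(", AU") and not any(country(p["ip"]) == "AU" for p in posts):
        reasons.append("claims AU location but never posts from AU")
    if all(len(links_in(p["text"])) == 1 for p in posts):
        reasons.append("every post carries exactly one link")
    all_links = [l for p in posts for l in links_in(p["text"])]
    domains = {l.split("/")[2] for l in all_links}
    if len(domains) > 1 and len(domains) == len(all_links):
        reasons.append("never links the same site twice")
    first = min(p["date"] for p in posts)
    aged = (first - acct["registered"]).days
    if aged >= 14:
        reasons.append("account aged %d days before first post" % aged)
    span = (max(p["date"] for p in posts) - first).days
    if len(posts) > 1 and span / (len(posts) - 1) >= 14:
        reasons.append("posts less than fortnightly")
    return len(reasons), reasons


def shared_sources(accounts, min_score=4):
    """Group flagged accounts by posting /24 to expose a shared IP pool."""
    groups = {}
    for a in accounts:
        if score_account(a)[0] < min_score:
            continue
        for p in a["posts"]:
            net = str(ip_network(p["ip"] + "/24", strict=False))
            groups.setdefault(net, set()).add(a["username"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


# Constructed sample accounts: names, emails, IPs, dates and URLs are invented.
ACCOUNTS = [
    {"username": "JaneMorton", "email": "janemorton@gmail.com",
     "claimed_location": "Brisbane, AU", "registered": date(2017, 3, 2),
     "posts": [
         {"date": date(2017, 4, 10), "ip": "77.46.12.5",
          "text": "Agree, read the strata report first: https://example-strata.com.au/guide"},
         {"date": date(2017, 6, 3), "ip": "77.46.12.9",
          "text": "A depreciation schedule helps: https://example-depreciation.com.au/"},
     ]},
    {"username": "TomHale", "email": "tomhale@gmail.com",
     "claimed_location": "Perth, AU", "registered": date(2017, 1, 20),
     "posts": [
         {"date": date(2017, 2, 28), "ip": "77.46.12.40",
          "text": "Good point, a buyer's agent helped us https://example-buyersagent.com.au"},
         {"date": date(2017, 5, 1), "ip": "77.46.12.41",
          "text": "Pest inspection before exchange: https://example-pest.com.au/why"},
     ]},
    {"username": "local_regular", "email": "dave.s@example.org",
     "claimed_location": "Sydney, AU", "registered": date(2015, 8, 1),
     "posts": [
         {"date": date(2015, 8, 1), "ip": "49.180.3.7", "text": "Welcome! What suburb are you looking at?"},
         {"date": date(2015, 8, 2), "ip": "49.180.3.7", "text": "The rates notice will show the land value."},
     ]},
]

if __name__ == "__main__":
    for a in ACCOUNTS:
        print(a["username"], score_account(a))
    print(shared_sources(ACCOUNTS))
```

The grouping step is the part worth keeping: a single account with one link per post is a judgement call a moderator can approve by hand (as happened in this thread), but several high-scoring accounts all posting from the same /24 is the shape of a link network rather than of a keen new member.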
 

rainmotorsports

Well-known member
If you don't mind blocking most VPN users from registering (not logging in etc.), all of that proxy-server-carried spam is easily gotten rid of. Using TPU Detect Spam I block any data center related traffic by host name or ASN when it becomes a source. The only people possibly affected are those using the same ones to register. But once people register they are free to use whatever method of connecting they wish.

I also blocked one ISP in India and one in Pakistan that used to be huge sources. So with that all in place I generally run no captcha and get a spammer once every couple of months.

EDIT: On 1.x. Not sure if anyone's bothered replicating this for 2.0
 

Brad Padgett

Well-known member
Interesting. It's interesting the lengths people will go to to create backlinks. Makes you wonder how desperate these spammers can be sometimes. I personally don't allow promotions like that on my website either and have been getting spammed by bots for the past week or so. They post like 10 posts, sometimes in Chinese or Japanese, and at first I was erasing them one by one but then found out you can just use the XenForo 2 spam cleaner to clean them up, so I've done that now when it happens.

Though it's interesting people would go to these lengths like I said to create a backlink. Can't believe that.
 

Sim

Well-known member

The problem is that there are plenty of legitimate uses for using proxy servers or VPNs - so there would be too many false positives.

My GeoIP geo blocking addon used to identify proxies via the Maxmind API, but they changed their services and the proxy identification API is now literally 50x more expensive than the country API. That being said - it's still relatively cheap overall if you cache the results like I do, so I might have to update my addon to be able to use the Precision Insights service which reports proxy servers.

Then I can flag user registrations using a proxy and place them in moderation for further checks.

Interestingly, many of these spammers on my site were actually held for moderation and approved by me because other than the IP address - they looked like completely legitimate users.
 

rainmotorsports

Well-known member

It only prevents registration, not viewing, using or logging in. Which for some people is an issue. For us it's a plus. Because if they aren't a spammer it's always someone using Tor or a VPN to rage after a ban.

It's configurable. You can auto reject or moderate or use a score. The default scoring is 3 to moderate or 6 to reject. So you can +1 high spam, low traffic countries. +1 certain email providers. +1 for reported IP addresses. So after a while a suspicious user gets moderated on registration. We get maybe 2 moderated legit users a month. That might be a nightmare to some. But I've seen worse out of the stock SFS settings, which can flag a username for being too generic lol

You can also subtract score. Like we are a heavy military userbase so I set the scoring to effectively never reject someone with a .mil address.

I just checked my logs. While FoolBotHoneyPot has plenty of non-human spammers logged, my TPU log is almost clean. I guess they gave up. It's so clean that I found a spammer that wasn't blocked, but hasn't posted content yet. They are using OVH in France. Very obvious pattern to it, but they only scored a +1 on my settings and were allowed to register lol
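The registration-time scoring rainmotorsports describes in the two posts above (reject data center or VPN sources by rDNS host name or ASN, +1 per weak signal such as country, email provider or a reported IP, moderate at 3, reject at 6, and a negative weight so a .mil address is effectively never rejected) modelled as a small Python function. This is an added example written for this page; it is not TPU Detect Spam's code, and the blocklists, the rDNS/GeoIP/ASN tables and the sample registrations are constructed for illustration. The ASN used for OVH (AS16276) is public routing data but is only an illustrative entry here.

```python
"""Additive registration scoring: moderate at 3, reject at 6.

Added example, not TPU Detect Spam's code.  Blocklists, lookup tables
and sample registrations are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

MODERATE_AT, REJECT_AT = 3, 6

HIGH_SPAM_COUNTRIES = {"PK", "VN"}               # high spam, little legit traffic
WATCHED_EMAIL_DOMAINS = {"mail.ru", "yandex.com"}
REPORTED_IPS = {"203.0.113.77"}                  # stand-in for a StopForumSpam hit
DATACENTER_HOSTS = ("ovh.net", "ipvanish.com")   # rDNS suffixes that block outright
DATACENTER_ASNS = {16276}                        # AS16276 = OVH, as the example ASN

# Constructed rDNS and GeoIP/ASN lookups; real code would query MaxMind etc.
RDNS = {
    "198.51.100.9": "ns123.ip-198-51-100.eu.ovh.net",
    "203.0.113.77": "dyn-77.example-isp.pk",
    "192.0.2.50": "c-50.example-cable.us",
}
GEO = {
    ip_network("203.0.113.0/24"): ("PK", 12345),
    ip_network("198.51.100.0/24"): ("FR", 16276),
    ip_network("192.0.2.0/24"): ("US", 7922),
}


def lookup(ip):
    """Return (country, asn) for an IP from the constructed table."""
    addr = ip_address(ip)
    for net, (cc, asn) in GEO.items():
        if addr in net:
            return cc, asn
    return "??", 0


def score_registration(email, ip):
    """Return (score, reasons).  Run only at registration, never at login."""
    score, reasons = 0, []
    cc, asn = lookup(ip)
    host = RDNS.get(ip, "")
    if host.endswith(DATACENTER_HOSTS) or asn in DATACENTER_ASNS:
        score += REJECT_AT                       # data center / VPN: reject on its own
        reasons.append("datacenter source %s (AS%d)" % (host or ip, asn))
    if cc in HIGH_SPAM_COUNTRIES:
        score += 1
        reasons.append("country " + cc)
    domain = email.rsplit("@", 1)[-1].lower()
    if domain in WATCHED_EMAIL_DOMAINS:
        score += 1
        reasons.append("email provider " + domain)
    if ip in REPORTED_IPS:
        score += 1
        reasons.append("IP reported")
    if domain.endswith(".mil"):
        score -= REJECT_AT                       # trusted domain: cancels a reject
        reasons.append("trusted .mil address")
    return score, reasons


def decide(score):
    if score >= REJECT_AT:
        return "reject"
    if score >= MODERATE_AT:
        return "moderate"
    return "allow"


# Constructed sample registrations (addresses and IPs are invented).
SAMPLES = [
    ("guest@mail.ru", "198.51.100.9"),       # OVH rDNS + watched provider -> reject
    ("anna@yandex.com", "203.0.113.77"),     # country + provider + reported -> moderate
    ("jones@army.mil", "192.0.2.50"),        # nothing suspicious -> allow
    ("a@navy.mil", "198.51.100.9"),          # OVH, but .mil cancels it -> allow
]

if __name__ == "__main__":
    for email, ip in SAMPLES:
        score, reasons = score_registration(email, ip)
        print("%-18s %-14s %2d %-8s %s" % (email, ip, score, decide(score), reasons))
```

The last sample shows the one subtlety worth testing before trusting a scheme like this: a negative weight strong enough to save every .mil registrant also saves a .mil address typed by someone registering from a blocked data center, which is exactly the trade rainmotorsports describes accepting.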
 

rainmotorsports

Well-known member
Since I have no fresh meat, here are a couple of screenshots from a time Vietnamese traffic became an issue. As you say, right now you are seeing normal user names that blend in. I had that issue as well from Pakistan. One of the patterns though was they were always a 23 year old female.

These don't match that pattern and they aren't using proxies. But it's an example.

This is a moderated example. Username match is always weak; never trust it. +1 email is better but can still be a false positive. Combined with a long email name and a country we don't have any users in, it was a moderate.

[screenshot: upload_2016-8-1_12-3-4.png]


These two had much worse SFS records so they rejected on that alone. But here you see I blocked a hostname very specifically. That alone was also enough for a reject.

[screenshot: upload_2016-8-1_12-20-40.png]


Here is one of many settings:

[screenshot: upload_2016-8-1_12-16-19.png]


That list is actually mostly stock. But I for example added ipvanish. You might not want to. But perhaps you'd block a particular proxy that's being used only for spam.
 