Have also seen them. They all have the same name with numbers at the end. Also getting a lot of "Sorry, we can't service your request" responses this past half hour or so.
What a mess, this is literally the first time I saw something like this on HN. They've even started posting on this thread! HN has been running slow since the flood started and I wonder if it's causing a mini-DDoS effect.
The usernames of the spammers are "2genders<number>", "SEXMCNIGGA<number>", and "indianmilf<number>"; for some strange reason they keep the same prefix and just alter the number so it should be easy for admins to block them. Some of them are posting Twitter links as well.
Unfortunately there's no proof that the spam accounts are linked to said site.
If I were a competitor to the linked account and wanted to cause them damage, I could run a bot campaign purporting to be from them in order to get them kicked off their provider.
That’s possible, and is why the providers investigate (using the account history that we don’t have access to). Often, other customer data - or a 5 minute phone call - is enough for the provider to tell the difference.
I laughed pretty hard when I noticed the same issues and clicked the 'discuss' link and found that your post had been inundated with the comments you are referring to XD
Anyone have some insight into the motivation of spam bot behavior? It doesn't make sense to me that they'd intentionally re-post the same link on a story 100+ times. Perhaps repeating the same link is good for SEO farming? Or somehow there's a belief that 100+ identical comments is more effective than just a few?
Also the comments all seem to end with a 15 character random string, which I assume is just there to add entropy and avoid identical comment detection.
Just a guess: a teenager who learned to script and thought this was novel. This isn't an organized marketing campaign, it's a DoS with some links for amusement. Other than the volume, it's not even script kiddie level. Presumably they have access to proxy servers, though.
This forum is built with early 2000s technology. It doesn't even use two-factor authentication or captchas for creating accounts. This was honestly bound to happen sooner or later.
> but they should definitely have a captcha of sorts to limit bot accounts
Captchas don't do much, they're super cheap to solve with services like 2captcha, capmonster, etc.
You can get recaptcha solved for $0.6/1k, hcaptcha for $0.8/1k or cheaper. (email is pretty cheap too, but still more expensive than captcha solving)
Requiring phone verification would be the most effective out of those because it's pretty expensive for the attacker; something like $0.02-$0.11 per verification is usually what I see.
I feel strongly about privacy and I always loved the fact that I can post pretty much anonymously on HN (I don't mean this account - it's pseudonymous at best). It's sad bad actors get to ruin this.
I don't know... Hacker News keeps complaining that they want the old 90's web experience back, now it feels like some shitty PHP messageboard from back in the day getting pwned by script kiddies. Enjoy the nostalgia while it lasts I guess.
I clicked on the Discord link in the spam message for fun, entered a random username, and immediately got asked to verify with my phone number before I could even read the messages in the chatroom. HN doesn't need to do that and I don't want them to do that, but a simple captcha or a proof of work algo like what Cloudflare uses would at least slow down the flood of bot accounts.
That’s the Orwellian way that discord cracks down on users that it deems, for whatever reason, “suspicious”. It is tied to the IP address and anything else associated with it, but if you had an existing account before the flag then that account won't be flagged, only new accounts. There is no appeal process and they won’t even tell you what your offense was.
Unfortunately I’ve had to pay for an extra cell phone line just to use the app for work. VOIP numbers are rejected and must be unique per account. In my case it was likely because I had the audacity to back up my chat messages with a script. After a few years I can make new accounts again but I feel like I’m playing Russian roulette every time I do.
If you don’t use separate accounts for privacy someone can dump a list of potentially any known server you’ve ever been in. I knew it would be only a matter of time until something like this would happen: https://www.reddit.com/r/privacy/s/A5nvuZBLab
This "suspicious activity" can even be triggered if you click the wrong invite link, although you have no way to tell where it leads you anyway.
Discord sadly was pretty successful at luring in users, and even a lot of devs build their community there. I think it is a bad choice because of lacking discoverability and the proprietary nature of the platform. It feels lively because it is a chat. But otherwise most projects are better hosted elsewhere.
I don't use Discord anymore but the phone number thing seems new, in the past I was able to visit as a guest and be able to read messages but not chat. Then again Twitter and Reddit are doing the same thing now and forcing people to log in, so I'm not surprised.
Considering how many community groups and open source projects now use a Discord in place of a public forum this looks like a disaster going forwards since all the information in there will become locked up. And of course the chats and internal discussion threads aren't indexed by search engines.
I tried to join Discord during the pandemic when I lived in China and they forced phone number verification both on and off VPN (presumably because both VPNs and China IPs are considered untrustworthy, which annoyingly defeats the point of using VPN). Then I went to Canada and bought a local prepaid SIM, but the area code was not recognized as a valid phone number so I still couldn't sign up.
It's very frustrating as a user to be region-locked on the supposedly open internet, but the real feeling of violation happens when companies layer phone number requirements on top of the region lock, which in many countries means that your government ID is now linked to the account, because you cannot buy a SIM without linking it to your ID. Truly a cyberpunk dystopia.
Oh - perhaps? I feel sure I ran into one I couldn't see recently but would need to check.
A lot of discord servers require you to send a message or add a reaction to indicate agreement with their rules before you can even see the list of actual channels. I wonder if reactions are also blocked?
Yes, reactions would be blocked if the server requires a phone number verification to send messages, and it would prevent the channels from being seen.
Pretty sure I remember hacker news having cloudflare captchas some time ago. Maybe they enabled the "attack mode" back then? Not sure why it wasn't enabled today. @dang could answer maybe.
I created a new account recently and I had to complete a captcha. It was the Google kind that is easily defeated by either bots or mechanical turk, though.
It’s been happening for hours and is killing site performance. It’s all from brand new accounts. I don’t know why account creation hasn’t been turned off yet.
Obviously you can't filter for every possibility in advance, but with a hands-on moderator and some regex it should be super-easy to throttle this. And as more than one person has pointed out, just shutting down new account creation/posting for 24 hours would be equally effective. I'm perplexed at how a mature site fully owned by and catering to network technologists is vulnerable to such a laughably crude attack.
But then you've shut down account creation for 24 hours. The site operators get to choose how they want to play it, but it seems they don't want to do that just yet.
You're right that it's laughably crude though. Says a lot about things that this hasn't happened until now.
> but then you've shut down account creation for 24 hours.
But so what? The impact of that would be negligible, almost certainly less than that of having site performance go through the floor/become temporarily unreadable. It's not like a B2C product launch, and the target audience of HN is more or less optimally positioned to understand why one might deliberately interrupt service.
There are apps currently making multi-six figures a month with "AI girlfriend services". Not for me, but it apparently is worth paying for to some people. But hell, one time I was scrolling through this hot person's Instagram and it took me a good minute or two to realize the whole account was a generative AI account; it almost tricked me. Give it another decade and we can reevaluate.
Oh my god, you aren’t kidding. As of right now, there’s 350 (plus or minus a few) dead spam comments at the bottom of this page. Someone obviously misplaced a decimal somewhere - you obviously don’t want to flood a forum with THAT many bot messages.
I’m also surprised that slurs/slang/foul language in usernames is allowed unless the server is overwhelmed and things are slipping past the validation.
I think the "validation" is the mods happening to notice (usually because people who create such accounts get flagged, and dang gets notified of flags) and politely telling the person such usernames aren't allowed.
I like how all of you keep demeaning the spammer as being amateur or less than script kiddie.
And yet, he bested you, the supposed experts at web dev and hyperscaling. You create trillions of dollars of value. And yet, your social hot spot is beyond laughably bad at handling that "incompetent" attacker.
It's the day after the YC application deadline, so my hypothesis is resources that would otherwise be dealing with these script kiddies spamming HN are spread thin at the moment...
Poor attempt at trying to make the URL unique possibly and prevent it from being blocked. Someone could easily block the domain or use regex to block comments with that domain.
We have no idea if the author of the link and the author of the twitter account and the person in the image of the twitter account are in any way related.
I tried at first. It's a losing game against this number of spammy comments.
The temporary solution is to shadow ban the comments; the usernames seem to follow 2 naming schemas. Banning them completely will alert the attacker to change the naming schema, or to make it more random, which will make stopping them even more difficult.
For a bot-based DDOS attack it's easier to do blanket shutdowns than it is for the attacker to whip up new randomization code. If it gets really bad, just shutting down new account creation for 24 hours or making a time lag between creation and posting is effective.
All these approaches increase server load. You're likely not the only one doing so, so the server has to respond to a read and flag request for every person. I'm not sure how many flags it takes to kill a post, something like 6 iirc. When you multiply that by the number of spam posts it adds up to a lot.
I'm honestly perplexed that HN doesn't have any kind of string filtering facility considering its centrality in the tech ecosystem.
It's never needed it before, and it's not being run by a huge team. It's hard to make time to prepare for a thing that hasn't happened before when you're busy dealing with everything else.
This isn't the first spam/DDOS attack on HN, although it's one of the more severe. This is basic stuff for any kind of user-driven forum, going back to the BBS days. You are going to have periodic problems with trolls and spammers so you need to have some sort of mitigation process in place. That doesn't need to be some sort of top-heavy new technology, it can be as simple as the ability to add a few new scripting rules or wildcard matches on a few minutes notice, or hit the pause button on new account creation.
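Several comments above sketch the same moderator-side toolkit: block usernames that are a fixed prefix plus a number, strip the 15-character entropy token before comparing comments, regex-block the spammed domain, shadow-ban rather than hard-ban, enforce a time lag between account creation and posting, and pause signups when the rate spikes. The script below is an added example (not HN's code, and not posted by anyone in the thread) that implements those heuristics over a constructed set of comments; the prefixes, domain, thresholds and timestamps are all hypothetical stand-ins.

```python
"""Defender-side flood heuristics for a comment thread.

Added example with constructed data; thresholds and names are hypothetical,
not HN's real rules. Run it, then inspect flag_thread(SAMPLE).
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Comment:
    user: str
    account_created: datetime   # when the posting account was registered
    posted: datetime            # when the comment was submitted
    text: str


# --- Tunables (hypothetical values chosen for this example) ---
SPAM_PREFIXES = ("floodbot", "linkspam")   # stand-ins for the observed prefix+number scheme
BLOCKED_DOMAINS = ("spam.example",)        # hypothetical domain being spammed
MIN_ACCOUNT_AGE = timedelta(hours=24)      # "time lag between creation and posting"
DUPLICATE_LINK_THRESHOLD = 5               # same link in >= N comments on one story
SIGNUP_WINDOW = timedelta(minutes=10)
SIGNUP_THRESHOLD = 20                      # pause account creation above this rate

PREFIX_RE = re.compile(r"^(?:%s)\d+$" % "|".join(map(re.escape, SPAM_PREFIXES)), re.I)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s]*")


def strip_trailing_token(text: str) -> Tuple[str, Optional[str]]:
    """Split off a trailing 15-char alphanumeric token that mixes letters and digits.
    Returns (text_without_token, token) or (text, None) if no such token is present."""
    m = re.search(r"\s([A-Za-z0-9]{15})$", text)
    if m:
        tok = m.group(1)
        if any(c.isdigit() for c in tok) and any(c.isalpha() for c in tok):
            return text[:m.start()], tok
    return text, None


def comment_reasons(c: Comment) -> List[str]:
    """Per-comment rules that need no knowledge of the rest of the thread."""
    reasons = []
    if PREFIX_RE.match(c.user):
        reasons.append("username matches prefix+number scheme")
    if c.posted - c.account_created < MIN_ACCOUNT_AGE:
        reasons.append("account younger than minimum age")
    for m in URL_RE.finditer(c.text):
        host = m.group(1).lower()
        if any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS):
            reasons.append("link to blocked domain " + host)
            break
    if strip_trailing_token(c.text)[1] is not None:
        reasons.append("trailing 15-char random token")
    return reasons


def flag_thread(comments: List[Comment]) -> Dict[str, List[str]]:
    """Apply per-comment rules plus a thread-wide duplicate-link check.
    Returns {user: reasons} for every user whose comment tripped at least one rule."""
    link_counts: Counter = Counter()
    links_by_comment = []
    for c in comments:
        body, _ = strip_trailing_token(c.text)   # drop the entropy token before comparing
        links = tuple(sorted(m.group(0) for m in URL_RE.finditer(body)))
        links_by_comment.append(links)
        link_counts.update(links)
    flagged: Dict[str, List[str]] = {}
    for c, links in zip(comments, links_by_comment):
        reasons = comment_reasons(c)
        if any(link_counts[l] >= DUPLICATE_LINK_THRESHOLD for l in links):
            reasons.append("same link repeated across the thread")
        if reasons:
            bucket = flagged.setdefault(c.user, [])
            bucket.extend(r for r in reasons if r not in bucket)
    return flagged


def shadow_ban_users(flagged: Dict[str, List[str]], min_reasons: int = 2) -> Set[str]:
    """Shadow-ban only users who trip several rules, so a genuine new account that
    merely posts early is not silently hidden on the age rule alone."""
    return {u for u, reasons in flagged.items() if len(reasons) >= min_reasons}


def signups_should_pause(signup_times: List[datetime], now: datetime) -> bool:
    """Circuit breaker: pause new-account creation when the recent signup rate spikes."""
    recent = [t for t in signup_times if timedelta(0) <= now - t <= SIGNUP_WINDOW]
    return len(recent) >= SIGNUP_THRESHOLD


# Constructed sample thread: two ordinary users and six flood accounts.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE = [
    Comment("regular_user", T0 - timedelta(days=400), T0, "Interesting writeup, thanks."),
    Comment("newcomer", T0 - timedelta(minutes=30), T0, "First post here, nice article."),
] + [
    Comment("floodbot%d" % i, T0 - timedelta(minutes=2), T0 + timedelta(seconds=i),
            "check this out https://spam.example/promo kQ7xL2mN9pR4sT%d" % i)
    for i in range(6)
]

if __name__ == "__main__":
    flagged = flag_thread(SAMPLE)
    for user, reasons in flagged.items():
        print(user, "->", "; ".join(reasons))
    print("shadow-banned:", sorted(shadow_ban_users(flagged)))
```

The thread-wide check deliberately strips the trailing token before counting links, which is exactly the detail the "15 character random string" comment is about: the token defeats exact-duplicate matching, but not matching on the normalised body. Keying the ban on two or more reasons is the shadow-ban trade-off from the thread: broad rules catch the flood while a lone newcomer with a single weak signal is left visible.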
Hopefully after this is all over, Dan can tell us if I'm wrong, but I don't know that flagging is actually useful, since it's all so obvious. It causes additional db hits to load the page and then flag it, when a search on the back end will easily find them without us doing anything.
Reminds me of when I was working for a university in the early 2000s. I set up WebBB for a student organization to use and after checking back a week later there were thousands of spam posts.
This is an old, very effective move from the spammer's playbook.
If some entity protests effectively (penetrates the spammer's own anti-spam, anti-communication precautions), threaten to spam them harder. Then follow through. We're seeing some follow through, I reckon.
It's surely possible but it's not quite that easy, otherwise you'd see it daily in comments. It's similar for front page posts but harder since both users and moderators nuke spam-looking things as they are highly visible.
If you go to https://news.ycombinator.com/newest , from time to time there appear stories with 50 upvotes in 30 minutes, and perhaps a few sockpuppet/shill comments. If you do the math, they should be on the front page, but mysteriously they aren't. So the conclusion is that HN has a secret feature that detects (some of) the tricks. I think I read some comment from pg or dang about voting rings, but it was a long time ago, and it had no details. The details are part of the secret sauce.
Also people flag strange threads, so the detection is not only automatic. If you notice something strange, you can send an email to dang: hn@ycombinator.com
Whatever the techbro religion is, it seems to be a lot less obvious, boring and common (at least on HN) than grandiose fearless-truthteller-of-strident-truths-the-sheeple-refuse-to-hear delusions.
Hopefully we don't see a 'Show HN: I created a spam bot service to advertise on every HN post' soon.