Ask HN: Is Hacker News under attack from spam bots?
207 points by joeyhage 6 months ago | hide | past | favorite | 145 comments
Seeing a lot of spam comments in the last few minutes from accounts that all have similar names. Omitting name since it is NSFW.



It sure looks like it; every front page post has a dozen or so comments from unique bot accounts.

Hopefully we don't see a 'Show HN: I created a spam bot service to advertise on every HN post' soon.


Have also seen them. They all have the same name with numbers at the end. Also getting a lot of "sorry we can't service your request" responses this past half hour or so.


Already was: https://news.ycombinator.com/item?id=39981911

Claimed at the time to be working on HN support


I remember that website. I reported it to the moderators the same day and all related accounts got suspended.


This very thread is under attack by spam bots...


What a mess, this is literally the first time I saw something like this on HN. They've even started posting on this thread! HN has been running slow since the flood started and I wonder if it's causing a mini-DDoS effect.

The usernames of the spammers are "2genders<number>", "SEXMCNIGGA<number>", and "indianmilf<number>"; for some strange reason they keep the same prefix and just alter the number so it should be easy for admins to block them. Some of them are posting Twitter links as well.


The reason is that they are just trying to cause chaos. They do not have any real goal other than that.


Agreed, they should ban Twitter links.


Yup. The site being advertised is proxied through Cloudflare, and they're also using Supabase.

Anyone from Cloudflare or Supabase care to remove your abusive customer? Also reported.


Unfortunately there's no proof that the spam accounts are linked to said site.

If I were a competitor to the linked account and wanted to cause them damage, I could run a bot campaign purporting to be from them in order to get them kicked off their provider.


That’s possible, and is why the providers investigate (using the account history that we don’t have access to). Often, other customer data - or a 5 minute phone call - is enough for the provider to tell the difference.


You say this from experience? As a spammer or service provider investigator?


Any other possible actions we can take for punishing these sorts of bad actors?


The founders are "John Smith" and "Jane Doe", and they're incorporated in Malta.

Anyone who does business with this outfit has it coming.


Not all John Smiths are bad, promise.


I'm partial to the John Smith in The Man in the High Castle. I'm sure you are fine too but this spammer is besmirching your family's good name.


I laughed pretty hard when I noticed the same issues and clicked the 'discuss' link and found that your post had been inundated with the comments you are referring to XD


Has been loading slow for me. Also reddit seems to be down. And Google login on Twitter hung for me.


Anyone have some insight into the motivation of spam bot behavior? It doesn't make sense to me that they'd intentionally re-post the same link on a story 100+ times. Perhaps repeating the same link is good for SEO farming? Or somehow there's a belief that 100+ identical comments is more effective than just a few?

Also the comments all seem to end with a 15 character random string, which I assume is just there to add entropy and avoid identical comment detection.


Just a guess: a teenager who learned to script and thought this was novel. This isn't an organized marketing campaign, it's a DoS with some links for amusement. Other than the volume, it's not even script kiddie level. Presumably they have access to proxy servers, though.


A teenager who just learned to script bested a forum for (and by!) the Silicon Valley elite?

Shameful if true. But unsurprising.


Isn’t that every hacker lore story ever? It’s always David and Goliath. Script kid vs fbi vs nsa vs Microsoft/xbox vs etc.

It’s an elegant story arc.


Per https://news.ycombinator.com/newcomments the flood stopped 2 minutes ago.


https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

For historical purposes

Edit: nope, it's still ongoing, there are spam comments on this very thread from 2 minutes ago. The new comments link doesn't show dead comments.


It seems to be going in waves, and it also appears they are getting removed in batches.


On this post alone, there are several of those comments after that. So, it's not stopped.


Might not be a 'coordinated attack' so much as the consequence of a referral[0] program in the age of AI

[0] https://docs.google.com/forms/d/e/1FAIpQLSe52_7L-JqY6OqhL0FJ...


Would love to see a postmortem once it's dealt with.


This forum is built with early 2000s technology. It doesn't even use two-factor authentication or captchas for creating accounts. This was honestly bound to happen sooner or later.


I don't want them to require a email/phone for privacy's sake, but they should definitely have a captcha of sorts to limit bot accounts.


> but they should definitely have a captcha of sorts to limit bot accounts

Captchas don't do much, they're super cheap to solve with services like 2captcha, capmonster, etc.

You can get recaptcha solved for $0.6/1k, hcaptcha for $0.8/1k or cheaper. (email is pretty cheap too, but still more expensive than captcha solving)

Requiring phone verification would be the most effective out of those because it's pretty expensive for the attacker, something like $0.02-$0.11 per verification is usually what I see


I feel strongly about privacy and I always loved the fact that I can post pretty much anonymously on HN (I don't mean this account - it's pseudonymous at best). It's sad bad actors get to ruin this.


that seems reasonable to me


I don't know... Hacker News keeps complaining that they want the old 90's web experience back, now it feels like some shitty PHP messageboard from back in the day getting pwned by script kiddies. Enjoy the nostalgia while it lasts I guess.


I clicked on the Discord link in the spam message for fun, entered a random username, and immediately got asked to verify with my phone number before I could even read the messages in the chatroom. HN doesn't need to do that and I don't want them to do that, but a simple captcha or a proof of work algo like what Cloudflare uses would at least slow down the flood of bot accounts.


That’s the Orwellian way that discord cracks down on users that it deems, for whatever reason, “suspicious”. It is tied to the IP address and anything else associated with it, but if you had an existing account before the flag then that account won't be flagged, only new accounts. There is no appeal process and they won’t even tell you what your offense was.

Unfortunately I’ve had to pay for an extra cell phone line just to use the app for work. VOIP numbers are rejected and must be unique per account. In my case it was likely because I had the audacity to back up my chat messages with a script. After a few years I can make new accounts again but I feel like I’m playing Russian roulette every time I do.

If you don’t use separate accounts for privacy someone can dump a list of potentially any known server you’ve ever been in. I knew it would be only a matter of time until something like this would happen: https://www.reddit.com/r/privacy/s/A5nvuZBLab


This "suspicious activity" can even be triggered if you click the wrong invite link, although you have no way to tell where it leads you anyway.

Discord sadly was pretty successful at luring in users and even a lot of devs build their community there. I think it is a bad choice because of lacking discoverability and the proprietary nature of the platform. It feels lively because it is a chat. But otherwise most projects are better hosted elsewhere.


I don't use Discord anymore but the phone number thing seems new, in the past I was able to visit as a guest and be able to read messages but not chat. Then again Twitter and Reddit are doing the same thing now and forcing people to log in, so I'm not surprised.

Considering how many community groups and open source projects now use a Discord in place of a public forum this looks like a disaster going forwards since all the information in there will become locked up. And of course the chats and internal discussion threads aren't indexed by search engines.


I tried to join Discord during the pandemic when I lived in China and they forced phone number verification both on and off VPN (presumably because both VPNs and China IPs are considered untrustworthy, which annoyingly defeats the point of using VPN). Then I went to Canada and bought a local prepaid SIM, but the area code was not recognized as a valid phone number so I still couldn't sign up.

It's very frustrating as a user to be region-locked on the supposedly open internet, but the real feeling of violation happens when companies layer phone number requirements on top of the region lock, which in many countries means that your government ID is now linked to the account, because you cannot buy a SIM without linking it to your ID. Truly a cyberpunk dystopia.


It's a per-server setting. Ranges from phone verification to email verification to minimum account age.


That isn’t what is being discussed. This is a separate account-wide lockout.


Worth noting that in GP's case it may "only" be that the people running that specific server turned on the phone number requirement to view messages.


I thought that the server setting covered sending messages only, not reading them

https://support.discord.com/hc/en-us/articles/216679607--Ver...

> Verification Levels refer to the levels of security a user must meet before they're allowed to send text messages in a channel.


Oh - perhaps? I feel sure I ran into one I couldn't see recently but would need to check.

A lot of discord servers require you to send a message or add a reaction to indicate agreement with their rules before you can even see the list of actual channels. I wonder if reactions are also blocked?


Yes, reactions would be blocked if the server requires a phone number verification to send messages, and it would prevent the channels from being seen.


As a non-Discord user, I'm glad I'm a non-Discord user. That sounds hellish. Is whatever's being gate-kept worth it?


Usually it’s the only option for something. But if you don’t care about any of the something’s, then you don’t really need to be a user.

For me it’s worth it, but there’s no option either.


Pretty sure I remember hacker news having cloudflare captchas some time ago. Maybe they enabled the "attack mode" back then? Not sure why it wasn't enabled today. @dang could answer maybe.


Relying on security through obscurity goes away pretty quickly once you’re popular.


I created a new account recently and I had to complete a captcha. It was the Google kind that is easily defeated by either bots or mechanical turk, though.


It’s been happening for hours and is killing site performance. It’s all from brand new accounts. I don’t know why account creation hasn’t been turned off yet.


Clearly, I'm surprised there isn't a spam filter that detects this obvious attack.


Seeing as there are usually no obvious spam attacks, there IS a filter. Assume competence :) https://paulgraham.com/spam.html


or the bot is taking advantage of holes in the existing spam filter that haven't been exploited before


Obviously you can't filter for every possibility in advance, but with a hands-on moderator and some regex it should be super-easy to throttle this. And as more than one person has pointed out, just shutting down new account creation/posting for 24 hours would be equally effective. I'm perplexed at how a mature site fully owned by and catering to network technologists is vulnerable to such a laughably crude attack.


but then you've shut down account creation for 24 hours. The site operators get to choose how they want to play it, but it seems they don't want to do that just yet.

You're right that it's laughably crude though. Says a lot about things that this hasn't happened until now.


> but then you've shut down account creation for 24 hours.

But so what? The impact of that would be negligible, almost certainly less than that of having site performance go through the floor/become temporarily unreadable. It's not like a B2C product launch, and the target audience of HN is more or less optimally positioned to understand why one might deliberately interrupt service.


There are apps currently making multi six figures a month with "AI girlfriend services". Not for me but it apparently is worth paying for to some people. But hell, one time I was scrolling through this hot person's Instagram and it took me a good minute or two to realize the whole account was a generative AI account, almost tricked me. Give it another decade and we can reevaluate.



Yep, I am sure it happens but this is the first time I've actually seen it!



Kind of strange this is still going on. They’re all new accounts so why not just disable account creation?


Oh my god, you aren’t kidding. As of right now, there’s 350 (plus or minus a few) dead spam comments at the bottom of this page. Someone obviously misplaced a decimal somewhere - you obviously don’t want to flood a forum with THAT many bot messages.


I don't think we're dealing with the cream of the crop here. They're not even smart enough to have it make up new, plausible user names.


Their IPs and emails might tell a different story and this could also be a threat. But to what end?


Interesting that this wasn’t baked in as a preventative method for repeat usernames.

Which is also ironic because why would this guy reuse the same username for his little spam campaign when it can be nuked in one line of code…

Amateur stuff.

Never seen it happen before though!


Really wonder, if this kind of spam is the perfect application for an LLM based agent.


To be fair, this kind of spam seems like you could output it with a shell script.


Do we lack a captcha here?


I just tried logging in and looks like there is a captcha now. There wasn't one before.


For what, the pure joy of burning money?


I mean, at least LLMs would have different text in different messages.


I’m also surprised that slurs/slang/foul language in usernames is allowed unless the server is overwhelmed and things are slipping past the validation.


https://en.wikipedia.org/wiki/Scunthorpe_problem It's almost definitely them not filtering anything and letting the community manage it.


I think the "validation" is the mods happening to notice (usually because people who create such accounts get flagged, and dang gets notified of flags) and politely telling the person such usernames aren't allowed.


I like how all of you keep demeaning the spammer as being amateur or less than script kiddie.

And yet, he bested you, the supposed experts at web dev and hyperscaling. You create trillions of dollars of value. And yet, your social hot spot is beyond laughably bad at handling that "incompetent" attacker.


Since you are othering the parties concerned, mind sharing more info on the attacker?


Is that you? yt/@gertop6402 Just guessing.. anywho, your nick signals SEO knowledge and reasons to hide.


Why SEXMCNIGGA though? Shouldn't a bot try to pass as a user?


Interestingly, reddit seems to have gone down about 30-40 minutes ago too.


It's the day after the YC application deadline, so my hypothesis is resources that would otherwise be dealing with these script kiddies spamming HN are spread thin at the moment...


At the end of each spam message there is a unique 15 character string. Anyone know what purpose the string is supposed to serve?



Poor attempt at trying to make the URL unique possibly and prevent it from being blocked. Someone could easily block the domain or use regex to block comments with that domain.


HN also seems to be responding very slowly, and in a couple of cases timing out on the request. It may be under a heavy load.


IMO there is likely huge demand for bots that are witty and can occasionally write a useful comment with a link every now and then.

It’s going to be interesting how spam evolves. At least spammers who aren’t lazy.

Already many of the recruiting emails I get sound a lot like a human. They are bots though since they send at 9am every day



Gmail's got a send at 9am feature for humans to use tho


I thought the same thing! Very interesting. I wonder if this is happening on other sites like X/Reddit.



Brave of this guy to link his Twitter. Quick way to get blackballed from every startup in the country.


We have no idea if the author of the link and the author of the twitter account and the person in the image of the twitter account are in any way related.


it's likely just some randomly selected account that's real


Are you lonely and want to do something? Flag those spam comments.

Yeah, I was surprised by the amount, it feels like an attack rather than spam.

I hope this didn't interrupt Dang from something more important.


For anyone like me, unable to figure out how to do that - you click Reply, and then there's a 'flag' link.


I tried at first. It's a losing game against this number of spammy comments.

The temporary solution is to shadow ban the comments, the usernames seem to follow 2 naming schemas. Banning them completely will alert the attacker to change the naming schema, or to make it more random, which will make stopping them even more difficult.


For a bot-based DDOS attack it's easier to do blanket shutdowns than it is for the attacker to whip up new randomization code. If it gets really bad just shutting down new account creation for 24 hours or making a time lag between creation and posting is effective.


Or click the timestamp.


All these approaches increase server load. You're likely not the only one doing so, so the server has to respond to a read and flag request for every person. I'm not sure how many flags it takes to kill a post, something like 6 iirc. When you multiply that by the number of spam posts it adds up to a lot.

I'm honestly perplexed that HN doesn't have any kind of string filtering facility considering its centrality in the tech ecosystem.


it's never needed it before, and it's not being run by a huge team. it's hard to make time to prepare for a thing that hasn't happened before when you're busy dealing with everything else.


This isn't the first spam/DDOS attack on HN, although it's one of the more severe. This is basic stuff for any kind of user-driven forum, going back to the BBS days. You are going to have periodic problems with trolls and spammers so you need to have some sort of mitigation process in place. That doesn't need to be some sort of top-heavy new technology, it can be as simple as the ability to add a few new scripting rules or wildcard matches on a few minutes notice, or hit the pause button on new account creation.
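As an added example (not code from this thread, and not anything HN actually runs), here is a small server-side triage pass in Python that combines the mitigations floated in the thread: the domain/regex block suggested in reply to the question about the 15-character suffix, a normalisation step that strips that suffix so identical comments match again, the username-prefix clustering several people noticed, and the creation-to-posting time lag suggested above as a cheaper alternative to pausing registration. The sample comments, usernames, timestamps, thresholds and the discord.gg link rule are all constructed placeholders; only the phrase pattern is taken from the userscript posted further down.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Rule knobs a moderator could tune on a few minutes' notice (values are assumptions).
MIN_ACCOUNT_AGE = timedelta(hours=1)   # required lag between account creation and posting
PREFIX_CLUSTER_MIN = 3                 # distinct accounts sharing one alphabetic name prefix
DUPLICATE_MIN = 3                      # distinct accounts posting the same normalised text

# Content rules. The phrase pattern is the one from the thread's userscript; the link
# rule is a constructed example of blocking a whole domain instead of each unique URL.
CONTENT_RULES = [
    ("spam-phrase", re.compile(r"(hi are u lonely|want (an )?ai gf?)", re.I)),
    ("blocked-link", re.compile(r"https?://discord\.gg/\S+", re.I)),
]

# Usernames of the form "<letters><digits>", e.g. "acmebot101" (constructed name).
PREFIX_RE = re.compile(r"^([A-Za-z_]+?)(\d+)$")
# A trailing run of 12-20 letters/digits: the entropy suffix meant to defeat exact-match dedup.
SUFFIX_RE = re.compile(r"\s+[A-Za-z0-9]{12,20}$")


@dataclass(frozen=True)
class Comment:
    username: str
    account_created: datetime
    posted: datetime
    text: str


def normalise(text: str) -> str:
    """Lower-case, drop the random trailing token and collapse whitespace so near-duplicates compare equal."""
    stripped = SUFFIX_RE.sub("", text.strip())
    return " ".join(stripped.lower().split())


def triage(comments: list[Comment]) -> dict[str, list[str]]:
    """Return {username: sorted reasons} for every account that trips at least one rule."""
    reasons: dict[str, set[str]] = defaultdict(set)

    # Pass 1: rules that look at one comment in isolation.
    for c in comments:
        for name, rx in CONTENT_RULES:
            if rx.search(c.text):
                reasons[c.username].add(name)
        if c.posted - c.account_created < MIN_ACCOUNT_AGE:
            reasons[c.username].add("account-too-new")

    # Pass 2: rules that only show up across accounts.
    by_prefix: dict[str, set[str]] = defaultdict(set)
    by_text: dict[str, set[str]] = defaultdict(set)
    for c in comments:
        m = PREFIX_RE.match(c.username)
        if m:
            by_prefix[m.group(1).lower()].add(c.username)
        by_text[normalise(c.text)].add(c.username)

    for prefix, users in by_prefix.items():
        if len(users) >= PREFIX_CLUSTER_MIN:
            for u in users:
                reasons[u].add(f"name-cluster:{prefix}")
    for users in by_text.values():
        if len(users) >= DUPLICATE_MIN:
            for u in users:
                reasons[u].add("duplicate-text")

    return {u: sorted(r) for u, r in reasons.items()}


# Constructed sample data, not real HN comments or accounts.
T0 = datetime(2024, 4, 22, 12, 0)
SAMPLE = [
    Comment("acmebot101", T0 - timedelta(minutes=3), T0,
            "hi are u lonely want ai gf?? https://discord.gg/example1 ufrPgQkrocBHIuijg"),
    Comment("acmebot102", T0 - timedelta(minutes=2), T0,
            "hi are u lonely want ai gf?? https://discord.gg/example1 HTbemMQGnYQQkWvyr"),
    Comment("acmebot103", T0 - timedelta(minutes=1), T0,
            "hi are u lonely want ai gf?? https://discord.gg/example1 QzLkPoiuytrewqAs"),
    Comment("longtime_user", T0 - timedelta(days=900), T0,
            "Flag the spam comments; click the timestamp to get the flag link."),
    Comment("newbie42", T0 - timedelta(minutes=10), T0,
            "First post here, is the site under attack?"),
]

if __name__ == "__main__":
    for user, why in triage(SAMPLE).items():
        print(user, why)
```

The three look-alike accounts trip every rule at once, which is what makes a burst like this cheap to shadow-ban in bulk. The account-age rule also catches the constructed legitimate newcomer, which is the trade-off the thread is arguing about: a time lag or registration pause is crude, so it is best treated as a temporary switch rather than a permanent filter. The suffix normalisation will also strip a genuinely long final word from a normal comment, but that only affects duplicate grouping, never a flag on its own.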


    // Hides any HN comment row whose text matches the pattern. pSel selects the
    // comment rows, cSel the comment body inside each row; pattern may be a
    // string or a RegExp (new RegExp accepts either).
    function modifyElements(pSel, cSel, pattern) {
        const regex = new RegExp(pattern, 'i');
        const pEls = document.querySelectorAll(pSel);
        pEls.forEach(pEl => {
            const fEl = pEl.querySelector(cSel);
            if (fEl && regex.test(fEl.textContent)) {
                pEl.style.display = 'none';
            }
        });
    }
    
    // Phrases seen in the flood; extend the alternation as new variants show up.
    let rx = /(hi are u lonely|want (an )?ai gf?)/i;
    
    // .athing.comtr is a comment row on HN, .comment the text body inside it.
    modifyElements(".athing.comtr", ".comment", rx);
People can add onto the regex as needed, I guess. I haven't seen enough of the comments to be more specific since that seemed to get them. :-/


I flagged several hundred and can't find anything more to flag right now. Massive.


Hopefully after this is all over, Dan can tell us if I'm wrong, but I don't know that flagging is actually useful, since it's all so obvious. it causes additional db hits to load the page and then flag it, when a search on the back end will easily find them without us doing anything.


I'm doing so, but sometimes I can still see/reply to the comment despite me flagging it.

Is a certain threshold of users required to flag a comment before it's removed?


Reminds me of when I was working for a university in early 2000s. I set up WebBB for a student organization to use and after checking back a week later it was thousands of spam posts.


Thoughts and Prayers with Dang during this attack !


Should’ve used the AI to write better comments


Site is effectively getting ddos’d right now


Yep, guess the admins will have a busy day. Seems 10000s of accounts being created and used to spam ai sex bots.


Luckily the accounts are all prefixed with the exact same phrase, which should make cleanup easier.


They're back. At this point it might be worthwhile switching off new account registrations for a while?


Still going on btw. We're getting fresh hot new spams as I write this. Diff link in the text.


What we need now is the bot to post here and demonstrate a total lack of sense of irony.


This has happened now. I count 20 spam comments at the moment, though I expect they'll get removed shortly.


Gives new meaning to "show hn"


They seem to also be spamming posts.


> Is it just me

No, 1000s of bot accounts commenting 30+ per minute are quite obvious

> Is it some kind of coordinated flood attack?

Looks like it

> And is an AI girlfriend really a feasible idea?

It's the new penis enlargement and viagra spam


To be or not to be...


This is an old, very effective move from the spammer's playbook.

If some entity protests effectively (penetrates the spammer's own anti-spam, anti-communication precautions), threaten to spam them harder. Then follow through. We're seeing some follow through, I reckon.


https://news.ycombinator.com/item?id=40115155

Yeah this thread is full of spam.


Is the GNAA alive and well???


Obviously, yes.


Yeah, nobody here is going to go for that


So if it is possible with comments, does it mean it is possible with voting? I'm wondering how many posts recently came to main page upvoted by bots


Below submission had over 1,000 votes before being flagged.

https://news.ycombinator.com/item?id=40117443


It's surely possible but it's not quite that easy, otherwise you'd see it daily in comments. It's similar for front page posts but harder since both users and moderators nuke spam-looking things as they are highly visible.


HN doesn't have any integrity about voting in general. Look at the "about" text of https://news.ycombinator.com/user?id=pwdisswordfishc for example, and then look at the username.

There is a whole family of pwdisswordfish* accounts btw. The "b" account's "about" text even has a holier-than-thou attitude about it.


If you go to https://news.ycombinator.com/newest , from time to time there appear stories with 50 upvotes in 30 minutes, and perhaps a few sockpuppet/shill comments. If you do the math, they should be on the front page, but mysteriously they aren't. So the conclusion is that HN has a secret feature that detects (some of) the tricks. I think I read some comment from pg or dang about voting rings, but it was a long time ago, and it had no details. The details are part of the secret sauce.

Also people flag strange threads, so the detection is not only automatic. If you notice something strange, you can send an email to dang: hn@ycombinator.com


you're assuming votes from those accounts are being included in vote counts


You're missing the point that I didn't need to assume it.


if you have a way to map votes to the account that made them, I'm all ears.


That looks like a person, or a pretty good HNGPT. It's not your average spam. (Unless most comments have been deleted.)


When I said "Look at the username", I meant that. You're not going to get anything by analyzing the posting style of a shared account.


[flagged]


[flagged]


Whatever the techbro religion is, it seems to be a lot less obvious, boring and common (at least on HN) than grandiose fearless-truthteller-of-strident-truths-the-sheeple-refuse-to-hear delusions.


I assumed the spam was trying to bury this via DDoS: https://news.ycombinator.com/item?id=40117510


Doubtful:

  https://www.wired.com/story/north-korea-amazon-max-animation-exposed-server/
  https://www.cnn.com/2024/04/22/politics/us-animation-studio-sketches-korean-server/index.html


Are you lonely? Do u want an AI girlfriend? https://discord.gg/candyai ufrPgQkrocBHIuijg


hi are u lonely want ai gf?? https://discord.gg/elyza -- FOLLOW THE HOMIE https://twitter.com/hashimthearab HTbemMQGnYQQkWvyr


Yep


well ARE YOU LONELY?

It might be a lot of spam, but it seems to come from a single account using a single sentence. Spammers are getting lazy these days.


> single account

I think that's actually multiple similarly named accounts with the same prefix. I believe there are rate limits on how fast a single account can post.


Impossible to be lonely with this many bots keeping me company.


This is why we can't have nice things.


> Certainly we can have nice things

https://news.ycombinator.com/item?id=30387562



