186

Super User got hit by another batch of spammers creating profiles. They've got accounts on other sites from what I've heard from other mods and from the comments here.

Last time it was streaming. Now it's insurance sales... with phone numbers (as of December, looks like they're spamming scammy finance too). I had 160+ pages of users from that search (though I've deleted a good chunk of them since it was posted, and on the aggregate we have none left), and a quick look suggests most of them are spammers. Comments from this post indicate it's network wide - and a quick check indicates Stack Overflow has a handful of these too, though not as many as we have.

While the powers that be have been taking action, both directly and indirectly, it feels like between shared IPs and search, mods might be able to take a good chunk of these out if we can somehow have a way to delete accounts somewhat in bulk. You guys are awesome. But these... People keep doing it still, and it would be nice to see their works undone.

Unlike our streaming spammers, they've switched to phone numbers, presumably because Adam so kindly blocked links.

Screenshot of profile spam

There's a few good suggestions at mitigating these - but ideally - I've heard from fellow mods that we want them gone.

They add to the broken window effect - which we can't do anything about due to sheer volume, and they probably poison our search engine results.

We can probably reduce the risk of oops by filtering by IPs (clearing everything on an IP lets me whack 10 or so users at once, rather than clicking through 3-4 pages a user) and optionally selectively not deleting accounts that seem legit, we can probably clear out a bunch of these without really needing CM intervention. It does make it a little too easy, but these incidents, well, kinda need a flamethrower's gentle warmth.

I'm cool with a no. I'm probably going through the usual channels in future. Would be nice to have something that lets mods deal with this effectively though.

34
  • 5
    Get a goat that doesn't run away so much :P
    – ArtOfCode
    Commented Nov 27, 2017 at 15:01
  • 65
    That is 164 pages of car insurance spam profiles, and 36 per page for ~5,900 total. Good grief... Commented Nov 27, 2017 at 15:18
  • 9
    Devil's advocate here, but who's paging through new-user listings to see what kind of random noise inactive non-users have left in their profile? Does anybody see it? Is there a use case to browse through profiles with ZERO content? This feels like a "if a tree falls in the woods..." situation to me, but maybe it gets fixed. I just hope you're not spending any time actively seeking this out to clean up what feels like a non-issue — unless I am missing something here. Commented Nov 27, 2017 at 16:12
  • 13
    @RobertCartaino not actively hunting it, but I noticed it while looking at a badge I was awarded and saw a lot of new "autobiographer" badges being awarded to spam profiles. Check the right hand side, still more spam being seeded: superuser.com/help/badges
    – Mokubai
    Commented Nov 27, 2017 at 16:19
  • 8
    @RobertCartaino Okay not a lot of people may browse to the badges page on a regular basis but the fact that a lot of spam shows up there makes it a real issue to me rather than a non-issue. From that page it makes it look like we accept spam in this form and that we actively reward it by giving it a badge, much like Twitter and their "verified" badge being mistaken for their acceptance of unsavoury people rather than the real meaning of "they are who they are"...
    – Mokubai
    Commented Nov 27, 2017 at 16:33
  • 78
    @RobertCartaino Google bot is paging through those listings, and indexing them (which is the whole point of these profiles; stuffing keywords in there so that search for those words leads to phone numbers). If Google starts thinking of SU as a keyword-stuffing spammy site, that won't help SU's search rankings.
    – user315433
    Commented Nov 27, 2017 at 16:44
  • 3
    Fair enough.... Commented Nov 27, 2017 at 16:49
  • 4
    @RobertCartaino Not really worth the time manually nuking these for me. Maybe when I'm really bored but after about 200 or so... I got really bored. It is a problem we've made the CM team aware of in the past, and some mitigations are in place. These crafty chaps seem to have actually adapted to the lack of links, and have roughly the same MO.... Commented Nov 27, 2017 at 23:49
  • 6
    I've deleted a bunch on each of the five sites where I have diamonds. I'd say it's network-wide by now. Commented Nov 29, 2017 at 4:28
  • 14
    They've finally started to post actual spam.
    – Glorfindel Mod
    Commented Nov 29, 2017 at 10:45
  • 5
    I am positive that with all the data SE should have available even a simple SPAM filter could be developed here (with Naive Bayes for example, the out-of-the-box implementation for that)... I really hope these spam profiles are being saved somehow for analysis... I see that the spam is no new story, and that in the past the community was open to considering spam filter ideas ... are we still open for such a thing? A spam filter could also be applied to posts from users with few interactions, in case it was needed.
    – DarkCygnus
    Commented Nov 29, 2017 at 18:10
  • 3
    A variation on the theme - meta.stackoverflow.com/questions/360042/possible-spam-accounts
    – ChrisF Mod
    Commented Nov 30, 2017 at 16:51
  • 5
    @6'whitemale I just tried a Google search for "car insurance stack exchange", and the 5th hit was a spammer's profile. Commented Dec 1, 2017 at 13:47
  • 5
    Superuser now has 396+ pages of this, for an estimate of somewhere north of 14,000 spam profiles. This isn't slowing down any time soon.
    – Mokubai
    Commented Dec 2, 2017 at 17:18
  • 6
    Now 529 pages for 19,000 spam profiles. Commented Dec 6, 2017 at 12:56

6 Answers

186
+50

Maybe SE simply shouldn't publicly show profiles for users that have no interaction at all on the site. Users that have never voted, posted or done anything at all are just noise in the user listings anyway. Of course the user itself should be able to see their own profile, but there is really no reason why anyone else would look at it.

Looking for this kind of spam profile is a huge time sink, and not really worth the effort. But leaving lots of this kind of spam visible is also not really a good option. Not showing these profiles at all publicly would mean they only waste a few bytes in the database, which is probably irrelevant. But it would mean there is no need for any moderators or CMs to waste time on this.

24
  • 55
    I was essentially thinking the same thing, like just bumping editing profile information to 5 reputation or something.
    – animuson StaffMod
    Commented Nov 27, 2017 at 15:43
  • 29
    @animuson I think that would give the person responsible for the new user engagement a heart attack. I suspect you don't want to put any barriers towards new users adding more information about themselves ;-). Commented Nov 27, 2017 at 15:45
  • 30
    I doubt many new users would even notice a 5 rep limitation. They should really be posting a question or answer first, getting an upvote or two, noticing their profile and then telling us about themselves. Any user that has gained 5 rep on any site gains the ability to copy their profile across the network so that's not really a limitation for them either. It feels like this would be a good way to go to me.
    – Mokubai
    Commented Nov 27, 2017 at 15:49
  • 9
    +1. 5 rep is one question upvote. This should be no challenge for any real user.
    – AAM111
    Commented Nov 27, 2017 at 19:27
  • 7
    Honestly it's probably enough to just remove them from robots.txt so that Google doesn't index them. You don't even need to go so far as preventing anyone from ever seeing the profiles (not that I'd have a problem with that either).
    – Servy
    Commented Nov 27, 2017 at 22:23
  • 2
    Both those solutions are pretty clever. Also, easier than what I suggested. Possibly not the answer I asked for, but potentially the answer I need ;p Commented Nov 27, 2017 at 23:33
  • 9
    @Servy: No need to mess with robots.txt. A noindex meta tag on low-rep user profiles should do the trick, without harming user experience in any way. Commented Nov 28, 2017 at 4:08
  • 2
    I'm completely biased towards the nuclear option here :(. But yeah, that would probably take away the incentive to do so. And alternate ideas are totally why something like this is best asked on meta. Top minds and all that :) Commented Nov 28, 2017 at 4:34
  • 25
    Similarly, such users shouldn't gain any publicity (e.g. listing in badges page) when they earn badges like Autobiographer. Commented Nov 28, 2017 at 7:09
  • 16
    @MadScientist except for moderators. Moderators should always be able to see profiles, because sometimes information there is needed for things like investigating fraud. Commented Nov 28, 2017 at 15:45
  • 1
    @Servy: It wouldn't, but it would be maintenance nightmare. Unless you mean just categorically disallowing indexing of all user profiles, which would be easy enough to implement but would seem like throwing out the baby with the bathwater. Commented Nov 28, 2017 at 16:35
  • 5
    @Servy - Some users (like me) actually prefer having their profiles indexed for various reasons. Plus with SE Careers, people's profiles are the sort of thing SE would want showing up in search results. I would definitely lean towards dealing with this situation with 'surgical precision' not 'nuclear bomb'.
    – Robotnik
    Commented Nov 29, 2017 at 2:54
  • 4
    @Robotnik Does your account actually have activity, or is the profile that you want indexed a user that hasn't actually interacted with the site in any way? I feel like having a single post is a low enough bar for having your profile indexed.
    – Servy
    Commented Nov 29, 2017 at 14:13
  • 2
    @MadScientist I really, really like this solution. However, I'd bet that to get around this, spammers will post utter garbage as questions and have another spammer upvote it (maybe the same spammer under a different account). Now, that's a lot more work, so there'd definitely be less spam, but it would come at the expense of more trash in questions. Is this a better outcome (genuinely asking)? Is it potentially easier to deal with? Commented Dec 1, 2017 at 18:57
  • 1
    If they post, we can nuke em. I suspect its cause SE anti spam measures - both official and non official are pretty effective that these folks are being forced to adapt. Commented Dec 3, 2017 at 8:00
101
+50

A further refinement to Ilmari Karonen's answer (which refines Mad Scientist's): make profiles of new accounts that haven't done anything visible only to logged-in users.

This does a few things:

  • Keeps them out of Google. No 'noindex', no robots.txt -- Google just can't see it. That's gotta be more reliable.

  • Keeps spammers from being able to send their employers a link to a public post so they can collect their bounties. (I've been told that spammers need to be able to prove they were successful.)

  • Keeps the information visible to anybody on the site who might need to look at it. That's probably just moderators (for certain kinds of fraud investigations) and yes you could make an exception for moderators, but maybe having fewer exceptions is better.

  • We already have some behaviors that change based on whether you're logged in (front-page view is different, "join" button, tour invitation), so there's logic to hook into.

This question focuses on the spammer profiles. Spammy names can still show up in the list of new users and the badge lists (Autobiographer in particular for this attack). I don't know what is reasonable to do for those exposures -- reasonable in terms of both UX and code complexity. We should identify all the places the names show up before deciding (is it just those two or are there more?).

10
  • Great idea, I just explained why I downvoted Mad's answer, and this idea is even better. Commented Nov 28, 2017 at 15:56
  • 4
    One idea behind my more radical approach was that it completely eliminates the need for any action on those profiles. If logged-in users can still see them, there is still a minor reason left to remove them. I wanted to also remove this time sink for mods that just can't let spam stand, even if it is hardly visible. Commented Nov 28, 2017 at 18:54
  • 3
    Or just to hide them from anyone but the user themselves or mods until they've performed some positive action - an edit, or a post. That said the reason these things are so insidious is they're hard to find unless you're looking at the user page. Then maybe clean up accounts with 0 actions other than profiles every year or so. Commented Nov 29, 2017 at 2:11
  • @JourneymanGeek 1-rep accounts with 0 actions do get cleaned up, IIRC after 6 months, or at least used to. Commented Nov 29, 2017 at 2:17
  • 1
    I wasn't aware. Seems a neat way to handle this if these profiles are inaccessible Commented Nov 29, 2017 at 2:18
  • 17
    My only real problem here is that it doesn't really deal with the problem of seeing all these profiles being awarded a badge and showing up on the badge page. The profiles may not be visible but their existence can still be seen on the badges page even without being logged in: superuser.com/help/badges
    – Mokubai
    Commented Nov 29, 2017 at 7:27
  • @Mokubai: I don’t know whether it’s technically feasible, but couldn’t we also remove these users from all lists (badges, new users). So the only way to get to the profile is typing a link with a matching user ID. This way, those users can show their profile to their employers, but it won’t disturb anybody else.
    – Wrzlprmft
    Commented Nov 29, 2017 at 11:19
  • @Mokubai is the appearance of bogus accounts on the Autobiographer badge page important? (Do people look at that list?) That said, a more disruptive place where they show up is the new users page, which some people monitor so they can give (legitimate) new users a helping hand. It's a pity there's no way to flag users (with corresponding on-click destroy for the mods handling the flags). Commented Nov 29, 2017 at 15:30
  • 1
    @MonicaCellio it might not be common, but it's how I personally noticed it and it was also noticed a day or so ago by other users on SU (meta.superuser.com/questions/12774/…). My concern is that even this "leak" would be enough for these spammers to get their verification and carry on doing it. It also feels a bit like we don't mind our site being polluted by garbage so long as we don't go poisoning Google. Sure we reduce the benefit to the spammers, but we are allowing the dilution of our existing systems: specifically the value of the badge.
    – Mokubai
    Commented Nov 29, 2017 at 16:08
  • 11
    Inactive profiles are no longer deleted, this is a relatively recent change. (cc: @JourneymanGeek)
    – user315433
    Commented Nov 29, 2017 at 17:40
44

As a subtle alternative to Mad Scientist's suggestion, we could simply add a noindex meta tag to the profile pages of users with less than some minimum amount (say, 5 or 10 points) of rep. This would keep those pages out of Google's index, and thus make them much less attractive as spam targets, without any really noticeable effects otherwise.

What this suggestion would not do is actually stop the creation of such spam profiles, or hide them in any way from normal users. But it does remove the incentive for that kind of spam, which should gradually reduce the amount of it that we'll get, as spammers notice that it's not working any more. And in the mean time, we'd at least be making the Internet a slightly better place by keeping spam out of search engine indexes.

5
  • 13
    Some such logic already exists: links in site profiles of users with <= 10 rep are rendered as plain text. Adding noindex to them makes perfect sense.
    – user315433
    Commented Nov 28, 2017 at 6:38
  • 2
    While de-emphasising them for Google is a Good Thing and would likely reduce the level of "win" for the spammers in the long term it doesn't really change the fact that they are easily accessible to users, easy to stumble upon and apparently easy to create en-masse. Chances are they'll just keep doing it as long as it confers even the slightest public presence regardless of whether we defend Google from the tide of crap. We need to deal with the problem here, not just before it heads out the door to your friendly local search engine.
    – Mokubai
    Commented Nov 28, 2017 at 8:22
  • 5
    @Mokubai: I'm certainly not against taking measures to prevent those spam profiles from being created in the first place. That said, this form of phone number spam is purely an attempt at search engine index stuffing, so if we can keep Google from seeing it, we'll have solved 99% of the problem. Nobody's likely to call a tech support / insurance scam number because they saw it on a Stack Exchange user profile; the goal of the s[pc]ammers is to get those numbers to show up when someone Googles for "car insurance UK" or something similar. Commented Nov 28, 2017 at 9:20
  • @6'whitemale Not letting them add links prevents them from giving SEO to links, but these profiles are full of phone numbers and addresses and other such information, along with keywords that the spammer wants them to be found with, which is being indexed.
    – Servy
    Commented Nov 28, 2017 at 14:18
  • 4
    This is definitely a good approach. Based on what I've seen in the past, these groups are using search engines as their proof of work - so if they can't get the pages they've spammed into Google, they're not gonna get paid. That's eventually gonna make this a waste of time no matter how cheaply they're able to post it - but if we also take steps to make it more expensive (that is, more tedious: IP-blocks / rate-limits, content checks, automated account deletions would all slow them down to a degree) then we may actually discourage further abuse.
    – Shog9
    Commented Dec 1, 2017 at 23:09
28

These profiles are starting to spill into other sites as well.

Yesterday after this meta post was made, I hopped into the user search for RPG Stack Exchange, which I moderate, and looked for profiles which mentioned car insurance. I found two, and I destroyed them both.

Today I checked again and there were sixteen:

These have also been destroyed. The ones I checked into in further detail also had network accounts on Super User.

A moderator on Philosophy Stack Exchange has mentioned they are also deleting 6–10 per day.

This is a drop in the ocean to Super User's several thousand, but it makes me concerned that this may just be the tip of the iceberg, and that this spam might have the potential to become less a finely focused abuse of Super User, and more a network-wide oil spill.

I like several ideas above: hiding 1-rep profiles from listings, letting only the user themselves and moderators see those profiles and/or only logged-in users, making editing your profile a trivial 5-rep privilege, and telling Google not to index these. I'm posting this because I hope to suggest the rest of the network needs a stopgap and/or full solution as well.

4
  • 2
    using your trick of searching for "insurance" in user names shows that Software Engineering is also polluted by spam profiles
    – gnat
    Commented Nov 29, 2017 at 14:27
  • 10
    They're everywhere; I've deleted bunches on all five sites where I have diamonds. Super User has it worse than the rest of us, but I think all sites are infected. Commented Nov 29, 2017 at 15:33
  • PPCG is also getting infected: i.sstatic.net/9pWKR.png
    – user307833
    Commented Dec 4, 2017 at 22:18
  • 2
    I'd say almost all SE sites are affected. And from what I've seen and heard, the picture is quite comparable: 2 hidden accounts, one on "site X" and the other on Super User. Looks like they're created on SU and then "transferred" to a random site via network profile, or vice versa.
    – Izzy
    Commented Dec 5, 2017 at 10:29
6

I looked at a fair number of these car insurance profile pages and noted that they all seem to have the same phone number. I couldn't find anything interesting about that number in the phone spam database I looked at, so they may not be spamming cell phones also.

A google search on that phone number is a bit interesting. It seems to turn up a lot of spamming all over, not just SE.

It just occurred to me that this might be an attack by someone on the owner of that phone number, rather than against the site. It would probably be very effective, generating a lot of angry calls to the number. The history of the spam accounts may indicate otherwise, but the possibility should be considered.

5
  • Still, SE is the first in the results. Personally I have a suspicion it's not even a real company, just a troll targeting SE in order to cause harm. (e.g. frustrated user.) Commented Dec 4, 2017 at 12:51
  • 1
    Whoever it is is putting in a ton of resources into this. Considering the strangeness I wonder if it's an attempt to soften up the target, check if it's 'soft' and then spam. Certain aspects of this seem oddly targeted towards the SE 'architecture' - like the quick name changes, and focusing on profiles. Commented Dec 5, 2017 at 10:38
  • The number begins 1-844. In the UK, all mobile numbers begin with 07. Generally, 18X numbers are special, either premium rate or free or always count as local or charge per call rather than per minute or something else special.
    – TRiG
    Commented Dec 5, 2017 at 11:35
  • The number is a North American toll free number. It is valid in several countries in NA.
    – Buffy
    Commented Dec 5, 2017 at 11:37
  • 3
    I don't know about y'all, but when I am searching for insurance companies with the best value for money, I check Stack Exchange profiles FIRST! Commented May 4, 2021 at 23:14
-1

Are we applying anti-spam filters to profile descriptions? That seems important.

I notice that these all have a similar format, littered with non-ASCII characters, phone numbers, and long run-on sentences. We could block those.

6
  • 16
    Did you just change your username to answer this question? Commented Nov 27, 2017 at 19:32
  • 4
    @Randal'Thor meta.stackexchange.com/a/26518/335772
    – Nissa
    Commented Nov 27, 2017 at 19:36
  • @Randal'Thor the change was made before this answer, as far as I can tell. Commented Nov 28, 2017 at 15:58
  • 10
    We could, but it'd quickly end up being a cat & mouse game. I've done this before - they figure out how to work around it pretty quickly, and now you have patterns that are harder to match. Spammers have been dealing with pattern-recognition engines for a couple of decades now - they've gotten pretty good at working around the most basic checks, and throwing enough noise in that even the more serious ones end up giving you false positives. Still worth doing, but only as part of other, more effective steps to make this unprofitable.
    – Shog9
    Commented Dec 1, 2017 at 23:06
  • 1
    There are usernames out there that would defy most people's bets. Note this username and activity. stackoverflow.com/questions/24367710/…. I was convinced that it was spam from the username alone, but indeed there's a real post. Commented Dec 6, 2017 at 19:52
  • Spammers are playing a money game. They will seek paths of greatest profitability. SE sites get a lot of visitors, so the caliber of resistance that SE must apply in self-defense will also need to be high to make the pursuit seem futile, unsavory, unprofitable. Commented May 4, 2021 at 23:18
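
The profile-description filter proposed in the last answer (non-ASCII decoration, phone numbers, long run-on sentences), sketched as an added example that is not Stack Exchange's code or part of any post above. The thresholds, function names and sample profiles are constructed assumptions; because of the false-positive concern raised in the comments, a match only queues the profile for moderator review, and "non-ASCII" is narrowed to symbols and ASCII lookalikes so that non-English profiles are not penalised.

```python
import re
import unicodedata

PHONE_RE = re.compile(r"(?:\d[\s().\-]{0,2}){10,}")  # 10+ digits, loose separators
SENTENCE_SPLIT_RE = re.compile(r"[.!?]+\s+")
MAX_SENTENCE_WORDS = 40      # assumed threshold for a "run-on" sentence
MAX_DECORATIVE_RATIO = 0.02  # assumed threshold for decorative characters
REVIEW_AT = 2                # signals required before queueing for review


def is_decorative(ch):
    """Non-ASCII symbol, or a lookalike that NFKC folds back to ASCII."""
    if ord(ch) < 128:
        return False
    if unicodedata.category(ch) in ("So", "Sm", "Sk"):
        return True
    folded = unicodedata.normalize("NFKC", ch)
    return folded != ch and folded.isascii()


def profile_signals(about_me):
    """Return which of the three heuristics fire for one profile text."""
    # Fold fullwidth/stylised digits to ASCII so the phone pattern still matches.
    folded = unicodedata.normalize("NFKC", about_me)
    visible = [c for c in about_me if not c.isspace()]
    decorative = sum(is_decorative(c) for c in visible)
    ratio = decorative / len(visible) if visible else 0.0
    sentences = [s for s in SENTENCE_SPLIT_RE.split(folded) if s.strip()]
    longest = max((len(s.split()) for s in sentences), default=0)
    return {
        "phone_number": bool(PHONE_RE.search(folded)),
        "decorative_chars": ratio > MAX_DECORATIVE_RATIO,
        "run_on_sentence": longest > MAX_SENTENCE_WORDS,
    }


def needs_review(about_me):
    """Queue for a moderator only when several independent signals agree."""
    signals = profile_signals(about_me)
    return sum(signals.values()) >= REVIEW_AT, signals


# Constructed sample profiles (the phone numbers use the fictional 555-01xx range).
SPAM = ("★★★ Cheap car insurance ☎ １-８４４-５５５-０１００ ★★★ "
        + "call now for cheap car insurance quotes and best auto insurance deals " * 5)
LEGIT_EN = ("Sysadmin from Leeds. I mostly answer questions about Windows "
            "networking and PowerShell. Office line: 1-844-555-0199.")
LEGIT_RU = "Разработчик из Москвы. Люблю Linux и сети."

if __name__ == "__main__":
    for name, text in [("spam", SPAM), ("legit_en", LEGIT_EN), ("legit_ru", LEGIT_RU)]:
        print(name, needs_review(text))
```

Requiring two signals keeps a genuine profile that merely lists a phone number, or one written in a non-Latin script, out of the review queue.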
