Ask HN: Is Hacker News under attack from spam bots?

207 points by joeyhage 2 years ago | 143 comments

Seeing a lot of spam comments in the last few minutes from accounts that all have similar names. Omitting name since it is NSFW.

geerlingguy 2 years ago |

It sure looks like it; every front page post has a dozen or so comments from unique bot accounts.

Hopefully we don't see a 'Show HN: I created a spam bot service to advertise on every HN post' soon.

rjbwork 2 years ago | |

Have also seen them. They all have the same name with numbers at the end. Also getting a lot of "sorry we can't service your request responses" this past half hour or so.

A_Duck 2 years ago | |

Already was : https://news.ycombinator.com/item?id=39981911

Claimed at the time to be working on HN support

mtmail 2 years ago | | |

I remember that website. I reported it to the moderators the same day and all related accounts got suspended.

icepat 2 years ago | |

This very thread is under attack by spam bots...

mysteria 2 years ago |

What a mess, this is literally the first time I saw something like this on HN. They've even started posting on this thread! HN has been running slow since the flood started and I wonder if it's causing a mini-DDoS effect.

The usernames of the spammers are "2genders<number>", "SEXMCNIGGA<number>", and "indianmilf<number>"; for some strange reason they keep the same prefix and just alter the number so it should be easy for admins to block them. Some of them are posting Twitter links as well.

rockpods 2 years ago | |

The reason is that they are just trying to cause chaos. They do not have any real goal other than that.

antifa 2 years ago | |

Agreed, they should ban Twitter links.

troydavis 2 years ago |

Yup. The site being advertised is proxied through Cloudflare, and they're also using Supabase.

Anyone from Cloudflare or Supabase care to remove your abusive customer? Also reported.

fragmede 2 years ago | |

Unfortunately there's no proof that the spam accounts are linked to said site.

If I were a competitor to the linked account and wanted to cause then damage, I could run a bot campaign purporting to be from them in order to get them kicked off their provider.

troydavis 2 years ago | | |

That’s possible, and is why the providers investigate (using the account history that we don’t have access to). Often, other customer data - or a 5 minute phone call - is enough for the provider to tell the difference.

umvi 2 years ago | |

Any other possible actions we can take for punishing these sorts of bad actors?

esafak 2 years ago | |

The founders are "John Smith" and "Jane Doe", and they're incorporated in Malta.

Anyone who does business with this outfit has it coming.

johnasmith 2 years ago | | |

Not all John Smiths are bad, promise.

madcow2011 2 years ago |

I laughed pretty hard when I noticed the same issues and clicked the 'discuss' link and found that your post had been inundated with the comments you are referring to XD

elwell 2 years ago |

Has been loading slow for me. Also reddit seems to be down. And Google login on Twitter hung for me.

varenc 2 years ago |

Anyone have some insight into the motivation of spam bot behavior? It doesn't make sense to me that they'd intentionally re-post the same link on a story 100+ times. Perhaps repeating the same link is good for SEO farming? Or somehow there's a belief that 100+ identical comments is more effective than just a few?

Also the comments all seem to end with a 15 character random string, which I assume is just there to add entropy and avoid identical comment detection.

troydavis 2 years ago | |

Just a guess: a teenager who learned to script and thought this was novel. This isn't an organized marketing campaign, it's a DoS with some links for amusement. Other than the volume, it's not even script kiddie level. Presumably they have access to proxy servers, though.

gertop 2 years ago | | |

A teenager who just learned to script bested a forum for (and by!) the Silicon Valley elite?

Shameful if true. But unsurprising.

macintux 2 years ago |

Per https://news.ycombinator.com/newcomments the flood stopped 2 minutes ago.

notRobot 2 years ago | |

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

For historical purposes

Edit: nope, it's still ongoing, there are spam comments on this very thread from 2 minutes ago. The new comments link doesn't show dead comments.

joeyhage 2 years ago | |

It seems to be going in waves, and it also appears they are getting removed in batches.

busymom0 2 years ago | |

On this post alone, there are several of those comments after that. So, it's not stopped.

ricopags 2 years ago |

Might not be a 'coordinated attack' so much as the consequence of a referral[0] program in the age of AI

[0] https://docs.google.com/forms/d/e/1FAIpQLSe52_7L-JqY6OqhL0FJ...

MrFoof 2 years ago |

Would love to see a postmortem once it's dealt with.

krapp 2 years ago | |

This forum is built with early 2000s technology. It doesn't even use two-factor authentication or captchas for creating accounts. This was honestly bound to happen sooner or later.

mysteria 2 years ago | | |

I don't want them to require a email/phone for privacy's sake, but they should definitely have a captcha of sorts to limit bot accounts.

haiku2077 2 years ago | | |

I created a new account recently and I had to complete a captcha. It was the Google kind that is easily defeated by either bots or mechanical turk, though.

wumeow 2 years ago |

It’s been happening for hours and is killing site performance. It’s all from brand new accounts. I don’t why account creation hasn’t been turned off yet.

maximusdrex 2 years ago |

Clearly, I'm surprised there isn't a spam filter that detects this obvious attack.

motoxpro 2 years ago | |

Seeing as there is usually no obvious spam attacks, there IS a filter. Assume competence :) https://paulgraham.com/spam.html

fragmede 2 years ago | |

or the bot is taking advantage of holes in the existing spam filter that haven't been exploited before

anigbrowl 2 years ago | | |

Obviously you can't filter for every possibility in advance, but with a hands-on moderator and some regex it should be super-easy to throttle this. And as more than one person has pointed out, just shutting down new account creation/posting for 24 hours would be equally effective. I'm perplexed at how a mature site full owned and catering to network technologists is vulnerable to such a laughably crude attack.

TechDebtDevin 2 years ago |

There are apps currently make multi six figures a month with "AI girlfriend services". Not for me but it apparently is worth paying for to some people. But hell, one time I was scrolling through this hot person's Instagram and it took me a good minute or two to realize the whole account was a generative AI account, almost tricked me. Give it another decade and we can reevaluate.

johnisgood 2 years ago | |

https://microsoft.com/en-us/research/project/vasa-1/ with AI-generated people!

owlninja 2 years ago |

Yep, I am sure it happens but this is the first time I've actually seen it!

Xenoamorphous 2 years ago |

https://paulgraham.com/spam.html

wumeow 2 years ago |

Kind of strange this is still going on. They’re all new accounts so why not just disable account creation?

water-data-dude 2 years ago |

Oh my god, you aren’t kidding. As of right now, there’s 350 (plus or minus a few) dead spam comments at the bottom of this page. Someone obviously misplaced a decimal somewhere - you obviously don’t want to flood a forum with THAT many bot messages.

Turing_Machine 2 years ago | |

I don't think we're dealing with the cream of the crop here. They're not even smart enough to have it make up new, plausible user names.

renk 2 years ago | | |

Their IPs and emails might tell a different story and this could also be a threat. But to what end?

skilled 2 years ago |

Interesting that this wasn’t baked in as a preventative method for repeat usernames.

Which is also ironic because why would this guy reuse the same username for his little spam campaign when it can be nuked in one line of code…

Amateur stuff.

Never seen it happen before though!

riedel 2 years ago | |

Really wonder, if this kind of spam is the perfect application for an LLM based agent.

marginalia_nu 2 years ago | | |

To be fair, this kind of spam seems like you could output it with a shellscript.

krainboltgreene 2 years ago | | |

For what, the pure joy of burning money?

hawkice 2 years ago | | |

I mean, at least LLMs would have different text in different messages.

joeyhage 2 years ago | |

I’m also surprised that slurs/slang/foul language in usernames is allowed unless the server is overwhelmed and things are slipping past the validation.

hobs 2 years ago | | |

https://en.wikipedia.org/wiki/Scunthorpe_problem It's almost definitely them not filtering anything and letting the community manage it.

krapp 2 years ago | | |

I think the "validation" is the mods happening to notice (usually because people who create such accounts get flagged, and dang gets notified of flags) and politely telling the person such usernames aren't allowed.

gertop 2 years ago | |

I like how all of you keep demeaning the spammer as being amateur or less than script kiddie.

And yet, he bested you, the supposedly experts at web dev and hyperscaling. You create trillions of dollars of value. And yet, your social hot spot is beyond laughably bad at handling that "incompetent" attacker.

renk 2 years ago | | |

Since you are othering the parties concerned, mind sharing more info on the attacker?

renk 2 years ago | | |

Is that you? yt/@gertop6402 Just guessing.. anywho, your nick signals SEO knowledge and reasons to hide.

buildbot 2 years ago |

Interestingly, reddit seems have gone down about 30-40 minutes ago too.

thrwaway1337 2 years ago |

It's the day after the YC application deadline, so my hypothesis is resources that would otherwise be dealing with these script kiddies spamming HN are spread thin at the moment...

swah 2 years ago |

Why SEXMCNIGGA though? Shouldn't a bot try to pass as a user?

47thpresident 2 years ago |

At the end of each spam message there is a unique 15 character string. Anyone know what purpose the string is supposed to serve?

snthd 2 years ago | |

It's a hash buster.

https://en.wikipedia.org/wiki/Hash_buster

joeyhage 2 years ago | |

Poor attempt at trying to make the URL unique possibly and prevent it from being blocked. Someone could easily block the domain or use regex to block comments with that domain.

freedomben 2 years ago |

HN also seems to be responding very slowly, and in a couple of cases timing out on the request. It may be under a heavy load.

nojvek 2 years ago |

IMO there is likely huge demand for bots that are witty and can write occasional put a useful comment with a link every now and then.

It’s going to be interesting how spam evolves. At-least spammers who aren’t lazy.

Already many of the recruiting emails I get sound a lot human. They are bots though since they send at 9am everyday

AndrewOMartin 2 years ago | |

https://xkcd.com/810/

fragmede 2 years ago | |

Gmail's got a send at 9am feature for humans to use tho

jacobrussell 2 years ago |

I thought the same thing! Very interesting. I wonder if this is happening on other sites like X/Reddit.

throwaway598 2 years ago |

https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

lwansbrough 2 years ago |

Brave of this guy to link his Twitter. Quick way to get blackballed from every startup in the country.

krainboltgreene 2 years ago | |

We have no idea if the author of the link and the author of the twitter account and the person in the image of the twitter account are in any way related.

EasyMark 2 years ago | |

it's likely just some randomly selected account that's real

Bilal_io 2 years ago |

Are you lonely and want to do something? Flag those spam comments.

Yeah, I was surprised by the amount, it feels like an attack rather than spam.

I hope this didn't interrupt Dang from something more important.

paranoidrobot 2 years ago | |

For anyone like me, unable to figure out how to do that - you click Reply, and then there's a 'flag' link.

Bilal_io 2 years ago | | |

I tried at first. It's a losing game against this number of spammy comments.

The temporary solution is to shadow ban the comments, the usernames seems to follow 2 naming schemas. Banning them completely will alert the attacker to change the naming schema, or to make it more random, which will make stopping them even more difficult.

consp 2 years ago | | |

Or click the timestamp.

cabbageears 2 years ago | |

    function modifyElements(pSel, cSel, rxStr) {
        const regex = new RegExp(rxStr, 'i');
        const pEls = document.querySelectorAll(pSel);
        pEls.forEach(pEl => {
            const fEl = pEl.querySelector(cSel);
            if (fEl && regex.test(fEl.textContent)) {
                pEl.style.display = 'none';
            }
        });
    }
    
    let rx = /(hi are u lonely|want (an )?ai gf?)/i;
    
    modifyElements(".athing.comtr", ".comment", rx);

People can add onto the regex as needed, I guess. I haven't seen enough of the comments to be more specific since that seemed to get them. :-/

mtmail 2 years ago | |

I flagged several hundred and can't find anything more to flag right now. Massive.

fragmede 2 years ago | |

Hopefully after this is all over, Dan can tell us if I'm wrong, but I don't know that flagging is actually useful, since it's all so obvious. it causes additional db hits to load the page and then flag it, when a search on the back end will easily find them without us doing anything.

tithe 2 years ago | |

I'm doing so, but sometimes I can still see/reply to the comment despite me flagging it.

Is a certain threshold of users required to flag a comment before it's removed?

teensydata 2 years ago |

Reminds me of when I was working for a university in early 2000s. I set up WebBB for a student organization to use and after checking back a week later it was thousands of spam posts.

jimmySixDOF 2 years ago |

Thoughts and Prayers with Dang during this attack !

Ancalagon 2 years ago |

Should’ve used the AI to write better comments

laborcontract 2 years ago |

Site is effectively getting ddos’d right now

anonzzzies 2 years ago |

Yep, guess the admins will have a busy day. Seems 10000s of accounts being created and used to spam ai sex bots.

geerlingguy 2 years ago | |

Luckily the accounts are all prefixed with the exact same phrase, which should make cleanup easier.

slater 2 years ago |

They're back. At this point it might be worthwhile switching off new account registrations for a while?

WarOnPrivacy 2 years ago |

Still going on btw. We're getting fresh hot new spams as I write this. Diff link in the text.

rich_sasha 2 years ago |

What we need now is the bot to post here and demonstrate a total lack of sense of irony.

herpdyderp 2 years ago | |

This has happened now. I count 20 spam comments at the moment, though I expect they'll get removed shortly.

crackercrews 2 years ago |

Gives new meaning to "show hn"

EveryPizza 2 years ago |

They seem to also be spamming posts.

mtmail 2 years ago |

> Is it just me

No, 1000s of bot accounts commenting 30+ per minute are quite obvious

> Is it some kind of coordinated flood attack?

Looks like it

> And is an AI girlfriend really a feasible idea?

It's the new penis enlargement and viagra spam

interludead 2 years ago |

To be or not to be...

bediger4000 2 years ago |

This is a old, very effective move from the spammer's playbook.

If some entity protests effectively (penetrates the spammer's own anti-spam, anti-communication precautions), threaten to spam them harder. Then follow through. We're seeing some follow through, I reckon.

nojvek 2 years ago |

https://news.ycombinator.com/item?id=40115155

Yeah this thread is full of spam.

flemishgun 2 years ago |

Is the GNAA alive and well???

tadfisher 2 years ago |

Obviously, yes.

zoklet-enjoyer 2 years ago |

Yeah, nobody here is going to go for that

kertoip_1 2 years ago |

So if it is possible with comments, does it mean it is possible with voting? I'm wondering how many posts recently came to main page upvoted by bots

Kikawala 2 years ago | |

Below submission had over 1,000 votes before being flagged.

https://news.ycombinator.com/item?id=40117443

pvg 2 years ago | |

It's surely possible but it's not quite that easy, otherwise you'd see it daily in comments. It's similar for front page posts but harder since both users and moderators nuke spam-looking things as they are highly visible.

Arnavion 2 years ago | |

HN doesn't have any integrity about voting in general. Look at the "about" text of https://news.ycombinator.com/user?id=pwdisswordfishc for example, and then look at the username.

There is a whole family of pwdisswordfish* accounts btw. The "b" account's "about" text even has a holier-than-thou attitude about it.

gus_massa 2 years ago | | |

If you go to https://news.ycombinator.com/newest , from time to time there apears stories with 50 upvotes in 30 minutes, and perhaps a few sockpuppets/shills comments. If you do the math, they should be in the front page, but misteriously they aren't. So the conclussion is that HN has a secret feature that detect (some of) the tricks. I think I read some coment from pg or dang about voting rings, but it was a long time ago, but it has no details. The details are part of the secret sause.

Also people flag strange threads, so the detection is not only automatic. If you notice something strange, you can send an email to dang: hn@ycombinator.com

fragmede 2 years ago | | |

you're assuming votes from those accounts are being included in vote counts

tgv 2 years ago | | |

That looks like a person, or a pretty good HNGPT. It's not your average spam. (Unless most comments have been deleted.)

leovander 2 years ago |

I assumed the spam was trying to bury this via DDoS: https://news.ycombinator.com/item?id=40117510

gnabgib 2 years ago | |

Doubtful:

  https://www.wired.com/story/north-korea-amazon-max-animation-exposed-server/
  https://www.cnn.com/2024/04/22/politics/us-animation-studio-sketches-korean-server/index.html

spambot_12345 2 years ago |

Yep

ergocoder 2 years ago |

well ARE YOU LONELY?

It might be a lot of spams, but it seems to come from a single account using a single sentence. Spammers are getting lazy these days.

omoikane 2 years ago | |

> single account

I think that's actually multiple similarly named accounts with the same prefix. I believe there are rate limits on how fast a single account can post.

Hamuko 2 years ago | |

Impossible to be lonely with this many bots keeping me company.

elwell 2 years ago |

This is why we can't have nice things.

SushiHippie 2 years ago | |

> Certainly we can have nice things

https://news.ycombinator.com/item?id=30387562