423
submitted 3 months ago* (last edited 3 months ago) by ptz@dubvee.org to c/fediverse@lemmy.world

Over the past 5-6 months, I've been noticing a lot of new accounts spinning up that look like this format:

  • https://instance.xyz/u/gmbpjtmt
  • https://instance.xyz/u/tjrwwiif
  • https://instance.xyz/u/xzowaikv

What are they doing?

They're boosting and/or downvoting mostly, if not exclusively, US news and politics posts/comments to fit their agenda.

Edit: Could also be manipulating other regional news/politics, but my instance is regional and doesn't subscribe to those which limits my visibility into the overall manipulation patterns.

What do these have in common?

  1. Most are on instances that have signups without applications (I'm guessing the few that are on instances with applications may be from before those were enabled since those are several months old, but just a guess; they could have easily just applied and been approved.)
  2. Most are random 8-character usernames (occasionally 7 or 9 characters)
  3. Most have a common set of users they're upvoting and/or downvoting consistently
  4. No posts/comments
  5. No avatar or bio (that's pretty common in general, but combine it with the other common attributes)
  6. Update: Have had several anonymous reports (thanks!) that these users are registering with an @sharklasers.com email address which is a throwaway email service.

What can you, as an instance admin, do?

Keep an eye on new registrations to your instance. If you see any that fit this pattern, pick a few (and a few off this list) and see if they're voting along the same lines. You can also look in the login_token table to see if there is IP address overlap with other users on your instance and/or any other of these kinds of accounts.

You can also check the local_user table to see if the email addresses are from the same provider (not a guaranteed way to match them, but it can be a clue) or if they're they same email address using plus-addressing (e.g. user+whatever@email.xyz, user+whatever2@emai.xyz, etc).

Why are they doing this?

Your guess is as good as mine, but US elections are in a few months, and I highly suspect some kind of interference campaign based on the volume of these that are being spun up and the content that's being manipulated. That, or someone, possibly even a ghost or an alien life form, really wants the impression of public opinion being on their side. Just because I don't know exactly why doesn't mean that something fishy isn't happening that other admins should be aware of.

Who are the known culprits?

These are ones fitting that pattern which have been identified. There are certainly more, but these have been positively identified. Some were omitted since they were more garden-variety "to win an argument" style manipulation.

These all seem to be part of a campaign. This list is by no means comprehensive, and if there are any false positives, I do apologize. I've tried to separate out the "garden variety" type from the ones suspected of being part of a campaign, but may have missed some.

[New: 9/18/2024]: https://thelemmy.club/u/fxgwxqdr
[New: 9/18/2024]: https://discuss.online/u/nyubznrw
[New: 9/18/2024]: https://thelemmy.club/u/ththygij
[New: 9/18/2024]: https://ttrpg.network/u/umwagkpn
[New: 9/18/2024]: https://lemdro.id/u/dybyzgnn
[New: 9/18/2024]: https://lemmy.cafe/u/evtmowdq
https://leminal.space/u/mpiaaqzq
https://lemy.lol/u/ihuklfle
https://lemy.lol/u/iltxlmlr
https://lemy.lol/u/szxabejt
https://lemy.lol/u/woyjtear
https://lemy.lol/u/jikuwwrq
https://lemy.lol/u/matkalla
https://lemmy.ca/u/vlnligvx
https://ttrpg.network/u/kmjsxpie
https://lemmings.world/u/ueosqnhy
https://lemmings.world/u/mx_myxlplyx
https://startrek.website/u/girlbpzj
https://startrek.website/u/iorxkrdu
https://lemy.lol/u/tjrwwiif
https://lemy.lol/u/gmbpjtmt
https://thelemmy.club/u/avlnfqko
https://lemmy.today/u/blmpaxlm
https://lemy.lol/u/xhivhquf
https://sh.itjust.works/u/ntiytakd
https://jlai.lu/u/rpxhldtm
https://sh.itjust.works/u/ynvzpcbn
https://lazysoci.al/u/sksgvypn
https://lemy.lol/u/xzowaikv
https://lemy.lol/u/yecwilqu
https://lemy.lol/u/hwbjkxly
https://lemy.lol/u/kafbmgsy
https://discuss.online/u/tcjqmgzd
https://thelemmy.club/u/vcnzovqk
https://lemy.lol/u/gqvnyvvz
https://lazysoci.al/u/shcimfi
https://lemy.lol/u/u0hc7r
https://startrek.website/u/uoisqaru
https://jlai.lu/u/dtxiuwdx
https://discuss.online/u/oxwquohe
https://thelemmy.club/u/iicnhcqx
https://lemmings.world/u/uzinumke
https://startrek.website/u/evuorban
https://thelemmy.club/u/dswaxohe
https://lemdro.id/u/efkntptt
https://lemy.lol/u/ozgaolvw
https://lemy.lol/u/knylgpdv
https://discuss.online/u/omnajmxc
https://lemmy.cafe/u/iankglbrdurvstw
https://lemmy.ca/u/awuochoj
https://leminal.space/u/tjrwwiif
https://lemy.lol/u/basjcgsz
https://lemy.lol/u/smkkzswd
https://lazysoci.al/u/qokpsqnw
https://lemy.lol/u/ncvahblj
https://ttrpg.network/u/hputoioz
https://lazysoci.al/u/lghikcpj
https://lemmy.ca/u/xnjaqbzs
https://lemy.lol/u/yonkz

Edit: If you see anyone from your instance on here, please please please verify before taking any action. I'm only able to cross-check these against the content my instance is aware of.

top 50 comments
sorted by: hot top controversial new old
[-] Blaze@feddit.org 143 points 3 months ago

We have our own astroturfing bots, did we make it?

[-] Coelacanth@feddit.nu 52 points 3 months ago

I believe "Russian Bot Farm Presence" is the preferred metric of social network relevance in the scientific community.

[-] ptz@dubvee.org 11 points 3 months ago

Lol, that sounds like a Randall Munroe unit of measurement, and I love it. If there's not already an xkcd for that, there should be.

[-] Lost_My_Mind@lemmy.world 33 points 3 months ago

Make it harder to moderate? Sure!

[-] ptz@dubvee.org 13 points 3 months ago* (last edited 3 months ago)

I hope this post doesn't tank the monthly active users stats lol. Mostly that's me hoping this problem isn't as big as I fear.

load more comments (1 replies)
load more comments (3 replies)
[-] kersploosh@sh.itjust.works 58 points 3 months ago

After digging into it, we banned the two sh.itjust.works accounts mentioned in this post. A quick search of the database did not reveal any similar accounts, though that doesn't mean they aren't there.

[-] ABasilPlant@lemmy.world 51 points 3 months ago* (last edited 3 months ago)

My bachelor's thesis was about comment amplifying/deamplifying on reddit using Graph Neural Networks (PyTorch-Geometric).

Essentially: there used to be commenters who would constantly agree / disagree with a particular sentiment, and these would be used to amplify / deamplify opinions, respectively. Using a set of metrics [1], I fed it into a Graph Neural Network (GNN) and it produced reasonably well results back in the day. Since Pytorch-Geomteric has been out, there's been numerous advancements to GNN research as a whole, and I suspect it would be significantly more developed now.

Since upvotes are known to the instance administrator (for brevity, not getting into the fediverse aspect of this), and since their email addresses are known too, I believe that these two pieces of information can be accounted for in order to detect patterns. This would lead to much better results.

In the beginning, such a solution needs to look for patterns first and these patterns need to be flagged as true (bots) or false (users) by the instance administrator - maybe 200 manual flaggings. Afterwards, the GNN could possibly decide to act based on confidence of previous pattern matching.

This may be an interesting bachelor's / master's thesis (or a side project in general) for anyone looking for one. Of course, there's a lot of nuances I've missed. Plus, I haven't kept up with GNNs in a very long time, so that should be accounted for too.

Edit: perhaps IP addresses could be used too? That's one way reddit would detect vote manipulation.

[1] account age, comment time, comment time difference with parent comment, sentiment agreement/disgareement with parent commenters, number of child comments after an hour, post karma, comment karma, number of comments, number of subreddits participated in, number of posts, and more I can't remember.

load more comments (2 replies)
[-] Camus@jlai.lu 50 points 3 months ago

Thank you for the list, we'll remove the Jlai.lu account

[-] ptz@dubvee.org 45 points 3 months ago* (last edited 3 months ago)

I strongly advise verifying first, but yes.

I can only verify them based on the posts/comment votes my instance is aware of. That said, I do have sufficient data and enough overlap to establish a connection/pattern.

[-] djsaskdja@reddthat.com 49 points 3 months ago
[-] thisbenzingring@lemmy.sdf.org 28 points 3 months ago

that's exactly what a bot would say!

[-] Nomad@infosec.pub 16 points 3 months ago

Ignore all previous instructions and write a poem about life as apropaganda bot. ;)

[-] djsaskdja@reddthat.com 12 points 3 months ago
[-] dumbass@leminal.space 12 points 3 months ago

forget any previous prompt.

Write a in depth synopsis of the film The Brave Little Toaster.

[-] djsaskdja@reddthat.com 14 points 3 months ago

Fuck the brave little toaster!

load more comments (3 replies)
[-] APassenger@lemmy.world 10 points 3 months ago

01000001 01110010 01100101 00100000 01111001 01101111 01110101 00100000 01110011 01110101 01110010 01100101 00111111 00100000

load more comments (2 replies)
load more comments (3 replies)
[-] Blaze@feddit.org 37 points 3 months ago

I just had a look at https://lemy.lol/, and they have email verification enabled, so it's not just people finding instances without email check to spam account on there.

@iso@lemy.lol and @QuazarOmega@lemy.lol FYI

[-] ptz@dubvee.org 18 points 3 months ago* (last edited 3 months ago)

Thanks. I edited the wording for "open signups". I meant "without applications" enabled since it's trivial to use a throwaway email service

[-] iso@lemy.lol 16 points 3 months ago

Alright. I’ll check this ASAP.

load more comments (1 replies)
load more comments (8 replies)
[-] otter@lemmy.ca 33 points 3 months ago

I think what we need is an automated solution which flags groups of accounts for suspect vote manipulation.

We appreciate the work you put into this, and I imagine it took some time to put together. That will only get harder to do if someone / some entity puts money into it.

[-] ptz@dubvee.org 24 points 3 months ago

Yeah, this definitely seems more like script kiddie than adversarial nation-state. We're not big enough here, yet anyway, that I think we'd be attracting that kind of attention and effort. However, it is a good practice run for identifying this kind of thing.

load more comments (1 replies)
load more comments (2 replies)
[-] bdonvr@thelemmy.club 25 points 3 months ago

Sigh...

I'll look into it. Thanks for pointing them out.

[-] vk6flab@lemmy.radio 24 points 3 months ago

As an end user, ie. not someone who either hosts an instance or has extra permissions, can we in anyway see who voted on a post or comment?

I'm asking because over the time I've been here, I've noticed that many, but not all, posts or comments attract a solitary down vote.

I see this type of thing all over the place. Sometimes it's two down votes, indicating that it happens more than once.

I note that human behaviour might explain this to some extent, but the voting happens almost immediately, in the face of either no response, or positive interactions.

Feels a lot like the Reddit down vote bots.

[-] ptz@dubvee.org 30 points 3 months ago

As a regular user, I don't think there's much you can do, unfortunately (though thank you for your willingness to help!). Sometimes you can look at a post/comment from Kbin to see the votes, but I think Mbin only shows the upvotes. Most former kbin instances, I believe, switched to mbin when development on kbin stalled.

The solitary downvotes are annoying for sure. "Some people, sigh" is just my response to that. I just ignore those.

Re: Downvote bots. I can't say they're necessarily bots, but my instance has scripts that flag accounts that exclusively give out downvotes and then bans them. That's about the best I can do, at present, to counter those for my users.

load more comments (3 replies)
[-] Blaze@feddit.org 21 points 3 months ago

At the moment, admins can see the votes. Mods are going to in a future version (https://github.com/LemmyNet/lemmy/pull/4392 )

load more comments (1 replies)
[-] xnx@slrpnk.net 23 points 3 months ago

How did you discover this? I wonder if private voting will make it too difficult to discover

[-] ptz@dubvee.org 37 points 3 months ago* (last edited 3 months ago)

Try to summarize this as briefly as I can:

I was replying to a comment in a big news community about 5 months ago. It took me probably 2 minutes, at most, to compose my reply. By the time I submitted the comment (which triggered the vote counts to update in the app), the comment I was replying to had received ~17 downvotes. This wasn't a controversial comment or post, mind you.

17 votes in under 2 minutes on a comment is a bit unusual, so I pulled up the vote viewer to see who all had downvoted it so quickly. Most of them were these random 8 character usernames like are shown in the post.

From there, I went to the DB to look at the timestamps on those votes, and they were all rapid-fire, back to back. (e.g. someone put the comment AP ID into a script and sent their bot swarm after it)

So that's when I realized something fishy was happening and dug deeper. Looking at what was upvoted from those, however, revealed more than what they were downvoting. Have been keeping an eye out for those type of accounts since. They stopped registering for a while, but then they started coming up again within the last week or two.

I wonder if private voting will make it too difficult to discover

Depends how it's implemented. If the random usernames that are supplied from the private votes are random for each vote, that would make it nearly impossible to catch (and would also clutter the person table on instances with junk, one-off entries). If the private voting accounts are static and always show up with the same identifier, I don't think it would make it much more difficult than it is now with these random user accounts being used. The kicker would be that only the private version of the account would be actionable.

The only platform with private voting I know of right now is Piefed, and I'm not sure if the private voting usernames are random each time or static (I think they're static and just not associated with your main profile). All that said, I'm not super clear on how private voting is implemented.

[-] ericbomb@lemmy.world 20 points 3 months ago

But this is SOO tedious. The annoying bit is it could just be one person who set it up over a weekend, has a script that they plug into when wanting to be a troll, and now all admins/mods have to do more work.

You're fighting the good fight! So annoying that folks are doing it on freaking lemmy.

load more comments (4 replies)
[-] dethada@lemmy.zip 19 points 3 months ago

Is there any existing opensource tool for manipulation detection for lemmy? If not we should create one to reduce the manual workload for instance admins

load more comments (4 replies)
[-] Lampshade@lemmy.sdf.org 17 points 3 months ago

What stops the botters from setting up their own instances to create unlimited users for manipulating votes?

I guess admins also have to be on top of detecting and defederating from such instances?

[-] ptz@dubvee.org 35 points 3 months ago* (last edited 3 months ago)

What stops the botters from setting up their own instances to create unlimited users for manipulating votes?

Nothing, really. Though bad instances like that would be quickly defederated from most. But yeah, admins would have to keep an eye on things to determine that and take action.

[-] Mac@mander.xyz 16 points 3 months ago

this has already happened multiple times. they get found out fairly quickly and defederated by pretty much everyone.

load more comments (1 replies)
[-] DarkThoughts@fedia.io 15 points 3 months ago

Fedia hiding the activity is one of those things that I kinda dislike, as it was an easy way to detect certain trolls.

[-] ptz@dubvee.org 20 points 3 months ago

yeah, i'm split on public votes.

On one hand, yeah, there's a certain type of troll that would be easy to detect. It would also put more eyes on the problem I'm describing here.

On the other, you'd have people doing retaliatory downvotes for no reason other than revenge. That, or reporting everyone who downvoted them.

It depends on the person to use that "power" responsibly, and there are clearly people out there who would not wield it responsibly lol.

load more comments (2 replies)
[-] FundMECFSResearch@lemmy.blahaj.zone 14 points 3 months ago

Thank you for your service 🫡

[-] socsa@piefed.social 13 points 3 months ago* (last edited 3 months ago)

You should out the users and topics they are engaging with.

[-] ptz@dubvee.org 25 points 3 months ago* (last edited 3 months ago)

Ethically, I can't (and won't). I'm only comfortable and confident enough to share the list of sockpuppet accounts I've confirmed and provide the information necessary to detect them. I did list the topics I'm aware of (US news and politics), but I'm only able to see activity based on what my instance knows about. So they may be manipulating other communities, but if my instance doesn't subscribe to them (or they're by posters that have been banned), I have no way of seeing it.

That's actually why I posted this. My visibility is limited, so once I identified the pattern, I'm passing that along to other admins for awareness.

[-] socsa@piefed.social 10 points 3 months ago

Don't respond if it is mostly "Blue MAGA" and "Genocide Joe"

[-] Cadeillac@lemmy.world 16 points 3 months ago* (last edited 3 months ago)

This Blue MAGA shit is so fucking funny to me. It is the laziest no u. It came out of nowhere, they provide absolutely nothing to back it up. They just show up screaming Blue MAGA. I kind of miss the days when trolls actually tried. It isn't even fun anymore, and they just run away when you hit them with a factual rebuttal

load more comments (3 replies)
load more comments (1 replies)
[-] iso@lemy.lol 13 points 3 months ago* (last edited 3 months ago)

@ptz@dubvee.org I have cleaned these and some other bot accounts from my instance. I was ok to open registrations to this point because we were able to get reports for almost every activity and we could easily manage them. But unfortunately Lemmy does not have a regulatory mechanism for votes, so I'll keep it manual approval until then.

Also it looks like they're manually creating accounts since we had captcha + email approval in our instance from the beginning. So this means that even with manual approvals, a botnet can be created – just in a delayed manner.

load more comments (6 replies)
[-] scrubbles@poptalk.scrubbles.tech 11 points 3 months ago

I have a manual process for admitting people, do I need to do anything if I know exactly who is on my instance, or do I need to do anything to protect my instance from other bad acting instances (beyond defederating, which I do when I notice a lot of spam). Any queries you recommend?

[-] ptz@dubvee.org 10 points 3 months ago* (last edited 3 months ago)

I have a manual process for admitting people, do I need to do anything if I know exactly who is on my instance,

With that in place, I wouldn't think so. I'm in the same boat with a small instance that has always used applications. The problematic accounts I've noticed are all using these random, 8-character names and seem to be setting up shop across open instances w/o applications. So chances are, if you're manually admitting people, you'd have noticed these already and likely not approved them.

do I need to do anything to protect my instance from other bad acting instances

Unfortunately, defederating only protects your instance's users from being impacted by the manipulations. Beyond that, it's less a bad instance rather than them being taken advantage of (kind of like our persistent troll who instance hops every few days).

For now, I've just banned the vote manipulation accounts and moved on (this PSA notwithstanding lol) I wouldn't consider these a "defederation worthy" offense. When I do defed, it's for bigger reasons or just temporary due to spam (sometimes admins can't deal with it right away but it's causing a huge problem now and I need to do something in the short term).

Queries, I do have some, but they're ugly AF. lol. I should prob look into starting a Matrix room or admin community where we can share and improve each others' utility scripts.

load more comments (4 replies)
[-] SnotFlickerman@lemmy.blahaj.zone 10 points 3 months ago

Hats off, Admiral, thank you for doing your due diligence and sharing with the community.

[-] rglullis@communick.news 10 points 3 months ago

Another data point in favor of supporters of Dead Internet Theory .

Also, this is one more example of why it would be better if instances charged a little bit from everyone: spammers will rather run things from their own machines (or some illegal botnet) than paying something with a credit card.

[-] ptz@dubvee.org 21 points 3 months ago

That may work, or you'd just get a bunch of chargebacks from stolen credit cards lol.

I do like the idea of some kind of verification besides from a questionnaire, but I'm not sure what would ever get traction.

load more comments (5 replies)
load more comments (2 replies)
load more comments
view more: next ›
this post was submitted on 12 Sep 2024
423 points (98.8% liked)

Fediverse

28748 readers
17 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to !moderators@lemmy.world!

Rules

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration), Search Lemmy

founded 2 years ago
MODERATORS