Over the past 5-6 months, I’ve been noticing a lot of new accounts spinning up that look like this format:
https://instance.xyz/u/gmbpjtmt
https://instance.xyz/u/tjrwwiif
https://instance.xyz/u/xzowaikv
What are they doing?
They’re boosting and/or downvoting mostly, if not exclusively, US news and politics posts/comments to fit their agenda.
Edit: Could also be manipulating other regional news/politics, but my instance is regional and doesn’t subscribe to those which limits my visibility into the overall manipulation patterns.
What do these have in common?
- Most are on instances that have signups without applications (I’m guessing the few that are on instances with applications may be from before those were enabled since those are several months old, but just a guess; they could have easily just applied and been approved.)
- Most are random 8-character usernames (occasionally 7 or 9 characters)
- Most have a common set of users they’re upvoting and/or downvoting consistently
- No posts/comments
- No avatar or bio (that’s pretty common in general, but combine it with the other common attributes)
- Update: Have had several anonymous reports (thanks!) that these users are registering with an
@sharklasers.com
email address which is a throwaway email service.
What can you, as an instance admin, do?
Keep an eye on new registrations to your instance. If you see any that fit this pattern, pick a few (and a few off this list) and see if they’re voting along the same lines. You can also look in the login_token
table to see if there is IP address overlap with other users on your instance and/or any other of these kinds of accounts.
You can also check the local_user
table to see if the email addresses are from the same provider (not a guaranteed way to match them, but it can be a clue) or if they’re they same email address using plus-addressing (e.g. user+whatever@email.xyz, user+whatever2@emai.xyz, etc).
Why are they doing this?
Your guess is as good as mine, but US elections are in a few months, and I highly suspect some kind of interference campaign based on the volume of these that are being spun up and the content that’s being manipulated. That, or someone, possibly even a ghost or an alien life form, really wants the impression of public opinion being on their side. Just because I don’t know exactly why doesn’t mean that something fishy isn’t happening that other admins should be aware of.
Who are the known culprits?
These are ones fitting that pattern which have been identified. There are certainly more, but these have been positively identified. Some were omitted since they were more garden-variety “to win an argument” style manipulation.
These all seem to be part of a campaign. This list is by no means comprehensive, and if there are any false positives, I do apologize. I’ve tried to separate out the “garden variety” type from the ones suspected of being part of a campaign, but may have missed some.
[New: 9/18/2024]: https://thelemmy.club/u/fxgwxqdr
[New: 9/18/2024]: https://discuss.online/u/nyubznrw
[New: 9/18/2024]: https://thelemmy.club/u/ththygij
[New: 9/18/2024]: https://ttrpg.network/u/umwagkpn
[New: 9/18/2024]: https://lemdro.id/u/dybyzgnn
[New: 9/18/2024]: https://lemmy.cafe/u/evtmowdq
https://leminal.space/u/mpiaaqzq
https://lemy.lol/u/ihuklfle
https://lemy.lol/u/iltxlmlr
https://lemy.lol/u/szxabejt
https://lemy.lol/u/woyjtear
https://lemy.lol/u/jikuwwrq
https://lemy.lol/u/matkalla
https://lemmy.ca/u/vlnligvx
https://ttrpg.network/u/kmjsxpie
https://lemmings.world/u/ueosqnhy
https://lemmings.world/u/mx_myxlplyx
https://startrek.website/u/girlbpzj
https://startrek.website/u/iorxkrdu
https://lemy.lol/u/tjrwwiif
https://lemy.lol/u/gmbpjtmt
https://thelemmy.club/u/avlnfqko
https://lemmy.today/u/blmpaxlm
https://lemy.lol/u/xhivhquf
https://sh.itjust.works/u/ntiytakd
https://jlai.lu/u/rpxhldtm
https://sh.itjust.works/u/ynvzpcbn
https://lazysoci.al/u/sksgvypn
https://lemy.lol/u/xzowaikv
https://lemy.lol/u/yecwilqu
https://lemy.lol/u/hwbjkxly
https://lemy.lol/u/kafbmgsy
https://discuss.online/u/tcjqmgzd
https://thelemmy.club/u/vcnzovqk
https://lemy.lol/u/gqvnyvvz
https://lazysoci.al/u/shcimfi
https://lemy.lol/u/u0hc7r
https://startrek.website/u/uoisqaru
https://jlai.lu/u/dtxiuwdx
https://discuss.online/u/oxwquohe
https://thelemmy.club/u/iicnhcqx
https://lemmings.world/u/uzinumke
https://startrek.website/u/evuorban
https://thelemmy.club/u/dswaxohe
https://lemdro.id/u/efkntptt
https://lemy.lol/u/ozgaolvw
https://lemy.lol/u/knylgpdv
https://discuss.online/u/omnajmxc
https://lemmy.cafe/u/iankglbrdurvstw
https://lemmy.ca/u/awuochoj
https://leminal.space/u/tjrwwiif
https://lemy.lol/u/basjcgsz
https://lemy.lol/u/smkkzswd
https://lazysoci.al/u/qokpsqnw
https://lemy.lol/u/ncvahblj
https://ttrpg.network/u/hputoioz
https://lazysoci.al/u/lghikcpj
https://lemmy.ca/u/xnjaqbzs
https://lemy.lol/u/yonkz
Edit: If you see anyone from your instance on here, please please please verify before taking any action. I’m only able to cross-check these against the content my instance is aware of.
Sigh…
I’ll look into it. Thanks for pointing them out.
Edit: I’ve banned some obvious ones. I’ll have to look into it more when I get home.
We have our own astroturfing bots, did we make it?
I believe “Russian Bot Farm Presence” is the preferred metric of social network relevance in the scientific community.
What surprises me is that these seem to be all on other instances - including a few big ones like just.works - rather than someone spinning up their own instance to create unlimited accounts to downvote/spam/etc.
Not really: if you’re astroturfing, you don’t do all your astroturfing from a single source because that makes it so obvious even a blind person could see it and sort it out.
You do it from all over the places, mixed in with as much real user traffic as you can, and then do it steadily and without being hugely bursty from a single location.
Humans are very good at pattern matching and recognition (which is why we’ve not all been eaten by tigers and leopards) and will absolutely spot the single source, or extremely high volume from a single source, or even just the looks-weird-should-investigate-more pattern you’d get from, for example, exactly what happened to cause this post.
TLDR: they’re doing this because they’re trying to evade humans and ML models by spreading the load around, making it not a single source, and also trying to mix it in with places that would also likely have substantial real human traffic because uh, that’s what you do if you’re hoping to not be caught.
Thank you for the list, we’ll remove the Jlai.lu account
I strongly advise verifying first, but yes.
I can only verify them based on the posts/comment votes my instance is aware of. That said, I do have sufficient data and enough overlap to establish a connection/pattern.
I swear I’m not a bot.
01000001 01110010 01100101 00100000 01111001 01101111 01110101 00100000 01110011 01110101 01110010 01100101 00111111 00100000
How did you discover this? I wonder if private voting will make it too difficult to discover
As an end user, ie. not someone who either hosts an instance or has extra permissions, can we in anyway see who voted on a post or comment?
I’m asking because over the time I’ve been here, I’ve noticed that many, but not all, posts or comments attract a solitary down vote.
I see this type of thing all over the place. Sometimes it’s two down votes, indicating that it happens more than once.
I note that human behaviour might explain this to some extent, but the voting happens almost immediately, in the face of either no response, or positive interactions.
Feels a lot like the Reddit down vote bots.
But this is SOO tedious. The annoying bit is it could just be one person who set it up over a weekend, has a script that they plug into when wanting to be a troll, and now all admins/mods have to do more work.
You’re fighting the good fight! So annoying that folks are doing it on freaking lemmy.
I wonder if there’s a way for admins to troll back. Like instead of banning the accounts, send them into a captcha loop with unsolvable or progressively harder captchas (or ones designed to poison captcha solving bots’ training).
Not sure if shadowbanning can work here. Wasting each instance’s limited pool of resources is not what we want to encourage.
Yeah not to mention it’s not that hard to detect a shadowban if you’re aware of the possibility. Lemmy doesn’t even fuzz vote totals, so it would be trivial to verify whether or not votes are working.
Is there any existing opensource tool for manipulation detection for lemmy? If not we should create one to reduce the manual workload for instance admins
If there were, upbotters would use it to verify that new bottling methods weren’t detectable. There’s a reason why reddit has so much obfuscation around voting and bans.
I mean if a new account or an account with no content on it starts downvoting a lot of things or upvoting a lot of things that’s generally a red flag that it’s a vote manipulation account. It’s not always but it’s usually pretty obvious when it actually is. A person who spends their entire time downvoting everything they see, or downvoting things randomly is likely one of those bots.
Could they come up with ways around it? Sure by participating and looking like real users with post and comment history. Though that requires effort and would slow them down majorly, so it’s something that they’re very unlikely to do.
Good point, but is it then possible to come up with detection algorithms that makes it hard for upbotters even if they know the algorithm? I think that would be more ideal than security through obfuscation but not sure how feasible that is
I don’t know honestly. Really, with AI it would be pretty difficult to be foolproof. I’m thinking of the MIT card counting group and how they played as archetypal players to obscure their activities. You could easily make an account that upvoted content in a way that looked plausible. I’m sure there are many real humans that upvote stories positive to one political party and downvote a different political party. Edit: I mean fuck, if you wanted to, you could create an instance just to train your model. Edit 2: For that matter, you could create an instance to bypass any screening for botters…
I think what we need is an automated solution which flags groups of accounts for suspect vote manipulation.
We appreciate the work you put into this, and I imagine it took some time to put together. That will only get harder to do if someone / some entity puts money into it.
Yeah, this definitely seems more like script kiddie than adversarial nation-state. We’re not big enough here, yet anyway, that I think we’d be attracting that kind of attention and effort. However, it is a good practice run for identifying this kind of thing.
It’s easy on Reddit because they have their own username generator when you sign up, but the usernames being used here are very telling. Random letters is literally the absolute bare minimum effort for randomly generating usernames. A competent software engineer could make something substantially better in an afternoon and I feel like an adversarial nation-state would be using something like a small language model trained solely on large lists of scraped usernames.
Users could also be doing and reporting the checking up - if votes were transparent - and they would be able to do it on far wider scale. Oh those leopards, eating your faces, vote obfuscation proponents.
Fedia hiding the activity is one of those things that I kinda dislike, as it was an easy way to detect certain trolls.
yeah, i’m split on public votes.
On one hand, yeah, there’s a certain type of troll that would be easy to detect. It would also put more eyes on the problem I’m describing here.
On the other, you’d have people doing retaliatory downvotes for no reason other than revenge. That, or reporting everyone who downvoted them.
It depends on the person to use that “power” responsibly, and there are clearly people out there who would not wield it responsibly lol.
I think retaliatory downvotes happen either way if you’re in an argument. Same with report abuse, which, if it happens to a high degree, would be the moderator’s responsibility to ban the perpetrator (reports here are not anonymous like they were on Reddit).
Also, if there’s someone with an abusive mind, they can easily use another instance that shows Activity to identify downvoters. The vote is public either way for federation purposes, they’re just hidden from certain instances - at least on the user level, but they’re still there technically.
You should out the users and topics they are engaging with.
Ethically, I can’t (and won’t). I’m only comfortable and confident enough to share the list of sockpuppet accounts I’ve confirmed and provide the information necessary to detect them. I did list the topics I’m aware of (US news and politics), but I’m only able to see activity based on what my instance knows about. So they may be manipulating other communities, but if my instance doesn’t subscribe to them (or they’re by posters that have been banned), I have no way of seeing it.
That’s actually why I posted this. My visibility is limited, so once I identified the pattern, I’m passing that along to other admins for awareness.
Don’t respond if it is mostly “Blue MAGA” and “Genocide Joe”
I’ve seen it often on pro-Israel accounts before. But they’re usually all registered a year ago and cycled through posting content.
Such as @idoubledo@lemmy.sdf.org.
What stops the botters from setting up their own instances to create unlimited users for manipulating votes?
I guess admins also have to be on top of detecting and defederating from such instances?
They usually get found out pretty easily and then defederated by everyone. There’s a service called fediseer which allows instance admins to flag instances as harmful, which other admins can use to determine if they should block an instance.
In order for that to really work they would have to rotate between a lot of domain names either by changing their own instance’s domain or using a proxy. Either way they’d run out of domains rather quickly.
It’s way easier for them to just get accounts on the big servers and hide there as if they were normal lurking users.
Project like https://gui.fediseer.com/
@ptz@dubvee.org I have cleaned these and some other bot accounts from my instance. I was ok to open registrations to this point because we were able to get reports for almost every activity and we could easily manage them. But unfortunately Lemmy does not have a regulatory mechanism for votes, so I’ll keep it manual approval until then.
Also it looks like they’re manually creating accounts since we had captcha + email approval in our instance from the beginning. So this means that even with manual approvals, a botnet can be created – just in a delayed manner.
Thanks for the follow up.
Yep, seems manual or at least only partially automated based on feedback from other admins.
Also yeah, unfortunately, Lemmy doesn’t have the ability to report users to their home admins, just content they post. Not sure if that’s a moderation feature that’s in the pipeline or not (haven’t checked for a bit).
I see an option to report a user via their profile page in Jerboa.
I just had a look at https://lemy.lol/, and they have email verification enabled, so it’s not just people finding instances without email check to spam account on there.
@iso@lemy.lol and @QuazarOmega@lemy.lol FYI
Email verification is super easy to get around. It’s practically not a barrier at all.
It’s small step, but still a step
I used to think so, but it’s barely even that.
I’ve had 3 instance admins confirm anonymously that these were using a throwaway email service.
sharklasers.com
specifically.Can some email services be blacklisted?
Some instances do, but I think it’s more of an automod configuration. AFAIK, Lemmy doesn’t have that capability out of the box. Not sure about other fed platforms.
Mastodon has the ability to blacklist certain email providers, and I think also email IP addresses.