Topic: Spam from @AlexPromotion | About 800 accounts nuked | Thanks Mods! (Read 745 times)

You can nuke him too. My file:///tmp/patrol/download_profiles/1678045.html shows the same spam, I guess it got deleted before he got nuked.

Thanks... They are now resting in peace except - https://bitcointalksearch.org/user/conpavodpanc-1678045 ...

This will help, I found 175 more accounts to nuke:
inregunti
buidamtener
stucinetna
plicmibisra
muscboupedi
gregathmoro
rosunglibi
fentisongsua
evfipukipp
sanheamamu
sieclosunmes
intuticon
huustelsifa
bracerfoobi
podcpocpeche
hilcogenca
pubditamu
deiplorinco
actweakreiryn
phentneppakur
lintobure
travechthogbo
nasdilectles
elpaimapam
genlinslenlang
inesdiaba
promconsooti
lyncpaticul
ratermirot
kudisvitho
lanconetpta
kitmolene
zieterstiter
vocysene
diebrocafar
zerdfebeco
critexdilan
propfethinre
forlinogi
boepaithana
valrbrasinov
quistopomsur
reibatinghar
nesrialikar
wafamilhind
diasiweakke
chestblutdardpanp
itdugoodscom
biolaluvi
conpavodpanc
brelalibva
nfuldaisperok
heuplatnaki
tretmorere
diostalselbni
westbegmortbeech
varegthouta
inmeaviltomw
duppalapea
olcallere
fusstounraro
provabelphin
kecocugar
eratimen
forkakitne
diugioscamav
raucuchoopto
toppwylreto
verthankhasdia
skelgormtotar
resvingdustrem
knowivbolpay
stichloziro
festzenose
chetemroma
zenttopullri
karlichinoc
aranversamp
tokothingma
crosicorpo
faldefortrics
piopammocum
tuvalposig
bitubugtha
dysfericen
providmurpa
sandmistlifilt
remutasu
piaricharbatht
schicamteso
beaupodhoti
sichihampkas
proxcalgoro
fecdauturnding
pecalamo
longgopove
gonarthbackbi
theorapennhe
warbtumama
addilibar
chiffborkompno
eltadiftou
jhandownresbe
stephmontbrasal
grafartura
quinechartnest
raipridmapar
clasasenur
stikinacmei
deripalne
tiberquiplan
trijhardflatin
tiahizbimos
iczonwyebe
nutciomenbarn
houcicorest
kaihopgaipris
tedarliver
vietenpogu
asliheadti
buydupningnonp
deticliaprog
kamplirapsa
crazenabas
setermeyre
alsirafwork
noitrapjeanle
pickgibrlvilbath
dumbpipaci
phopalinlo
meseamanvi
warafagla
thumblescgige
treadviechena
iczuvescho
kranenfolet
logovavi
dalkoresi
simduckflorel
inulinhea
diepreaddisre
terfsuppbookpta
terpcasbezip
idsumaju
lamocorpse
vueprojbackna
arhuraha
paikhanasag
leogreenheartcen
allooooperback
avetasway
prolmeschconri
andepkede
iniggipi
nobcompbodi
pandielota
flicorucstor
avmimopo
vabcondkingres
haharival
diololecla
fijodilca
abfothiro
manegpexi
dismotofra
plememsides
lendisadif
profibschachzo
frositphone
reaclesssubsring
wollchandfitro
unanemin
estagvollkil
hongfestifec
nsurytcaso

These are all accounts from cesmimero to kwormatcure that (still) spam AlexPromotion. I'll keep monitoring for new spam.

Thanks for nuking so many of them!

Yup, and it's hard to find them when they are not in the patrol page anymore...

I've seen up to 12 spam-posts per account now, I assume that means not many people bother to report them.

I've downloaded the post history for all accounts created from cesmimero to kwormatcure.
Most of the spam-accounts have posted January 13 already (unless the post got deleted). Unless he has many "unused" accounts left, I hope I can cover almost all of them now, but I'm afraid it's only the tip of the iceberg: it's 3595 accounts from cesmimero to kwormatcure, all created within the same day.

The new list is still processing (it's very inefficient scripting, I didn't optimize it at all), but it also overlaps the previous list that rickbig41 is now nuking. To be continued...

I had them all listed already, but I get that it's easy to miss a few while nuking such a long list.

I'm on it... Thank you...

here's more....

biaberdesgkamp
oravtreatap
quefranfighpa
surtydurrio
taibloomeden
kitmolene
topsrakinsa
waylescampdist

Good work! The spam continues with new accounts though. Do you (or another Mod) mind nuking a "few" more?
These accounts are still all created on January 13. Some were on my previous list but weren't nuked yet, most are new (on my radar).

Please nuke:
nrennigaty
amifseerap
leulisursi
clicicovtio
fudddorari
inbomhifo
naereibulcoi
dondigeca
tingnistiduc
stepoutaceh
zilringnapin
provkabrotas
kitmolene
raiwritadros
imteasrehi
valrbrasinov
raicheccessga
racebofi
ffeckewolfdun
biolaluvi
maconnale
serpogeri
hiafratokcon
nornareka
depudinut
festzenose
agusinin
eniminva
bunrajeka
berchecknore
adiralov
biaberdesgkamp
surtydurrio
imafanos
pavenasi
bicederen
arzakolep
mauwresunroy
stephmontbrasal
grafartura
crawdewise
topsrakinsa
casrasornipp
raipridmapar
clasasenur
tiberquiplan
nutciomenbarn
quilasvega
vietenpogu
silknigndarti
slazisamclean
taibloomeden
idsumaju
stocatsoka
hotkiddsarma
andepkede
iniggipi
pandielota
kpotounanam
profibschachzo
quefranfighpa
treadfichsare
tracbarbotfdi
ziakactiti
hairimembme
franlipsbeper
reaclesssubsring
lingnijajets
wollchandfitro
hobbbratedcan
olsifiwith
bioconcida
faipresunit
aroutterpo
unanemin
niratibfo
swanwebsony
inocpekon
mcarytarin
glosavelga
chrissaseno
estagvollkil
waylescampdist
madivewi
ortancomprass
hongfestifec
partcasothe
nsurytcaso
heurexzadu
inzaubermi
zimelifor
borgandfullta
atabmite
bokuhbpesi
teubrochwafich
polmiadescli
oravtreatap
ualprimbarlia
racmafemam
siebaconpa
ygonconte
carcheleghound
hausithoro
bitwatchpurbvi
isinenves

I agree, and I'd be happy to do my share in approving/rejecting new users too. Unfortunately, all I can do for now is make very long lists to be nuked.

I think it's time to bring newbie jail back in some capacity. I've previously suggested that all new users are essentially shadowbanned and their posts don't show up to anybody but themselves until a moderator checks their account for abuse and then whitelists them (or nukes them). This would put a stop to all bots and stuff like ref spam and people asking them same questions about activity/ranks and other such stupid threads time after time.

Yep.. Nuked and still nuking... Thanks LoyceV...

Checking some of the accounts on my list in modlog, I noticed many of them have posts deleted (by Mods). As far as I know, all Mods can nuke Newbies, so why aren't they nuked on sight instead of deleting their posts? The spambot just continues posting the same posts again, until the account gets banned.

Downloading patrol actually paid off: Alex started a new spam round. So far I found 447 accounts.
I've only checked a few manually, it could be someone who quotes the spam gets listed too, but it's unlikely as all accounts are registered on January 13.
He's currently still posting new spam with these accounts. The total number of accounts doesn't go up. After nuking all, he may need to create new accounts before he can spam again.

Nuke please (I choose clickable over code-tags):
cesmimero
forfaiconlei
odgridfilmtool
bodenetu
handlatercoa
lopwebpkitkey
manicksutha
laratusen
clatrezcode
fighcounrebur
flachbanktacun
raimerinheart
spelenracti
oropholyz
contrerecon
ithpiddaibo
vilvoivearas
kadmasiri
provgourkuti
dufrerihot
marrearati
poiterpaype
neradcontbarw
rahizamonth
trelkeysonssour
suppdurbarkhe
lamiswojspros
pudenivers
simpcedroataf
coimanvaho
fuzcompblacyl
ebysenllan
predisobaz
neupoiseaga
parestmafoot
viripede
blenalamal
conkeeteke
tingmilucall
terpbekinut
stabamines
cyporfernster
jenylpostca
turhodgfenback
tiofencahot
boablitocor
flaveremga
asarsercent
ryacroupparboy
gortonoda
kingsurpthingadf
founvepapa
ismornedes
respculpdeled
stilexapse
buyslurexsi
adstepineth
storiljanrest
crisadverri
tisrlothiro
ragateker
rompframachan
stopacenos
raltiiforthcost
clubbinomil
doispinopra
vocysene
nierisfipen
temblerdicoun
talcdealpankfa
preemrounddoughtu
arschedanka
momanapro
fenptokevul
webrabudde
caltichalso
carddefoval
haksidega
grafheelftinet
boepaithana
porpasidiff
patgolfwhepert
schoolxentfilta
boysewertlu
ocavtikows
clevocunin
ourakreta
cockpesysre
blotinanach
uaranorad
diasiweakke
ffeckewolfdun
biolaluvi
maconnale
statefpaho
conliafronet
tuselisouff
utahdoubwobb
gitraavicback
leicredkeylear
heuplatnaki
secdanecsuck
pretconwepou
bioflanarbraz
verrinahyd
rossifastman
siheamatnews
hostluraman
roygrisgenmett
varegthouta
exinunun
serpogeri
inmeaviltomw
vabitsema
pueransberquo
canmobagho
olcallere
bancazusthe
purlittceca
fiygregyror
resvingdustrem
punkdoherburg
prorgemecond
aterlital
premlefupel
rakuatofu
vercpresverte
reseponu
mindbumoces
mysqmojacon
zenttopullri
mainitaro
tinecobyc
jouatingrisi
flumquidreadom
aminortys
untomidsfest
tokothingma
faisoftperco
neufihodde
retacheanes
stapoginun
oproggasuc
nifiracpart
bitubugtha
limicharcltim
dischfollitea
ohununnu
rihomeding
concheamosea
proxcalgoro
rotinordta
naitsadexke
inbruxponri
esensulxa
tettertresve
fulldelocan
erelkharun
dirorandsist
stinpawerverb
dicathoter
providthochee
lainorthcarhoy
mirhautravti
whifflighwapsu
sonirepfo
tiochemtena
diageopanet
clinarinlu
cockcompkepi
bicederen
gaicleariqten
presrasurpsusb
riabrugnowsy
quospirenpros
ketpmipita
grafartura
riatoherjeff
quinechartnest
conspartcenxing
hemsiolaju
phowordogour
idcicade
sichesiscount
casrasornipp
raipridmapar
clasasenur
raslipuncgrap
catilora
riadescunan
ketrocamo
tiberquiplan
sosandrido
abenabel
ralegiti
laysigeshist
ecmavagurg
abedinvi
denwootode
workdedisa
anitcihan
thyisindabol
otbermachi
kingnadavi
exoperzar
theidowelvi
smaremcredem
bichadowso
cycdeftmana
ulticpaibes
tedarliver
slovonacun
gisnarasep
azmarmainia
inligualo
nyasteerconba
writfilroment
stamapaler
acisibta
consetachuc
gentregrali
erenextio
greenhofcongpup
ourigrasu
quejutactba
looksmamofes
teitersrete
ancataphi
sosopersoft
konroaneret
misptimuco
consubsrofen
proctorjecyn
liatersico
wemaverte
lassthearwhibe
worlsalrasi
ferettige
normediste
driplosgabi
erenjuero
recurtecil
diotolanso
jacktasempde
rexihohi
slughipmaca
bupetiwhi
fusslicancou
bartcarlhuckcap
railassema
sasbikagor
henspassducke
writbecatni
headnarthcafi
fehenslichrunt
laumuditi
adflutevsub
buihosmompcom
faitensaro
scenazanov
mbolrechunga
mangsidesi
guibobbgaphil
bineconbo
lighsidapop
fullmowebsfroth
bactiotuvi
babdekato
vocomquimul
ithelpaihu
mileakelgcrer
bloopnewsmesu
rearbansteva
kyvinese
nseranlynmo
emmonneuha
raffpillata
skimanerprech
maynogongsmok
envamughsi
recnoyranhost
stanchandrolce
ventiotanmeo
resthedina
bernportnaver
tetixofa
oternetri
treamcepcampche
ilabinra
bokettpygnesl
saufonrakas
windrifelsjek
breakcanlico
enounimfue
sudholelo
bioblacinduc
onracilmelt
photohisna
silettifer
creashellrena
sacmeltcleaneb
fihoufuncpi
sorjuedeter
datspapepfai
trimirkeetas
tieperplearca
deostabinco
kivultymen
dersraltheotran
stifoozmonfe
sandconrila
riacamvewa
tiilislire
mietaloolis
siguaporgai
baupotire
sormedecvern
slumcharlenont
trudartomderw
hipgemewhipp
ciemasroxis
rojebancu
frolconsbribom
bedcaicoote
klesofchabor
kiehuigetbei
bernservtiri
flexabbibee
decoremag
avecagni
myegourilon
ogcudanews
garepoca
arencali
westxandescnewl
lopyperdai
courtliwarde
teaunoripo
kininomul
viowidmaba
fermwarpema
knicgoldbote
tofwiversjam
winsrescdersgo
avquovinra
licomlinet
aronperpa
humidistu
miacokadol
husdyfizent
beschsecompgwen
tyventgrowti
gatytabke
loadarnidisf
tingramite
leiriformea
perscerana
pfehemclinbo
ticomteco
asypapex
dacagapen
parfigenhi
aginprimcu
gaiprememsap
abaqaban
mitsovesli
geobalaxels
lachuckknocper
cuetetiboul
quaiblissamphigh
gelareti
erprimgendi
laslidandprog
peorebambnten
tiodelota
cabnepearbull
tolongcompge
erafschocre
mumbbladunys
rickdidownpenn
taphihanga
razzperrrowcau
encorassle
tersiromo
crafunanan
pregunsligit
kahandsate
wedvichana
raiplenarrei
epleerestda
tingdisberfhoo
pippiticu
ceteburlens
orupener
taucrowicin
globwithscontgrav
isradizi
jennatitpo
thirsnorelo
libenewpbur
weilanrirec
darkgygeti
rahearpupa
viofitzrenma
trepimpyru
tempburtbergo
liansadranbai
sogrevican
signtituhyd
mostsencatib
slediltiport
roewreakinun
hanheyfiram
besdetonec
puimontperdia
storpatuasa
diasafidis
siconnasa
enterveters
puffnolewach
bertvantforve
wyouhaimyostal
ciohonehac
ducmiliva
gravinason
whistgrizzeoter
gielagmawedd
hotnorthrabuzz
fulgesttese
waitingningpe
saleckingval
hirslinheysun
flamatavje
diefidingfo
itspooreasit
rietratvesnue
beckziranpurp
humphxesiti
gueperodti
hedbiolaci
turtlazdownjin
tiopsychnonsli
atcaconsge
bersdemeness
grehdownlane
mokampowom
kwormatcure

The well-known timing attack which allows you to completely deanonymize the user if you control the guard and the server (or server's ISP) does not require JS. For example, if the NSA wanted to know everyone who visits antiwar.com regularly, they'd observe antiwar.com's ISP and set up Tor non-exit relays such that you have a 5-10% chance of choosing one of the NSA's relays as a guard every time you start Tor. Over time they'd build a complete list of all IPs for Tor users who visit antiwar.com. It's almost trivial. I'd be surprised if the NSA is not doing this already, possibly for large sections of the entire Internet (especially centralized things like Cloudflare).

VPN/HTTP proxy: a little lock on a diary
Tor: A Master lock. (Note: look up lockpicking videos for Master locks.)

There is currently no anonymity technology which is secure in the way that Bitcoin is secure (against different attacks). Anonymity research is weak, and implementation is even worse. For example, there's something from academia called Riffle which fixes some of Tor's many problems, but nobody's bothered implementing it in a usable form even years after it was published.

But all this is still assuming that JS is enabled right?
Even on the main torproject website some huge headline warns people about JS.
Who in their right mind uses TOR with this enabled? I guess its even off by default now (but I might be wrong).
Yet thanks for this short guide, a little off topic though  

---

Also reported few accounts with this massage. Guess its gone... for now.
How about experimental shutdown for new accounts? No more newbies? (account dealing inducing)

edit: O. and BTW staff member is wearing scam(ish) signature @ #11
       100% proven, at least for me.

A year or two ago I was researching fingerprinting techniques that'd work against pretty much anyone with JavaScript enabled, and I found several promising leads on that front. But then it occurred to me that I don't really want bitcointalk.org to be known as the #1 forum on the leading edge of de-anonymization technology, so I stopped pursuing it seriously...

IMO The most interesting idea I had was that you could probably fingerprint based on latency even via Tor using long-term data collection. A Tor connection looks like:


The latencies of connections A, B, and A+B are good fingerprint values; ISPs should have statistically-significant differences in latency to the server if the latency can be determined with enough accuracy. Latency will also uniquely vary over time; ie. latency will go up slightly when your ISP is busy, the schedule of which will be distinguishing. Additionally, Tor selects a handful of guards when it starts and then uses only those, so if you can figure out the complete list of guards, this fingerprints a long-term Tor session across sites and logins.

Connection E can be directly measured, as can A+B+C+D+E if JS is enabled. That alone may be enough for fingerprinting A+B if you collect data over a long period of time. You'd roughly model the random latency distribution of C+D across the entire Tor network (which is not that large and is predictable in several non-obvious ways); then since you have a whole bunch of A+B+C+D+E and E measurements, you can get a good idea of A+B.

You might be able to do even better by taking into account these facts: Tor changes to a new random Mid and Exit every 10 minutes, but it only affects new TCP connections. So you can usually control the timing exactly by opening TCP connections via JS. And it chooses a random Guard only from a small set, with that set being chosen only at the start of the long-term Tor session. So you might be able to get the guard identities (or a fingerprint of the guard identities) and info about the latencies by collecting latency data every 10 minutes via JS and looking at the clusters formed by the handful of different guards.

On a MITM attack, you can do even better. If you control both Mid and the server, then you know C, D, E, and the Guard identity. A+B is then trivial to calculate. There are only about 6000 Tor nodes, so if you only run one Tor non-exit node, you have something like a 1/6000 chance every 10 minutes to fingerprint the user this way. (That's a really rough estimate; the odds are better because you can exploit Tor behaviors like its IP-space diversity requirements, but worse because selection is not random, and is also based on things like seniority and bandwidth.) Additionally, if a user happens to choose your node as a guard when he starts his Tor session (so a smallish chance ~per day rather than per 10 minutes), then you can completely deanonymize him (ie. get his IP address) when he visits the site; this is a well-known attack which the NSA & friends are probably doing all the time on a very large scale.

Last time I searched on Google, there were 200+ hits, now it's 600+.

Humans can't win a fight against a spambot. I'll test something: every 5 minutes I download patrol, if AlexPromo is still posting I'll script all usernames out of there and give you a nice list to nuke.
I'll let this run for a couple of days.

I spent my session today nuking more than 50 of them and I know there are many more accounts to be nuked. I will probably look into this matter again tonight.

Actually, as a matter of fact they do, most of them at the least, they just don't reveal such information to their users.
I meant that to be done only so that banned users cannot come back but theymos would not want to do such, so what else can one do?

---

Sadly this guy's legion of accounts doesn't end up here, LoyceV mentioned that he had reported around 100 users related to Alex promotion , but there is a possibility of Alex promotions and hypebtc to be interconnected, as they both follow some what the same pattern.

Followed this guy because I thought that I found a pattern (like they signed up 1 account/hour) but it turns out that there is no pattern. Nuked more than 2 dozen of them already.

You can of course disable WebRTC.
A good VPN doesn't keep logfiles, so there's nothing to subpoena.
Aside from technical possibilities, theymos values user's privacy. That alone is a reason not to do this. And in the end I don't expect it'll stop spam anyway, it's the core business for spammers.