After getting PostHog installed on my site, I was eager to get some spam[1] so that I could use the session recording to see it in action. Well, that day arrived and it’s time to watch a spammer at work.[2]
I’ll be honest, this was a little depressing to watch. It’s someone using a phone to copy and paste their message onto my site. It’s likely they will get paid a tiny amount of money to do this manually. It’s such a waste of human labor and it makes me want to cry when I put myself in this person’s shoes. I can’t imagine anyone choosing to do this day after day.[3]
Google sign in makes creating an account easy
I try to make it easy to create an account here. Normally that’s good, but it does make it easier to start spamming.
This is a classic example of the Security/Accessibility dial. I could make spam a little harder by turning off account creation with Google, but that would also make the site a little less accessible for people who are legitimate users.
On the other hand, the next thing that happens clearly helps make the site better for new users and slows down our spammer friend a bit. He needs to click a button to ignore the helpful notification about notifications.
Testing the waters with a new topic
After poking around the site a bit (mostly looking at different categories) Spam Guy makes a test post:
PostHog masks what people type into input fields, which is handy for security reasons. But once the user presses “Create topic” and the post is rendered on the page, it is part of the recorded DOM and we can read what he came up with:
Well, that’s nothing. My guess is that Spam Guy wants to type some gibberish to avoid a naive spam filter.
Edit in the payload
His next move is to edit in the actual spam:
I suspect this person doesn’t have a lot of experience with Discourse, because he didn’t know you can edit the title and the body of a topic at the same time with this pencil icon:
This time he adds an image to make his post stand out a bit. It takes a moment or two to upload:
After pasting in the spam, he saves his edit and verifies that it posted properly:
The phone number, which seems to be the primary payload, is formatted in an odd way:[4]
(-9234567890(@)8823456789
]=Call. Rupee Quick Loan App Customer Care Helpline Number)
Presumably this turns into a clickable phone number in some software. To find out, I searched for other sites with that payload and discovered they are all Discourse sites. Some deleted the spam between the time Google last indexed their site and when I clicked the search results. But I did find one other site that still had the initial post from the spammer:
Once again, gibberish. So Spam Guy types in this nonsense rather than pasting it in. Presumably he finds it faster to type this than to go back to the document he copies spam from. Also, he is apparently targeting Discourse and just hasn’t worked out that he can edit the topic title by picking the pencil under the post.
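The pattern above (create a topic with gibberish, then edit in a phone number that has been broken up with punctuation, next to a “helpline” phrase) is easy to miss if a spam check only looks at new posts. The following is an added example, not code from the original post or from Discourse: a small moderation check that normalises the digit runs before matching, requires a keyword phrase as well as a number so that a lone order number is not flagged, and is applied to edits too, using the fact that the edit introduces contact details the original body did not have. The phone digits are the already-changed ones from the post, and the event list is constructed to mirror the session, not real log data.

```ruby
# Added example (not from the original post or Discourse itself): a
# moderation check for the "gibberish first, payload edited in later"
# helpline spam seen in the session recording.

HELPLINE_PHRASES = /\b(customer care|helpline|toll[ -]?free|loan app)\b/i

# Collapse every run of non-digits to a single space so that punctuation
# stuffed into a number ("(-92345(@)67890") cannot break up the digit run.
def normalize_digits(text)
  text.gsub(/[^0-9]+/, " ").strip
end

# Ten-digit mobile numbers, with room for a country code on top.
def phone_numbers(text)
  normalize_digits(text).scan(/\b\d{10,12}\b/)
end

# Returns the reasons a post body looks like helpline spam; an empty list
# means "nothing suspicious". A number alone (order id, ticket number) is
# not enough: the keyword phrase has to be present as well.
def spam_reasons(body)
  reasons = []
  numbers = phone_numbers(body)
  reasons << "phone-length digit run(s): #{numbers.join(', ')}" unless numbers.empty?
  reasons << "helpline keyword phrase" if HELPLINE_PHRASES.match?(body)
  reasons.size >= 2 ? reasons : []
end

def spam?(body)
  !spam_reasons(body).empty?
end

# Check edits too: the decisive signal in the recording is that the edit
# adds contact details that the original body did not contain.
def edit_adds_contact?(old_body, new_body)
  (phone_numbers(new_body) - phone_numbers(old_body)).any?
end

# Constructed event stream mirroring the session (not real log data):
# a topic created with gibberish, the same post edited to carry the
# payload, and an innocent post that happens to contain a 10-digit number.
SESSION_EVENTS = [
  { action: "create", post_id: 1, body: "asdkfj lkqwe zxcv" },
  { action: "edit",   post_id: 1, old_body: "asdkfj lkqwe zxcv",
    body: "(-9234567890(@)8823456789\n]=Call. Rupee Quick Loan App Customer Care Helpline Number)" },
  { action: "create", post_id: 2, body: "My order 1234567890 arrived, thanks for the quick support." },
]

# Evaluate every create and edit event; returns the post ids that should
# go to the review queue, each listed once.
def posts_to_review(events)
  events.each_with_object([]) do |e, flagged|
    suspicious = spam?(e[:body])
    suspicious ||= e[:action] == "edit" && edit_adds_contact?(e[:old_body], e[:body])
    flagged << e[:post_id] if suspicious && !flagged.include?(e[:post_id])
  end
end

puts "posts to review: #{posts_to_review(SESSION_EVENTS).inspect}" if $PROGRAM_NAME == __FILE__
```

Running it flags only post 1, and only at the edit: the gibberish create passes, and the innocent post with an order number passes because it carries no helpline phrase. The point is where the check runs, not the regexes, which any spammer can route around; hooking it on edits is what catches this particular sequence.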
Add a reply
Spam Guy then replied to his own post with yet another copy of the payload:
Since he edited a post, he got the Editor badge with a new notification. So he tapped on over to see what that’s all about:
Post again in another category
After a bit more exploring, Spam Guy started a new topic in the Documentation category:
Given this guy has been spamming Discourse sites, he might have noticed that some sites allow duplicate titles if they are in different categories.[5] It doesn’t matter, though, since he used the same title with a few random letters appended:
Same text, but a vector stock image:
Hitting a rate limit in replies
Now Spam Guy adds a reply and hits a rate limit:[6]
Helpfully, PostHog shows when a user goes inactive for a bit:
But not long enough:
And 3 seconds later:
2 seconds after that:
And again:[7]
He saw this message again, so it was almost a relief to see he finally got his (spam) reply posted.
Final topic
I won’t show this in detail, but Spam Guy added another topic in the Reviews category. It’s a category I created to test the review plugin I wrote. This time he was rate limited and tried again with 8, 4 and fewer than 3 seconds left. Instead of his payload, it was gibberish again. Again he edited the title and, separately, the body of the post. He used another vector graphic of a woman at a call center. He pasted in a reply and was rate limited yet again. After scrolling through to check his work, he was gone.
What I learned
This session took 4 minutes and 33 seconds to create three spam topics with replies. I checked my notifications 4 hours later and deleted the user and the spam after 39 seconds of investigation:[8]
I tend to think of spam as coming from scripts, but this was clearly a human interaction. Rate limits didn’t stop the spam, they just slowed it down. It’s not worth adding more limits, or at least not given how infrequent spam is on my site. I was glad to be a human in the loop, but there are sites out there with visible spam simply because the people who set up the site haven’t seen it yet and there aren’t enough users to self-moderate.
PostHog session recording is a wonderful tool for understanding what stands in the way of users accomplishing their goals. You can see the moment someone gives up on reading a post or struggles to find something in the interface. The utility for a designer is obvious, but it’s also useful for a community manager who wants to observe the accessibility cost of increased security. It can also be an inexpensive alternative to usability testing.
[1] Spam is usually seen as a bad thing in communities. It is, if you let it hang around. But spam means that someone out there thinks your site is a valuable vector of information, which is actually a good endorsement.
[2] PostHog has a feature for sharing session recordings and embedding them on a public site. To make embedding work on Discourse, be sure to add https://us.posthog.com/ (or the corresponding host for your PostHog region) to your allowed iframes setting. By default PostHog keeps recordings for a month, but you can save them to a playlist to keep them around longer. I’m going to save this recording as an animated GIF so that I can keep it indefinitely, but it won’t have some of the useful features the actual recordings offer. (Please comment if the embed stops working!)
[3] Stack Exchange sees this happen at much larger scale. It boggles my mind.
[4] Numbers changed to avoid spamming my own site.
[5] See the allow duplicate topic titles category setting if you want to allow that on your Discourse site.
[6] It’s the rate limit new user create post setting, which defaults to 30 seconds.
[7] You get “a few seconds” instead of an actual number if you have less than 3 seconds left to wait.
[8] This is a bit of a lie, since the user wasn’t deleted due to this bug. But I clicked the button that would ordinarily fix the problem 39 seconds after visiting the site, according to the session recording.