Mar 5, 17 / Ari 08, 01 17:10 UTC
Persistent abuse - Moderator / Admin attention required
I would like to draw your attention to the following:
[MOD EDIT] [DELETED SPAM LINKS] Alan Player 7 March 2017 @ 23:18 AEDT
Notice any similarities? Took them a little while to get it with the markdown, but it became more uniform. I would not be surprised if that's the same person/team. There is a clear trend and similarities. There are more in the dead thread bin, but those are the easiest to group. This indicates the banning isn't an overly effective method. The persistence suggests that so far the message you've sent is: Easy target.
Continuing to do nothing about this will not solve the problem; this will get a lot worse unless you act soon. Ideally there are changes on the system side that can make this easier for you by removing a lot of it before it can be posted, and flagging up anything it's "not sure" about so you don't have to be digging for it. But minimally, for now, some activity on your part should be required.
Yes, removing this content from public view and banning the user are both good moves - but this should not be the extent of the activities. Especially for a persistent offender it will be insufficient. In the realms of fighting software or teams, part-time moderation/admin will lose; constant and vigilant coverage is required and you people have lives to attend to - a bot is relentless. Luckily automated systems have not been adapted to your registration and posting process. It will not be much longer, I assure you. However, should the current staff more aggressively pursue such events - clear signs to apply such behaviour would be clearly criminal activities, and obvious lack of intent for Asgardia as anything other than an advertising platform - then it's possible to get the message put out there that attempts to leverage our citizens as a harvestable source of income will result in cost instead.
This is achieved by taking away their toys, urinate in their cornflakes. In the case of residential services, this will represent a direct inconvenience. In the case of rented services, this can get expensive when their $350/month server is ripped from under them with no refund two days into its use and additional charges of $120 for dealing with the abuse report and $80 per spam message that left their systems. Diligence in this action can make it economically unfeasible to pursue using this as a spam platform, and any attempt to do so is going to directly result in removing money from criminal enterprise.
I sense you shall be ill equipped in terms of access rights to get at the system logs - and these are the preferred citation of user abuse from people running the services these criminals and those like them use, as this can then be confirmed against their own logs - but timestamps and timezone can be enough sometimes if they know what protocols they are looking for, and have a target address (HTTPS, https://asgardia.space/). I generally assume you have access to the user's IP but I would not be surprised if such simple moderator/admin functionality is absent. If you do not have access to this, then gaining access - for signup IP and posting IP - I suggest be made a priority.
The IP should be able to tell you who the service provider is. If you don't have an operating system that comes with something like jwhois or are unable or unwilling to install such basic admin tools then your favorite search engine can provide. If one was to paste: whois 8.8.8.8 into your terminal emulator or search engine of choice it should return that it belongs to Google (specifically, it's their public DNS). Of interest in the whois results would be OrgAbuseEmail: network-abuse@google.com
as this is the department specifically set up to handle abuse of their systems - and stopping it from their end. If you review the company's ToS and AuP (almost all have these prominently published), they have a de facto responsibility to stop abuse from their end, and this is reflected in the ToS.
Should abusive posts have arrived from there, an email to that address with log evidence - or a copy and paste of the post, with timestamps (and indication of timezone) - indicating it arrived via HTTPS to asgardia.space, citing which clauses in their ToS/AuP have been violated, should result in rapid termination of the service for the offender.
In the cases highlighted in the opening paragraph, specific criminal activity is offered. Even better, parts of that network appear to be operating in the jurisdictions of law that can apply most heavily to these crimes. Being responsible, this cannot be simply ignored - the outcome of that is they simply try again with slight variation. Each attempt maximises exposure and increases chances a citizen will mistakenly think it's something trustable to click on.
The body of the message offers passports for a lot of countries - they should all have offices that deal specifically with the problem of fraudulent documents in circulation, as per ICAO guidelines - building good relations with these bodies is an incredibly good idea, for when we have such a body, we would want them telling us if they found someone producing our passports. The same goes for currencies and other fraudulent materials. Other crimes have specific departments; which LEA you'd need to direct it to would be on a case-by-case basis, and the area the crime was committed from is usually a clue as to where this should be directed.
Otherwise the body of the message has other clues - other things that map to IDs on other services - the email address, the phone number - the ToS/AuP on these other services likely do not condone or tolerate illegal activities, either, and on suspicion of such will revoke service access pending investigations. More things can be made awkward for them and wherever possible cost them the most amount of money you can. Once you cost them thirty grand a week and they never get anything back they tend to try fishing in another pool.
If you wanted to be extra fancy, you should get yourselves a copy of Maltego. You should be able to collaborate on a file, simply input the source of the attack and several features that define it. You can then link the attack to the service, and over time various features of various attacks will have patterns that will allow them to be grouped, and a larger picture of what you're against can be drawn. Something like: http://morrigan.armed.me.uk/Linked_attacks.png or http://morrigan.armed.me.uk/Linked_attacks1.png, which is a slightly zoomed in image of the same picture. As Maltego is an OSINT tool, it should also allow for gaining more information when you start getting nearer valid identities, and maybe enough to get near identities if they are careless with their information. If you look at the first picture, I only really input IP address (yellow), username (turquoise), email (cyan) and spam body (purple), per "entity". The software found the rest of the data for me, with a single click.
Reason: typo. removed links to spam posts
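
The abuse-report workflow described in the post (find the provider's abuse mailbox in the whois output, then cite each post with an unambiguous timestamp), as an added example that is not part of the original post. The whois text, the 203.0.113.7 address, the example.net mailbox and all function names are constructed for illustration; `abuse-mailbox` is included as an assumption for registries that use that field name instead of `OrgAbuseEmail`.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of ARIN-style whois output (documentation address range).
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
OrgName:        Example Hosting (constructed)
OrgTechEmail:   noc@example.net
OrgAbuseEmail:  abuse@example.net
"""

# Field names that carry the abuse contact; OrgAbuseEmail is the one quoted in the post.
ABUSE_FIELDS = ("OrgAbuseEmail", "abuse-mailbox")

def abuse_contacts(whois_text):
    """Return the abuse mailboxes found in whois output, in order, de-duplicated."""
    found = []
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ABUSE_FIELDS:
            addr = value.strip()
            if re.fullmatch(r"[^@\s]+@[^@\s]+", addr) and addr not in found:
                found.append(addr)
    return found

def to_utc(local_str, utc_offset_hours):
    """Convert a forum-local 'YYYY-MM-DD HH:MM' timestamp to an ISO 8601 UTC string."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.strptime(local_str, "%Y-%m-%d %H:%M").replace(tzinfo=tz)
    return local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%MZ")

def build_report(source_ip, whois_text, posts, target="https://asgardia.space/"):
    """Compose (recipients, body); posts are (local_time, utc_offset_hours, excerpt)."""
    recipients = abuse_contacts(whois_text)
    if not recipients:
        raise ValueError("no abuse contact in whois output; check the registry's web whois")
    lines = [f"Source IP: {source_ip}", f"Target: {target} (HTTPS, TCP/443)",
             "Violated ToS/AuP clauses: <fill in from the provider's published policy>", ""]
    for local_time, offset, excerpt in posts:
        lines.append(f"{to_utc(local_time, offset)}  {excerpt}")
    return recipients, "\n".join(lines)

if __name__ == "__main__":
    # Constructed post entry; AEDT is UTC+11.
    to, body = build_report("203.0.113.7", SAMPLE_WHOIS,
                            [("2017-03-07 23:18", 11, "[spam post text, links removed]")])
    print("To:", ", ".join(to))
    print(body)
```

Normalising every timestamp to UTC lets the provider match the report against their own logs without guessing the forum's timezone.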