Yeah, these types of spambots are difficult to deal with. They are usually specifically tailored to the site and are designed to read through specific reddit forums with certain keywords and such in mind - some may even look at post engagement - and take a copy of the post and title. It will then come to this site, follow the process of account creation and then make the post. It will then wait a randomised amount of time and come back to edit the post, to insert the malicious link at a randomly determined part of the post.
The thing about it is, the "spam detectors" are decent at standard crawler-bots, but these ones we're discussing are targeted. Some people came to the site, made accounts, testing everything, got all links, checked all code they could, and made a bot system specifically for exploiting this site. There's even been "chat bots" - no malicious links or anything, just makes replies - the purpose of these is testing the human side of spam detection. I noticed some, reported them, they went away and all bot stuff died down. And now we're getting more again. And we probably always will - it will ebb and flow.
This method often gets through most spam detection because there's no way for a system to truly differentiate between a normal user who creates an account and a bot. Even the "are you human?" checkbox can be easily bypassed by a bot tailor-made for a site. Even those ones that are "select the right images" can still be fooled without too much difficulty given the availability and improvement of AI and image recognition.
Since some people do, genuinely, create forum accounts specifically to make a post, it will be difficult to make an automatic way of detecting these spambots and differentiating them from genuine real people. Autoflagging may prove problematic too.
Unfortunately, we will always get some coming through for as long as D&D Beyond remains popular and the best method we have is for people to recognise them, since we can do so better than any automatic system, and report/warn as necessary.
Click ✨ HERE ✨ For My Youtube Videos featuring Guides, Tips & Tricks for using D&D Beyond. Need help with Homebrew? Check out ✨ this FAQ/Guide thread ✨ by IamSposta.
My work regularly employs email bots to test staff for their ability to recognize potential phishing or malware attempts. DDB could fight the bots by using the bots. :P
Click a link found in one of their posts and it takes you to a DDB page that basically says "You just failed an insight check in detecting a bot. This was a simulation but had it been real, well... let's not think about what would have happened had it been real. Or maybe do, so you don't make the same mistake in the future."
That sounds a little like the origin story of the robot uprising. Like they band together and decide they don’t need us anymore.
So we can as users show admin and the mods the problem, but we really can not stop it?
The first organized attempt to stop email spam was in 1996. Email spam is still with us. No-one has ever come up with a means of stopping spam that doesn't also stifle legitimate discourse.
This is how the world works. As common sense dictates, no enforcement body, be it an internet moderation team or a police force, can function effectively without community reporting. Those who enforce the rules are not all-knowing and they are not always present and thus rely upon users hitting the report button or calling 911.
Accordingly, it does fall on users to be part of the solution—users need to be able to identify and report problems and they need to know enough to mitigate their own exposure to harm during the period before the moderation team can respond. This is just the reality of the world we live in—and a reality you already know, as someone who was not born yesterday.
For DDB, they could probably catch the vast majority of them by having the system auto-flag any account that posts to the forums without ever using the character builder.
The problem with this is that it would turn a lot of people away. I didn't try the character builder until a month or two of being here. I originally came because of the Essentials Kit, and my initial posts were to ask about DDB (particularly about the book formats) and game rules. I wasn't overly interested in the character builder and only tried it later when I realised that I had an additional three adventures here.
If I'd been flagged as a bot and stopped from posting, I probably wouldn't have stayed and DDB would not have taken my money.
That said, to stop the bots, you have to make it not worth their while. Stopping them from getting marks to be baited into clicking their links is the main thing. Another thing Modiphius does, which is more of a viable measure, is the prevention of editing for new accounts. Once a certain level of interaction is reached, that privilege is granted, but until then, none of this nonsense of posting scraped posts then editing them to retcon them into spam.
Doing so reduces the return on making the bots. Starve them of marks and eventually people stop bothering.
If you're not willing or able to discuss in good faith, then don't be surprised if I don't respond, there are better things in life for me to do than humour you. This signature is that response.
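The edit restriction described in the post above, combined with the post-then-edit pattern described earlier in the thread, sketched as an added example (not part of the thread, and not D&D Beyond's or Modiphius's code). The thresholds, field names and decision labels are assumptions, and the sample posts are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed thresholds: the thread only says "a certain level of interaction".
MIN_APPROVED_POSTS = 5
MIN_ACCOUNT_AGE = timedelta(days=7)

URL_RE = re.compile(r'(?:https?://|www\.)[^\s<>"\])]+', re.IGNORECASE)


@dataclass
class Account:
    name: str
    created: datetime
    approved_posts: int  # posts that were not removed by moderators


def extract_links(body: str) -> set[str]:
    """Return link targets in a post body, normalised for comparison."""
    links = set()
    for raw in URL_RE.findall(body):
        link = raw.rstrip(".,;:!?").lower()        # drop trailing punctuation
        link = re.sub(r"^https?://", "", link)     # scheme does not matter here
        link = re.sub(r"^www\.", "", link)
        links.add(link.rstrip("/"))
    return links


def is_trusted(account: Account, now: datetime) -> bool:
    """Editing is unlocked only after enough age and enough surviving posts."""
    return (account.approved_posts >= MIN_APPROVED_POSTS
            and now - account.created >= MIN_ACCOUNT_AGE)


def review_edit(account: Account, original: str, edited: str,
                now: datetime) -> tuple[str, set[str]]:
    """Decide what to do with an edit; also return the links it adds."""
    added = extract_links(edited) - extract_links(original)
    if is_trusted(account, now):
        return "allow", added
    if added:
        # New account retrofitting a link into its own post: refuse the
        # edit and put the account in the moderators' queue.
        return "reject_and_flag", added
    return "reject", added  # editing simply not unlocked yet


# Constructed sample data: a scraped-looking post and its later edit.
ORIGINAL = "What is your favourite low-level spell? See http://www.dndbeyond.com/spells."
EDITED = ("What is your favourite low-level spell? I found a great list at "
          "http://shop.example.invalid/deal. See https://dndbeyond.com/spells/")

if __name__ == "__main__":
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)
    fresh = Account("fresh", now - timedelta(hours=3), 0)
    regular = Account("regular", now - timedelta(days=400), 40)
    for acct in (fresh, regular):
        print(acct.name, review_edit(acct, ORIGINAL, EDITED, now))
```

The link comparison ignores scheme, `www.` and trailing slashes, so re-saving a post with a cosmetically different but equivalent URL does not count as adding a link.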
I want to preface this that I'm speaking outside my role as a moderator and more from my previous experiences in related fields;
Something I want to point out when it comes to stopping bots (and non-bot malicious posters) is the 'arms race' that comes about. With every bot counter-measure the mod team could introduce, eventually it will be overcome; either by adapting the bots, or introducing a human element. This is an inevitability because the ROI on improving these bots is very high.
Now, you may think I'm saying "Oh, it's hard so don't bother" which would be a valid interpretation. But that's not what I'm saying.
The point I'm making is "keep the bots simplistic so they're easy to spot and this will keep the community safer"
If you drive up the complexity of the countermeasures, you drive up the complexity of the spam. If you drive up the complexity of the spam, you make it harder for a layperson to spot. This means it's more of a risk to the community. In fact, this new trend is just that, a new step of complexity that is harder to spot than previous versions of spam. I've fallen for it myself. Ultimately, if you treat counter-bot measures as an arms race, you may very well make the problem worse without any possibility of actually solving it.
Honestly, my guess is that the bots will be bolstered either way. And bots that are more complex on bypassing filters or other stuff - and I've seen some pretty obvious junk get past some filters here, so I dunno what the filters are - are not necessarily better at being more human, but instead at bypassing whatever complex and wacky security regulations have been made to place the automated goobers behind some shiny digital bars.
Likely, adding more systems to prevent this will actually deter whoever's making and updating the robots' code: After all, why would someone bother scratching their head and spending hours on bypassing complex codes here if they can just go over to Twitter X and harm a much broader audience with a modicum of this level of work? Additionally, when they're updating the bots to loop around the security, then they'll have less time to make the robots more humanlike and might ultimately not have the expertise to keep preying on the users here.
I have less experience on this - well, I actually have about no experience on this - so I appreciate your input. However, it would be nice if you could at least pass on this feedback to the higher-level Wizards in charge of the Coast, and they might reach the same conclusion as you but I hope they at least are in charge of making the conclusion (haha, see this wordplay!). Anyways, at a minimum, this thread ought to be pinned.
BoringBard's long and tedious posts somehow manage to enrapture audiences. How? Because he used Charm Person, the #1 bard spell!
He/him pronouns. Call me Bard. PROUD NERD!
Ever wanted to talk about your parties' worst mistakes? Do so HERE. What's your favorite class, why? Share & explain HERE.
After all, why would someone bother scratching their head and spending hours on bypassing complex codes here if they can just go over to Twitter X and harm a much broader audience with a modicum of this level of work?
Because of the fungible nature of code developments. Once you've developed a bypass system for one type of anti-bot measure, you can employ that bypass anywhere that uses a similar countermeasure. If you instead just hop from vulnerable target to vulnerable target, you'll eventually exhaust your pool and have to do the work anyway.
For DDB, they could probably catch the vast majority of them by having the system auto-flag any account that posts to the forums without ever using the character builder.
The problem with this is that it would turn a lot of people away. I didn't try the character builder until a month or two of being here. I originally came because of the Essentials Kit, and my initial posts were to ask about DDB (particularly about the book formats) and game rules. I wasn't overly interested in the character builder and only tried it later when I realised that I had an additional three adventures here.
If I'd been flagged as a bot and stopped from posting, I probably wouldn't have stayed and DDB would not have taken my money.
That's why I said flag, not ban, which seems to not have been clear. Telling the moderators to check your post to see if you're human. My assumption (which may not be true) is that it'd get relatively few humans, because the main appeal of this site is the tools, not the forums.
That said, to stop the bots, you have to make it not worth their while. Stopping them from getting marks to be baited into clicking their links is the main thing. Another thing Modiphius does, which is more of a viable measure, is the prevention of editing for new accounts. Once a certain level of interaction is reached, that privilege is granted, but until then, none of this nonsense of posting scraped posts then editing them to retcon them into spam.
As I understand it, this is not usually about getting people to follow links. It's about google juice. It might be about google juice for malicious links, but they don't necessarily care if anyone here follows it.
Just as a counter-example, I rarely use the tools here. I play in person with my family and have only had a little tinker with the character builder for fun. I joined to be able to view the 1D&D UA and now participate in the forum.
The point I'm making is "keep the bots simplistic so they're easy to spot and this will keep the community safer"
No, really, it won't. Spammers' success metric isn't "got through security", it's "link actually followed", so if making the bots harder to spot improves response rate by enough to justify the extra work they'll do it whether or not automated spam detection gets better.
After all, why would someone bother scratching their head and spending hours on bypassing complex codes here if they can just go over to Twitter X and harm a much broader audience with a modicum of this level of work?
Because of the fungible nature of code developments. Once you've developed a bypass system for one type of anti-bot measure, you can employ that bypass anywhere that uses a similar countermeasure. If you instead just hop from vulnerable target to vulnerable target, you'll eventually exhaust your pool and have to do the work anyway.
Fair enough, but I doubt DD&B uses the exact same methods with the exact same workarounds as other sites. If that's the case, there might be an issue. And the goofy goober who's programmed these Reddit spam monsters doesn't seem like a tech genius to me, so I think we can probably stop them.
Anyways, you've only responded to a select section of my post. And could you please pass on the feedback in this thread at least? :)
Well...
DDB is built on the bones of three different open source, long term program sets that I can see. Customized, no doubt, but generally there's a certain limit to that sort of thing. It is a better target from a monetizable position, and at least some folks are able to rapidly take data directly from it and pirate it, so it isn't a strictly proprietary system at all.
Only a DM since 1980 (3000+ Sessions) / PhD, MS, MA / Mixed, Bi, Trans, Woman / No longer welcome in the US, apparently
Wyrlde: Adventures in the Seven Cities .-=] Lore Book | Patreon | Wyrlde YT [=-. An original Setting for 5e, a whole solar system of adventure. Ongoing updates, exclusives, more. Not Talking About It / Dubbed The Oracle in the Cult of Mythology Nerds
I have noticed a rash of these threads over the past couple of days, as well as a number of folks falling for them. Wanted to remind folks to be vigilant, lest you waste your time writing something destined for oblivion.
On the topic of the “arms race” idea, what is stopping them from improving the bots anyways, regardless of whether we actively oppose them?
I noticed this a while ago too.
I've been reporting the posts as I see them. No clue if they're doing anything about them though.
They get vanished every time they appear, and the accounts do not seem to post again, so there decidedly is something being done!