50 Ways to Spot a Forum Spammer
Until the spam appears on your forum's 'latest posts' list, or it's been
weeks since someone joined, filled his profile with URLs and never
returned, you cannot be 100% sure that a new registrant is a spammer
(unless, of course, the details already appear on the SFS Forum Spammer Database).
But a potential spammer has to give you a fair amount of information
before it defecates on your carpet, and there are often clues that
all isn't well with that new member - and I'm not just talking about
the smell.
This article looks at the spammer's application, and what should
make you pause. Some behaviours are so weird that no desirable member
would go there - so we're talking a risk of 7-9 on a scale of 1-10.
These ratings are purely arbitrary, being based solely on my own
experience.
Others aren't quite so weird, but they are common spammer moves,
so it is likely that they aren't here for the beer - spammer risk
5-7 out of 10.
Which leaves the 'slightly odd' behaviours - but if there's a couple
of oddities, you can feel the circumstantial evidence building -
spammer risk 2-4 out of 10.
Once the risk factors build up to 15-20 (out of ten!), then you
shouldn't be surprised to see guano on the carpet.
This article is built on a discussion at StopForumSpam, and I've
credited members who contributed ideas I've used in {brackets}.
Forum Behaviour
Watching the Defectives - Weird behaviour seen
on 'Who's Online' - especially trying to view banned profiles and
removed posts that only a spammer could know about. [SR=9-10]. {MtnVision}
Overall View of the Profile
Paris's New Best Friend - Spends hours crafting
a complete and plausible profile, complete with matching avatar and
profile pic. No URL - but no posts either [SR=8; would be 9, but
you have to allow for the Vanity Clause].
Incontinent - Email account in Europe, IP in Asia,
site hosted in North America, which is a business in Australia.
And he never sent me a postcard! [SR=10].
Headbanger - Most profile fields are just random
characters, e.g. "asdf" - or the URL is inserted all over
[SR=10]. {Dan}
User Names
Silly Name - Spammers using software need unique
names - the last thing they want is to be blocked just because the
username is taken. So they generate silly names [SR=5]; often unpronounceable
[SR=7]{angie}. On the other hand, plenty of non-spammers use silly
names for vanity or to be kewl; and some people happen to have silly
names. So never take this too seriously; just consider it.
Verbal Diarrhoea - Username ends in RH7D (or
any other random set of four block caps). This is beginner-level
xrumer [SR=9]
Dixleslic - Nonsense user names, such as: Fabappeply1962,
Onsalake, PaydayGo,f phyncTibenen, pletcherelz, PymnUnloa [SR=9].
{dmr}
Female Name - Often hides a spammer. This does,
of course vary with your forum topic; it may not apply to line dancing
and knitting forums. {kpatz}
Hairstylist - Their real name is two first names;
e.g. "John David", "CindyAnn", etc. [SR=9]. {kpatz, Dan}
Papillon - Word or name followed
by digits, such as Sandra429 or Join352 may be spammers [SR=7; risk
increases as the digits increase]. {kpatz}
Dead Giveaway - Names with "sale", "mobile", "phone", "invest", "buy",
"backlink" within [SR=9]. {kpatz}
Dot Coming - Guy has his URL in his name [SR=9]
Spelling Bee (or Not To Bee) - Ludicrous mis-spelling
of name; 'Sam Wlikinson', 'Cath Wilsno' [SR=9]. Very occasionally,
this is a genuine choice by a clever dick who couldn't get the right
spelling on gmail, and didn't want to use a number with his name.
Mathematical Manoeuvre - You banned Moron1, so here's
Moron2, Moron22, whatever [SR=10]
A Policy of Diversity - A Google search reveals
the same user name has registered on a large number of forums that
are extremely wide-ranging in subject matter. [SR = 8]. {Sleuthmeister}
Pervert Alert - User name like BigBoobies [SR
= 10]. {Sleuthmeister}
Capital Offense - xJimSmithk, WandrewjohnJ; this is basic xrumer [SR=10].
Goldfish - Banned spammer who still tries to login
(3 or 4 times a week?) using the same username and IP [SR=10]. {somdcomputerguy}
Google Giveaway - Not on the database (yet) but a Google search
for his weird username throws up a G+ spam account. Confirms your
suspicions [SR=9], and you can make his day by reporting him to Google,
too - just a couple of clicks - Google *really* don't like false
names or spam in G+.
Profile Picture / Avatar
Ladyboy Ploy - Picture is an attractive
young woman, but the name, birthdate or other info doesn't match
[spammer risk=8].
Part Time Model - Picture - usually a pretty
female - shows up in foreign
dating sites or in stock photo sites, on tineye.com image
search [SR=9]. {instance}
Email Address
Would-be Prisoner Email - Word or name followed
by digits, such as Sandra429 or Join352 may be spammers [SR=7; risk
increases as the digits increase]. {kpatz}
Username / Email Address Meaningless Mismatch -
for example, username: "Aiya", email: "meelmedallo@gmail.com" [SR=8]. {kpatz}
Dead Giveaway - Email address with "sale", "mobile", "phone", "invest", "buy",
"backlink" within [SR=9]. {kpatz, ynotdebiantomscrap}
Up The Pole Dancer - E-mail
address like bigbouncybosoms at xxxpics dot com [10+]. {Sleuthmeister}
Lost It In The Post - Ludicrous mis-spelling of
email address; 'SamWlikinson@', 'CathWilsno@' [SR=9]. See also Name:
Spelling Bee
G...m.a.i..l....l..+er.s - Registration address
is from gmail and contains silly dots between letters. The more dots,
the higher the risk [SR=9-10]. This takes advantage of gmail's silly
ability to recognise multiple combinations of dots and letters as
the same address, fooling some forums to accept multiple uses of
one address. {krankie}
Fan Mail - Uses your forum name as email (eg stopforumspam@projectsam.net)
- don't be flattered, it just makes his records easier to keep up
to date [SR=8]
Lucky Number - Always registers with the same three
digits before the @live.com/@gmail.com in their email address. I
can't work out why they don't change it, but maybe they got lucky
with it one time. [SR=10]. {angewi}
SpamMason - 15th person to register from one domain
- eg eagleinbox.com - and that site has 'under construction',
broken registration or no (visible) content at all [SR=9].
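
The username and email flags above can be totalled automatically against the 15-20 threshold from the introduction. This is an added example, not part of the original article: the SR values come from the text, while the regular expressions, the three-dot Gmail cut-off and all function names are assumptions.

```python
import re

# SR values are the article's own; the regexes and the dot cut-off are assumptions.
KEYWORDS = ("sale", "mobile", "phone", "invest", "buy", "backlink")
THRESHOLD = 15  # article: expect trouble once the flags total 15-20
CAPS_SUFFIX = re.compile(r"(?<=[a-z])(?=[A-Z0-9]*[A-Z])[A-Z0-9]{4}$")
WORD_DIGITS = re.compile(r"^[A-Za-z]+\d+$")


def gmail_canonical(email):
    """Collapse the dot variants that Gmail delivers to one mailbox."""
    local, _, domain = email.lower().rpartition("@")
    if domain == "gmail.com":
        local = local.replace(".", "")
    return f"{local}@{domain}"


def is_duplicate(email, registered):
    """True if a dotted variant of an already registered address is reused."""
    return gmail_canonical(email) in {gmail_canonical(e) for e in registered}


def score(username, email):
    """Return (total SR, flag names) for one registration."""
    local, _, domain = email.lower().rpartition("@")
    flags = []
    if CAPS_SUFFIX.search(username):
        flags.append(("Verbal Diarrhoea", 9))
    if WORD_DIGITS.match(username):
        flags.append(("Papillon", 7))
    if any(k in username.lower() for k in KEYWORDS):
        flags.append(("Dead Giveaway (name)", 9))
    if WORD_DIGITS.match(local):
        flags.append(("Would-be Prisoner Email", 7))
    if any(k in local.replace(".", "") for k in KEYWORDS):
        flags.append(("Dead Giveaway (email)", 9))
    if domain == "gmail.com" and local.count(".") >= 3:  # assumed cut-off
        flags.append(("Gmail dots", 9))
    return sum(sr for _, sr in flags), [name for name, _ in flags]


# Constructed sample registrations, not real accounts.
SAMPLES = [("angie", "angie@example.org"),
           ("Sandra429", "sandra429@example.com"),
           ("buybacklinksRH7D", "c.h.e.a.p.sale@gmail.com")]

if __name__ == "__main__":
    for name, mail in SAMPLES:
        total, flags = score(name, mail)
        verdict = "review" if total >= THRESHOLD else "ok"
        print(f"{name:18} {total:3} {verdict:6} {', '.join(flags)}")
```

A total at or above the threshold is a prompt for manual review, in line with the article's point that the flags are circumstantial rather than proof.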
IP address / Location
Disoriented - He says he's from Michigan, but his
IP says Mumbai [SR=7]. While some people simply think it's cool to
lie about their home country (or feel deep shame), spammers lie routinely.
Trying the Flag - The location field is just a
country name; usually "USA" or "UK" [SR=6]. {Dan}
Danger Zone - Depending on the topic of your forum,
certain countries present an obvious risk. For example, statistically,
for most forums, the Philippines, Vietnam and China are likely to
be SR=9-10; Pakistan, Bangladesh, Russian Federation are likely to
be SR=9; India, Central Europe are likely to be SR=8. But please
note your mileage WILL vary,
and you will soon learn the risk factors for your forum. {kpatz}
Big City Spanner - The location field is an iconic
city; usually New York, Los Angeles or London. The names of those
places are often misspelled; e.g. "the Newyork", "losanges", "londen" and
the like [SR=8]. {Dan}
User's Home Page
Mobius Move - Profile link is to a seemingly
unrelated person's profile at a seemingly unrelated forum [SR=9].
Living Over The Shop - The 'home page' URL is a
very obvious franchise link (while the email address is off the shelf)
[SR=9].
Spam Gliding - Home page is a long, spammy looking thing, ending in /landingpage.php [SR=8].
Loser - Home page is on a porn, gambling,
debt or pharmaceutical scam site. [SR=10]
Referrer
Pen Pal - A registrant from a far-off land who
apparently has a friend a bit closer to home [SR=7]. {Spectre}
Pen Fiend - Uses a spammer's username as referrer
[SR=10]. {Spectre}
First Post
Time Travelling - His first post is an inane and
pointless response to an old and long forgotten thread [SR=7]. He
might just be an idiot.
Brain Dead - As above, but starts a new thread
to illustrate his mind-numbingly pointless inanity [SR=7]. {angie}
Norwegian Blue - Posts are benign, but simply copy and paste from
someone else; almost certainly a profile spammer [SR=9; if copied
from the same thread, SR=10]
Olympic Sprint - His first post is actually three
or four posts in ten minutes [SR=9]
Forst Gumpishness - Two posts in three minutes; one says 'I'm a
novice, please help' the other says 'I've been doing this for years,
I look forward to helping your members'. Another cut'n'paste specialist.
[SR=9]
Big Bang - There may be no question that's too stupid to answer,
but there are some that are too big to answer. On an SEO forum: "How
do I get my site to #1 in Google", on a philately forum: "I
need to know everything about stamp collecting", on a nuclear
physics forum: "What was the big bang all about?" [SR=8].
This may be a troll, or an idiot - but there's a good chance it's
a spammer, taking advantage of everyone's tolerance to novices, to
avoid being deleted and banned. Either way, it's a waste of oxygen.
Squatter - Starts by welcoming new members as if
he'd been there forever, or claims to know other members really well.
May be an idiot or a troll, but maybe a spammer trying to avoid deletion
[SR=7]. {Maikuolan}
Boy Scout - First post is good-deed-for-the-day
posting of a 'great resource'. If it's a genuinely good resource,
then it all depends on your forum's link policy [if it isn't, then
SR=9].
Cub Scout - First post is good-deed-for-the-day
posting of a 'great resource'. But it starts with "Hey Guys,
I just found this great site..." and it's the one in his profile.
[SR=9].
Tag Team Leader - First post is a question that
can only be answered by citing a web site. Particularly suspicious
if it's a very mundane and silly question, that would have been answered
by simply reading other posts in the forum [SR=7, but rises to SR=9]
if rapidly followed by:
Siamese Twin - First post is a reply to the
Tag Team Leader's question, citing a suitable site - but usually
not the best one; for example, cites a blog that discusses the issue,
rather than the source site. [SR=9]
Disclaimer
Please Remember that none of these are proof positive,
merely flags. And some would disagree with some of the Fifty Ways:
{Thyme Lawn}, for example, challenges FanPost - uses your forum
name as email, pointing out that some genuine users will do
that (or something similar) to make it easier to filter incoming
messages and identify who has leaked personal information when
an email address is spammed. And he's supported by {somdcomputerguy},
who does that for just about everything he has to supply an email
address for.
Point is, your experience (and your spammers) may be different;
this article is intended to help you weed out spammers, but ultimately,
you have to make the judgement, I can't!