Ask HN: Who runs the spam bots? And why?

15 points by preciousoo ↗ HN
Mostly thinking out loud here, but this is the best place I know to ask about things like this.

Ive been on the internet for a while and one thing that’s stayed consistent are the chat bots. From large social media to forums for friends only, the bots will come. I’ve always theorized about who runs them and why. From running my own web server and seeing logs, I figure they find forums the same way they find vulns, by crawling for forum software signatures.

But why? What is the return on this kind of enterprise? Why do large social media platforms have such a hard time finding and banning them?

From my knowledge of how gaming admins run things, they don’t instantly ban cheaters on detection, but do random waves, as not to give information away.

But some platforms have had bots for years! Twitter has had a huge bot problem basically forever, and the bots have gotten bolder and more diverse since Elon took over. There are the verified LLM powered bots (again, how can they afford to spend money on a Twitter and LLM agent, while still getting decent returns? They’re usually onlyfans bots so I assume they get good returns, but what’s the scale?)

Then there’s the low effort scam/porn/ad bots, who mostly tweet in similar manners. They’ve become such a meme that an official Twitter account made a tweet in the same manner as the bots!

Facebook in the same vein, had a “love spell” bot problem for a year+, they’ve only recently got rid of them. But for a year!!

I’ve also seen those love spell bots move to niche forums I spend time on. Again, why? Who is the target audience? What are the returns?

11 comments

[ 3.1 ms ] story [ 37.9 ms ] thread
And why do social media platforms have such a hard time banning them?
I’m not sure they do. I think some platforms are eager to onboard as many people as possible quickly. Those that aren’t so keen have very minimal spam.
Its a constant game of cat and mouse with most things of this nature; ad blocking, spam/scam bots, etc.

Admin finds a particular string of scams, adds it to their checker. Scammer gets blocked. Scammer changes wording, starts again. Rinse, repeat. Add to that, that many sites are not designed in ways that prevent signing up multiple times, and you get the ability to create botnets with ease.

Also, spam accounts for -so much- traffic and posts, that companies would lose large portions of their userbase by just blasting every scam/spammer away in one go, which looks bad (in their eyes).

Not-so-fun fun-fact: Spam email accounts for 45-51% of all email transit.

While mail is pretty low byte count, simply killing all spam mail would leave places like google mail with half their infra unused, which again, might look bad in their eyes

I always assumed that the "hard time" was fictional. That is, social media platforms could find and ditch bots easily, but there's some benefit (probably monetary) to the platform. I suppose the benefit could take the form of a bribe of the Right People.

I've thought this ever since it was revealed that Uunet had a high dollar contract with Serdar Argic's humans. Later we found out Uunet had many pink contracts with spammers.

I believe a lot of early ISPs has such contracts.

This doesn't answer why, or how spammers and bot herders make money, though.

They're trying to get you to open a file or click on something to run a zero-day exploit so they can hack your system.
Burning a zero day on an internet spam bot sounds even more insane! Theres no way they make any real money doing that, especially when there are valuable diplomats/large corp execs to target
ok, replace zero-day with unpatched. Plenty of people running old OS.
It’s just money, same as advertising. 1 in X impressions results in a click, action or something.

If it is, in aggregate, basically free to splash your message all over the internet and generate X impressions, then you’ve got a click/action/whatever.

So now you monetise that click: you sell the clicks to a third party who attempts to compromise the users with some packaged n-day exploit system, or buy one yourself, or do something else malicious. Or if they are really stupid just try and sell them crypto.

Once they have “converted”, bundle the data up (CCs, creds, data, whatever) and sell that on. Rinse and repeat.

This makes a bit more sense. I just can't see anyone clicking on these obvious scams, especially when they show up over and over. But who knows, if they're persisting there must be some profit
Never underestimate idiots in large amounts. It's a matter of "when", not "if".
I’d love to understand the economics of stock pump n dump bots