Sunday, March 22, 2015

The Ayatollah's Spam Bots

I noticed a few hours ago a rash of spam bots on Twitter promoting Ayatollah Khamenei's letter 'To the Youth in Europe and North America' while searching for something which would seem to be completely unrelated. The bots appear to be using the reasonable hashtags #Letter4u and #LetterForAll in every tweet along with a mixture of completely irrelevant (and nonsensical) ones such as #CNN, #Canada and #StandWithIsrael, and a photo with a quote from Khamenei. In every tweet there is a shortened link which redirects to Khamenei's website and the letter.



The bots seem to be on some sort of cycle where accounts post a pattern of tweets in a particular order.


There are hundreds if not thousands of accounts, most of them with over 10000 tweets. Twitter has a limit of 1000 tweets per day, and the accounts seem to have been created with this in mind.

Many of the accounts use fake photos taken from a variety of places. Some of them show celebrities, while others journalists or other media personalities.



.@AndrewWrites thought you should be aware of this: someone using your photo and spreading pro-#Iran govt propaganda pic.twitter.com/2BXUdBZSR5
— Morgan Carlston (@MorganCarlston) March 22, 2015




As far as I can tell, the bots started around 10 days ago and have continued tweeting incessantly. The timing makes me think that this is in response to the letter from the 47 GOP senators, but as Holly Dagres noted in early February of this year, something similar happened on Instagram with spammed photos and quotes and hashtags. Perhaps it is just a coincidence, but I believe there is a connection to the letter.


UPDATE #1: Some of the hashtags used by the spam bots (in addition to #Letter4u and #Letter4all). From my count that is 67 hashtags co-opted by the spam bots (not counting the 2 'letter' ones). They appear to repeat every hour or so on a loop.






































UPDATE #2:
Quite a few of the accounts sending the spam have been suspended! I've been on a mission tweeting to people whose photos were used by the attackers, and it looks like at least quite a few of the fake accounts are suspended. Twitter searches for "Iron Dome" and "Stand With Israel", "Netanyahu", #GazaUnderAttack, #CharlieHebdo, and #JeSuisCharlie don't result in hundreds of spam tweets anymore. Unfortunately hashtags like #BBCNews, #AFP, #IslamicState, are still clogged, but kudos to Twitter and the support folks for finally doing something about this obnoxious nonsense.

UPDATE #3:
There is a new set of spam bots that has been operational for just over a week which I'd not seen yet.

They also link to some youtube videos, and a file at 4shared.com which is apparently owned by someone who is named here. The name again seems to be a fake.



They use an entirely different set of hashtags including:















I hope that Twitter does something about this parallel set of spam bots, and if this is a real name they are dealt with appropriately.

UPDATE #4:
All of the spam bot accounts that I have seen are suspended! I've tried searching for all the various hashtags and nothing shows up. Hopefully this is permanent and the spam bots don't start up again.

UPDATE #5:
The bots are back in town


UPDATE #6:
More bots
they appear to be using some strange service or hack to post these tweets. usually TweetDeck will tell me what app or site the user is using to post their tweets (so here is my tweet showing I use TweetDeck). When something like this showing "TweetDeck" or "Twitter Web Client" shows up, the text is a clickable link. These clickable links either don't lead anywhere or they redirect to sites that have invalid security certificates. 

UPDATE #7:
The bots are still going and Twitter doesn't care. Just counting these 10 accounts there are close to 900k tweets now (this screenshot was taken a few days ago and each bot posts just under 1k tweets per day)

Including this other account which I neglected to include there are over 1 million spam tweets. I find it strange that they wouldn't care about halting this.

UPDATE #8:
The bots have evidently ceased tweeting. They appear to be still active accounts and not banned or suspended, but none of the ones I am familiar with have tweeted in 15 hours. Hopefully this is the end of the plague, but they've proven malleable and capable of change so I am not too optimistic.


UPDATE #9:
Khamenei released another open letter, and coincidentally an inordinate number of bots started tweeting his nonsense. The letter was released yesterday, and the bots started tweeting immediately. The patterns of tweeting are different (it seems one account will send around 10 very quickly, and then another account will emulate this), but the fact that they are also using a service spoofer, and they seem to have started tweeting this letter almost immediately makes me think there is a connection to the regime. There are still some incompetencies including broken hashtags, but they are using mostly photos of people that appear to be moderately realistic (compare to the last set where there were photos of an Orthodox Jew tweeting Islamist rhetoric). 






Lastly the profile pictures do appear to be stolen, though as I mentioned they are much less suspicious than previous versions. 

At the same time, it appears as though several Iranian (and non-Iranians) journalists that had tweeted about the Ayatollah's letter have been suspended by Twitter per Iranian government request? At the same time Twitter ignores this same government's spam bots abusing its service? 

UPDATE #10:
Another weird development. It appears as though the spam continues, and the spamming accounts are not blocked, but their spam tweets aren't also showing up and searching for the hashtags used results in no results. To test this, I tweeted with the #Letter4U hashtag and it did show up in the search results. I also tried this with #CommonWorry and a similar thing happened




UDATE #11 (12/15/15):
Another strange development. A series of bots tweeting in Dutch about Khamenei's letter. This group has between 7000 and 63000 followers, follows 18-63 accounts, has tweeted 138-163 times (as of this update), and has 'liked' 71-79 tweets. They are all using the same service spoofing methods as previous bots. I am curious why they chose to tweet in Dutch and if there are parallel set-ups in other languages. I would suspect that the followers are bought. 




accounts used: QuyhgMelton
RebeccaOyiuhjy
NneitensteinAa
MikDean201
RarickR16
QoscarUrian
mui_rebecca
Second group:
PeterStekiel
Ania_Niedieck
Nina_Braun12
B__Muller
OY123121

Taking names and photos from different accounts to create spam accounts

UPDATE #12 (12/16/15):
I found some German spam bots tweeting about the letter: 
kluge_diana
ZManuela2
DuerrJurgen
mahler_stefanie
eric_wagner0
donnacasshrist1
flix_schulz
KrugerRobert5
tracyspeterson

They have very different metrics than the Dutch set. Namely, less followers and more tweets. 


UPDATE #13 (12/16/15):
More bots, posting graphics about Khamenei's letter, or terrorism or whatever. Using trending hashtags in all different languages.
Also the bots have figured out how to get past Twitter's filtering of the #Letter4U and #CommonWorry hashtags





UPDATE #14 (12/21/15)
The bots from Update #13 have been suspended, while the bots from Update #12 ceased tweeting 6 days ago.
However, another set of new bots with quite a few followers have emerged. These look like the most sophisticated by far, even though they clearly are bots. They tweet without links or photos at times, and do so in a way that makes it seem as though they are real users. It is clear they are not because these bots copy each other verbatim. These changes appear to have fooled whatever basic filter Twitter's staff implemented to mute them. The bots tweet in at least 2 languages, and I would suspect they use more than just these two. As the last 8 months have demonstrated Twitter has no interest in stopping regime sanctioned spam bot floods, while they BANNED Sputnik_INTL a clearly marked parody account mocking the "news" org Sputnik. Curious that their actions have supported Russia and Iran... 






UPDATE #15 (12/22/15):
There is now a group of MeK bots tweeting and retweeting each other about Iran regime abuses and various other current affairs news. They are also using the #Letter4U hashtag sometimes which the filter put in place by Twitter is incapable of catching. The bots link to an MeK site where news stories (or propaganda) are hosted. These are often taken verbatim from other sites.


UPDATE #16 (02/05/16):
The author and journalist Azadeh Moaveni wrote for Foreign Policy about attempts from Iranian intelligence to entrap her and to also get advice on how to promote the #Letter4U campaign. There clearly are major deficiencies in the execution of the outreach program. I also stumbled upon a bizarre group that set up a booth at Wayne State University near Detroit (and Dearborn, Michigan) to promote the Ayatollah's message and letters. This group seems to be affiliated with a Canadian NGO. It is unclear if any laws are being broken by promoting Iran regime propaganda, but they've not seem to gained much attention so far so I would assume its not of great concern at the moment.