Who is the Fake Diploma Forum Spammer? (dyellihhi001)
On my previous blog, I had written several times about a bot that posts spam all across the internet, especially on forum sites. The YouTuber Barely Sociable had done a video about this bot/person in 2019: The Fake Diploma Forum Spammer – Internet Oddities.
While spam is obviously not uncommon, particularly in email form and on social media sites, the strange thing about this bot is that it seems skilled at getting past captchas and other forms of verification. Here are a few of the sites on which the bot has posted:
Retrohealth: fake diploma posts
Wiscobrews: fake diploma posts
As Barely Sociable points out in his video, many of the bot's forum posts are related to fake diplomas, and are written in Korean. According to some sources, fake diplomas are a particularly lucrative type of crime in South Korea, where there is a lot of pressure to attend a prestigious university.
Oddly enough, I had first seen the bot's posts prior to the video, on a site called WritersCafe.org, which is a site for publishing poetry, stories, and articles. On this particular site, the bot would create fake writer profiles (accounts), and then post its spam links as “stories” or “poems.” While the site's administrators attempted to close some of the accounts, the bot creates them at such a rapid rate that it's difficult for a human to keep up with it. Some of the usernames that the bot generates are variations on the name “dyellihhi001” or something similar, which appears to be random, almost like a keysmash.
Some of the other email addresses that the bot has generated are dyellogfhf001@hotmail.com, dyellogfhf002@outlook.com, and dyelltgtgt004@outlook.com, so they may even be created sequentially. A Scribd upload has a txt document with some or all of these email addresses; this document was reposted on pastebin as well: The Forum Spammer Txt Document. Most of the diploma-related posts also have a WeChat ID in the description, which is “501058216,” and usually reference the name “Andy.” It's possible that “Andy” is one of the people responsible for sending out these bot posts.
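The naming pattern described above (a shared "dyell" prefix, a keysmash-like stem, and a zero-padded counter) is something a forum administrator can screen for at registration time. The following is an added example, not code from the post or from any tool it mentions; the function names, the five-letter prefix length, and the burst thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Letters followed by a zero-padded counter, e.g. "dyellogfhf001".
PATTERN = re.compile(r"^([a-z]+)(\d{2,})$")

def family_key(identifier, prefix_len=5):
    """'dyellogfhf001@hotmail.com' -> ('dyell', 3); None if no counter suffix."""
    m = PATTERN.match(identifier.split("@", 1)[0].lower())
    if not m or len(m.group(1)) < prefix_len:
        return None
    return (m.group(1)[:prefix_len], len(m.group(2)))

def flag_families(signups, min_hits=3, window=3600):
    """signups: (unix_time, identifier) pairs. Returns {key: [identifiers]} for
    families with at least min_hits registrations inside `window` seconds."""
    families = defaultdict(list)
    for ts, ident in signups:
        key = family_key(ident)
        if key:
            families[key].append((ts, ident))
    flagged = {}
    for key, rows in families.items():
        rows.sort()
        for start_ts, _ in rows:
            burst = [r for r in rows if 0 <= r[0] - start_ts <= window]
            if len(burst) >= min_hits:
                flagged[key] = [ident for _, ident in rows]
                break
    return flagged

def sequential_pairs(identifiers):
    """Pairs with the same full stem whose counters differ by one (001, 002)."""
    seen = {}
    for ident in identifiers:
        m = PATTERN.match(ident.split("@", 1)[0].lower())
        if m:
            seen[(m.group(1), int(m.group(2)))] = ident
    return [(seen[k], seen[(k[0], k[1] + 1)])
            for k in sorted(seen) if (k[0], k[1] + 1) in seen]

# Constructed sign-up log: timestamps and the last two addresses are made up;
# the first three addresses are the ones quoted in the post.
SIGNUPS = [
    (1000, "dyellogfhf001@hotmail.com"),
    (1040, "dyellogfhf002@outlook.com"),
    (1100, "dyelltgtgt004@outlook.com"),
    (1500, "poetry_fan@example.org"),
    (9000, "maria1987@example.org"),
]
```

Flagged families are candidates for manual review or a registration hold rather than automatic deletion, since a legitimate user can also pick a name that ends in digits.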
As Barely Sociable also mentioned in the video, there's a possibility that some or all of these posts are being done with bots made by BotmasterLabs, such as XRumer or XEvil. These bots are specifically designed to recognize more than 8400 captchas, hence their ability to post on forums even when anti-spam measures are taken. In fact, there is even a YouTube video with a tutorial on how the bot works: XRumer 12.0.9: how to get about 100.000 profiles on forums and blogs! This gives a good explanation as to how it has been able to post on so many different websites in such a short amount of time, as well as how it gets around many websites' security measures. If it is unsuccessful in posting to one website, it merely moves on to the next one on the list.
On Tor, some site administrators have been able to defeat similar bots by making more complex captchas that the bots aren't able to read, thus greatly reducing the amount of spam, though these captchas sometimes frustrate human users who can't read them either.
In addition to fake diplomas, the organization(s) using this bot for spam posts also appear to be behind other businesses, such as escort services, casinos, and possibly hookup sites as well. This doesn't seem that surprising in retrospect, however. In all likelihood, if these sites are all run by the same group, then it seems that they have their fingers in several different areas of illegal or dubious businesses. For instance, on the forum 2VEE, the bot has posted hundreds of times with links to the casinos and escort sites.
The mysterious parts are: who is behind all of these spam posts? Is it one person, or an organization? Beyond that, is the same bot still sending out spam posts at this very moment, or have website administrators found a way to curb the spam onslaught? If anyone has further information about this, it would be interesting to hear.