Theme Designers 'Top Downloads' panel - count spamming. STOP!

Today I left a comment on the Top 5 themes in the panel and the 2 prior top, that there's blatant spamming occurring.

Some designers are spamming the system in various ways to make it to that top panel on the front page. JUST STOP!

Some of the more ridiculous are designers reviewing their own theme with a 5 star rating. Seriously! Or how about an update on a theme that's supposed to be an unmodified 'original'. How does that get an update? Done only to make it to the top of the updated list.

Why would a Theme Designer download his own creation? JUST STOP!
The behavior is clear, even if you try to hide behind a VPN because you're just not that smart. JUST STOP!
The behavior is clear, even if you download as a Guest because you're just not that smart. JUST STOP!

A 'good' theme, over time, by word of mouth or promotion will rise up to the top.

>designers reviewing their own theme with a 5 star rating
I've left one on my theme as a joke/protest. I agree with you. This should not be possible at all and just seems like a very silly oversight.

You can see the reply I left to myself is "WFT, why are you leaving reviews on your own theme?".

If you couldn't tell from my post I don't try to take myself or my theme very seriously. It's full of emojis and memes.

Anyhow I did some testing and the current system is extremely easily exploitable. Even just clicking edit and then saving it immediately without ANY changes will work completely fine and will boost your listing up to the top of the new. I'm pretty sure a few themes are doing exactly this.

That is before you look into actually performing an actual attack and not just clicking.

You can see it's got a CSRF key at the end of the URL:

https://forum.evolvapor.com/files/file/1196-neo-cloudz-on-crack%E2%84%A2-dna250c-dna75c/?do=download&csrfKey=7d443771196c5e0e5da05e71c005f365

But I don't think it's doing anything. You can just spam the URL and the downloads will go up.

This leaves it open to attacks via a simple cURL HTTP request or any type of simple net scripting at all. Which is to say if the attacker is competent and uses actual web techs like https://www.selenium.dev/ which can simulate full browsers...

The forum is fucked basically.

Anyhow, I don't think this will be fixed. It's simply not really a big enough issue for Evolv to fix. And to fix it it's not going to be an easy fix. It's a multitude of analytics and back end work. And even if it is fixed. It's a cat and mouse game.

And we can't really point fingers unless Evolv digs up the server logs. Even then, it's hard to say who the culprit is since they can just spam other themes. RN, certain themes have far too high of a view / download ratio (I'm pretty sus, or maybe my theme is just bad idk lol). I think it would be very easy to filter out real from fake downloads given server logs. Fake downloads will probably just spam the URL and not bother to simulate user actions since it's not needed.

BUT, in the case that Evolv does want to fix this I would love to help. I can code and would love to work for you guys :)
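Skit's point that real and fake downloads separate cleanly in the server logs can be checked with a small log-triage script. This is an added example, not anything from the forum or from Evolv; the log lines, IPs, theme ids and csrfKey values are constructed, and the three "spammy" rules (no page view from that IP before the download, a command-line client user agent, or the same csrfKey replayed on repeated downloads) are assumptions about what a scripted download looks like.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined log format). The IPs, theme ids,
# csrfKey values and user agents are made up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2021:07:31:02 +0000] "GET /files/file/1196-example-theme/ HTTP/1.1" 200 18234 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/88.0"
203.0.113.5 - - [13/Apr/2021:07:31:40 +0000] "GET /files/file/1196-example-theme/?do=download&csrfKey=aaaa1111 HTTP/1.1" 200 512000 "https://forum.example/files/file/1196-example-theme/" "Mozilla/5.0 (Windows NT 10.0) Firefox/88.0"
198.51.100.9 - - [13/Apr/2021:07:32:00 +0000] "GET /files/file/1196-example-theme/?do=download&csrfKey=bbbb2222 HTTP/1.1" 200 512000 "-" "curl/7.68.0"
198.51.100.9 - - [13/Apr/2021:07:32:01 +0000] "GET /files/file/1196-example-theme/?do=download&csrfKey=bbbb2222 HTTP/1.1" 200 512000 "-" "curl/7.68.0"
198.51.100.9 - - [13/Apr/2021:07:32:02 +0000] "GET /files/file/1196-example-theme/?do=download&csrfKey=bbbb2222 HTTP/1.1" 200 512000 "-" "curl/7.68.0"
192.0.2.44 - - [13/Apr/2021:09:10:11 +0000] "GET /files/file/1203-other-theme/ HTTP/1.1" 200 17001 "-" "Mozilla/5.0 (Android 11) Chrome/90.0"
192.0.2.44 - - [13/Apr/2021:09:10:45 +0000] "GET /files/file/1203-other-theme/?do=download&csrfKey=cccc3333 HTTP/1.1" 200 498000 "https://forum.example/files/file/1203-other-theme/" "Mozilla/5.0 (Android 11) Chrome/90.0"
"""

# Combined log format: ip ident user [time] "METHOD url PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
THEME_RE = re.compile(r"^/files/file/(?P<theme>\d+)-[^/]+/$")   # theme page path
CLI_UA_RE = re.compile(r"^(curl|wget|python-requests|go-http-client)/", re.I)


def parse_line(line):
    """Return a dict for a theme page view or download hit, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urlparse(m.group("url"))
    t = THEME_RE.match(parsed.path)
    if not t:
        return None
    qs = parse_qs(parsed.query)
    return {
        "ip": m.group("ip"),
        "ua": m.group("ua"),
        "theme": t.group("theme"),
        "is_download": qs.get("do", [""])[0] == "download",
        "csrf": qs.get("csrfKey", [""])[0],
    }


def classify_downloads(log_text):
    """Per theme: page views, downloads, and how many downloads look scripted."""
    stats = defaultdict(lambda: {"views": 0, "downloads": 0, "spammy": 0})
    viewers = defaultdict(set)   # theme -> IPs that loaded the theme page first
    key_uses = defaultdict(int)  # csrfKey -> downloads seen carrying that key
    # Log order is time order, so a real visitor's page view precedes their download.
    for h in filter(None, map(parse_line, log_text.splitlines())):
        s = stats[h["theme"]]
        if not h["is_download"]:
            s["views"] += 1
            viewers[h["theme"]].add(h["ip"])
            continue
        s["downloads"] += 1
        key_uses[h["csrf"]] += 1
        no_view = h["ip"] not in viewers[h["theme"]]       # never opened the theme page
        cli_client = bool(CLI_UA_RE.match(h["ua"]))        # curl/wget style client
        replayed_key = key_uses[h["csrf"]] > 1             # same download URL fired again
        if no_view or cli_client or replayed_key:
            s["spammy"] += 1
    return dict(stats)


def suspicious_themes(stats, max_ratio=1.0):
    """Themes with any scripted-looking downloads or more downloads than page views."""
    return sorted(t for t, s in stats.items()
                  if s["spammy"] or s["downloads"] > max_ratio * max(s["views"], 1))
```

Running `classify_downloads(SAMPLE_LOG)` on the constructed lines reports theme 1196 with 1 view, 4 downloads and 3 spammy ones, which is the view/download inversion Wayneo describes further down the thread.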

What a great comment. We moderators have been aware of the issues, but we'd prefer Evolv spend their time working on meaningful things instead of wasting time on stuff like this. Hell, one had a view count of ~260 with a download count of ~400. Obvious much.

You were not the only person to comment/review their own theme, which was called out by another developer.

Don't take this personally. Have any suggestions?

Hell, if I knew where those counts were kept, a one line script in a Linux /etc/rc2.d file could keep it clean. (depending, depending, depending) 

37 minutes ago, Wayneo said:

What a great comment. We moderators have been aware of the issues, but we'd prefer Evolv spend their time working on meaningful things instead of wasting time on stuff like this. Hell, one had a view count of ~260 with a download count of ~400. Obvious much.

You were not the only person to comment/review their own theme, which was called out by another developer.

Don't take this personally. Have any suggestions?

Hell, if I knew where those counts were kept, a one line script in a Linux /etc/rc2.d file could keep it clean. (depending, depending, depending) 

Na, it's fine. I didn't think you were trying to go after me for the review. I'm just putting it on the table to be known. I think it's stupid and should not have even been possible at all.

Quote

Have any suggestions?

1) Stop self reviews, should have never been a thing.

2) Just put a captcha on the download page. Simple drop in solution.

3) First log the CSRF keys and as much user info (such as user agent and IP etc. not sure if this is GDPR tho) as possible. Then after a week of (silent) surveillance change the keys to be ephemeral and unique by IP / browser fingerprint.

If the bot is setup in a static way with static URL we will be able to immediately catch them upon the deployment of the new ephemeral keys. They will request a URL that no longer exists and then CSRF key can be correlated to a user request on the server.

My URL for my download has been the same this entire time so if download links are per user and unique then perhaps the attacker has already revealed themselves.

I highly doubt the attacker has made a fully dynamic bot for this. The IP, user agent and browser would probably be all the same. If it's not just a simple curl/wget loop since that works just fine without auth.

HOWEVER. I should note. DO NOT BLOCK TOR OR VPNs. This is a stupid and a cop out way of "security", people actually need Tor and VPNs for things. They might not be able to even use Evolv products otherwise. Given a good system this sort of gate keeping is completely unnecessary and cuts out good users as well.

Edited by Skit
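One way to build the ephemeral, per-user download links Skit suggests, as an added example that is not the forum software's own code: the link token is bound to the visitor's session and the file rather than to IP address or browser fingerprint, so Tor and VPN users are unaffected, and the counter records at most one download per session and file per day even though the file is served every time. SERVER_SECRET, TOKEN_TTL, the session ids and the file ids are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Constructed placeholders: a real deployment keeps the secret in configuration
# and issues the session id at login or first visit.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 300   # seconds a download link stays valid


def make_download_token(session_id, file_id, now=None):
    """Issue a link token tied to this session and file, expiring after TOKEN_TTL."""
    exp = int(now if now is not None else time.time()) + TOKEN_TTL
    msg = f"{session_id}|{file_id}|{exp}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return f"{exp}.{mac}"


def verify_download_token(token, session_id, file_id, now=None):
    """True only if the token was minted for this session+file and has not expired."""
    now = int(now if now is not None else time.time())
    try:
        exp_str, mac = token.split(".", 1)
        exp = int(exp_str)
    except ValueError:
        return False          # malformed token
    if now > exp:
        return False          # stale link: a static URL in a loop stops working here
    msg = f"{session_id}|{file_id}|{exp}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return hmac.compare_digest(mac, expected)


class DownloadCounter:
    """Serves a valid request every time, but counts one download per (session, file) per window."""

    def __init__(self, window=86400):
        self.window = window
        self.counts = defaultdict(int)   # file_id -> counted downloads
        self._last = {}                  # (session_id, file_id) -> time last counted

    def record(self, session_id, file_id, token, now=None):
        """Return (serve_file, counted)."""
        now = int(now if now is not None else time.time())
        if not verify_download_token(token, session_id, file_id, now):
            return (False, False)        # wrong session, wrong file or expired: refuse
        key = (session_id, file_id)
        last = self._last.get(key)
        if last is not None and now - last < self.window:
            return (True, False)         # legitimate re-download; do not inflate the count
        self._last[key] = now
        self.counts[file_id] += 1
        return (True, True)
```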

I never said the word 'attacker'. More some internet glory and fame seeker. Just saying, the ONLY PERSON that would want multiple downloads of a particular Theme would be the owner. Except in this case. This was clearly done to right a perceived wrong.

I actually applaud the person because it's so glaringly obvious for all to see.

We do log and can see quite a bit of information. I won't tell you what, but I will tell you the most outrageous is a user that downloaded his own theme >3,000 times.

But here we sit and ponder the future of these 7.
Do we hide them for a week from downloads. Let innocent downloaders get a 404?
Do we start manually monitoring any theme that hits the top of the Top? And then what? Moderators leave a count and a 1 star review with that count? 3 days in a row, hide it (timeout) for a week.
Do we remove that panel altogether?

Thank you, I hope others speak up. 

1 hour ago, Wayneo said:

I never said the word 'attacker'. More some internet glory and fame seeker. Just saying, the ONLY PERSON that would want multiple downloads of a particular Theme would be the owner. Except in this case. This was clearly done to right a perceived wrong.

I actually applaud the person because it's so glaringly obvious for all to see.

We do log and can see quite a bit of information. I won't tell you what, but I will tell you the most outrageous is a user that downloaded his own theme >3,000 times.

But here we sit and ponder the future of these 7.
Do we hide them for a week from downloads. Let innocent downloaders get a 404?
Do we start manually monitoring any theme that hits the top of the Top? And then what? Moderators leave a count and a 1 star review with that count? 3 days in a row, hide it (timeout) for a week.
Do we remove that panel altogether?

Thank you, I hope others speak up. 

"Attacker" is just a technical term for the person performing the action on your network. Well, penetration tester. It's just that when I usually talk about cyber security it's actually something serious and not a vape theme lol.

Simplest solution would be to just remove the downloads. This should be done at least. The rest is up to you. I'm just some nerd who likes to vape.

Edited by Skit

55 minutes ago, Skit said:

............. What do you mean by these 7?

The 7 themes that I left the same discreet comment on.

The 7 theme owners should all be aware as they were probably notified like you were, yet only you are commenting here.
In your opinion, would you consider this a respectful conversation? I do.

Another option would be for us to completely delete the Themes and recreate them, attributed to the respective owner. Download count would start at zero. No comments, no reviews, no followers.

And I do agree, a captcha seems rather elegant as a start.

Just now, Wayneo said:

The 7 themes that I left the same discreet comment on.

The 7 theme owners should all be aware as they were probably notified like you were, yet only you are commenting.
In your opinion, would you consider this a respectful conversation? I do.

Another option would be for us to completely delete the Themes and recreate them, attributed to the respective owner. Download count would start at zero. No comments, no reviews, no followers.

And I do agree, a captcha seems rather elegant as a start.

 

Yeah, I think this was a good way to notify the users affected.

I don't think it would be fair to me and other users who have worked so hard to gain so much traction on their theme and yet to be just wiped. I feel gutted and I've only had my theme up for a few months. Please don't do this!!!

My honest belief is that you 7 are all fallout. Just laying it all on the table, as another option. We have no idea yet how we as a moderator team will decide. Hence this conversation 😃

I want to, I must confess that I too have downloaded my own themes many times myself, and also (most recently) pushed them, unchanged, to the top of the overview...

I felt driven by base motives. On the one hand, there is/was a user who has consistently dominated the table for months via downloads that cannot be accounted for. On the other hand, I also have the impression that the theme overview is currently being flooded with stock themes where only the wallpaper is changed, or where ever newer versions are posted as a new theme. I feared that new users would soon get bored and lose their enjoyment, and that it would stay hidden from them how much work some of us put in, have put in.

My own misconduct arose from a mixture of vanity and hurt feelings.

I also got in personal contact with one user and asked him not to post every wallpaper as a new theme in future; it turned out that for many this already seems to be a challenge. On the one hand I am of course pleased by the users' enthusiasm; on the other hand, perhaps the originality of new themes should be assessed before they are approved for the forum.

@gwyar Thank you for your honesty. I can certainly understand the frustration you feel. Hopefully this topic will be the basis we all move forward from. Comrade @zark used to be the unofficial critique master. Because I'm a 'moderator' I try to stay out of reviewing or commenting on the work of others. I look at many themes but only commented publicly on two or three.

That 'top panel' is a running weekly count usually hovering mid 80's to the odd 120's, so to see a theme jump over 120 in 12 hours is alarming. To see a theme jump 400 in a day is ludicrous, 600 is just downright crazy. So when 5 jump high I cannot sit back and turn a blind eye.

Your themes were all originals IIRC, and I've looked deep into at least one. 👍My fear has always been that programmers like you would lose interest, and stop or leave due to the dishonesty of others. You're still a good man in my eyes.

On 4/14/2021 at 6:00 PM, Wayneo said:

the ONLY PERSON that would want multiple downloads of a particular Theme would be the owner.

Here's a look at where we were, and where we are now. These are the 7 mentioned, and once again, I'm only taking a look at theme downloads since the incident. Names sorted alphabetically.

Commodore theme. April 11, >400 download count spamming, since then ~8 total and none since the 15th.
Frank theme. Just way too many. Since then >20 spammy on the 15th. Otherwise, total ~20 normal.
Khaled theme. Starting around 7:30am, >700 download count spamming; since then ~8 total.
mr.bottomfeeder theme. Since then 4 look normal, ~20 look spammy.
Sk1t theme. Starting around 7:30am, >200 download count spamming; since then ~13 total.
Stepladder theme. 9 look normal, ~20 look spammy.
Zark theme. Just way too many. Since then zero downloads.

And 3 more themes, looking back to the 11th (2 days before the incident and skipping the 13th maybe), based on their prevalence on the "Top Downloads" list. NO NAMES ATTACHED

Example 1 theme. 15th 4 normal, zero spammy. 14th 1 normal, zero spammy. 13th part of spam attack. 12th 1 download. 11th 5 normal, 27 spammy.

Example 2 theme. 15th 1 normal, zero spammy. 14th 2 normal, zero spammy. 13th 2 normal, 16 spammy. 12th 2 downloads. 11th 2 downloads.

Example 3 theme. 15th 8 normal, zero spammy. 14th 9 normal, zero spammy. 13th 2 normal, 34 spammy. 12th 3 normal, zero spammy. 11th 11 normal, 20 spammy.

Clearly behavior is changing. Every theme on that TOP PANEL I'M GONNA GIVE THE COUNT ON YOUR THEME FOR THE PRIOR DAY, MAYBE AS A REVIEW OR A COMMENT. Let's see who makes it to the TOP starting the 21st.

I agree that many authors use tricks to climb up the list. I myself have used similar not very pretty techniques. But I once had the sad experience of my theme being deleted by a silly accident, and that was very sad. After republishing the theme, it took long months to gather the number of users who give advice and comments on my work. Every author has ambitions, and these download numbers, comments from followers, and live communication after all, are very important to authors. I have one of the few themes in Russian; my users are very few on the forum, and the results I have are very encouraging. I agree that I should not get involved in discussions, because everyone perceives me as a hater, but I assure you that is not so. I am ready to stop taking part in discussions, but resetting the statistics of my themes is unacceptable to me. If the moderators are prepared to destroy the statistics, then I am prepared to leave this forum, on which I have spent thousands of hours of my life. I consider this forum the most sensible one; don't let me be disappointed.

@zark: "I agree that I should not get involved in discussions, because everyone perceives me as a hater, but I assure you that is not so"

You are very honest in your critiques and some people cannot handle that. But that is not your fault. The two of us also do not/did not always agree, yet I gladly accept criticism from you. It would be a great shame if you left the forum. I think it offers the best platform for your theme in your language.

I do not want to leave the forum, but the decision to reset the statistics that the moderators are proposing is unacceptable to me. I do not believe there is no more humane way out of this situation. If the dates of the spam are known, it is easier to delete the statistics for those days. But blocking and a complete reset are inadmissible; it is humiliating, it is an admission of powerlessness by the forum's moderators and administrators. This is very sad.

@Wayneo I have often been in a situation where doing nothing was not an option, but it was not always possible to find the guilty party or prove guilt; in such cases I punished EVERYONE EQUALLY, and the negative consequences of the punishment were not so morally hard on the innocent, while the guilty became even more aware of their guilt.

Let's destroy ALL THE FORUM'S STATISTICS in the download-count section and start from zero; it will be less hurtful for the authors and it will be a new stage of the competition for the lead (IMHO).

BUT, PLEASE, LET'S HOLD A DISCUSSION OF THIS SITUATION ON THE FORUM

@zark

I/we are not blaming anyone. I personally would not want YOU to leave. Fudging the download count, for any reason, is WRONG and deceitful. We are not ready to destroy anything, but even you must admit that if the download count of a theme such as yours is >20% wrong then that statistic has no value.

You are an engaged user and very helpful on many topics, including themes. I can only think of one user that might have a negative perception of you, and that is HIS problem.

We look after an entire small community and will not play favorites. We try to be fair to everyone, but until we can stop this bad behavior, your theme like the other 6 will show a daily count of spammy and normal downloads until different themes make it onto that panel. Any new theme making it onto that panel, I'll do a 7 day look into the downloads and make it public. 

... the ONLY PERSON that would want multiple downloads of a particular Theme would be the owner. Except in this case. This was clearly done to right a perceived wrong.

28 minutes ago, Wayneo said:

THE ONLY PERSON who would want multiple downloads of a particular Theme would be its owner. Except in this case. Obviously this was done to right a perceived wrong.

I did not quite understand the meaning of your message (Google Translate distorts the meaning a lot), but I do not understand why not delete the statistics for the last few days, and after that add a captcha and a limit on changes for a certain period of time (most sites do this, so it works).

Why am I nervous that I could lose the fruits of many years of work? Why are you proposing a solution that only an author with no real statistics could agree to? Why should I suffer from the actions of others? Why should I sink to the very bottom of the rankings?

Or do we admit the victory of spam?

I am very, very upset, all the more so because this is not the first situation with a sharp increase in the number of downloads. Why were measures not taken earlier? Why do I see that 7 authors could lose their rating? If you are sure that this is the doing of some author, then I think you already know who it is, so what are all these games for? This is not a commercial site and I do not think very sophisticated bot schemes were used, so you will be able to establish the true culprit; do not rush to destroy the authors, that would be a loss of the whole forum to spam.

@zark Here it is again. Hopefully in very plain English.

The themes get recognized by their download count. The only reason for anyone to fudge or fake or inflate a download count would be for internet glory or fame to make it to that panel. Except in this case it was not done singularly. 5 themes were done one shot to hide (or highlight) the prior top 2, perhaps. That is why the prior top 2 were included. And so we end up at 7.

I do not know why you are nervous. Don't be nervous. Nothing has been done yet. We are just getting comments.

The only suffering for you would be if some 'hater' spammed your theme to the top. See how silly that sounds? I hate @zark, let me spam his theme download count so it goes HIGHER.

We/I can only do our best with the tools we have. I'm too old to play games. Nothing was done before because we hoped it would die off. I have personally spoken to 3 users on that panel right now about this issue. You being one of them long ago.

NO, we do not recognize the victory of spam. We will recognize their counts daily at the top of a new post I will create next week for all to see, until Evolv can fix this issue. (For the Top Downloads panel). I have no idea who did this.

Any author is certainly free to hide their themes from public viewing or downloading at their leisure. I can think of 2 who have done this long ago. Maybe their reason was out of disgust at outrageous numbers.

Both you and @grass had noticed. Look at his words

On 4/14/2021 at 7:58 PM, gwyar said:

On the one hand, there is / was a user who has consistently dominated the table for months via incomprehensible downloads.

This is THE DISCUSSION.

Thank you for the explanation.

I am not at all interested in the number of downloads of my theme; I am happier being in the rankings by reviews and comments. But at the same time I understand that if I do not have a large number of downloads and do not update the theme, my theme will become "invisible" to new forum members. It is a dilemma and we have to play this game.

Unfortunately one can only use 8 rudimentary sorting options when looking at the 1,116 themes on the board. And just like many users never change/select the 'any' default regular search criteria, to 'all', in this instance they don't (in my opinion) change from 'recently updated' for Themes. Look at the options, is there a better option?

Would it be good to make every downloader have to sign up, and request they leave a review?
Under the About File for a theme should we request every Designer ask users to do the above, before making the public?
Should I/we add that text to any theme that reaches the Top Panel if it's not there?

A good designer interacts with both commenters on his theme and elsewhere. I see that often from a handful of you guys. The standard Top 5 all did that at some point. Being helpful to other Designers. I have respect for all those true Designers, you and @gwyar @Mr.Bottomfeeder @Jetro @formula 1 all included.

IMHO a good theme should be simple in style with complexity in its execution. Look at vaping right now. Auto draw pods. No screen at all. A tiny % even use TC or Replay.

@Skit Please self edit your post. Leave only positive thoughts and suggestions. For about the gazillionth time this must remain respectful. Please and Thanks man 👍

Tomorrow you will see the downloads for each of the 7 (for the 16th), and moving forward, HERE.

And why can't downloading be prohibited for unregistered users? Under that condition, finding the spam would be simple and obvious.

2 minutes ago, zark said:

And why can't downloading be prohibited for unregistered users? Under that condition, finding the spam would be simple and obvious.

While I agree with this as it would "fix" the problem it just makes it so that they will have to make an account for each download. This has more damage to a regular user than a bad user however. I don't think this should be the case.