Over the past months I’ve been monitoring a situation across my matrix rooms that makes me a bit uncomfortable. A growing number of bots that join a those smaller communities and do nothing but lurking, resulting in higher server loads and unnecessary message distribution.

It even caused me to update the rules for my rooms, to require people to provide a short introduction of themselves in order to hang around.

The bot signature

To begin with, let’s talk about the bots’ signature. While monitoring the situation I was able to pick up some good indicators which accounts seem to be part of this botnet(?), or at least the same group of bots, that I call lurker bots.

The most present indicator and source of the name, is the fact that those bots lurk. They join the room, never send any message or interact with anyone or anything inside the room. While this might be common in larger rooms, it seems a little bit odd in smaller rooms. By itself it’s definitely no reason to kick a user, but a first indicator.

The next indicator is their name. Usually users come up with some “cool” nickname for themselves, like “aligator69”, those bots use randomly-picked, generic real-life-inspired names. Real-life-inspired, because the names they use sometimes, are so old fashion that I doubt that there are more than a handful of people on the planet named that way. And even less like, all decide to join a community that is made of ~30-100 People and not about rare names. To bring up some real examples: Starting from generic names like “joe”, over older German names like “gisela”, quickly drifting into super old-fashion German names like “kunigunde”, more likely to be found in a book about the 13th century than in any classroom these days.

Further one can look at the read indicator. The read indicator usually marks the last position a user has read in the channel, or at least it travels to the position of the last message of a user. In case of those bots, it sticks to join position, as the bot never performs any interaction, and doesn’t seems to provide read indicators, as it would be the case with most regular clients for humans.

Additionally the homeservers they are coming from are further indicators for bots. All homeservers of those bots support open registration and from a random selection of bots, my probes indicate that all those homeservers have no additional verification or bot protection, such as a CAPTCHA, enabled on sign-up.

And finally, thanks to another vigilant user, another indicator for these kinds of bots is the absence of any client or the existence of a single active client with no identifier whatsoever. Which is also highly unlikely for regular, human users.

All in all, this makes 6 indicators for a bot user. None of them is enough to conclude that the account is a bot, but in sum, they drastically indicate that those are bots.

Real impact of those bots

Obviously now that the bots are identified it’s time to ask, what’s the impact of their existence. As with aliens arriving on earth, one asks themselves the questions: Who are they? What do they want? Are they peaceful?

To none of those question I could find any answer. Currently they are there, lurking in rooms and do nothing. But they still have an impact.

First of all, they cost all participating homeserver resources because messages are spread to more homeservers than before, resulting in additional HTTP requests on each message as well as taking up space on the receiving homeserver.

Then it spreads the content of the messages to unneeded third-parties. The rooms are open for everyone to join, so one could argue that there is no damage done, but the room history is usually still limited to members and if a homeserver doesn’t need the history, why risk it to be part of a data breach, if it’s not necessary?

And finally, the biggest impact: It just feels odd. It’s like someone is constantly monitoring you and you have no idea what they are up to. That simply makes me, and other people in those rooms uncomfortable, which is not what those rooms are for.

Possible impact of those bots

In this part, I want to speculate a bit about possible impacts of those bots. Those bots have to exist for a reason, and for whatever reason, it’s not just “for fun”.

1. Monitoring room activities. The simplest and straight forward assumption is, that those bots just collect data about rooms. Who writes what, who is member of a room, etc. Regular data mining. Creepy.

2. Preparation for spamming. Generally speaking, it doesn’t make a lot of sense, but it’s still possible that it’s a preparation to spam rooms with some sort of nonsense at some point. It’s much harder to remove bots once they have been around in a room for weeks, months or even years. You risk a very high false-positives rate. So the theory is that those bots represent “the foot in the door”.

3. Other attacks on rooms. From room takeovers to DoS attacks against rooms or homeservers, those bots are well connected and could take advantage of vulnerable room and homeserver versions. Again, having a foot in as many rooms as possible is a powerful tool and should not be underestimated.

All in all, I think the first version is the most likely. If it’s an ongoing data collection or a one-time data collection is something up to your imagination. both would be possible.

Actions against the bots

Currently I have taken simple measures against those bots. In some of my rooms I decided to enforce the rule of introduction and kicking people out, that match the bot signature and ask them to rejoin and provide a quick introduction of themselves or at least why they want to hang out in the room.

I also talked about it in the German Synapse-admins room, where people suggested to write a script that could take care of kicking people matching the indicator, but so far, no script has been produced.

Conclusion

I currently hope, that there is a point where those bots just disappear and whoever runs them gets tired of it, but there is reason to doubt it. Therefore at some point I guess I have to sit down and automate it.

But those bots are just creepy to me and I don’t enjoy having them in my rooms, therefore if you ever get kicked due to matching such indicators, please don’t be angry or disappointed, join and introduce yourself and it should be all fine.

One last sentence: If you know anything else about them, feel free to join my main matrix room and talk with me about it, I’m always interested. Or maybe you just want to hang out, that you are obviously also welcome.

Photo by JØNΛS. on Unsplash