The Gay Pedophile at the Gates

1. Reduce impact to regular users.
2. Increase response time
3. Decrease reliance on me.
4. Reversal of asymmetrical nature of time spent (my time = valuable, his time = worthless).
5. Escalate law enforcement involvement until he is a non-factor.

It sounds like you've already sorted your next steps by now, but I'll reiterate the timestamp thing for probation.

ie. new accounts are text only. To gain the ability to post images, they are prompted to hand-write a timestamp (and timezone) on a piece of paper, take a picture of it, and sneed that picture to a mod - who correlates the timestamp with the submission's date and time within an arbitrary window, let's say ten minutes.

To spoof this, the attacker would have to pay an image gen service to generate passable handwriting for every minute of every hour of every day going forward, while trying for no telltale signs of AI Gen. If he continually uses his own handwriting, he is reduced to a manual process, and mods can learn to catch it on sight. He'd also have to get the correct time to line up with the location of his bot's proxy.

Since it's just one instance of numerals, the user is sacrificing little identifiable information. They can do it left-handed if they really want.

If exif data is preserved, it gives more data to organize a blockade around. (Timestamp must be within 10 minutes of exif timestamp. Batch AI generated images would fail this unless every image exif is modified and matched with the relevant timestamp. The same model of phone would come up each time, etc.)

(Additional complexity for suspicious accounts is also very simple. Mod can request a photo of the same paper be resubmitted as crumpled and wrinkled, torn into three pieces, list the DOW JONES price at that moment, etc. Very hard for an image gen to pull off without giving up the game.)

1. Reduce impact to regular users:

Regular people gladly photoshop a throwaway meme for a laugh. A timestamp is low effort and no cost for the user in exchange for a big prize - the right to post images. (I assume KF automatically scrubs exif on upload, however you would choose to deal with that.) I can't imagine anyone ragequitting over, say, a 24 hour waiting period for a mod to review the stamp - especially when they can still text-post.

2. Increase response time and 3. Decrease reliance on null:

The capacity to release CSAM from new accounts is immediately halted, while the approval process can happen at the moderator level with trivial effort on their part - a simple visual check. Maybe a 'is this picture real' AI check.

4. Reversing the asymmetric warfare:

The single attacker is reduced to a manual process, and is outnumbered by the moderation team.
The effort to produce a spoof is disproportionate to the effort to verify the image.

5. Escalation to law enforcement:

Consistent handwriting, (and/or exif data) paired with manual entry, increases the odds of mistakes on the attacker's part and the gathering of actionable information that can be presented to the relevant agency.
 
I assumed he'd just give up after realizing the site's users were never going to see his spam but it seems the goal is to traumatize the moderators:
I never would have considered this as a reason to do this but it makes sense.
 
??? do you think I can just plug in fucking 4chan mods into xenforo????
I think he meant asking them for hashes of images they've already marked as CP so you can plug them into your blacklist.
I am suggesting establishing a formal communications line with team4chan to pool information on bad actors and how to best deal with them, with the goal of reporting them to law enforcement.
Site rivalries aside, this is a problem much larger than what a single team can deal with.
And I suggest the same thing to @SoyQuote. I trust RapeApe, who I suspect is also reading, to understand.

It is like they say, apes together strong.
 
It also means making it easier for admins to stop attacks than it is for him to conduct attacks. The solutions proposed need to not unduly burden normal users or people trying to register for the forum.
I looked into XenForo and how to develop an addon. I've set up a simple forum in docker with v2.3.7 but for the life of me I can't seem to get any addon I develop to actually change a template for some reason. My idea was simple enough, a series of small addons that would add fields to the likes of quick_reply_macros or register_user and only cause seconds of delay for a real user but mess with and break any bots that were trying to abuse the forms. The benefit would be that you could easily tweak some options or toggle the addons on/off and break any bots that are actively trying to attack your site. I have no issue with frontend development or PHP it's just I don't know this forum software well enough.

Regardless, let me try to offer some other suggestions.

Even if you have completely locked down registration, you still have the risk of 'sleeper' accounts that have been registered, had their email confirmed (with some fake activity like reacting to posts) but are just waiting to be used. I recommend purging accounts that have been fully registered but haven't posted by a certain period. Use the database data to decide what's a good cut off. Easiest ones to delete are ones that never posted and were registered a long time ago, purge them sooner rather than later (before he has a chance to generate some fake activity). You may also opt to simply ban rather than delete, so then it's possible someone could appeal it if it's a mistake. Also collect things like emails of accounts you suspect to be sleepers, it's useful if they try to recycle emails later.

I understand your hands are tied if he's posting illegal material, that you have to take certain measures but at account registration, before he gets a chance to do those actions, you can be more, flexible.

The image you use for the KiwiFlare challenge, make it a png. Converting it gets me a 5.5kb image, that's not much at all in terms of bandwidth. But one thing you can do then is, if you see IPs that are clearly trying to keep hitting your challenge over and over, resist the urge to block the IP address. Instead, what you can do is throttle them at the network level. So if they were throttled to say 55 bytes a second, it will take them 100 seconds to load that image of the logo. Which a regular browser will cache but you can change it with the ? trick. But we can do better. Your challenge system can be updated to be like this:

JavaScript:
// Enhanced challenge.js with image hash verification
(function() {
  'use strict';
 
  document.documentElement.classList.remove('no-scripts');
  document.documentElement.classList.add('scripts');
 
  // Fetch and hash the logo image
  async function fetchImageHash(imagePath) {
    try {
      const response = await fetch(imagePath);
      if (!response.ok) throw new Error('Failed to fetch image');
   
      const arrayBuffer = await response.arrayBuffer();
      const hashBuffer = await crypto.subtle.digest('SHA-256', arrayBuffer);
      const hashArray = Array.from(new Uint8Array(hashBuffer));
      const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
   
      return hashHex;
    } catch (error) {
      console.error('Image hash error:', error);
      return null;
    }
  }
 
  window.sssg_challenge = async function(salt, difficulty, patience) {
    console.log('Starting work.');
 
    // Determine current image path from DOM or config
    const imageElement = document.querySelector('footer img');
    const imagePath = imageElement ? imageElement.src : '/.sssg/public/logo.png';
 
    console.log(`Fetching image: ${imagePath}`);
    const imageHash = await fetchImageHash(imagePath);
 
    if (!imageHash) {
      document.getElementById('status').innerHTML =
        '<p>Failed to load verification image. Please refresh.</p>';
      return;
    }
 
    console.log(`Image hash computed: ${imageHash}`);
 
    const worker = new Worker('/.sssg/public/worker.js');
    document.getElementById('loader').setAttribute('class', 'playing');
 
    let startTime = Date.now();
    let deadline = startTime + (60000 - (startTime % 60000)) + (60000 * patience);
 
    let solution = null;
    let threads = navigator.hardwareConcurrency || 1;
    let initialAttempt = Math.random() * 4503599627370496;
    let nextAttempt = initialAttempt;
 
    console.log(`\t${deadline - startTime}ms of patience.\n\tSalt is ${salt}\n\tDifficulty of ${difficulty}\n\tInitial position of ${initialAttempt}`);
 
    // Start worker threads
    for (let i = 0; i < threads; ++i) {
      worker.postMessage({
        attempt: nextAttempt,
        difficulty: difficulty,
        salt: salt
      });
      ++nextAttempt;
    }
 
    // Listen for storage events (multi-tab coordination)
    window.addEventListener('storage', (event) => {
      if (event.key === 'sssg_clearance' && event.newValue) {
        worker.terminate();
        if (event.newValue !== 'PAUSE') {
          console.log(`Accepting answer from LocalStorage!\n\t${event.newValue}`);
          window.location.reload();
        } else {
          console.log('SessionStorage instructs a pause.');
        }
      }
    });
 
    // Handle worker messages
    worker.addEventListener('message', ({data: {attempt, solution: foundSolution}}) => {
      const nextBatch = attempt + threads;
   
      if (foundSolution === null) {
        const attempts = nextBatch - initialAttempt;
     
        if (solution === null) {
          if (attempts % 10000 === 0) {
            console.log(`\tAttempt #${attempts}`);
            if (Date.now() > deadline) {
              console.log('RAN OUT OF TIME!');
              location.reload();
            }
          }
       
          worker.postMessage({
            attempt: nextBatch,
            difficulty: difficulty,
            salt: salt
          });
        }
      } else {
        console.log(`Work concluded after ${Date.now() - startTime}ms.\n\t${foundSolution}`);
        solution = foundSolution;
        console.log('\tSubmitting to server...');
     
        submitSolution(salt, attempt, foundSolution, imageHash);
      }
    });
  };
 
  function submitSolution(salt, attempt, solution, imageHash) {
    const handleError = (message) => {
      if (typeof message === 'string') {
        document.getElementById('status').innerHTML = `<p>${message}</p>`;
      } else if ('error' in message) {
        console.log(`Error received in reply to server:\n\t${message.error}`);
        document.getElementById('status').innerHTML =
          '<p>Received a client error in reply. Please try again.</p>';
      } else {
        console.log(`Incomprehensible reply:\n\t${message}`);
        document.getElementById('status').innerHTML =
          '<p>Received a server error in reply. This issue may be temporary. Try again.</p>';
      }
   
      document.getElementById('loader').setAttribute('class', 'paused');
      const circles = document.querySelectorAll('#loader circle');
      for (let i = 0; i < circles.length; ++i) {
        circles[i].style = 'opacity: 1 !important; fill: #a66b5e !important;';
      }
    };
 
    const handleCheck = (response) => {
      window.localStorage.setItem('sssg_clearance', 'PAUSE');
      document.getElementById('status').innerHTML =
        '<p>Work accepted! Validating session...</p>';
      document.getElementById('loader').setAttribute('class', 'paused');
   
      const circles = document.querySelectorAll('#loader circle');
      for (let i = 0; i < circles.length; ++i) {
        circles[i].style = 'fill: #6ba65e !important;';
      }
   
      const checkRequest = new XMLHttpRequest();
      checkRequest.onreadystatechange = function() {
        if (checkRequest.readyState === 4) {
          try {
            const data = JSON.parse(checkRequest.response);
            if ('auth' in data) {
              handleSuccess(data);
            } else {
              handleError(data);
            }
          } catch (e) {
            handleError('Server responded with an error.');
            console.log(`Bad Json: ${checkRequest.response}`);
            console.log(e);
          }
        }
      };
   
      checkRequest.open('POST', '/.sssg/api/check', true);
      checkRequest.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
      checkRequest.send(`f=${response.auth}`);
    };
 
    const handleSuccess = (response) => {
      window.localStorage.setItem('sssg_clearance', response.auth);
      document.getElementById('status').innerHTML =
        '<p>All done! Reloading page...</p>';
      document.getElementById('loader').setAttribute('class', 'paused');
   
      const circles = document.querySelectorAll('#loader circle');
      for (let i = 0; i < circles.length; ++i) {
        circles[i].style = 'opacity: 1 !important; fill: #6ba65e !important;';
      }
   
      setTimeout(() => {
        location.reload();
      }, 1500);
    };
 
    // Submit answer with image hash
    const xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function() {
      if (xhr.readyState === 4) {
        try {
          const data = JSON.parse(xhr.response);
          if ('auth' in data) {
            handleCheck(data);
          } else {
            handleError(data);
          }
        } catch (e) {
          handleError('Server responded with an error.');
          console.log(`Bad Json: ${xhr.response}`);
          console.log(e);
        }
      }
    };
 
    xhr.open('POST', '/.sssg/api/answer', true);
    xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
    // Include image hash in submission: a=salt, b=attempt, h=imageHash
    xhr.send(`a=${salt}&b=${attempt}&h=${imageHash}`);
  }
})();

So the idea is that the clients have to submit the hash of the image they were served, meaning they have to download it. Meaning if they're already being throttled they now have to wait for that to finish. Zero impact for your regular users (i.e. they don't need to solve harder challenges). The best thing about this method is it gives you another tool in your toolbox, you might decide to make the challenge more difficult, or start to slowly throttle their connections to a crawl, or maybe you just made the image a larger size today, maybe combinations. It's something they'd need to waste time to investigate.

For bandwidth use at no cost to you: you could insert embeds to YouTube or Vimeo videos that autoplay when the page loads on the registration form or challenge. To regular users it's a minor annoyance that they will click pause to, but it's a bandwidth cost for someone running a bot that's actually running a real browser.

As others have suggested, you can also charge money for the ability to register during these kinds of periods. Which doesn't have to be the same as the monthly $20, it's to allow someone to actually make the account they pay some amount and then if they want to actually then pay you the $20 a month for the other perks if they want at any time now that they have an account. Also never underestimate having the person trying to attack your site have to admit reality while doing so. A simple new custom field that requires them to send you things that most people will agree with but a crazy person (that's attacking you) does not. It's the least you can do if you know their goal is to try to get off on making other people clean up their filth, make them go through the humiliation of having to type a few words that they find humiliating (that's true) every once in a while when their bot breaks and they have to type it into their bot code and send it to you thousands of times before it breaks again and they have to type some other thing they find humiliating.
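
An added example, not part of the post above and not KiwiFlare's own code: a Node.js sketch of the server side of the image-hash challenge, validating the `h` field posted to `/.sssg/api/answer`. It assumes each salt is served its own image variant (the base image plus an HMAC-derived suffix, fetched from a salt-specific URL), so a digest computed once cannot be replayed on later challenges; `SERVER_SECRET`, `imageForSalt` and the other names are hypothetical, and the proof-of-work check is left out because `worker.js` is not shown on the page.

```javascript
// Added example: server-side validation of the image hash (`h`) field.
const crypto = require('node:crypto');

// Assumption: a server-only secret; generated at start-up for this demo.
const SERVER_SECRET = crypto.randomBytes(32);

// Constructed stand-in for the logo file: PNG signature plus filler bytes.
const BASE_IMAGE = Buffer.concat([
  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  Buffer.alloc(5500, 0x41),
]);

// Per-salt suffix, derived with HMAC so the server keeps no per-challenge state.
function suffixForSalt(salt) {
  return crypto.createHmac('sha256', SERVER_SECRET).update(String(salt)).digest();
}

// Bytes the (hypothetical) image endpoint returns for this challenge.
function imageForSalt(salt) {
  return Buffer.concat([BASE_IMAGE, suffixForSalt(salt)]);
}

// Digest the server expects for this salt, recomputed on demand.
function expectedHash(salt) {
  return crypto.createHash('sha256').update(imageForSalt(salt)).digest();
}

// True only for a well-formed 64-char hex digest that matches this salt's image.
function verifyImageHash(salt, submittedHex) {
  if (typeof submittedHex !== 'string' || !/^[0-9a-f]{64}$/i.test(submittedHex)) {
    return false;
  }
  const submitted = Buffer.from(submittedHex, 'hex'); // always 32 bytes here
  return crypto.timingSafeEqual(submitted, expectedHash(salt));
}

// Parse the form body the client sends: a=salt, b=attempt, h=imageHash.
function checkAnswerBody(body) {
  const params = new URLSearchParams(body);
  const salt = params.get('a');
  if (!salt) return { ok: false, reason: 'missing salt' };
  if (!verifyImageHash(salt, params.get('h'))) {
    return { ok: false, reason: 'image hash mismatch' };
  }
  return { ok: true, reason: null }; // proof-of-work check would follow here
}

// What an honest client computes after downloading the image
// (same digest as fetchImageHash in the browser code above).
function clientHash(imageBytes) {
  return crypto.createHash('sha256').update(imageBytes).digest('hex');
}
```

With a single static image the expected digest is the same for every visitor, so a bot could download it once and resubmit the value; binding the image bytes to the salt is what forces a download per challenge.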
 
If i were you I'd delete this post and email it to him instead.
XenForo is just the name of the forum software and the things I mentioned about it are very general. I haven't gone into detail about what exactly I'd change in the templates or backend of the forum. The bandwidth limit mentioned is one of the oldest tricks in the trade and not really a secret. Maybe it would be news to a script kiddie but who cares what they think. Besides, it's not like script kiddies know much about networking anyway. If this guy had actually had skills he would've been able to vandalise the forum itself. He's stuck with spamming and even buying services to do so because that's all he can do.
 
As others have suggested, you can also charge money for the ability to register during these kinds of periods.
Problem with that is Josh has years of proof that 99% of people can't be bothered to jump through the hoops. Even people who actively use crypto have been penalized if they baldly send it to him. The 'friction' is too high for a monetary requirement.
 
Basically this website is completely blacklisted from every possible payment processor literally because Liz Fong-Jones recruited an army of trannies to harass the wives of bank CEOs.
 
We have a file whitelist using SHA256 hashing and image hashbans using PDQ hashing. When an image that isn't in the whitelist is posted, it enters the approval queue for moderators to either add to the whitelist or hashban.

I believe he's an Israeli, as whenever the bot is running an IP on the range 46.120.1XX.XXX will start obsessively stalking the bans page and poll the site's JSON API.
I tried blocking the IP once and sure enough the bot stopped for about 30 minutes until a new one on the same range appeared.
His most recent IP is 46.120.114.214 as of 05/Nov/2025:18:23:31 +0000.

I had a feeling that'd happen hence why I obsessively archived every single piece of activity on the accounts. I locally cloned their repos too but Leto's sole repo didn't have any changes compared to the project it was forked from so it's not worth sharing.

We used to do this on soyjak.party actually and I still do use NSFW score as a signal in autoban filters.
You can get a fairly decent CSAM detector by having a model check if the image contains porn and if the image contains a child. If both are true, flag the image as CSAM.
Not perfect by any means but it's better than nothing and takes some load off the jannies.
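
An added example, not the site's own code: one way the SHA-256 whitelist, PDQ hashban and approval queue described in this post can fit together. It assumes the 256-bit PDQ hash of each upload is computed elsewhere and passed in as 64 hex characters; the function names, the sample hashes and the threshold of 31 bits are assumptions of this sketch.

```javascript
// Added example: triage an upload against an exact-match allowlist and a
// perceptual hashban list; anything unknown goes to the moderator queue.
const crypto = require('node:crypto');

// Assumption: match threshold in differing bits out of 256; tune locally.
const PDQ_MATCH_THRESHOLD = 31;

// Number of differing bits between two 256-bit hashes given as hex strings.
function hammingDistanceHex(a, b) {
  if (!/^[0-9a-f]{64}$/i.test(a) || !/^[0-9a-f]{64}$/i.test(b)) {
    throw new TypeError('PDQ hashes must be 64 hex characters');
  }
  const x = Buffer.from(a, 'hex');
  const y = Buffer.from(b, 'hex');
  let bits = 0;
  for (let i = 0; i < x.length; i++) {
    let v = x[i] ^ y[i];
    while (v) { v &= v - 1; bits++; } // clear lowest set bit, count it
  }
  return bits;
}

// Decide what happens to an upload: approve, reject, or queue for review.
function triageUpload(fileBytes, pdqHex, allowlist, hashbans) {
  const sha256 = crypto.createHash('sha256').update(fileBytes).digest('hex');
  if (allowlist.has(sha256)) return { action: 'approve', sha256 };
  for (const banned of hashbans) {
    const distance = hammingDistanceHex(pdqHex, banned);
    if (distance <= PDQ_MATCH_THRESHOLD) return { action: 'reject', sha256, distance };
  }
  return { action: 'queue', sha256, pdqHex };
}

// Record a moderator's decision on a queued entry.
function applyModeratorDecision(entry, decision, allowlist, hashbans) {
  if (decision === 'allow') allowlist.add(entry.sha256);
  else if (decision === 'hashban') hashbans.add(entry.pdqHex.toLowerCase());
  else throw new RangeError(`unknown decision: ${decision}`);
}

// Constructed sample data: byte strings and PDQ values are made up.
function demo() {
  const allowlist = new Set();
  const hashbans = new Set();
  const actions = [];

  const meme = { bytes: Buffer.from('constructed meme bytes'), pdq: 'a'.repeat(64) };
  const spam = { bytes: Buffer.from('constructed spam bytes'), pdq: '5'.repeat(64) };
  // Re-encoded copy of the spam image: different bytes, PDQ differs by 5 bits.
  const variant = { bytes: Buffer.from('constructed spam, re-encoded'), pdq: '5'.repeat(62) + '4a' };

  let r = triageUpload(meme.bytes, meme.pdq, allowlist, hashbans);
  actions.push(r.action);
  applyModeratorDecision(r, 'allow', allowlist, hashbans);
  actions.push(triageUpload(meme.bytes, meme.pdq, allowlist, hashbans).action);

  r = triageUpload(spam.bytes, spam.pdq, allowlist, hashbans);
  actions.push(r.action);
  applyModeratorDecision(r, 'hashban', allowlist, hashbans);
  actions.push(triageUpload(variant.bytes, variant.pdq, allowlist, hashbans).action);
  return actions;
}
```

The exact hash only recognises byte-identical files, which suits the whitelist; the perceptual hash tolerates re-encoding, which suits the ban list, and moderators only ever see images that match neither.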
Ban all Israeli IPs, problem(s) solved.

His time is borrowed. It's only a matter of time before he fucks up. To not only have csam, but to spam it on sites as an attack vector is colossally stupid. You are not just playing with fire, you are actively daring it to burn you. There is no way this ends well for him.

Wait for the knock.
100% correct, there's nothing the feds go after more aggressively than people trying to muscle in on their turf.
 
Gooning to child porn is probably one of the core values of the Talmud, so I don't think this guy will be arrested anytime soon.
Talmudic law is actually pretty strict on this. If they are younger than 2 years and 1 day, it's fair game. Otherwise you are only stuck to goyim.

As for official policy: If I recall correctly, it's also simply not a crime to post cp from Israel onto non-Israeli servers.

If that holds true, I guess it would open up a somewhat silly loophole. If you have all content upload to Israel first, before ever touching a farms server, you could then report it to whatever authorities. But you'd also have to convince them to care, provided this faggot is even operating from there.
 
This makes dealing with the automated flood very, very difficult and the stakes are so high that I'm at a loss about what to do with it.
I love reading blogposts about site development and history like this. Are enough people here plainly interested in site development? If there was a forum dedicated to that I'd read it very often.

I wish you best of luck in dealing with the spam doe. This type of malicious activity is the main reason anonymous sites don't really exist nowadays.
 
I think when people start blurting out suggestions they're not really considering what needs to be accomplished.

1. Reduce impact to regular users.
2. Increase response time
3. Decrease reliance on me.
4. Reversal of asymmetrical nature of time spent (my time = valuable, his time = worthless).
5. Escalate law enforcement involvement until he is a non-factor.
Instead of a day/night cycle, I would make the cycle random. In addition, have several registration pages or randomize the link to the registration page. Maybe even randomize the location of registration on the ui.
Make the system so chaotic he has to manually update his bots to access registration at whatever times registration happens to be available.

Optimally, you would be able to have an automated system that is unpredictable. Either he has to constantly manually adapt his bots, or burn resources to run them even when they are useless.

A normal user only has to register once, but he has to do it millions of times.
 
is this the team gamerfood guy lol?


I say we let the gay pedophiles in and we become gay pedophile land hahahahaa!! :DDDDDD
Team Gamerfood does not claim his kind.

also, I've found a YouTube account of his (link, archive). Not sure if that's been documented already.
This was on a video related about CS:GO cheating history, and unsurprisingly he tried to leave a stamp there (note how he desperately wanted the connotation, you can't beat the attention whoring remarks).
This account was made on Apr 10th, 2019, which most likely is one of his many YouTube alternative accounts. still, good to keep around.
And the "furry trappin" video had to be absolutely unhinged and nonsensical because of course you can't stray off your 2018 furry nigger personality:
 
I am suggesting establishing a formal communications line with team4chan to pool information on bad actors and how to best deal with them, with the goal of reporting them to law enforcement.
Site rivalries aside, this is a problem much larger than what a single team can deal with.
And I suggest the same thing to @SoyQuote. I trust RapeApe, who I suspect is also reading, to understand.

It is like they say, apes together strong.
There's also the catbox.moe admin. Ever since he's been struck financially by all of this shit he's been more proactive on taking illegal content down and been warring against the furnigger for a while as well.
 