Ask HN: Is Hacker News under attack from spam bots?
Nature of the Incident
- Commenters widely agree HN is under a large-scale spam bot attack.
- Thousands of new accounts are posting nearly identical “AI girlfriend” ads, often with crude or offensive usernames and a short random string appended.
- Spam appears across most front-page posts, sometimes dozens of comments per thread, in visible “waves.”
Impact on Site and Users
- Many report slow page loads, timeouts, and HN feeling like a mini-DDoS.
- Some users try to manually flag hundreds of comments but say it feels futile at this volume.
- The attack is described as the worst or first of its kind seen on HN by several participants.
Account Creation, Captchas, and Security
- The spam seems to rely on rapid creation of new accounts with predictable name patterns.
- Some users observe that captchas appear on login/creation now; others note this is new or inconsistent.
- Debate over mitigations:
- Temporarily disabling new account creation or delaying new users’ ability to post.
- Regex/string-based filters or banning specific username patterns/domains.
- Captchas vs. phone verification vs. proof-of-work; concern about privacy and “Orwellian” friction.
HN Infrastructure and Moderation Philosophy
- HN is described as using early-2000s-style tech with minimal upfront friction (no 2FA, light validation).
- Some argue that historically low spam implies an effective but not perfect spam filter plus active moderation.
- Others think the site was unprepared for such a crude, high-volume attack and should have had basic rate-limiting and pattern blocking ready.
Voting Integrity and Bot Abuse
- Users wonder whether similar bot activity could also manipulate upvotes.
- Examples are given of posts with many votes that never reach the front page, suggesting hidden anti-abuse mechanisms (e.g., detecting voting rings or ignoring certain accounts’ votes).
- Exact details of these defenses are unknown and intentionally opaque.
Attacker Motives and Quality of Spam
- Speculation ranges from a low-effort teenager/script-kiddie to someone just aiming for chaos rather than real marketing.
- Some note that more sophisticated, LLM-written spam could be far harder to detect; this incident is seen as very crude by comparison.