Plugins: Mask of Many Faces

There’s a term we use a lot in WordPress forum/plugin work, called Sock Puppets. That’s what we call an account someone makes with the intent of disguising who they are, usually to troll or for some other nefarious purpose. For plugin reviews in particular, the sock puppets are generally used to make fake reviews. Specifically they make a bunch of fake accounts to make five-star reviews for their own plugin.

While there is a claim that people use sock-puppets to leave one-star reviews for other plugins, that’s really not common. In fact, I only remember three times, and all three ended with banned companies. It’s not worth it. We’re a lot more kind if you make fake reviews for yourself, than if you do it to hurt others.

Fake reviews are a huge issue everywhere. Amazon and Apple have zero tolerance on them, and will punt you if you do it. On WordPress, I tried to be gentler and I would regularly warn people we caught them, please stop it, and we removed the reviews. If it happened a second time, their accounts were suspended until they replied to confirm they understood. The next step was the final warning (any non-security issues will result in a ban), and after that I would punt.

Friends or Puppets?

One day a trio of plugin developers reviewed each other’s plugins. They specifically made fake accounts to do it. They were caught and admonished. They each replied in pretty thoughtless ways:

  1. Replied 4 times, one saying they were all roommates, and said ‘god sees all’ (Zorro)
  2. Replied that he was thinking about quitting WP (Doug)
  3. Replied about bathing (Wally)

All names are fake. And no, I’m not kidding about Wally:

Stop brushing and bathing.

A lot of viruses when will destroy you, then you will understand the importance of cleaning your body and mind.

Your behaviour is abnormal. You are doing wrong use of technology made by others.

Wally via email to Plugins

Wally got the insta-ban because that one is off the wall weird and generally a good indication of trouble. I usually wouldn’t post the whole email but that one is pretty choice and hard to explain otherwise.

After being banned, Wally said he was happy to leave, that ‘we’ were idiots, he wished that we would lose our jobs and have to beg so people would treat us badly. I got treated badly while I was being paid. Does that mean I win? He ended up saying this:

May WordPress get a virus similar to Coronavirus and all of you die under debts and people like you who interfere with others lives beggars for people like me and in return I will not put a paise in your begging hands.

Wally via email to Plugins

Props for the capital P in WordPress.

After jokingly calling this a soap-puppet, I figured it was done. But then…

All For Ban, Ban For All

Zorro replied to Wally’s email. You read that right. Zorro emailed a reply from his email address and so did Doug. Same email address. Zorro made more comments about God, Doug claimed he had friends in WordPress and I should watch my step.

Be careful, you may be hurt harder than you expect and at places where you do not expect.

Doug via email to Plugins

While it is possible that Wally shared the email around, Occam’s Razor is pretty sharp here. They were all the same person. Three accounts, three separate plugins, a bunch of reviews. And the fact that they all replied in minutes is pretty damning.

In the end, all three were banned, but only Zorro emailed the Password Reset folks asking why his account was disabled. He offered a bribe:

I would like to make donation in your account if you restore my WordPress account and plugins.

You may send me any guidelines.

Once my plugin start generating income again I will be able to send you 50 dollars monthly for cooperation from your side.

Zorro via email to Password Resets

The reset folks said ‘Nope.’ and that should have been that.

It’s Never Over

The story doesn’t end there, and I have to backtrack.

Previously, before they were banned, I wasn’t quite sure they were all the same person. Three friends making puppets together isn’t new, so I laid a trap. This does not make me a great person, I know, but it’s important to be sure. And my trap was pretty benign.

Each account got a slightly different email about fake reviews. I’ve done this before with good results, because usually people slip up and reply with the wrong email. It’s harder than it looks to be note-perfect with multiple accounts, which is why it’s not worth the time. In this instance, it panned out perfectly as a fourth account, Soren, replied to Zorro’s email!

Bingo. That’s what I needed, and I banned all four telling them why. I did not cc them on the same email just in case I was wrong. I didn’t want to leak private data. At that point, they all replied with pretty nasty stuff about gods and bathing (what the hell? I shower every day!).
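The trap described above can be sketched as follows; this is an added example, not the author's checker or any WordPress.org code. It assumes the per-account difference is a keyed reference token that survives in the quoted reply, and every address, the key and the function names are constructed for illustration.

```python
import hashlib, hmac, re
from email import message_from_string
from email.utils import parseaddr

SECRET = b"constructed-demo-key"   # assumption: known only to the review team
TOKEN_RE = re.compile(r"Ref: ([0-9a-f]{12})")

def token_for(address):
    """Per-recipient marker; keyed so one recipient cannot compute another's."""
    mac = hmac.new(SECRET, address.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:12]

def notice_for(address):
    return f"We removed reviews that appear to be fake.\nRef: {token_for(address)}\n"

def cluster(recipients, raw_replies):
    """Group addresses linked by a reply that quotes someone else's notice."""
    owner = {token_for(a): a.lower() for a in recipients}
    parent = {}
    def find(x):                              # union-find with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for raw in raw_replies:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        body = msg.get_payload()
        if not sender or not isinstance(body, str):
            continue                          # malformed or multipart: skipped here
        for tok in TOKEN_RE.findall(body):
            target = owner.get(tok)
            if target and target != sender:   # replied to a notice sent elsewhere
                parent[find(sender)] = find(target)
    groups = {}
    for addr in list(parent):
        groups.setdefault(find(addr), set()).add(addr)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def quote(text):
    return "".join("> " + line + "\n" for line in text.splitlines())

# Constructed sample: pseudonyms from the post, addresses invented.
RECIPIENTS = ["zorro@example.test", "aaron@example.test", "honest@example.test"]
REPLIES = [
    f"From: Soren <soren@example.test>\n\nWhy?\n{quote(notice_for('zorro@example.test'))}",
    f"From: derek@example.test\n\nNot me.\n{quote(notice_for('aaron@example.test'))}",
    f"From: honest@example.test\n\nSorry.\n{quote(notice_for('honest@example.test'))}",
]

if __name__ == "__main__":
    print(cluster(RECIPIENTS, REPLIES))
```

A reply from the address the notice was actually sent to links nothing, so an account that answers its own email never ends up in a cluster.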

Enter Aaron. He submitted code that linked back to Zorro and Soren’s website. In fact, it linked back to one of Zorro’s plugins! I banned Aaron and repeated the end of the original ban email, which says not to make more accounts or WordPress.org will have to take stricter measures that could hurt others (IP bans etc).

Aaron didn’t reply. Another person, Derek, did. If you’re keeping track, this is the 6th account, and Derek said that he didn’t know who Zorro was, but Aaron (the account he was replying for) worked upstairs for a separate company.

Gif of David, from "Schitt's Creek" saying "What the actual f*ck?"

Who The Hell Is Whom?

At this point, we have three people who (purportedly) live together (Zorro, Doug, and Wally) and all their plugins cited Zorro’s website. We also have Soren, who replied to Zorro’s email, and Aaron who submitted another plugin linked back to Zorro. Finally we have Derek, who replied to Aaron’s email saying he didn’t work with Aaron.

Why did Derek reply to an email sent to Aaron?

This, my gentle readers, is why having multiple accounts is a shit-show and not worth it. You’re going to screw up and reply with the wrong ones. When you do, you will pay the price. It’s better to just be yourself and be honest. And preferably not an asshole.

Derek’s email went on to cite some things from Zorro (about gods), Wally (bathing and viruses, again!), and Doug (threats). I did not reply, I filed the email as blocked and ignored it. Derek replied again with basically “you can’t kick me out, I’m leaving!” … Except we already had kicked him out.

He added we sucked at communication and we were suckers and idiots he didn’t want to work with.

Signed Zorro.

From here on out, I will always use ‘Zorro’ for his name. I’m pretty sure everyone was Zorro anyway.

Of Course He Kept On

Normally if you tell folks you’re leaving, you actually … leave. Right? Zorro didn’t. Every day for half a month he made new accounts and submitted plugins. He was really stupid about it, too. I mean, they all had the same naming convention and if there’s one thing I’m really gifted at, it’s pattern recognition.

I had just finished my first pass of my shell-script plugin checker, so I used this opportunity to write a complex set of checks for them, using Zorro’s ‘tells.’ This is why that work is complicated to make public: it tracks why a plugin cannot be hosted, and outs the person as the reason why. I don’t want the evil populace to know how I’m catching them. And catch I did.

Finally, Zorro emailed with a new story (and new email). Zorro’s new story was that his ‘accounts’ were hacked.

Our accounts were hacked. All the emails linked to company were of multiple students who come here to learn WordPress free of cost. We provide emails to them, so that we can use their published plugins as part of project so that we can monitize it.

Zorro via email to Plugins

That last sentence threw me for a loop. To monetize? They meant the plan was to funnel people to their company as a free-to-premium flow. Sure, a lot of people do that, but Zorro just said he intentionally used multiple accounts to own multiple plugins to funnel users to pay them. So you know, basic deception where multiple accounts are hiding who they are. Right. Not okay.

We are never going to stop publishing plugins, we can change IP address, we can ask students to use their own network to publish plugins, use different emails. We can relocate to different location if we do not generate income here. You can not stop us from what we are doing.

Zorro via email to Plugins

This kind of rant continued (along with how evil we are, blah blah) when Zorro stepped up the impersonation from the Wally email:

An email that reads "You are terminated from your job on WordPress and is not allowed to work here anymore. Regards, Matt Mullenweg."

Again, props for using capital P, but yeah, totally. That’s how Matt would do it. I think he has my phone number actually … I know he has my address after that August surprise.

It Kept Going

From May to August, this shit kept going. Eventually I figured out the regex to catch and close the emails automatically, and I built out the scanner to catch ’em faster. Zorro sporadically popped up now and then, making a total of 17 separate accounts by the end of that year.

Once in a while that year I would catch another email from “Matt” firing me, and it was always good for a chuckle.
