The techniques discussed in this article are widely-known in security circles, and have been public for years. I talked about something similar in my 2014 article, Troll Hunter.
In Part 1, I mentioned that I had uncovered someone with a forum name of “julio schwartz” (as far as I know not a real name) with 100 other sock puppets at Birther Report. Birthers make claims about sock puppets but usually they don’t know what they are talking about. I do.
Birther Report is a Blogger blog with the Intense Debate commenting plug-in. If I recall correctly, when a comment goes into moderation, the site administrator is informed in an email of the email and IP address of the commenter in moderation and in this case there is a chance the admin might see an email address initially (but can’t go back and look at historical information). The Intense Debate admin information is not a general solution to identifying sock puppets, and its use is restricted to site administrators.
The typical post of “julio schwartz” is a short comment under a name one has never seen before. Here’s an example (click on the image to view at Birther Report):
At first glance, there’s not much here. The avatar is generic, but looks can be deceiving. A right-click on the avatar using the Chrome browser gives a “Copy image location” option, a link to a generic avatar image, only it’s not a generic URL:
The interesting bit is “00b80594cd9c492a6af64b238119fea9.” Let’s examine another BR sock puppet candidate:
The URL for that avatar is identical to the one before. What’s going on?
Intense Debate and a lot of other web sites, including this one, manage avatars through a service called Gravatar. The blog or forum creates an encrypted hash (or digest) that it embeds in its comment pages. The URL goes to Gravatar and Gravatar sends the image to the web browser.
If you have an email address registered with Gravatar, as I do, then the avatar returned is one selected by the email owner. In other cases Gravatar makes one up or sometimes the “mystery man” image is returned.
What we are seeing in these URLs is an encrypted hash of the email address that “julio schwartz” gave Birther Report when posting comments, an address constant across all of the hundred or more sock puppets. Not only is the cryptographic hash constant across comments at Birther Report; it is constant across all web sites where the same avatar system and email address is used. (Not all avatars at Birther Report have MD5 hashes, in particular not those using Facebook logins.)
The hashing algorithm is called MD5. Because the email address is encrypted, you can’t see the actual email address itself, but you do know when two are the same.
In the end, after removing “julio schwartz,” I had 225 forum names with internal matches. It looks like the vast majority of those are just people using parts of their real name and switching to an alias later. I have since deleted my “julio schwartz” sock puppet list, and I had to scramble to find the examples for this article, but at one time I spent quite a lot of time right-clicking on avatars at Birther Report.