Observing Malaysian Social Media

Emergence of Dedicated Spamming Apps in Malaysian Politics

In previous articles published on our blog we have described various spamming strategies used in Malaysian politics:

Some of these strategies are still in use today. Some key points about spam:

  • Spamming involves repeating the same tweet or retweeting another user’s tweet across one or more accounts within a certain time period.
  • Spamming is a violation of Twitter’s own rules for users (that you can read at https://support.twitter.com/articles/18311-the-twitter-rules ). They list various factors that determine spamming behaviour one of which is, “If you post duplicate content over multiple accounts or multiple duplicate updates on one account”. ‘Updates’ refer to tweets and retweets.
  • Spammer accounts are identifiable via their behaviour on Twitter e.g. follower/following relationships; timeline content; tweet timestamp patterns. Tweet frequency, repetition and collaborative behaviour are the main traits we look for.
  • Twitter accounts are being used for personal use and spamming. This lends the appearance of a normal human Twitter user for anyone looking at their timeline and a denial when accused of sending spam.
  • Some Twitter accounts are dedicated to spamming and have no personal messages of any kind.
  • Some Twitter accounts have a block of spam in their timeline but otherwise appear normal. This means they only spammed tweets briefly. It is possible their login credentials were being used without their knowledge.
  • Spamming does not always involve automation via applications. Humans using mobile devices to repeatedly send identical messages across multiple accounts can still be identified.
  • It takes a computerised system to analyse and identify these users and their tweets and categorise spam.

Developing spam detection systems is necessary for us due to the frequent use of spam in Malaysian politics. Spammers who retweet other tweets are problematic for 4 main reasons:

  • They increase the retweet counter for the tweet, making people believe that tweet was popular
  • By retweeting instead of tweeting, users who are searching on a keyword or hashtag won’t see the spamming accounts. This means people who use Twitter won’t discover this activity unless they happen to find the spammer in the list of recent retweeting users for the tweet.
  • The retweet counter is not guaranteed to decrease if the spammer is suspended or deleted.
  • It is harder to prove to non-technical users that the account is a spammer. Direct links to the spammer’s tweet will redirect to the tweet that they retweeted, which is a detail they may overlook. The best way to show evidence to the public is for them to visit the spammer’s timeline and judge for themselves.

All timestamps used in this article have been adjusted for the UTC+8 time zone.

1. Festival Belia Putrajaya (#FBP2015)

During the #FBP2015 event on May 24th 2015 we noticed a pattern in the tweets-per-minute for the hashtag that indicated automation. The graph below shows that pattern for mentions of #FBP2015.


A normal activity graph would have a mix of increasing and decreasing levels instead of being dominated by spikes. Hills and valleys would show up in the graph as tweets are retweeted throughout the network and other users join the conversation.

For comparison, here is a graph showing #RakyatHakimNegara tweets on October 28th last year:


Notice that some of the spikes were spam. Spikes in tweets-per-minute graphs are an indicator of suspicious behaviour, which is something social media analysts need to look out for.

By looking at the most common applications used, we can discover spamming applications. The lists below show the top applications ranked by number of tweets (high to low)

Top applications used to tweet #FBP2015, May 24th 2015:

  1. Sambal ABC
  2. TweetDeck
  3. Twitter for Android
  4. IFTTT
  5. Twitter for iPhone

Top applications used to tweet #RakyatHakimNegara, Oct 28th 2014:

  1. Twitter for Android
  2. Twitter for iPhone
  3. Twitter Web Client
  4. TweetDeck
  5. TweetCaster for Android

TweetDeck and IFTTT are common applications used by spammers, but Sambal ABC is something new to us. So we investigated the content that was being tweeted using that application from May 23rd – 24th using the hashtag #FBP2015.

What we found were retweets of specific tweets by the following users:

  • @OfficialVyrec
  • @FestivalBeliaMy
  • @KayAzlee
  • @CikkMyraa
  • @anwaralias
  • @RTM_Malaysia
  • @Malaysia_Latest
  • @festivalbelia15
  • @bruno_desmond
  • @Munirahhh94

These retweets were done in bursts, resulting in spikes for the related tweet.

Example 1


The graph above shows the retweets-per-minute for a single tweet by @OfficialVyrec (https://twitter.com/OfficialVyrec/status/602311546979495936), divided by different categories:

  • Non-Spam tweets (also does not include TweetDeck and Sambal ABC)
  • Tweets using TweetDeck (spam and non-spam)
  • Tweets using Sambal ABC (spam and non-spam)

The timeline is:

  • Initial tweet by @OfficialVyrec sent by Android at 11:13:57 AM
  • At 11:14:27 AM it is retweeted by 31 TweetDeck users at the same second
  • Starting at 22:52 PM, 594 retweets were made within 5 minutes using Sambal ABC
  • No other retweets were made using TweetDeck during the day

Example 2


The graph above shows the retweets-per-minute for a single tweet by @RTM_Malaysia (https://twitter.com/RTM_Malaysia/status/602334027085905920).

The timeline is:

  • Initial tweet by @RTM_Malaysia sent by Instagram at 12:43:17 PM.
  • At 13:20:00 PM it is retweeted by 32 Tweetdeck users at the same second.

Subsequently at 13:23 PM 217 users start retweeting within 2 minutes using Sambal ABC.

Example 3


The graph above shows the retweets-per-minute for a single tweet by @OfficialVyrec (https://twitter.com/OfficialVyrec/status/602392809279107072).

The timeline is:

  • Initial tweet by @OfficialVyrec sent by Android at 16:36:52 PM
  • At 16:37:16 PM it is retweeted by 31 TweetDeck users at the same second
  • From 16:37:33 PM – 16:40:29 PM it is retweeted by 4 users using mobile phones
  • Starting at 16:40:49 PM, 217 retweets were made within 3 minutes using Sambal ABC
  • Starting at 22:38:07 PM, 376 retweets were made within 3 minutes using Sambal ABC

Example 4


The graph above shows the retweets-per-minute for a single tweet by @FestivalBeliaMy (https://twitter.com/FestivalBeliaMy/status/601956290785587200).

The timeline is:

  • Initial tweet by @FestivalBeliaMy sent by TweetDeck at 11:42:18 AM on May 23rd
  • At 11:42:32 AM it is retweeted by 5 TweetDeck users at the same second
  • From 11:59:20 AM – 12:01:32 PM, 315 retweets were made using an application called ‘Sosial Media Berita’ (not shown in graph)
  • Starting at 23:18:32 PM, 594 retweets were made within 5 minutes using Sambal ABC

These examples show that Sambal ABC users are engaging in suspicious behaviour. Thanks to this investigation we also discovered another application called ‘Sosial Media Berita’.

We would like to point out that not all TweetDeck users are spammers. But by isolating their usage in these graphs we are pointing out the possibility that most of the accounts used to retweet in the same second might be spammers. It is very odd that users of a specific app would only tweet at specific times in unison.

2. Investigating Sambal ABC

The earliest usage of Sambal ABC in our database of socio-political tweets for 2015 was April 29th 2015. It was used to retweet the following tweet by @shaberyc (https://twitter.com/shaberyc/status/593005170335711232):


Many of the accounts used have already been suspended by Twitter. 582 retweets were made from 1.16 PM – 1.20 PM on April 29th – the day after the original tweet was sent (6.53 PM April 28th).

Between April – May, Sambal ABC was used exclusively to retweet tweets by the following users, in order of first appearance:

  • @shaberyc
  • @KayAzlee
  • @bernamadotcom
  • @saidosem
  • @ZonaBeritaID
  • @JapenMelaka
  • @KBSMalaysia
  • @OfficialVyrec
  • @CikkMyraa
  • @FestivalBeliaMy
  • @Munirahhh94
  • @Malaysia_Latest
  • @elinatiew
  • @anwaralias
  • @RTM_Malaysia
  • @festivalbelia15
  • @bruno_desmond

The description of the Sambal ABC application lists sambalabc.com as the application website. However a check at the URL shows a broken website with no indication that it is a Twitter application:


It is possible that the website listed in the application description is a form of misdirection. A check with who.is lists someone named ‘Caroline Wijono’ as the domain owner with no further details.


When we look at the profiles of the accounts using Sambal ABC, there is a trend of Indonesian locations being used for those that listed their location. We have summarised it in the word cloud below, where font size is based on frequency of use (high frequency = large font):


Repetition is present in profile images used by the Sambal ABC users, though not as frequently as the ones used in #Merdeka55 in 2012. A sample of users is shown below:


Looking at the timelines of many users, we found them currently dedicated to retweeting other tweets. One common type of tweet being retweeted was tweets offering followers for sale. When we looked at the accounts’ historical tweets we found them using another application called LTweet.

3. Investigating Retweets

Because Khairy Jamaluddin was frequently mentioned using Sambal ABC, we decided to take a look at @KhairyKJ’s most retweeted tweets to see if the application was used to retweet him.

We have data going back to 2010. The graph below shows the daily retweet count for @KhairyKJ for the last 5 years.


The most-retweeted tweet occurred on July 16th 2014. This is the graph for that tweet (https://twitter.com/Khairykj/status/489387161108484097):


From the shape of the graph and the applications used, it is clear that any spam present did not impact the retweet count in a significant way. This is an example of a normal retweet pattern.

Here is a graph showing retweets-per-minute for @KhairyKJ for 2015:


When looking at the most retweeted tweet on March 27th (https://twitter.com/Khairykj/status/581322127028150272) we found this pattern in the graph:


The timeline is:

  • Initial tweet by @KhairyKJ sent via Facebook at 13:09:30 PM
  • It is then retweeted by a number of Android and iPhone users
  • At 21:05:52 PM it is retweeted by 30 TweetDeck users within 3 seconds
  • From 21:32:43 PM – 21:41:09 PM, 1122 retweets were made using an application called ‘Line – Login’ (which we will refer to as Line.me, the registered website for the application)

The top applications are Line.me and TweetDeck. We have not noticed Line.me before, so this is another application to investigate.

Following this discovery, we took a look at retweets mentioning #FitMalaysia in September 2014. We came across this pattern:


Again there are spikes. These are the top applications used to retweet #FitMalaysia tweets from September 6th – 7th 2014:

  1. Path
  2. Twitter for Android
  3. Twitter for iPhone
  4. TweetDeck
  5. Twitter Web Client

Upon investigating tweets sent using Path we came across this retweet pattern for a tweet by @shaberyc (https://twitter.com/shaberyc/status/508061600121499648):


The timeline is:

  • Initial tweet by @shaberyc sent via Android at 9:18:19 AM
  • It is then retweeted by a number of Android and iPhone users
  • At 9:24:05 AM it is retweeted by 30 TweetDeck users within 4 seconds
  • From 9:26:48 AM – 9:30:01 AM, 475 retweets were made using Path
  • From 9:38 AM – 9:43 AM, 906 retweets were made using Path
  • From 10:13 AM – 10:18 AM, 727 retweets were made using Path

Path (registered website: path.com) is a private social networking service that allows users to post content on both Path and Twitter, as well as allowing users to give applications control over their Path account. However we are not sure how Path could be automated to retweet tweets. Like TweetDeck, Path may have been misused to spam retweets.

4. Investigating Line.me

Based on the data that we have for 2015, Line.me was used to retweet tweets by the following users in March 2015:

  • @KayAzlee
  • @Shaberyc
  • @Ibdil
  • @501Awani
  • @KhairyKJ

The retweets had similar block tweets-per-minute patterns. We could find no other usage of Line.me to send tweets.

However apart from @KhairyKJ we do not monitor these users and do not know how long the application continued to be used or when it first started being used in Malaysian politics. The only reason the users listed above showed up in our database was because of mentions of politicians and certain keywords.

While examining some of the accounts used to spam retweets, we found that spamming activities stopped in early April.

Like the Sambal ABC users, many Line.me users list Indonesian locations in their profile. This is shown in the word cloud below:


Other than the location in their profiles, the Line.me users are noticeably different from the Sambal ABC users:

  • Their recent tweets look like real people, for those accounts that are still tweeting
  • Some accounts had none of the spam retweets. This indicates they did a clean-up of their timeline.
  • The ones who did not do a clean-up had similar/identical sets of retweets advertising followers for sale as well as gay porn imagery. There was no gay porn in the Sambal ABC content that we saw.
  • There is enough variety in the account creation dates to imply that they were created by individuals.
  • Many of them have since changed their profile images, making the image URLs from their March tweets inaccessible. A sample of users is shown below:


We can conclude that these users may have had their accounts hacked or allowed an application access to their account, which subsequently used their credentials for spamming. It is also possible that these users knowingly signed up to be part of a spamming service.

As with Sambal ABC, the owners of the line.me website might not be responsible for this spam.

5. Investigating Path

Based on the data that we have since June 2014, Path was used to retweet tweets by the following users from August 2014 – September 2014:

  • @Merdeka1957
  • @KayAzlee
  • @bernamaradio24
  • @Shaberyc
  • @saidosem
  • @ShahTwenty
  • @PengkalanKubor
  • @nusabangsa
  • @AfrizNoor

The retweets had similar block tweets-per-minute patterns. We do not monitor these users so we cannot check how often Path was used to retweet their tweets.

While examining some of the accounts used to spam retweets, we found a lot in common with Line.me users. Accounts that have recent tweets appear to be used by real people, and some have done a clean-up of their timeline. Many have been suspended or have been inactive since October. We saw no gay porn in their content, though some of it was of an adult nature.

Like the other application users, many Path users list Indonesian locations in their profile. This is shown in the word cloud below:


We did find non-political tweets sent using Path on other dates that did not resemble spam. However none of them were retweets. At the moment we have to assume that not all Path tweets or retweets are spam, but it is an application that can be misused.

6. Investigating Sosial Media Berita

Based on the data that we have for 2015, Sosial Media Berita was only used to retweet one tweet by @FestivalBeliaMy, as shown earlier in this article. That means it has not been used to spam the politicians that we track.

The registered website for the application is sosmedberita.com which is an inactive domain.

Like the other applications, Sosial Media Berita users also retweeted tweets that advertise followers for sale. They also retweeted tweets containing gay porn imagery. Indonesian locations were the most commonly listed in their profiles:


However some of the accounts that we examined also tweeted out personal tweets. Whether they were aware that their accounts were being used to spam is unknown.

7. Investigating LTweet

Based on the data that we have, LTweet was used to retweet 2 tweets from @ahmadmaslan and @shaberyc on April 27th 2015 for a combined total of 1556 retweets.

The registered website for the application is ltweet.com which has an invalid security certificate and only shows a login screen.

Like the other applications, LTweet users also retweeted tweets that advertise followers for sale. There was no gay porn in the content we saw. Again we find Indonesian locations were the most commonly listed in their profiles:



8. #FBP2015 User Network Analysis

We ran a deep analysis of users tweeting about #FBP2015. This was to determine how users were connected to each other based on their profile details, including their followers.

What we found was that users of Sambal ABC were so well-connected that they formed their own community.


This network diagram shows how users tweeting about #FBP2015 were connected. Each user is represented as a node (circle). This analysis resulted in 3 distinct groups – the red cluster on the right containing users of Sambal ABC application, the blue cluster on the left containing users of other apps, and a handful of users connecting the 2 groups.

This means all the Sambal ABC users were related to each other, unlike Android, iPhone, TweetDeck etc. users that ended up in the blue cluster and in-between both clusters. This cannot be a coincidence and is a picture of what spammer networks look like on Twitter.

The isolation and interconnectivity of the Sambal ABC users indicate that they have a shared audience. This shows how ineffective their retweets were at reaching a wide market.

9. The Effect of Filtering Spam

Before filtering spam, this is what the conversation network graph for #FBP2015 looked like for May 24th:



Each user is represented by a node (circle) that is coloured based on the number of their tweets that were retweeted and the number of tweets sent to them. The more attention they receive, the larger the node. Any node that retweets another node or tweets to another node is connected.

Nodes are positioned based on their connections to other nodes – strong connections pull them closer to form a cluster. Large nodes are considered influential within the network. We have coloured the nodes based on a scale of blue (least influential) to green; yellow; orange; red; and purple (most influential).

These are the top 10 users based on their retweets and tweets received:

  1. @officialvyrec
  2. @festivalbeliamy
  3. @kayazlee
  4. @munirahhh94
  5. @cikkmyraa
  6. @fbp2015
  7. @baisgbsgr
  8. @malaysia_latest
  9. @elinatiew
  10. @khairykj

After filtering spam, this is what the graph looks like:


The top 10 users are now:

  1. @officialvyrec
  2. @festivalbeliamy
  3. @munirahhh94
  4. @baisgbsgr
  5. @fbp2015
  6. @khairykj
  7. @hotfm976
  8. @arifadenan
  9. @malaysia_latest
  10. @adelihussin

Our spam filtering system is not perfect, so it is possible that some spammers remain. However this comparison is enough to show how popularity can be manipulated by spamming retweets.

Here is a side-by-side comparison of both networks.


10. Conclusion

When we announced the presence of spam in #FBP2015 and the use of spamming services to increase retweets, some people were confused. They believed we were making an allegation against the organiser. We were referring to the hashtag, and the fact is nobody controls how a hashtag is used on Twitter.

Our position has been very consistent when talking about spam – we have never alleged that the persons being mentioned, targeted or retweeted are responsible for the spammers. Spamming activities by users is only evidence that the users are spammers – not the persons being mentioned; or an event organiser using the hashtag.

Automated retweeting and tweeting can be useful to give an automated account the appearance of a real person. However the timing of the retweets and the similar timelines of the accounts using the applications lead us to believe that many of these accounts are involved in a spamming service. The persons responsible remain a mystery.

The use of spamming services to increase retweets creates a number of problems:

  • Tweets get a wide reach, but in the wrong market
    • The tweet is seen by the spammer’s followers, who are likely fellow spammers and in the worst case, fully automated bots.
    • For users involved in Malaysian politics, ideally they would want their tweet retweeted mostly by users in Malaysia and not users based in Indonesia.
  • False achievement
    • The owner of the account being retweeted will believe they are popular
    • Social Media agencies that are hired to hit certain retweet/mention targets; or receive bonuses if mentions/retweets cross a certain margin stand to benefit from spamming services
    • Social Media rankings prepared by companies will see their lists of ‘Most mentioned’ and ‘Most retweeted’ affected
  • Bad research data
    • Social media analysts will get a false impression of what content resonates with their expected audience.
    • For the account owner, this can prompt them to create similar content, thinking it will ‘go viral’ in the same way. The same can be said of their competitors and market researchers within the same industry. Everyone will get the wrong idea of what content resonates with human users.


In this article we have exposed the use of 5 applications used to spam retweets:

  1. Sambal ABC
  2. Line.me
  3. Path
  4. Sosial Media Berita
  5. LTweet

Further checks on top applications used to retweet @KhairyKJ from January – May 24th 2015 revealed that Line.me was only used once. No other unknown applications were being used to spam retweet his tweets on a large scale during this period. However his @mentions statistic has been manipulated by Sambal ABC users.

We also ran checks on Najib Razak, Anwar Ibrahim and Nurul Izzah and found no indication of unknown applications used to retweet their tweets on a large scale in 2015. However such applications may have been used in previous years or on other politicians’ tweets.

If you own a business running a campaign on Twitter, here is a simple approach to protect yourself from being manipulated by others:

  • Use a system that lists the top sources for your mentions and retweets
  • Take note of any applications that you have not seen before
  • Check the tweet patterns and timelines of suspicious accounts involved
  • Judge for yourself if it is spam

We will be submitting a report to Twitter on Sambal ABC and Sosial Media Berita so they can conduct their own investigation.

What follows are appendices listing screenshots and links to accounts using some of the applications named.

Appendix 1 – Screen captures of accounts


Above is a set of screen captures for @dndy1476316iht, @dndy1684715iht and @dndy1855567iht. These are Sambal ABC users.

Notice their timelines are almost identical. Below the black line are the #FBP2015 tweets that they retweeted.

Other accounts with the same name (Onistef Friend) and similar timelines, also retweeting the #FBP2015 tweets at the same time:









Another sample of a Sambal ABC user:


Here are sample timelines from Line.me users:





Here are sample timelines from Path users that we found:





Here are sample timelines from LTweet.com users that we found:



Appendix 2 – User account listings

This appendix contains samples of accounts using the applications mentioned.

The following 50 accounts were used to retweet #FBP2015 tweets using Sambal ABC.

The following 10 accounts were used to spam retweets using Line.me in March. Please be warned there may be gay pornographic images in their timeline. As we stated before, many Line.me users appear to be using their accounts personally and no longer spam tweets since April. They may have already cleaned up their timelines.











The following 5 accounts were used to make retweets using Path in 2014:







Written by politweet

June 1, 2015 at 12:51 pm

%d bloggers like this: