A quick fix for message-reflection attacks
The Chinese version follows the English version.
Recently, we became aware that some user-bots (bots that communicate with Telegram’s datacenter using user accounts) are launching message-reflection attacks that target verification bots. We have applied a quick fix, in version 2605.02, to reduce the effect of this inappropriate behaviour.
What’s happening?
According to the Telegram community, some spam users will use valid Telegram user accounts (instead of bot accounts and bot tokens) to target in-group bots (normal bots), including verification bots like Telegram Watchdog, and send a large number of irrelevant messages to the group.
Generally, those normal bots will respond to feature trigger commands, such as /start@somebot (with the bot’s actual @handle), in the group, which is the default behavior for most bot frameworks (including grammY). However, spammers have used this to mount a message-reflecting attack that mixes their spam messages with bots’ command responses.

Why do the attacks happen?
We assume that the spammers, a.k.a. attackers, are carrying out fatigue attacks against the groups. They try to wear group admins down and trick them into removing verification bots entirely from the group.
Telegram provides a small dialog for group moderators when mods wish to remove someone’s message from the group. This is useful to allow mods to remove all spam from a single account when that spammer floods the group with a large amount of spam.
![Screenshot of a Telegram group admin “Delete 1 Message” dialog with four checked options: Delete Message, Report Spam, Delete all from [username] (showing 2/2 with a dropdown arrow), and Ban User. A blue “Partially restrict this user” link and a blue “Done” button appear at the bottom of the dialog.](https://bear-images.sfo2.cdn.digitaloceanspaces.com/tgwatchdog-blog/14.webp)
We assume that spammers trigger the message-reflecting attacks to mix their spam with bot messages in order to trick moderators into removing verification bots with this dialog. Moderators may tick all options in this dialog and confirm without noticing. Then spammers can let spam bots join the group without any barriers.
In some cases, the message-reflecting attacks may distract moderators and group members and lead them to believe that the message-flooding attacks are being launched by normal bots.
What should I do if I am using Telegram Watchdog?
Since Telegram Watchdog requires the “Join Request” feature to work, no spam bots should be able to join your group under this attack. However, some group mods may accidentally remove Telegram Watchdog, which will prevent normal group members from verifying their identity and joining your group.
You can check if the Telegram Watchdog bot is still in your group and has proper moderation permissions. See this article to learn how to re-enable the guard feature in Telegram Watchdog.
After the quick check, you are good to go. Telegram Watchdog can now filter the /start command from the group and will no longer respond to it, avoiding message-reflection attacks. However, we still suggest that group mods set the “Who can send message?” option to “Only members” instead of “Everyone”, or unlink the channel from the group, to prevent future spam message floods.
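One way such a filter can be written, as an added example that is not Telegram Watchdog's own code (the post does not show how version 2605.02 implements it). It works on raw Bot API update objects; `BOT_HANDLE`, `PRIVATE_ONLY`, the function names and the sample updates are hypothetical and constructed for illustration.

```javascript
// Added example, not Telegram Watchdog's code. BOT_HANDLE, PRIVATE_ONLY and
// the function names are hypothetical; the update objects are constructed.
const BOT_HANDLE = "somebot"; // placeholder, as in /start@somebot above
const PRIVATE_ONLY = new Set(["start"]); // commands never answered in groups

// Return the command at the very start of a message, or null. Entity offsets
// and lengths are UTF-16 code units, which is also how JS strings index.
function parseCommand(message) {
  const entity = (message.entities ?? []).find(
    (e) => e.type === "bot_command" && e.offset === 0
  );
  if (!entity || typeof message.text !== "string") return null;
  const [name, target] = message.text.slice(1, entity.length).split("@");
  return { name: name.toLowerCase(), target: target ? target.toLowerCase() : null };
}

// Decide whether the bot may reply to this update.
function shouldRespond(update) {
  const message = update.message;
  if (!message) return false;
  const cmd = parseCommand(message);
  if (!cmd) return false;
  // Addressed to another bot: never ours to answer.
  if (cmd.target !== null && cmd.target !== BOT_HANDLE) return false;
  const inGroup = ["group", "supergroup"].includes(message.chat.type);
  // Drop /start in groups so it cannot be used to make the bot post replies.
  if (inGroup && PRIVATE_ONLY.has(cmd.name)) return false;
  return true;
}

// Build a constructed update whose first word is tagged as a bot_command.
function makeUpdate(chatType, text) {
  const first = text.split(" ")[0];
  const entities = first.startsWith("/")
    ? [{ type: "bot_command", offset: 0, length: first.length }]
    : [];
  return { message: { chat: { id: -1001, type: chatType }, text, entities } };
}

for (const [type, text] of [
  ["supergroup", "/start@somebot"], ["group", "/start"],
  ["private", "/start"], ["supergroup", "hello"],
]) {
  console.log(type, JSON.stringify(text), "->", shouldRespond(makeUpdate(type, text)));
}
```

In a grammY bot the same decision would sit in middleware ahead of the command handlers, so a dropped update never reaches the reply code.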

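Recently, we found that some user-bots (programs that communicate with Telegram’s servers using a Telegram user account rather than a bot account) are launching message-reflection attacks that target verification bots in groups. We have released version 2605.02, which applies a quick fix for this abnormal behavior.
What’s happening?
According to feedback from the Telegram community, some spammers use valid Telegram user accounts (rather than bot accounts and bot tokens) to attack normal bots in groups, including verification bots such as Telegram Watchdog, and send a large number of irrelevant messages to the group.
Normally, normal bots respond to feature trigger commands, such as /start@somebot (with the bot’s actual username), which is the default behavior of most bot frameworks (including grammY). However, spammers are exploiting this mechanism to launch message-reflection attacks that mix spam messages with the bots’ command responses.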

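Why do these attacks happen?
We suspect that spammers are launching fatigue attacks against groups, intending to wear group admins down until they remove verification bots from the group entirely.
Telegram provides group admins with a small dialog that appears when an admin wants to delete someone’s message, which makes it easy to clear all of a spammer’s messages at once after that spammer floods the group.
![Screenshot of a Telegram group admin “Delete 1 Message” dialog with four checked options: Delete Message, Report Spam, Delete all from [username] (showing 2/2 with a dropdown arrow), and Ban User. A blue “Partially restrict this user” link and a blue “Done” button appear at the bottom of the dialog.](https://bear-images.sfo2.cdn.digitaloceanspaces.com/tgwatchdog-blog/14.webp)
We suspect that spammers launch message-reflection attacks to mix spam messages with bot messages in order to induce admins to remove the verification bot as well through the dialog above. Admins may tick all the options and confirm without paying attention. Once the verification bot is removed, spam bots can join the group unimpeded.
In some cases, message-reflection attacks also distract admins and group members, leading them to believe that the flooding itself was launched by normal bots.
What should I do if I am using Telegram Watchdog?
Because Telegram Watchdog relies on the “Join Request” feature to work, spam users cannot join a group protected by Telegram Watchdog as long as admins do not actively approve them. However, some group admins may accidentally remove Telegram Watchdog, leaving normal members unable to complete verification and join the group.
You can check whether Telegram Watchdog is still in the group and confirm that it has the appropriate admin permissions. See this article to learn how to re-enable Telegram Watchdog in the group.
Once the checks above are done, everything will work normally. Telegram Watchdog can now filter the /start command in groups and no longer responds to it, avoiding message-reflection attacks. Nevertheless, we still recommend that group admins change the “Who can send message?” option from “Everyone” to “Only members”, or unlink the group from the channel, to avoid future spam message attacks.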
