denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)
Denise ([staff profile] denise) wrote in [site community profile] dw_maintenance2023-09-28 11:16 pm
  • Add Memory
  • Share This Entry

Continuing dispatches on the war against spam

A few days ago we let you know about spam prevention measures that we were taking to help stem some of the flood of garbage. One of those temporary measures included geoblocking all IPs from several of the countries that are our largest source of spam. This did (as we knew it inevitably would) have some collateral damage for real users, and we're very sorry!

We're continuing to experiment: this time we've slightly expanded the range of countries we're geoblocking to include the ones that we held off on geoblocking because it would affect too much legitimate use, but we've limited the geoblocking only to the account creation page. This should mean that if you were having trouble accessing the site because of geoblocks, you should be able to access 99% of the site without a problem, and the only page you won't be able to access is the account creation page. With luck, this should cut back heavily on our spam account creation without disrupting legitimate use of the site. The current list of countries that are geoblocked from account creation are Bangladesh, Cambodia, Egypt, India, Indonesia, Morocco, Pakistan, Singapore, Turkey, and Vietnam. (If you're an existing user from one of those countries and you'd like to make an additional account, email [email protected] with the username you'd like to register and we can register it for you. If the number of requests gets to be enough that it's taking up too much of our time, we may have to pause this until we can build automated exceptions, but we'll start there.)

We will continue to monitor the results of these experiments and adjust as necessary: when we do one of these experiments, we always make sure to define in advance what "too much interference with legitimate use" will look like, and we try very hard to stick to it. I apologize to everyone who's been collateral damage in our efforts to filter out more of the goddamn spammers.
Flat | Top-Level Comments Only
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-29 02:05 pm (UTC)(link)
1) We keep a regular eye on the hit rates of every access restriction we place, yes. It is very rarely that we can lift one once we place it, however.

2) It absolutely will not be faster than 24h turnaround; there's no way we can commit to that. The exact speed will depend on the volume and on how much admin time we claw back from spam handling. If that doesn't work for you, you can also use a VPN service to get an IP that geolocates outside of one of the blocked countries just for account creation, although VPN abuse is another one of our big issues right now and we have the "filter traffic from netblocks with bad reputations" filter with our DDoS provider turned up pretty high right now.

3) The account creation admin tool generates a random password that can't be emailed to you (it's impossible to extract an account's password: writing the password to the database is a one-way operation) and you will have to reset it once the account has been created through the normal password reset email workflow to a password of your choice.

4) Not easily technically possible, I'm afraid.

I know it sucks, and I'm sorry. We have been holding off on this step for a very long time, because we know it's disruptive. But we are absolutely drowning -- on a bad day our account creation volume is 80% spam and an average day is running around 60% -- and we need to take drastic steps in order to preserve the service for everyone.

[personal profile] qitian 2023-09-29 02:25 pm (UTC)(link)
1 + 2) That's what I expected, but it's good to have confirmation. I've been following your tweets and the site's updates regarding Dreamwidth's challenges with combating spam so I was aware of the VPN-related issues already, but I really appreciate you raising it as a possible solution and highlighting the issues associated with that. :)

3) I'm very glad to hear this actually; yay for protections to account access. So will the process look like this from the user's end?
I email support with usernames of accounts to be created → Some unspecified amount of time later, I receive emails that my accounts have been created and verified (i.e. just like I would have under the old process) → I do a password reset for those accounts via the usual process and change my password at that point

4) In that case, would it be possible to add a new FAQ on this topic? This is for the benefit of entirely new users to Dreamwidth / existing users from those countries who may not see this post and won't have a clue what's going on when they hit the 403 page.

I understand that this is a measure of last resort and implementing it was a difficult decision to make - I absolutely don't begrudge the team for doing this. Rather, I'm grateful to you all for not just the work put into keeping the site useable, but also for the consideration towards the userbase!
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-29 03:06 pm (UTC)(link)
3) Correct, that's what it will look like.

4) Someone who doesn't read [site community profile] dw_maintenance doesn't read the FAQs either :)

[personal profile] qitian 2023-09-29 03:21 pm (UTC)(link)
4) What if an existing user were to be away from the site for some time and missed this post? Not to mention new users who don't even know this community exists. I think it's reasonably fair to expect that someone who's trying to troubleshoot the 403 block would check the FAQ, and so some of the freed-up admin time ought to be allocated towards drafting a new FAQ.
mildred_of_midgard: (Default)

[personal profile] mildred_of_midgard 2023-09-29 03:51 pm (UTC)(link)
Seconding this. I spent years checking the FAQ before I started following this community.
octahedrite: elf girl with a slight smile (Default)

[personal profile] octahedrite 2023-09-29 04:50 pm (UTC)(link)

+1, it's unreasonable to expect a new user from a blocked country to dig through dw-maintenance. In fact, the sign-up flow instructions should be on the home page for those countries.

denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-29 06:59 pm (UTC)(link)
We'll document it once we have more than two hours of data from the test drive to see if it works, if we're keeping it, what we're changing (if any), etc: the FAQ is for permanent or very long term information, not for "we're trying this thing, it may work, it may not, we may change it back". But I will note that the reason we chose those particular countries is because the amount of legitimate usage from them is very, very low, and the vast majority of new account creation from them is overwhelmingly spam.
Flat | Top-Level Comments Only