denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)
Denise ([staff profile] denise) wrote in [site community profile] dw_maintenance2023-09-28 11:16 pm
  • Add Memory
  • Share This Entry

Continuing dispatches on the war against spam

A few days ago we let you know about spam prevention measures that we were taking to help stem some of the flood of garbage. One of those temporary measures included geoblocking all IPs from several of the countries that are our largest source of spam. This did (as we knew it inevitably would) have some collateral damage for real users, and we're very sorry!

We're continuing to experiment: this time we've slightly expanded the range of countries we're geoblocking to include the ones that we held off on geoblocking because it would affect too much legitimate use, but we've limited the geoblocking only to the account creation page. This should mean that if you were having trouble accessing the site because of geoblocks, you should be able to access 99% of the site without a problem, and the only page you won't be able to access is the account creation page. With luck, this should cut back heavily on our spam account creation without disrupting legitimate use of the site. The current list of countries that are geoblocked from account creation are Bangladesh, Cambodia, Egypt, India, Indonesia, Morocco, Pakistan, Singapore, Turkey, and Vietnam. (If you're an existing user from one of those countries and you'd like to make an additional account, email [email protected] with the username you'd like to register and we can register it for you. If the number of requests gets to be enough that it's taking up too much of our time, we may have to pause this until we can build automated exceptions, but we'll start there.)

We will continue to monitor the results of these experiments and adjust as necessary: when we do one of these experiments, we always make sure to define in advance what "too much interference with legitimate use" will look like, and we try very hard to stick to it. I apologize to everyone who's been collateral damage in our efforts to filter out more of the goddamn spammers.

Page 1 of 5

Threaded | Top-Level Comments Only
dennisgorelik: 2020-06-13 in my home office (Default)

[personal profile] dennisgorelik 2023-09-29 03:55 am (UTC)(link)
Why do you geoblock the whole countries?
Isn't blocking individual abusing IP networks sufficient to mostly eliminate spam?
thatwasjustadream: (Default)

[personal profile] thatwasjustadream 2023-09-29 05:08 am (UTC)(link)
I managed spam posts on a web site for years. In the end, we had to remove commenting because it was impossible to keep up. User blocking was a joke. IP blocking didn't really touch the problem, either. Am sharing that to say I understand how hard it is. I think I'm still a little scarred from all the cr*p I read in the deleted comment files all those years. :\

I hope you can find the right formula, and I'm sure people will (should) understand. This is not an easy problem to manage.
Edited 2023-09-29 05:09 (UTC)
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-29 05:17 am (UTC)(link)
That's been our tactic for quite some time, but it isn't enough anymore. It's not individual netblocks that are the issue: the major spam factories have custom software that rotates their connections through multiple networks (and through multiple browser builds, to avoid browser-based fingerprinting) after every new account in order to evade automated blocking and detection. The big social media properties can afford to have engineers working full time on adapting to the tactics they're using, but we can't; geoblocking is the next tool we have available in the arsenal (for this particular problem; there are about six running concurrently) that has the least interference with legitimate use over the more invasive options.
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-29 05:19 am (UTC)(link)
It's gotten so, so much worse lately, too. We had the spam percentage down to a good 20-30% for a while but they keep adapting, and now we're back up to 80% on a bad day and hitting 60% regularly. I feel like Sisyphus pushing a rock up a hill most days, sigh.
thatwasjustadream: (Default)

[personal profile] thatwasjustadream 2023-09-29 05:27 am (UTC)(link)
Ugh. :| I hear that. I hope the new measures help.
shadowbliss: (Default)

[personal profile] shadowbliss 2023-09-29 05:41 am (UTC)(link)
Thank you for all you do Denise
tornir: A silhouette of a horned viking helmet in a red circled prohibition sign. (No Spam)

"They're coming in too fast!"

[personal profile] tornir 2023-09-29 06:04 am (UTC)(link)
Han Solo shooting at tins of SPAM from the Millennium Falcon

Been there, done that, got the userpic. :P
Thanks for all your hard work. :)
dylan_mx: (dust*ash)

[personal profile] dylan_mx 2023-09-29 08:26 am (UTC)(link)
thanks for the hard work! It's much appreciated!
dennisgorelik: 2020-06-13 in my home office (Default)

[personal profile] dennisgorelik 2023-09-29 11:12 am (UTC)(link)
1) How do spam networks get access to IP networks that do not run public web proxies and VPNs?

2) Did you try to use mobile phone/SMS verification for Dreamwidth account registration?

3) Did you try to use Dreamwidth invites in order to connect new users to existing Dreamwidth users?
pebbleinalake: (seasonal: leaf)

[personal profile] pebbleinalake 2023-09-29 11:17 am (UTC)(link)
Sorry you're continuing to have to deal with the spam problem. It sounds like something I'd never have the patience to handle. We appreciate all your hard work in keeping the site safe and free of spammers. Thank you!
profiterole_reads: (Default)

[personal profile] profiterole_reads 2023-09-29 11:40 am (UTC)(link)
Thanks for your work!
bluedreaming: digital art of a person overlaid with blue, with ace-aro-agender buttons (Default)

[personal profile] bluedreaming 2023-09-29 11:56 am (UTC)(link)
Sorry to poke in but 2) is super restrictive to people who don’t have mobile phones and I despise it.
Also big privacy issue.
bluedreaming: digital art of a person overlaid with blue, with ace-aro-agender buttons (Default)

[personal profile] bluedreaming 2023-09-29 11:57 am (UTC)(link)
Thank you for your update!
sixbeforelunch: black and white image of clara bow in a suit and tie, no text (Default)

[personal profile] sixbeforelunch 2023-09-29 12:40 pm (UTC)(link)

Would bringing back invite codes help? Or does that fall too heavily on the side of restricting legitimate use?

Thanks for the hard work! I’m sorry the spammers are making your job so hard. :(

bradygirl_12: (canadian beaver)

[personal profile] bradygirl_12 2023-09-29 01:08 pm (UTC)(link)
You must feel like Monty Python yelling "Spam!" 😠

[personal profile] qitian 2023-09-29 01:10 pm (UTC)(link)
Hi Denise, thanks for the update. Just a few questions:

1) Will Dreamwidth periodically review the list of countries subject to signup blocking and update it?

2) What's the anticipated turnaround for the support team to respond to account creation requests? I'm not asking this for the purpose of holding the team to some hard timeline, but if the process is expected to take longer than a day then I'll probably send in my requests for throwaway account creation in batches instead of doing them individually.

3) Since the instructions in your post do not require users to provide the passwords they wish to use when creating new accounts via email request, I presume this means that the support team will generate the passwords and email them to the user.

Will the created passwords will be unique to each email request or to each account created? E.g. I send in a batch request to create 5 new accounts. Will each account have a different password or will all accounts in that batch have the same password?

4) Will the blocked signup page be enhanced so that users from geoblocked locations have access to the instructions that they need to email support in order to create an account? Right now it's just a 403 error page.
Edited 2023-09-29 13:47 (UTC)
talkswithwind: (medic!)

[personal profile] talkswithwind 2023-09-29 01:37 pm (UTC)(link)
SMS is subject to it's own abuses that small providers have a hard time dealing with. There is a form of toll fraud you can do if you can trigger SMS messages, "texting charges may apply," and also control a phone network (more common in the kind of countries getting IP blocks right now). SMS isn't free in good chunks of the world, and a small provider like DW isn't going to be able to eat the verification charges for long.
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-29 01:45 pm (UTC)(link)
1) Have you seriously never heard of locations having multiple internet services they can rotate between? Because it's trivial to rotate between 30 or 40 WiFi networks even before you get into mobile SIM swapping software.

2) In addition to being a privacy nightmare, SMS authentication costs a significant amount of money for a service to provide, is plagued by an extremely high rate of toll fraud and pumping (especially in the countries that we're having the highest spam problems from), and has a very low rate of success at stopping any kind of spam because any spam network of any appreciable size has racks of hundreds of thousands of SIM cards wired into devices and software that automatically tracks which numbers have been provided to which sites, selects the next number that's up, and handles the SMS verification. You can buy a full turnkey spam system for about $1000 USD. The only reason anywhere uses SMS verification anymore is inertia: it is useless.

3) If you read the comments on the previous post, you will see I have already answered this question.

Please assume that we are competent professionals who know a great deal more than you do about the problem and are addressing the issue in the least restrictive fashion possible to us that is likely to be effective.
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-29 01:48 pm (UTC)(link)
I covered it in comments to the last post: the problem is it's easy enough for spammers to get codes (between people posting lists of invites and the "create an account, age it and wait for it to start generating codes" tactic) that it's not an effective deterrant and it takes about as much administrative time to deal with invite-related problems as it does to deal with spam so it would just be a giant pain in the fucking ass for no net benefit.
tessitura: recycle @ lj (FASHION ‣‣ { dress })

[personal profile] tessitura 2023-09-29 01:53 pm (UTC)(link)
Thank you for the updates, constant vigilance, dealing with bad faith actors (spammers/several passive-aggressive at best comments on DW update posts/etc) and making DW such a cool place to hang out on in general
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-29 02:05 pm (UTC)(link)
1) We keep a regular eye on the hit rates of every access restriction we place, yes. It is very rarely that we can lift one once we place it, however.

2) It absolutely will not be faster than 24h turnaround; there's no way we can commit to that. The exact speed will depend on the volume and on how much admin time we claw back from spam handling. If that doesn't work for you, you can also use a VPN service to get an IP that geolocates outside of one of the blocked countries just for account creation, although VPN abuse is another one of our big issues right now and we have the "filter traffic from netblocks with bad reputations" filter with our DDoS provider turned up pretty high right now.

3) The account creation admin tool generates a random password that can't be emailed to you (it's impossible to extract an account's password: writing the password to the database is a one-way operation) and you will have to reset it once the account has been created through the normal password reset email workflow to a password of your choice.

4) Not easily technically possible, I'm afraid.

I know it sucks, and I'm sorry. We have been holding off on this step for a very long time, because we know it's disruptive. But we are absolutely drowning -- on a bad day our account creation volume is 80% spam and an average day is running around 60% -- and we need to take drastic steps in order to preserve the service for everyone.
sixbeforelunch: black and white image of clara bow in a suit and tie, no text (Default)

[personal profile] sixbeforelunch 2023-09-29 02:09 pm (UTC)(link)

Ah. I figured there was a good reason why you weren’t doing it but I was wondering what it was. (Sorry should have checked comments on the last post before asking.)

Spammers are relentless and I hate that they exist (but probably not as much as you do).

[personal profile] qitian 2023-09-29 02:25 pm (UTC)(link)
1 + 2) That's what I expected, but it's good to have confirmation. I've been following your tweets and the site's updates regarding Dreamwidth's challenges with combating spam so I was aware of the VPN-related issues already, but I really appreciate you raising it as a possible solution and highlighting the issues associated with that. :)

3) I'm very glad to hear this actually; yay for protections to account access. So will the process look like this from the user's end?
I email support with usernames of accounts to be created → Some unspecified amount of time later, I receive emails that my accounts have been created and verified (i.e. just like I would have under the old process) → I do a password reset for those accounts via the usual process and change my password at that point

4) In that case, would it be possible to add a new FAQ on this topic? This is for the benefit of entirely new users to Dreamwidth / existing users from those countries who may not see this post and won't have a clue what's going on when they hit the 403 page.

I understand that this is a measure of last resort and implementing it was a difficult decision to make - I absolutely don't begrudge the team for doing this. Rather, I'm grateful to you all for not just the work put into keeping the site useable, but also for the consideration towards the userbase!
dreamtigress: Rainbow Tiger Icon, made by Tiger Torre (Default)

[personal profile] dreamtigress 2023-09-29 02:36 pm (UTC)(link)
Thank you for all of your hard work!
tornir: Animated GIF of a cute snowleopard furry, paw to her face, and cheeks aflame. (Facepaw)

[personal profile] tornir 2023-09-29 02:52 pm (UTC)(link)
1) Bogons. Look them up. Most of the shittiest spam-friendly ISPs announce them.
Threaded | Top-Level Comments Only

Page 1 of 5