(no subject)

[denise]

We've just done a quick code push to get some fixes live (other changes in this push are here!), so if you spot anything awry, give us a holler. This push also should get Google indexing back (for those who have chosen to make their journals indexable) after the next crawl! 🤞 (We had to block an incredibly large range of hosted IPs in order to tackle our persistent and ongoing spam and flooding problem and there was a little too much splash damage.)

If you are not using a VPN and you regularly get the captcha from our hosting provider (the graphical one instead of the DW-native text one), please email support@dreamwidth.org with your IP address and we can see if we can add you to the bypass list after you've run a network and virus scan to make sure the reason our hosting provider is blocking you isn't because your network has a compromised machine on it. I am incredibly sorry that we won't be able to add any VPN IP addresses that are on the "suspicious activity and so receive a captcha" list to the exceptions list: we are very well aware of the security and privacy reasons to use a VPN service for internet browsing, and we really wish we didn't have to put those barriers in the way of some of the VPN services people use to access the site, but the overwhelming majority of our abusive traffic comes from free VPN services. It's been getting sharply worse lately, and we've needed to take some radical steps to curtail it. I apologize profusely to those of you who are using those services legitimately for the inconvenience you've been experiencing.

Comments

[pangolin20]

Thanks for putting in this work!

[madfilkentist]

When people put up Dreamwidth links on Mastodon, the preview looks like a captcha request. It would be nice if there was some way to prevent that from happening. I realize it may be difficult.

[bluedreaming]

+1 (also realizing it may not be possible)

[denise]

Unfortunately, there's no way to fix that, as we haven't been able to find any way to assemble a list of Mastodon servers and there are a lot of them!

[ysilme]

Thank you!

[ysilme]

I don't know if this is related, but today I posted an entry for the first time since the code push, and the rich text mode box isn't showing, just the html one (Firefox 111.01. (most recent) on Win10 64 bit (all updates installed, no VPN). I've already deleted cookies and cache and checked for updates.

[paserbyp]

Any replacement for VPN you will recommend?

[denise]

I can't recommend a specific one that will never have problems, because any one might be the source of garbage traffic at any moment, unfortunately.

[pronker]

Kudoses for the care you always show!

[otter]

I appreciate the work you do.

[frogfarm]

I suspect you'll support U2F before my bank does.

[denise]

Mark has the skeleton for it written, we just ran into the problem that there are eighteen billion legacy ways to log in while doing another thing (posting, commenting, etc) that are all slightly different and we need to solve the UI problem of how to handle each one of them individually!

[prayreturn]

As somebody who tends to poke around for old information on DW, thank you so much for working to restore google indexing. I hope that not many legitimate users get slammed by these changes.

[bookscorpion]

Thank you for the work you do!

[moes]

Thanks for the hard work!

I don't know if I'm the only one getting this issue, but I was trying to make a new account today for roleplaying purposes and the site was giving me an error saying that I wasn't 13+ in spite of me inputting an appropriate year, so that might be something to look at.

[denise]

In order to comply with COPPA, we make a reasonable effort to block people who have entered a date of birth that makes them under 13 (such as if you typo 2018 instead of 2008 or whatever) so someone who's under 13 can't just go back and change the DOB when they see that they're blocked for it. It is a cover-our-asses legal maneuver that will help us defend against any future charges of not taking COPPA seriously and preventing signups from people under 13 (since any more stringent ways of preventing people under 13 from signing up for the service without parental permission are all privacy nightmares for adults). The least-restrictive means we settled on for that blocking is setting an "underage" browser cookie that lasts for a little while (I think it's 24 hours) if someone enters a DOB that would make them under 13, and if that cookie is present in the browser that the user is using, giving an error message at signup no matter what the actual DOB entered on the second attempt is. It's not a perfect solution because there are definitely ways to work around it (which I would of course never provide instructions for!) but it's a way to show that we're complying with a perfectly reasonable and not at all ridiculously easy to circumvent law!

[senmut]

You all are the best!

[morrow]

You are appreciated!!!

[hhimring]

I encountered the captcha when using a VPN. I have a concern, not on behalf of myself, but on behalf of other users: my impression was that the kind of captcha used is going to pose a more serious barrier for anyone with greater visibility issues. I believe there are now captchas available that are better options for users with accessibility requirements? (I may be wrong about all of this.)

[denise]

We unfortunately don't have any level of control at all over that captcha (it's not ours, it's our hosting provider's) and what type or style it is. Again, we are very aware that the situation isn't optimal! However, the level of abusive traffic we get from VPN services dwarfs the legitimate VPN traffic to an extent where it's either enable the captcha or disable VPN access at all, and we are trying very very hard to not have to disable VPN access at all.

[teddywolf]

Much appreciation from a usually quiet corner of the site.

[dickgrayson]

Thank you very much for the work you put in to the site. It is very appreciated.

(in-reply-to: wall o'spam from the honey vendor)

[azurelunatic]

it takes some gall to spam in an official community.

[henrylyne]

You're doing good work Denise

[denise]

HENRY! Haven't seen you in ages, welcome back!

[necrophilia]

Hi there! Sorry if this isn't the right place for this question, it didn't seem important enough for a support ticket. Am I out of my gourd or did the batch icon upload function disappear?

[anaraine]

Hi necrophilia - Dreamwidth has never had an official way to batch upload icons. Were you perhaps thinking of this unofficial extension?

A sad server (or service) needs to be cheered up, please!

[cora]

Hey, Denise or whomever at Dreamwidth: I think there is an unhappy server (or service) in the datacenter, depending on how you have things configured.

Sometimes when I go to post an entry or a comment, I am directed to "Safari has no idea where you are trying to go." It's happened 3 or 4 times for me since my entry to my own journal last night. I can only assume the service being used to direct my "please post this" request is routing to an unhappy server, or an unhappy server is trying to pick up the request (not entirely sure how you have that configured to work). I assume it's just one server, but could be a couple.

I'm not really sure the proper way to raise a "Hey, check your monitoring, and then check on your servers in case your monitoring didn't go off" request/alarm.

Additional edit: I am on canary. I'm pretty sure it's not the code itself given it doesn't happen all the time, and if I hit "back" in my browser and try again, it works.

Re: A sad server (or service) needs to be cheered up, please!

[denise]

That error means the site is under heavy load (and it's related to the spam problem I reference in this post). Our automated monitors detect that kind of heavy site load, filter out abusive traffic as much as possible, and auto-scale the frontend power so it's less likely people will get the errors, but there's a small delay in the auto-scaling having a visible effect on the actual problems people are seeing (because it takes a few minutes for a new webserver to be provisioned and deployed to the point it can take requests). Usually it's 4-5 minutes for the site to deploy more power, but the auto-scaler acts relatively conservatively on burst traffic so people can't deliberately run up our cloud hosting bills just by DDoSing us, so if the problem is "heavy burst traffic that's very far outside the levels of recent average sustained traffic" it can take 15-30 minutes to arrive at a stable balance of demand vs availability as it adds webserver machines one by one and sees if that fixes the problem. We do have monitoring that catches "the auto-scaler is being too conservative", issues with the actual webservers in the pool, and full-out outages, but the automated deploy system for traffic-related issues has proven to be a lot faster and more effective than alerting someone and getting them to manually add extra webservers, since we only have two employees doing SRE work and the more we can automate, the better.

The issue really is just that we are getting such a high amount of garbage traffic that it completely floods out legitimate traffic and trying to keep up with it is almost impossible unless we want to get more extremely aggressive in blocking, but we're already seeing a number of people who are using the site legitimately having trouble with the "block abusive traffic" measures we take because the more aggressive you get, the more splash damage you get. We're trying to keep the site available for legitimate use without inconveniencing legitimate users while still dumping the abusive traffic, and it's a really hard balancing act because there really is that much garbage traffic on the internet and it really is that hard to tell apart from a certain range of legitimate traffic.

tl;dr: I'm really sorry about the errors, the site fixes itself automatically when you start getting them, but it takes anywhere from 2 to 30 minutes for the automatic fix to have a visible effect on the problem (although usually things improve a lot within 4-5 minutes). Also, spammers are the scum of the earth.

[stardustmelody]

Thank you for your hard work and for the communication!