denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)
Denise ([staff profile] denise) wrote in [site community profile] dw_maintenance2023-09-24 04:49 pm
  • Add Memory
  • Share This Entry

A heads up on spam prevention measures

Due to recent increases in spam account registration (over and above the already-high baseline levels of spam account registration!) and the amount of our administrative time that dealing with spam is costing us, it's highly likely we will need to start playing around with more aggressive measures to block spammers in the next few weeks. We already use quite a few spam account creation prevention techniques, but there's been a worldwide increase in the amount of abusive/spam traffic over the last six months or so, and we're at the point where we need to start getting much more aggressive about filtering it.

Generally speaking, we try to use the least restrictive measures of spam blocking that we can, because any form of spam blocking can impact legitimate use of the site. If you start getting 403 errors when accessing the site, or you are asked to solve a captcha from our hosting provider (the graphical captcha that shows on a separate page, not the text-based one that shows on the same page) before proceeding to the page you're trying to load, and you are not using a VPN service, please email support@dreamwidth.org with your IP address and let us know. If you don't know your IP address, you can look it up at whatismyip.com.

If you are using a VPN provider and you get these errors, I am incredibly sorry, but we probably won't be able to help. We know that many of our actual-person users use VPNs for privacy and security reasons or to circumvent government restrictions on accessing the site, and we are trying our very best to keep those services able to access Dreamwidth. Unfortunately, VPN services are also a major source of our abusive traffic, especially the free ones, and it's impossible for us to distinguish legitimate traffic from abusive traffic automatically. You are less likely to have problems with paid VPN services, but even those are the source of a lot of spam: our two main VPN sources of abusive traffic are NordVPN and Proton VPN. We're trying very, very hard to not have to block VPN services entirely, but the problem is getting much worse. If you subscribe to either, you may want to contact them and tell them that you've been having problems accessing sites you regularly use because of the amount of abusive traffic that comes from their network.

We will continue to tweak our spam prevention measures as much as we can to avoid interfering with legitimate traffic, and I apologize in advance if we wind up temporarily interfering with your use of the site as we try to stop the garbage we're drowning in.

Page 1 of 2

Flat | Top-Level Comments Only
the_broken_tower: (Default)

[personal profile] the_broken_tower 2023-09-24 09:00 pm (UTC)(link)
Completely understandable and unfortunate the abusive traffic is becoming such a problem. Thanks for the heads up!

- Ellie (she/her)
(reply from suspended user)
havocthecat: the lady of shalott (Default)

[personal profile] havocthecat 2023-09-24 09:04 pm (UTC)(link)
Can you give us a heads up if you plan on blocking any of the VPN services? I use a paid VPN for my own reasons and I totally support your spam-blocking measures! But I would like to know if I need to alter my Dreamwidth access processes if I have to. Which I will do in order to keep supporting you.

And I'll try letting them know, but uh, you know. Idk how much it'll work.
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-25 07:12 pm (UTC)(link)
An outright block on accessing the site entirely would be the absolute last resort -- we have a lot of steps we can take before that.
havocthecat: the lady of shalott (Default)

[personal profile] havocthecat 2023-09-25 07:51 pm (UTC)(link)
You folks are way better at knowing what to do than I!
ninetydegrees: Art & Text: heart with aroace colors, "you are loved" (Default)

[personal profile] ninetydegrees 2023-09-24 10:09 pm (UTC)(link)

Thanks for the heads-up! That explains the captcha I get :)

vesper_evensong: (Expressions - Thank You 2)

[personal profile] vesper_evensong 2023-09-24 10:46 pm (UTC)(link)
Thank you for your efforts in these areas. It has made DW a very decent place to be. I migrated from LJ because it's hard to use for Americans now, and as I've used DW I have appreciated the regular updates on things, and how hard you all work to keep things up and running smoothly.
(reply from suspended user)
nerakrose: drawing of balfour from havemercy (Default)

[personal profile] nerakrose 2023-09-24 11:06 pm (UTC)(link)
Ah that confirms why I was getting 403 error messages when I had my VPN on the other day (I use NordVPN). I did figure it was a VPN thing as I’ve run into similar on other sites so didn’t log an error message. It’s not a big deal for me, though I understand it might be more of an issue for others.

I was wondering, and this may not be viable at all, is it possible to flag and exempt logged in accounts that use VPNs so this doesn’t happen for them? As in, my user account at fanlore has that kind of account flag (I reached out to them about it) so that I can access and edit entries even when my VPN is on, that was something they were able to do. The infrastructure here may be completely different though so this may not be a helpful suggestion at all!
devilc: Go Like Hell (Default)

[personal profile] devilc 2023-09-25 02:46 am (UTC)(link)
I would just like to echo this suggestion.
twoeleven: Hans Zarkov from Flash Gordon (Default)

[personal profile] twoeleven 2023-09-25 04:21 am (UTC)(link)
I support this as well, since I'm another VPN user.
innitmarvelous_og: (Default)

[personal profile] innitmarvelous_og 2023-09-25 04:48 am (UTC)(link)
Me as well as I also use a VPN.
thesaltinstitute: A brook bordered by moss-covered rocks. (Default)

[personal profile] thesaltinstitute 2023-09-25 07:40 am (UTC)(link)

Also in support of this!

amalthia: (Default)

[personal profile] amalthia 2023-09-25 06:23 pm (UTC)(link)
As a VPN user I second this suggestion as well.
Edited 2023-09-25 18:23 (UTC)
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-25 07:15 pm (UTC)(link)
We can kinda-sorta do that, but not easily and not by account, and it's enough of a pain that it's generally not worth doing unless you keep the same VPN IP for a long time (which most people don't). Disconnecting and reconnecting is probably a lot easier for you!

[personal profile] pinterface 2023-09-26 12:44 am (UTC)(link)

Hrm... since the hosting provider MITMs at the HTTP level, (and without being at all familiar with the methods they provide) my first pass idea would be something like the following:

DW sets a "probably-human" cookie for logged in users that amounts to something like v1:nonce:expiration-timestamp:hmac(v1:nonce:expiration-timestamp:secret). The host service could look for that cookie, validate it (either by the secret being shared, or by a callback which lets you process it), and allow or deny the user based on that validation.

Now, that only works after a user has authenticated at least once, doesn't help at all with signups, would happily allow through an attack using Selenium or whatever (absent any other bot detection prior to setting the cookie, anyway), and probably has a few other drawbacks. So maybe not worthwhile even if technically possible.

(And now I spend ten minutes debating with myself whether this is worth posting, both because it's not a full solution and because y'all are technical enough you'd probably have done it already if it was an option and made sense.)

denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-26 03:16 am (UTC)(link)
Unfortunately that approach wouldn't work, because the filtering Cloudfront uses doesn't even get as far as contacting us before it kicks in and the filtering we can do on our end kicks in so much earlier in the process that letting it get as far as reading cookies would be a major performance hit (since it's the same system used to filter DDOS style traffic). We have almost no control over AWS other than "stick this specific IP fully on the allow list", and our only feasible control on our end is expiring the block early, neither of which is feasible for IPs that change ownership rapidly like VPN IPs because it has to be done manually and the legitimate user who had the connection is almost certainly no longer the person who has the connection by the time we would be able to handle it and with most VPN IPs the chance the next person who has the IP is a spammer is very, very high. (Fanlore in particular that [personal profile] nerakrose was talking about is an OTW project, and OTW only implemented the intermediary-based DDOS protections that most everyone on the internet is running a few months ago, and only for AO3 and not any of their other projects -- Fanlore has nothing like Cloudfront doing intermediary garbage filtering, which is where most of the restrictions on VPN IPs comes from. Fanlore only uses Mediawiki's software based spam protections, which happen very very late in the call.)

It's extremely shit, we know it's extremely shit, every person who runs internet infrastructure knows it's extremely shit, we all wish we didn't have to do it, but this kind of IP-based reputation system is the only thing that even slightly works and the collateral damage is something no one has ever been able to contain 100%.

[personal profile] pinterface 2023-09-26 02:48 pm (UTC)(link)
Oh, Cloudfront? In that case you could do a Lambda @ Edge, which looks for the cookie and verifies the signature ...

... But even if you could bear the additional cost, that still only helps if Cloudfront lets it get that far before DDOS-style filtering. Which it probably doesn't, because the whole point is to drop bad traffic as early as possible.

Gah. The fact capitalism effectively encourages exploiting negative externalities for profit really ruins a lot of otherwise nice things.
morrow: (💋)

[personal profile] morrow 2023-09-24 11:09 pm (UTC)(link)
Fair enough!
watersword: Keira Knightley, in Pride and Prejudice (2007), turning her head away from the viewer, the word "elizabeth" written near (Default)

[personal profile] watersword 2023-09-24 11:15 pm (UTC)(link)
Thanks, I hate it! (I don't hate you, D. I hate that spam is still a problem.)
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-25 10:00 pm (UTC)(link)
My rant about the economics of spam and the diffusion of responsibility for handling it is about 45 minutes long and involves a lot of uses of the word "fuck".

[personal profile] corbiecore 2023-09-26 01:12 pm (UTC)(link)
I was blearily looking for the like button before I realized which platform I was on, lol.
house_wren: glass birdie (Default)

[personal profile] house_wren 2023-09-24 11:58 pm (UTC)(link)
Thank you for all your work!
scissorsevered: (Default)

[personal profile] scissorsevered 2023-09-25 12:22 am (UTC)(link)
Maybe some sort of invitation system would work for curbing spam accounts, similar to how AO3 runs their signups? I know it would place a damper on the number of people signing up at a time but it would seriously reduce the number of accounts being made just to spam.

This isn't me trying to say what you're doing isn't good, because we all really do appreciate the hard work you put into running this site! I'm sure trying to block spam and ensure user privacy at the same time is a pain in the ass lol. But we have faith in you :D
medusahealing: (Default)

[personal profile] medusahealing 2023-09-25 02:08 am (UTC)(link)
Funny enough, DW actually started with an invitation system. You had to have an invite to set up your account.
jeweledeyes: Pretty Guardian Sailor Moon (Default)

[personal profile] jeweledeyes 2023-09-25 05:35 am (UTC)(link)
I totally forgot about that. I got my account through an invite code!
the_broken_tower: (Default)

[personal profile] the_broken_tower 2023-09-25 05:24 pm (UTC)(link)
Oh wow, how long ago was that? :0 Was there a limited number of times you could send invites?

- Izar (he/him)
jeweledeyes: "'Popular Science'? More like Nerdular Nerdence." (Nerdular nerdence)

[personal profile] jeweledeyes 2023-09-25 05:42 pm (UTC)(link)
I thought it might have been 2009, but my profile page says it was 2010. 13 years ago, dang!

As for how many codes, I don't remember that much, so I tried searching. I found some posts with people with multiple codes, so it wasn't limited to just one, but I don't remember beyond that 😅 And it looks like they opened registration in December 2011, based on this post and this post.
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-25 10:25 pm (UTC)(link)
It was back when we were still in beta (2009-2011 or so)! We would generate batches of invite codes semi-regularly based on certain criteria -- like, sometimes we'd send codes to people who'd posted recently, sometimes to people who'd logged in recently, sometimes to people who'd used all their invites, sometimes to people who'd invited people who were active on the site, yadda. We had a bunch of different methods we could use to hand them out and we tried to make sure everybody who was active on the site had at least one or two on hand at all times, plus we could make 'bulk' codes that could be used to create a larger number of accounts (like, if you were starting a new RP game and wanted to make sure all your players could make accounts for it, we could give you a single code that worked to make 50 accounts and not just one, etc). It was a good method for making sure that we didn't overwhelm the site completely when we launched, but it was a lot of administrative overhead and we were glad to finally ditch them!
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-25 07:18 pm (UTC)(link)
Yes, we had an invite code system when we started to limit growth to what we could support! But it's less effective for curbing spam than you'd think: people generally share invites widely enough that it's easy for spammers to get them, and all it does is put a barrier in front of people who are looking to make legitimate accounts. It's also enough of a pain in the ass, administratively, that we were really happy to ditch it when we could. If it were more effective in curbing spam registration, absolutely we would turn it back on, but the combination of "not great at spam fighting" + "deeply annoying for legitimate use" + "just as much of an administrative burden as the spam fighting" puts it pretty far down on the list. (At most, we'd require invites for creating accounts from one of the six countries that 90% of our spam comes from, but that's 90% of the admin annoyance as requiring them for everyone so we haven't yet.)
elderwitty: (art judith and her maidservant)

Dam spam!

[personal profile] elderwitty 2023-09-25 02:22 am (UTC)(link)
Thank you for fighting the scourge that is spam!

Is this why I've needed to login two days in a row? It's usually only a couple of times a month or so.

(I'm not upset, just curious.)
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

Re: Dam spam!

[staff profile] denise 2023-09-25 07:28 pm (UTC)(link)
Nope, that should be unrelated! make sure you don't have any extensions installed that are interfering with your cookies -- we especially find that any of the login juggler extensions are really prone to causing login problems.
elderwitty: (ow)

Re: Dam spam!

[personal profile] elderwitty 2023-09-26 02:28 am (UTC)(link)
Thanks for the info!

It kept me logged in today, so maybe it was just an anomaly. I hope it's not an extension, because I only have six of them. :D
kore: (Default)

[personal profile] kore 2023-09-25 05:29 am (UTC)(link)
BOO SPAM. I was followed by at least twenty empty pornbots on Tumblr last week. I've given up playing whack-a-mole with them. I am so glad DW fights spam with a fury!
innitmarvelous_og: (Default)

[personal profile] innitmarvelous_og 2023-09-25 05:42 am (UTC)(link)
Aren't the p*rnbots on Tumblr awful? I am soooooooooo sick of them too, especially the ones that are not an empty account!
kore: (Default)

[personal profile] kore 2023-09-25 05:44 am (UTC)(link)
The only thing I am more sick of than the non-empty pornbots are the Only Fans-type "Tumblr Live" accounts which have shown me dick picks more than once! Which you can't turn off!
innitmarvelous_og: (Default)

[personal profile] innitmarvelous_og 2023-09-25 06:09 am (UTC)(link)
Yeah those would be the non-empty ones I hate! I've learned to be super cautious when seeing what the accounts are!
scissorsevered: (Default)

[personal profile] scissorsevered 2023-09-25 01:15 pm (UTC)(link)
The big wave of pornbots is probably the one bad thing about Tumblr allowing NSFW again.
innitmarvelous_og: (Default)

[personal profile] innitmarvelous_og 2023-09-25 04:41 pm (UTC)(link)
Yeah, things will always be abused in some way. *sighs*
profiterole_reads: (Default)

[personal profile] profiterole_reads 2023-09-25 11:50 am (UTC)(link)
I usually report them, but when I don't, they usually disappear in a few days from other people reporting them. Fortunately, it's not as bad on DW.
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-25 10:08 pm (UTC)(link)
It actually is just as bad! We're just still small enough that we can handle them the only truly effective way, which is to say, a real person looks at every newly created account and knocks out the spam ones. Once you get to Tumblr size, that method stops being possible and you have to switch to automated detection, but automated detection is kind of shit. We get just as many spam accounts as Tumblr does, we're just more effective at knocking them out before you notice them because [staff profile] karzilla or I spend four hours a day every day screening every single newly-created account for the ones that our automated systems miss, heh.

Ironically enough, this is one of those things machine learning networks are moderately decent at -- worse than human eyeballs, but sharply better than a lot of other systems. We experimented: when we fed ChatGPT the profiles of a test suite of 100 of our spam accounts, it caught about 60% of them, and it didn't flag any of the test suite of 100 real accounts as spam mistakenly. But implementing that as a screening method would involve sending user profile text to ChatGPT, and, well. *gestures wearily to the entire controversy about generative ML models*
profiterole_reads: (The Old Guard - Joe and Nicky)

[personal profile] profiterole_reads 2023-09-26 12:32 pm (UTC)(link)
It's all in your honour that I don't notice it's as bad from my side of things. I hope you'll find a way to save yourselves some time.
ganimede: keys (Default)

[personal profile] ganimede 2023-09-26 06:25 pm (UTC)(link)
I had no idea you checked every new account, that has got to be going above and beyond! Four hours is a lot of time that could probably be better spent elsewhere on the site. Is there any way some of that workload could be taken off you by a small select group of volunteers?
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-27 01:49 am (UTC)(link)
We do to some extent, but there's a lot of logistical problems with it because of how much access to sensitive user data someone needs in order to make a lot of the calls.
ganimede: keys (Default)

[personal profile] ganimede 2023-09-27 05:55 pm (UTC)(link)
I didn't realise that some of the spam accounts had got so clever as to make that access necessary. Eugh, that does make it harder. And it must be such a pain when you don't have the time to create a system to fight spam accounts because you're so busy fighting spam accounts but also not so busy fighting spam accounts to require the system... I think that just broke my brain.
vriddy: Dreamwidth sheep with a red wing (dreamsheep)

[personal profile] vriddy 2023-09-25 05:36 am (UTC)(link)
Sorry to hear spam is becoming an even worse problem. Thank you for all the good work!
ex_flameandsong751: An androgynous-looking guy: short grey hair under rainbow cat ears hat, wearing silver Magen David and black t-shirt, making a peace sign, background rainbow bokeh. (reactions: down with this sort of thing)

[personal profile] ex_flameandsong751 2023-09-25 07:09 am (UTC)(link)
Thank you for staying on top of the spam, which sounds super annoying to deal with.



Since other people brought up that DW used to have invite codes [and Ao3 still does], might it be possible to re-implement this? Would it have at least some impact on the amount of spam account registrations?
tessitura: iconriot @ dw (Default)

[personal profile] tessitura 2023-09-25 01:58 pm (UTC)(link)
While I am not trying to speak for them, my best guess as to why they don't use invite codes now is the large amount of roleplayers on the site.
ex_flameandsong751: An androgynous-looking guy: short grey hair under rainbow cat ears hat, wearing silver Magen David and black t-shirt, making a peace sign, background rainbow bokeh. (!The Squad: Sören: hrmm)

[personal profile] ex_flameandsong751 2023-09-25 06:14 pm (UTC)(link)
Hmmmm. RPers could still get invite codes though, yes? Ao3 used to generate X amount of invite codes per person, I forget the exact number, but if DW gave each user X amount of invite codes, conceivably someone who had alts for RP purposes and/or had friends wanting to RP could grab one of those and if they ran out they could sign up and wait 1-2 weeks for more, or there might be an invite code sharing comm where people could post their unused invite codes for others?

Like I said, I don't know how much of an impact this would make with spam, and Denise would probably know the answer to this.
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-25 07:37 pm (UTC)(link)
If they worked we'd have already done it! But they don't appreciably limit the number of spam accounts (because people share their codes so widely and it's usually very easy for spammers to find lists, plus all they have to do is make one account that isn't obviously a spam account and let it age long enough to start getting invites) and it's enough of a PITA for normal use that it's generally not worth it, especially because dealing with invite-related problems is just as much admin time as dealing with spam.

The ultimate problem is that spammers are incentivized to drop their garbage everywhere because a first-page ranking in Google search for certain keywords can be worth millions of dollars and Google ranking depends at least partially on how many people are linking to you, so the people who want to boost their sites pay actual people pennies per account to create accounts on social media sites and make links all day. It's almost impossible to detect or stop because it's not automated in any way: they're real people making the accounts, and it's very very difficult to distinguish from "real people making an account to participate on the site" in any meaningful way other than the painfully painstaking method of "have a real person look at every one of them and make the call". The best automated solutions we can come up with are still only about 60% as accurate as I am :/
morrow: (Default)

[personal profile] morrow 2023-09-25 08:36 pm (UTC)(link)
What about “hiring” volunteers who, with a bit of training, do the detecting? I’d do it!
pauamma: Cartooney crab wearing hot pink and acid green facemask holding drink with straw (Default)

[personal profile] pauamma 2023-09-25 09:00 pm (UTC)(link)
Dreaamwidth already does that, although I don't know what the application and training process is these days. (I started in 2010 or so.)
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-25 09:51 pm (UTC)(link)
Yes, we do that to some extent! Our comment spam is handled by a volunteer team -- if you delete a comment and mark it as spam, that gets handled by the spamwhackers. But comment spam is a tiny, tiny percentage of our overall spam volume, and the biggest (by far) category of spam accounts are "search engine optimiztion/backlink spam accounts", where people make the accounts and then try to keep them as hidden as possible so only Google will see them. (Most days we don't get any comment spam at all, and hundreds of backlink spam accounts!) That means the only way for us to spot them is to go through every newly-created account in order by userid, and that particular ability comes along with the admin tools that also give someone the ability to look up the first level of personal user data, so we're reluctant to hand it out without a lot of vetting beforehand and we require signed nondisclosure agreements before giving someone access.

There's also the problem that even though the human brain is unparallelled at pattern-matching, some of these accounts are really, really good at passing as real. (Like, I've been doing this for 20+ years and it generally takes me less than half a second to make the call -- I can spot spam accounts in languages I neither speak nor read -- and I still had one today that took me over five minutes and a lot of digging to finally decide it was spam.) To really make the determination on some of the borderline accounts, you need access to the second level of "look up personal user data" admin tools, which is sensitive enough that we don't give access to anyone but staff and very, very senior volunteers who have been with us for over a decade and have proven their ability to handle confidential information (and we also require signed nondisclosure agreements for that as well).

Both of those problems are fixable -- we could build a system that gave people with access a list of accounts that hadn't been screened yet (that didn't require the "look up accounts by userid" access) and let them flag the obvious spam for suspension and flag the borderline accounts for someone with the admin tools, and that would knock out a good 80% of the spam and save Jen's and my time for the borderline cases. We probably will build that eventually, even. But it's nontrivial enough that it would be a lot of work, and we're in the awful catch-22 valley where we don't have enough time to build the system because we're too busy dealing with the daily spam, but the daily spam isn't enough in absolute numbers to justify the amount of work it would take to build the kind of robust system that would knock out enough of the trivial work for us but also have enough guardrails that we could hand out access to it without compromising user privacy or making it possible for people to game the system. (That last bit is also why we don't have any kind of user flagging of spam accounts other than directly reporting them to us: if you give the entire userbase a system that will let them flag spam accounts, there's a certain percentage of people who will immediately start using it for "I don't like this person/this account" and trying to get accounts suspended with it, so you can't make it any kind of automated threshold of "if this account gets flagged X times, suspend it".)

This is one of those hard problems that literally nobody has ever managed to solve, basically. I know people doing Trust & Safety at pretty much every major social network out there and it's one of the problems we all drink about heavily at meetups. It's one of the reasons I'm so mad about Elon Musk taking over Twitter and firing nearly the entire T&S engineering team: Twitter was doing incredible work at garbage traffic detection and we were all learning a lot from them, and then Elon fired all the people who were doing it, sigh. But if you ever wonder why most social networks are so bad at rooting out backlink spam accounts, it's because they literally can't: the only thing that can reliably detect them at a 95% confidence interval is the patternmatching ability of the human brain, and once you get to a certain scale, that's impossible and all you can do is get the 60% or so CI that automated detection can give you.

tl;dr: the economics of spam are completely broken and 100% of the cost and 100% of the burden of dealing with spam goes to the platform while 100% of the profit goes to the spammer. It's a neverending arms race and we are all losing badly.
ex_flameandsong751: An androgynous-looking guy: short grey hair under rainbow cat ears hat, wearing silver Magen David and black t-shirt, making a peace sign, background rainbow bokeh. (reactions: Kermit scrunch face)

[personal profile] ex_flameandsong751 2023-09-25 08:56 pm (UTC)(link)
Thank you for explaining this, and that makes sense. You guys deserve free coffee and cookies for life for dealing with the annoying spam.
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-25 09:58 pm (UTC)(link)
It is kind of fascinating, in that "oh God" sort of way, to watch our regular spam networks trying to adapt to what they think are our detection methods, because the most capable of them are doing it more or less in realtime. (It is especially funny because while we do use automated detection, a huge part of our overall methods are "a human being puts human eyeballs on your account and makes the spam or not-spam call", which is the one thing that you can't automate around -- there are still ways to game it, but it's harder -- and so you can watch them adjusting things in realtime to try to circumvent detection.)

But this is one of those problems absolutely nobody has been able to solve. We are small enough that we can be absolutist about even the borderline accounts, but most places have to rely on automated detection and just get the percentage of accounts automated detection can get them. It's part of the reason why Google search results have gotten so much sharply worse in the last year or so: even Google with all their resources can't distinguish "real person authentically linking to this site" from "garbage backlink spammer linking to this site" with the degree of reliability they used to be able to, and to some extent they've just given up.
murphys_lawyer: The avatar for Mozilla Firefox (Default)

[personal profile] murphys_lawyer 2023-09-25 12:02 pm (UTC)(link)
Another vote for some sort of other check if you have a VPN. I use one of the ones you've mentioned, and while I'm resigned to always being "randomly selected" to take a Captcha every time I visit here, I absolutely loathe them, especially when I'm one pixel out on selecting something.
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-25 07:43 pm (UTC)(link)
I know it's annoying, and I'm really sorry. But 80% of our account creation is spam on a bad day (a good day is only 40%), and of that, easily a third of it comes from those two VPN services -- and we're not the only ones who have that problem. (The visual captcha comes from our hosting provider, who uses data about abusive behavior across all the sites they host: if you're getting the captcha from them, it means you're on an IP that has been demonstrating sustained, consistent bad behavior.) We're trying very hard to use the least restrictive means possible to handle things, because we absolutely know that VPNs are an important privacy and security tool, but we're absolutely drowning here and we're not the only ones. Those two providers in particular are the source of so much garbage, internet-wide, that it really is important that they keep hearing from their customers that more and more sites are restricting their IPs and they really need to start removing abusive customers.
murphys_lawyer: The avatar for Mozilla Firefox (Default)

[personal profile] murphys_lawyer 2023-09-25 09:22 pm (UTC)(link)
Thanks for replying, and I appreciate your work on this. Truly.
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-25 10:17 pm (UTC)(link)
We are trying so, so fucking hard to keep our spam prevention methods from impacting legitimate VPN use. I know it's deeply annoying, and it's just as annoying for us -- like, if we could just say "nope, we are blocking access to the site from every single IP address that has a score over a certain threshold in two separate abusive-IPs databases", it would make our lives so much easier, but a massive number of the IPs that are in those abusive-IPs databases are VPN IPs and that would have a tremendous amount of splash damage, so we'll never be able to do it. But yeah, the experience of using a VPN service that has a high percentage of customers generating abusive traffic is likely going to get worse and worse for you over time, because it's a massive internet-wide problem, it's getting much worse, and nobody knows how to solve it without seriously inconveniencing or blocking the people who are using VPNs for legitimate reasons. It sucks, and I'm really sorry. (I like to joke that I am an internet privacy and anonymity activist except for the four hours a day I'm doing the spam queue, during which I would like to require internet connections to be tied to your forensic DNA profile and require an on-the-spot DNA test to activate the internet connection every time you do. Some days it is less of a joke than other days, sigh.)
groovesinorbit: (Default)

[personal profile] groovesinorbit 2023-09-25 01:26 pm (UTC)(link)
Thank you for all your hard work!
filialucis: (Default)

[personal profile] filialucis 2023-09-25 03:45 pm (UTC)(link)
Hmm, thanks for this detailed explanation of the issues. I use a different VPN and have been considering switching to either NordVPN or ProtonVPN when my subscription expires later this year. I'm less likely to do so now that I know that they're known sources of spam!
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-25 10:20 pm (UTC)(link)
Every VPN is going to be a source of spam and other abusive traffic -- the free VPNs more so, but even the paid VPNs, because spamming is so profitable that the cost of the VPN subscription is almost nothing in comparison -- but those two are currently the worst, yeah. There are a few other paid services that are bad-but-not-as-bad, but those two are the bane of my existence. (Which sucks, because from the user end they're both really good services and I'd love to be able to recommend them to people who ask me what VPN to use! But unfortunately, people also recommended them to the spammers.)
chestnut_pod: A close-up photograph of my auburn hair in a French braid (Default)

[personal profile] chestnut_pod 2023-09-27 02:00 am (UTC)(link)
Thank you for all the detailed responses to this post! It's inspired me to go look up some of those economics of spam: grim.

If you don't mind, could you name some of those bad-but-not-as-bad ones? Are there any paid VPNs that are solidly neutral or good in terms of not attracting spammers?
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-27 02:38 am (UTC)(link)
It is so absolutely grim. Brian Krebs' "Spam Nation" mostly covers email spam and phishing scams that are more security-related, as is fitting for his interests as a security journalist, but even despite that and the fact it was published a decade ago and so is very, very out of date by now (since security years are like dog years), it's a great introduction to the kind of perverse incentives that spam has.

I hesitate to make any definitive statements, especially because we only do lookups on a non-randomly chosen subset of accounts (the IP address reputation databases have daily limits of how many queries you can run without paying and we can't afford the rates on any of the more accurate ones, so we have to limit our queries to just the accountst that we need additional IP data on) and because a lot of smaller providers can slide under the radar if they're moderately clever about their configuration. I will say that for over a decade when I need a VPN I've used Tunnelbear, which is short on a bunch of additional features but functions great as a "make my connection looks like it comes from a country that has access to this media" tool, and I've never once seen a spam account that's been made from it (or I would have grumbled about my provider of choice being used by spammers, heh). It very well could be coincidence, their IPs not looking like they're their IPs, or just the fact it's less popular, though, so don't take my statement as any kind of official stamp of approval!
chestnut_pod: A close-up photograph of my auburn hair in a French braid (Default)

[personal profile] chestnut_pod 2023-09-27 03:19 am (UTC)(link)
Thank you for the Krebs recommendation. Perverse incentives are so often perversely interesting, even when they make you want to run into the mountains and live as a hermit.

I won't take your statements about Tunnelbear as a red-letter stamp of approval, but it's definitely helpful information to squirrel away, so thanks for that also!
mdlbear: blue fractal bear with text "since 2002" (Default)

[personal profile] mdlbear 2023-09-25 05:59 pm (UTC)(link)

Thanks for the heads-up, and for your good work. I'm not having any problems so far, but it probably explains the persistent CAPTCHAs I've been seeing on other sites.

chicklet_chatter: (Castle)

[personal profile] chicklet_chatter 2023-09-26 01:24 am (UTC)(link)
Thank you for the update. I was seriously considering going to VPN soon. This is a major point against that option. Thank you very much for informing us!

Chicklet - They/Them
arkessian: (Default)

[personal profile] arkessian 2023-09-26 01:54 pm (UTC)(link)
Can I steal some of these words for a site I moderate where VPN users are getting annoyed (nay, abusive) because they're being blocked by our spam filtering service.
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-27 01:08 am (UTC)(link)
Feel free!
arkessian: (Default)

[personal profile] arkessian 2023-09-27 07:12 am (UTC)(link)
Thanks.
lovingboth: (Default)

[personal profile] lovingboth 2023-09-26 03:20 pm (UTC)(link)
Yep, sympathy. I do consultancy for a message board and what used to be a problem with Tor exit nodes is now a problem with VPNs... as well.

denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-27 01:08 am (UTC)(link)
Yeah. Spammers fucking ruin it for everyone, part 824934.
albedinous: A cross-stitched owl on blue fabric, partially complete. (Default)

[personal profile] albedinous 2023-09-28 12:14 am (UTC)(link)
Thank you, Denise! I'm not affected by VPN issues, but appreciate the heads up; four hours is SO much spam-detection, my goodness.

I'm going to go renew my paid account, because you guys seriously deserve a coffee after all this.
pritkiy_kaban: (Default)

[personal profile] pritkiy_kaban 2023-09-28 12:12 pm (UTC)(link)
Yup, browser plugins and Proton tend to trigger (almost) blanket 403 when using free plans.

Knowing how deeply spam and ad industries metastased into current Web economy, I hate them filters much like I hate lying in dentist's chair for costly treatment of acute pulpitis.
Edited 2023-09-28 12:16 (UTC)
omnicat: (Default)

[personal profile] omnicat 2023-09-28 08:53 pm (UTC)(link)
I remember you mentioned an unusually steep, internet-wide uptick in spam this year in an earlier Maintenance post too. Do you peeps in the business have any indication of the reason this is happening?
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-29 01:40 am (UTC)(link)
Everybody's got their own pet theories, and it's hard to know which one is correct! My pet theory is that it's a combination of multiple factors: Google being less committed/less able to block "this URL has been heavily spamvertised and so should get a search engine penalty", various economic factors in terms of income/purchasing power disparity making backlink spamming a more lucrative career for people in the countries most of the spam is coming from, and the prevalence of ChatGPT making it easier/cheaper/faster to generate both the backlink spam and the sites being spamvertised are all things I think play into it. (I am virtually positive that I'm missing a few factors in the analysis.) I also have a massive grudge against Fiverr, which is where most of the people doing this get hired. (99% of "digital marketing experts" on Fiverr are fronts for the spam factories.)
cellio: (Default)

[personal profile] cellio 2023-09-29 12:55 am (UTC)(link)

Thank you, as always, for your thoughtful and transparent communication, and for the great service. I was wondering why I was getting those captchas (I just started using AdBlock VPN). I can disconnect when using DW, and don't mind that minor hassle to help the spam monster from expanding even more. Grr, spammers ruining things for all the rest of us...

denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-09-29 01:41 am (UTC)(link)
It is just so exhausting trying to keep up.
cellio: (Default)

[personal profile] cellio 2023-09-29 01:48 am (UTC)(link)

It sure is. Thank you for continuing to fight the good fight for your users! Locking everything down thoroughly would be easier but less friendly, and I appreciate your ongoing attempts to place as few barriers as you can in front of legitimate users.

redwolf: (Default)

[personal profile] redwolf 2023-09-29 08:11 am (UTC)(link)
Huh. I wonder if this is the same bullshit I'm being inundated with on a corporate mailing list.
Flat | Top-Level Comments Only

Page 1 of 2