Continuing dispatches on the war against spam

[denise]

A few days ago we let you know about spam prevention measures that we were taking to help stem some of the flood of garbage. One of those temporary measures included geoblocking all IPs from several of the countries that are our largest source of spam. This did (as we knew it inevitably would) have some collateral damage for real users, and we're very sorry!

We're continuing to experiment: this time we've slightly expanded the range of countries we're geoblocking to include the ones that we held off on geoblocking because it would affect too much legitimate use, but we've limited the geoblocking only to the account creation page. This should mean that if you were having trouble accessing the site because of geoblocks, you should be able to access 99% of the site without a problem, and the only page you won't be able to access is the account creation page. With luck, this should cut back heavily on our spam account creation without disrupting legitimate use of the site. The current list of countries that are geoblocked from account creation are Bangladesh, Cambodia, Egypt, India, Indonesia, Morocco, Pakistan, Singapore, Turkey, and Vietnam. (If you're an existing user from one of those countries and you'd like to make an additional account, email support@dreamwidth.org with the username you'd like to register and we can register it for you. If the number of requests gets to be enough that it's taking up too much of our time, we may have to pause this until we can build automated exceptions, but we'll start there.)

We will continue to monitor the results of these experiments and adjust as necessary: when we do one of these experiments, we always make sure to define in advance what "too much interference with legitimate use" will look like, and we try very hard to stick to it. I apologize to everyone who's been collateral damage in our efforts to filter out more of the goddamn spammers.

Comments

[dennisgorelik]

Why do you geoblock the whole countries?
Isn't blocking individual abusing IP networks sufficient to mostly eliminate spam?

[denise]

That's been our tactic for quite some time, but it isn't enough anymore. It's not individual netblocks that are the issue: the major spam factories have custom software that rotates their connections through multiple networks (and through multiple browser builds, to avoid browser-based fingerprinting) after every new account in order to evade automated blocking and detection. The big social media properties can afford to have engineers working full time on adapting to the tactics they're using, but we can't; geoblocking is the next tool we have available in the arsenal (for this particular problem; there are about six running concurrently) that has the least interference with legitimate use over the more invasive options.

[dennisgorelik]

1) How do spam networks get access to IP networks that do not run public web proxies and VPNs?

2) Did you try to use mobile phone/SMS verification for Dreamwidth account registration?

3) Did you try to use Dreamwidth invites in order to connect new users to existing Dreamwidth users?

[bluedreaming]

Sorry to poke in but 2) is super restrictive to people who don’t have mobile phones and I despise it.
Also big privacy issue.

[frith]

Yup on all three points! Discord thirsts for "smartphone" phone numbers and as I have no smartphone and wouldn't share the number with Discord if I had one, I am no longer able to chat with fannish creative types there. There is 2 factor authentication but I have my doubts I'd be able bypass Discord's phone number desire should I figure out what 2FA entails. Email confirmation used to be sufficient for Discord.

[lb_lee]

I don't have a smartphone and have found ways to work around with Discord, if you're interested! I use 2FA with a YubiKey, which admittedly I had to buy, but it has been a winner in that I don't need a smartphone (or any phone, I think!)

[frith]

That's good to know. ^_^ I believe Discord sent me a link a while back to something that would accept 2FA instead of sending me into an 'enter your phone number' loop. Meanwhile, I would like to change my (outrageously expensive and sly) ISP and it looks like I am going to have to update my Firefox too.

[havocthecat]

Ooh, that's interesting - I need to look into that. I'm getting so tired of social media craving my phone number. I have some Discords off-limits now and I'm dreading Discord-as-a-whole requiring a phone number. Is a YubiKey pricey?

[lb_lee]

I got two for about $20 USD apiece, I think? But that was quite a few years ago, and prices may have changed since then. There are definitely different options at different price levels; I think I got pretty barebones ones. They also work with modern Windows and Linux! (I presume Mac as well, but haven't tried.)

Yubikeys can also be used with an authentication app that can be used on non-phones, if you don't have a smartphone!

[arethinn]

?? Are they imposing this globally on new accounts or something? I've never provided a phone number on any of my three Discord accounts, the newest of which was created this past March. The option is there to add one, but I just leave it blank ("You haven't added a phone number yet"). Hasn't stopped me from joining servers or anything.

Discord

[frith]

My account was created around 2018. The problem is my ISP keeps switching from one hub to another making it appear that I'm logging on from a different town than last time. So every few months I'd have to prove that I'm me by using a code they'd send me by email. Until they decided that wasn't good enough and requested a phone number instead. That was two or three years ago. I gave up trying after about a year.

SMS verification

[dennisgorelik]

> 2) is super restrictive to people who don’t have mobile phones

SMS verification does not have to be mandatory.
It should be OK to maintain an old Dreamwidth account without connection to any phone number.

Other alternatives could be invite-based registration and registration from an IP network that is not blacklisted.

[talkswithwind]

SMS is subject to it's own abuses that small providers have a hard time dealing with. There is a form of toll fraud you can do if you can trigger SMS messages, "texting charges may apply," and also control a phone network (more common in the kind of countries getting IP blocks right now). SMS isn't free in good chunks of the world, and a small provider like DW isn't going to be able to eat the verification charges for long.

[lb_lee]

Thanks for explaining the SMS thing, since I don't have a smartphone and was sorta aware but not clear on this problem!

[dennisgorelik]

> SMS isn't free in good chunks of the world

I agree: an expensive SMS messaging in multiple countries - is a valid concern.

Then the filtering solution could be:
1) Invitations from existing Dreamwidth users.
2) Corporate email addresses (instead of freely available email addresses such as gmail).
3) Allow creating accounts to anyone, but severely limit the new accounts until they prove themselves and then blacklist IP address and corporate email domain in case if new account turned out to be spam.

[denise]

1) Have you seriously never heard of locations having multiple internet services they can rotate between? Because it's trivial to rotate between 30 or 40 WiFi networks even before you get into mobile SIM swapping software.

2) In addition to being a privacy nightmare, SMS authentication costs a significant amount of money for a service to provide, is plagued by an extremely high rate of toll fraud and pumping (especially in the countries that we're having the highest spam problems from), and has a very low rate of success at stopping any kind of spam because any spam network of any appreciable size has racks of hundreds of thousands of SIM cards wired into devices and software that automatically tracks which numbers have been provided to which sites, selects the next number that's up, and handles the SMS verification. You can buy a full turnkey spam system for about $1000 USD. The only reason anywhere uses SMS verification anymore is inertia: it is useless.

3) If you read the comments on the previous post, you will see I have already answered this question.

Please assume that we are competent professionals who know a great deal more than you do about the problem and are addressing the issue in the least restrictive fashion possible to us that is likely to be effective.

[dennisgorelik]

> it's trivial to rotate between 30 or 40 WiFi networks even before you get into mobile SIM swapping software

All WiFi networks that are easy to hack into and are frequently used by spammers - you can automatically blacklist: every time you ban spam account - you should also ban the IP network that facilitated in this spam account creation.

> SMS authentication costs a significant amount of money for a service to provide

Sending SMS in the US starts from $0.0079
However I see that in other countries sending SMS is [10x?] more expensive.
So I guess SMS is not a good solution for, say, Vietnam, which IP networks Dreamwidth blacklists.

> toll fraud and pumping

The first article on SMS pumping fraud I found - describes the solution as well:
https://support.twilio.com/hc/en-us/articles/8360406023067-SMS-Traffic-Pumping-Fraud

But I see that Twilio's solution will not cover the most problematic countries such as Vietnam.

I guess that Dreamwidth solution for new accounts Vietnam, could be carefully monitored invitation system.

Another component of monitoring - reports from well-established Dreamwidth users.
If old Dreamwidth user friended the new account - it is a good sign.
If old Dreamwidth user banned the new account - it is a bad sign and Dreamwidth may automatically delete such new account. Especially if this new account was created from low quality IP network.

[mindways]

[Gentle nudge to re-read the last sentence of the comment you replied to here. I realize you're probably trying to be helpful, but you're not looking good.]

[dennisgorelik]

I do not see any technical arguments in the last sentence of the comment you are referring too.

[denise]

*sigh*

Let me try this one more time: the people running these networks are not using hacked WiFi or single internet connections or even IP addresses that have poor reputations in any available system that a site can hook into any kind of reputational check. We already do the things you are suggesting, and we have for years. These tactics no longer work, because spam is a trillion-dollar industry and there is more than enough money sloshing around in the ecosystem to build systems that evade even the most sophisticated reputational checks. The people who run these networks have a massive supply of IP addresses from multiple netblocks, from multiple providers, that are completely clean in every reputational database, and they use them until they start building up negative reputation and then pass them along to someone else to deal with the shit reputation while they move on to the next group of clean ones. I guarantee you that if I pulled the IPs of our last 100 spam accounts, every single one of them will have a cleaner reputation than the IP address you are currently using. Because they stop using them when they start accumulating negative reputation.

We are not talking "hacked wifi" or "scam ISP" here. We are talking people operating out of buildings that have multiple network drops from multiple providers with multiple completely clean reputations. For shits and giggles I tracked the network origins of our spam account creations from Bangladesh for about a week, because Bangladesh has a small number of ISPs, they're all licensed by the government, and you can get a list of the current license holders and therefore an accurate and complete list of all ISPs operating in the country. At the time I did that, there were about 130 ISPs licensed to operate in Bangladesh. We saw spam from over 100 of them.

Likewise, if your only understanding of toll fraud comes from a Google search and reading a surface-level article by a provider of SMS verification services with a vested interest in assuring the reader that the problem is not as bad as it actually is, you do not understand the problem well enough to be making suggestions for it. Up until Elon Musk bought it and laid them all off, Twitter had a team of about 20 engineers whose full-time duty it was to minimize the amount of money Twitter loses annually to toll fraud, which, as of my last information (since everyone I knew at Twitter got laid off) was eight figures a year -- and that's with aggressive engineering work to detect and prevent it. Add that to the fact SMS verification does nothing to actually prevent spam, because the networks we are talking about have access to an infinite number of phone numbers and the hardware setups needed to swap them instantly. SMS verification is not a spamfighting tool and hasn't been since at least 2015. It is expensive, it is a privacy nightmare, and it does nothing to fix the problem.

Site behavior is also not an accurate spam detection system. We already do it! We have for years! It detects less than 5% of spam account creation, and some days less than 1%. We have spent the last two years building increasingly sophisticated detection and prevention systems, both using in-house tools and demoing various externally available systems. We have found one option that was better than a 50% hit rate, and it was a) around 60% and b) also would be a massive privacy nightmare to actually implement.

You do not understand the scope of the problem, the sophistication of the operations that are involved, the cost of every single system that exists to address the problem (and how bad every single one of them are at actually detecting spam), or the sheer volume of garbage we're talking about. Between Mark's and my contacts, we probably know at least half of the top 100 people in the world at dealing with this problem at scale, and we have talked the issue out with them extensively. The suggestions you are making are easy, obvious, and don't work to solve the problem because they are the attack methods everyone was using to fight spam a decade ago and the spammers already adapted to them.

[dennisgorelik]

> IP addresses from multiple netblocks, from multiple providers, that are completely clean in every reputational database

I am suggesting to use your own reputational database of IP addresses, and keep your own database private.
So it will be hard for spammers to find out if their IP address is already blacklisted.

Bad IP should not prevent Dreamwidth account creation, but instead should allow spammer to create the account, so Dreamwidth can collect other spam indicators, such as:
- Email address and email domain.
- Connections to other Dreamwidth accounts.
- Content keywords.
- Other involved IP addresses.
- ...

> move on to the next group of clean ones

Do you mean that it is easy for a scammer to get access to clean IP addresses?
The spammer's dilemma is that if IP address is easy to access - then this IP address is quickly getting blacklisted.


> if I pulled the IPs of our last 100 spam accounts, every single one of them will have a cleaner reputation than the IP address you are currently using

Does Dreamwidth maintain the internal database of IP addresses Spam/Ham scores (based on Dreamwidth users activity)?

> Because they stop using them when they start accumulating negative reputation.

If Dreamwidth does not immediately delete spam accounts, then it may be quite tricky for spammers to detect that their IP address accumulated negative reputation in internal Dreamwidth database.

> there were about 130 ISPs licensed to operate in Bangladesh. We saw spam from over 100 of them.

So penalize IP addresses from 100 Bangladesh ISPs and do not delete accounts created from the remaining 30 Bangladesh ISPs.
This will put users' pressure on the bad ISPs to deal with spammers in their own IP networks.

> if your only understanding of toll fraud comes from a Google search and reading a surface-level article

I run a job board and deal with spam and scam every day.
Spam is a relatively minor issue for us vs scam (which is operated manually and not on a bot scale).

For spam indicators we use:
1) IP addresses (and networks).
2) Email addresses.
3) Content keywords.
4) Browser User Agents.
5) User's feedback.

> Site behavior is also not an accurate spam detection system.
> It detects less than 5% of spam account creation, and some days less than 1%.

What do undetected spam accounts do?

If they do something harmful - why you cannot detect such harmful behavior?

[dissectionist]

Denise, by this point I feel like this guy is just sealioning you. I’m sorry you’re having to deal with it.

[denise]

Let me try this again in extremely small words:

When we suspend a spam account, we already block the IP address. The spam we see is from fresh IPs that have never been used to create accounts before. The parts of your "one simple trick" suggestions that aren't useless, we have been doing for years, and they have stopped working.

Please stop. You are not making helpful suggestions. We have consulted some of the world's foremost experts on social media spam management. You are not one of the world's foremost experts on social media spam management. If you were, you would not be making useless suggestions that stopped working in 2015 and demanding that I explain the absolute basics of the field to you.

[dennisgorelik]

If you think that the spam detection system I describe is "one simple trick" - you misunderstand what I describe.

If you are not interested in the discussion about spam detection strategies - it is ok.

I thought that you posted about spam problems in order to get more ideas that might help you with improving your spam detection algorithms.

[denise]

I have explained to you repeatedly why your suggestions are not helpful and asked you to stop. Because you haven't listened to that request, I have banned you from dw_maintenance. In the future, to avoid being banned in other official communities, if site staff ask you to stop commenting in a discussion in an official community because your contributions are not helpful, stop commenting.

[marinarusalka]

Denise, you have the patience of a saint. I would’ve banned that dude three comments in, and not nearly as politely as you did.

Thank you for your hard work.

[kore]

Oh my God seriously. That was some deep level explaining he didn't deserve but it was intriguing to hear about, like an irritant ending up as a pearl!

[denise]

I am usually very happy to explain the nuances of things! My willingness to do so is often directly proportional to how many times I've explained it to the same person, heh.

[lovingboth]

A rare upside of spamsplaining :)

[andrewducker]

Seconding all of this.

[havocthecat]

I'm sorry you had to deal with that, but I learned a lot from reading it, if it helps to know someone else got something out of...that.

[denise]

It is actually sickly fascinating, in the way that people genuinely do not believe how bad the problem is and how absolutely localized the worst of the operations are. I just did the first full spam run with 24 hours of having geoblocking on and compared it to last Saturday (since there are absolutely weekly patterns): last week 69% accounts created were spam, this week it was 19%. And 2/3rds of that 19% were actually IPs from one of those 7 countries, just not flagged as such in our intermediary's geolocation database: it would have been 6% if their db were more accurate.

[tornir]

1) Bogons. Look them up. Most of the shittiest spam-friendly ISPs announce them.

[dennisgorelik]

I guess Dreamwidth blocks Bogon IP addresses anyway.
The more tricky problem is how to treat legitimate IP addresses that are abused by spammers.

[grey_and_furry]

2)
Nice catch, comrade major...

[dennisgorelik]

There is no need to introduce SMS verification for already established Dreamwidth accounts.

[grey_and_furry]

Thank you for the reminder, but my obvious concern is valid new users (i.e. not spammers).

[thatwasjustadream]

I managed spam posts on a web site for years. In the end, we had to remove commenting because it was impossible to keep up. User blocking was a joke. IP blocking didn't really touch the problem, either. Am sharing that to say I understand how hard it is. I think I'm still a little scarred from all the cr*p I read in the deleted comment files all those years. :\

I hope you can find the right formula, and I'm sure people will (should) understand. This is not an easy problem to manage.

[denise]

It's gotten so, so much worse lately, too. We had the spam percentage down to a good 20-30% for a while but they keep adapting, and now we're back up to 80% on a bad day and hitting 60% regularly. I feel like Sisyphus pushing a rock up a hill most days, sigh.

[thatwasjustadream]

Ugh. :| I hear that. I hope the new measures help.

[bradygirl_12]

You must feel like Monty Python yelling "Spam!" 😠

[shadowbliss]

Thank you for all you do Denise

"They're coming in too fast!"

[tornir]

Been there, done that, got the userpic. :P
Thanks for all your hard work. :)

[dylan_mx]

thanks for the hard work! It's much appreciated!

[pebble_in_a_lake]

Sorry you're continuing to have to deal with the spam problem. It sounds like something I'd never have the patience to handle. We appreciate all your hard work in keeping the site safe and free of spammers. Thank you!

[profiterole_reads]

Thanks for your work!

[bluedreaming]

Thank you for your update!

[sixbeforelunch]

Would bringing back invite codes help? Or does that fall too heavily on the side of restricting legitimate use?

Thanks for the hard work! I’m sorry the spammers are making your job so hard. :(

[denise]

I covered it in comments to the last post: the problem is it's easy enough for spammers to get codes (between people posting lists of invites and the "create an account, age it and wait for it to start generating codes" tactic) that it's not an effective deterrant and it takes about as much administrative time to deal with invite-related problems as it does to deal with spam so it would just be a giant pain in the fucking ass for no net benefit.

[sixbeforelunch]

Ah. I figured there was a good reason why you weren’t doing it but I was wondering what it was. (Sorry should have checked comments on the last post before asking.)

Spammers are relentless and I hate that they exist (but probably not as much as you do).

Invitation tree

[dennisgorelik]

> is it's easy enough for spammers to get codes (between people posting lists of invites and the "create an account, age it and wait for it to start generating codes" tactic)

You should record the connection between new accounts and the accounts that issued the invite for these new accounts.

Then if you catch a spam account - you can quickly detect the whole tree of accounts to cleanup.
All new accounts in this tree - delete automatically (and automatically blacklist all IP networks that participated in creating these spam accounts).
The old and legitimate account that issued invite code - block from issuing any new invite codes again.

This automatic monitoring strategy should quickly stop invite-based spam accounts creation.

Re: Invitation tree

[ninetydegrees]

"and automatically blacklist all IP networks that participated in creating these spam accounts"

I quote Denise's comment in he previous post: "a massive number of the IPs that are in those abusive-IPs databases are VPN IPs and that would have a tremendous amount of splash damage, so we'll never be able to do it."

I suggest you read the comments to the previous post on it as this answers several suggestions you've made.

Re: Invitation tree

[dennisgorelik]

ninetydegrees

> a massive number of the IPs that are in those abusive-IPs databases are VPN IPs and that would have a tremendous amount of splash damage

The IP blacklisting does not have to be permanent.
It may be sufficient to blacklist IP network for ~30 days.

Blacklisted IP does not need to mean absolute block of new account creation.
Bad IP should lower HamScore that account that uses this IP address has.

If HamScore of the account (due to other indicators) drops below blacklisting threshold - only then delete the account (and blacklist all indicators that participated in creating this spam account).

In this case blacklist is not absolute - the "splash damage" will be minimized.

[qitian]

Hi Denise, thanks for the update. Just a few questions:

1) Will Dreamwidth periodically review the list of countries subject to signup blocking and update it?

2) What's the anticipated turnaround for the support team to respond to account creation requests? I'm not asking this for the purpose of holding the team to some hard timeline, but if the process is expected to take longer than a day then I'll probably send in my requests for throwaway account creation in batches instead of doing them individually.

3) Since the instructions in your post do not require users to provide the passwords they wish to use when creating new accounts via email request, I presume this means that the support team will generate the passwords and email them to the user.

Will the created passwords will be unique to each email request or to each account created? E.g. I send in a batch request to create 5 new accounts. Will each account have a different password or will all accounts in that batch have the same password?

4) Will the blocked signup page be enhanced so that users from geoblocked locations have access to the instructions that they need to email support in order to create an account? Right now it's just a 403 error page.

[denise]

1) We keep a regular eye on the hit rates of every access restriction we place, yes. It is very rarely that we can lift one once we place it, however.

2) It absolutely will not be faster than 24h turnaround; there's no way we can commit to that. The exact speed will depend on the volume and on how much admin time we claw back from spam handling. If that doesn't work for you, you can also use a VPN service to get an IP that geolocates outside of one of the blocked countries just for account creation, although VPN abuse is another one of our big issues right now and we have the "filter traffic from netblocks with bad reputations" filter with our DDoS provider turned up pretty high right now.

3) The account creation admin tool generates a random password that can't be emailed to you (it's impossible to extract an account's password: writing the password to the database is a one-way operation) and you will have to reset it once the account has been created through the normal password reset email workflow to a password of your choice.

4) Not easily technically possible, I'm afraid.

I know it sucks, and I'm sorry. We have been holding off on this step for a very long time, because we know it's disruptive. But we are absolutely drowning -- on a bad day our account creation volume is 80% spam and an average day is running around 60% -- and we need to take drastic steps in order to preserve the service for everyone.

[qitian]

1 + 2) That's what I expected, but it's good to have confirmation. I've been following your tweets and the site's updates regarding Dreamwidth's challenges with combating spam so I was aware of the VPN-related issues already, but I really appreciate you raising it as a possible solution and highlighting the issues associated with that. :)

3) I'm very glad to hear this actually; yay for protections to account access. So will the process look like this from the user's end?
I email support with usernames of accounts to be created → Some unspecified amount of time later, I receive emails that my accounts have been created and verified (i.e. just like I would have under the old process) → I do a password reset for those accounts via the usual process and change my password at that point

4) In that case, would it be possible to add a new FAQ on this topic? This is for the benefit of entirely new users to Dreamwidth / existing users from those countries who may not see this post and won't have a clue what's going on when they hit the 403 page.

I understand that this is a measure of last resort and implementing it was a difficult decision to make - I absolutely don't begrudge the team for doing this. Rather, I'm grateful to you all for not just the work put into keeping the site useable, but also for the consideration towards the userbase!

[denise]

3) Correct, that's what it will look like.

4) Someone who doesn't read dw_maintenance doesn't read the FAQs either :)

[qitian]

4) What if an existing user were to be away from the site for some time and missed this post? Not to mention new users who don't even know this community exists. I think it's reasonably fair to expect that someone who's trying to troubleshoot the 403 block would check the FAQ, and so some of the freed-up admin time ought to be allocated towards drafting a new FAQ.

[mildred_of_midgard]

Seconding this. I spent years checking the FAQ before I started following this community.

[octahedrite]

+1, it's unreasonable to expect a new user from a blocked country to dig through dw-maintenance. In fact, the sign-up flow instructions should be on the home page for those countries.

[denise]

We'll document it once we have more than two hours of data from the test drive to see if it works, if we're keeping it, what we're changing (if any), etc: the FAQ is for permanent or very long term information, not for "we're trying this thing, it may work, it may not, we may change it back". But I will note that the reason we chose those particular countries is because the amount of legitimate usage from them is very, very low, and the vast majority of new account creation from them is overwhelmingly spam.

[tessitura]

Thank you for the updates, constant vigilance, dealing with bad faith actors (spammers/several passive-aggressive at best comments on DW update posts/etc) and making DW such a cool place to hang out on in general

[kore]

Absolutely seconded!

[dreamtigress]

Thank you for all of your hard work!

[folk_melody]

I am glad that users from the geoblocked countries can now access the site without a problem and thank you for that :D I hope the new measures work and reduce the spams! Thanks for the update!

[bastun]

Thanks for all your hard work. It is very much appreciated!

[frith]

I think that geoblocking the account creation page is a clever solution! I like it. I wonder if the elimination of tracking-based targeted advertising would starve off Search Engine Optimization spam.

[paserbyp]

Good job! I can see right now that I can’t catch any SPAM anymore to report it. Bravo!

[ex_flameandsong751]

Thank you for your hard work.

[grey_and_furry]

Thank you and dw team for your work

[pangolin20]

Thank you for putting in all this work!

[juni]

thanks for the update!

[rampitec]

Not sure if anyone has suggested it yet: make registration from these IPs paid? I am just following Musk's idea for Twitter.

[denise]

Unfortunately, as Elon is also discovering, spam is so profitable that the registration cost is a drop in the bucket. Metafilter charges $5 to register an account and their spam rates are only slightly lower than ours.

[got_quiet]

It's crazy to me that this is the case. I don't mean that in the "I don't believe you" sense but the wtf sense.

Thank you for fighting the fight.

[denise]

The difference between the first page of Google search results and the second page of Google search results can be measured in the millions of dollars for some keywords. It is genuinely fucking wild, and all the profits go to the spammers while all the costs go to the platforms. Spam is a trillion dollar industry globally and I don't want to think about what it costs us all to fight it!

[tornir]

So they want free SEO?
Could you set up a flag for identified spam accounts that sets the system to nerf any posted URL to point to a LOLCat/RickRoll/"Don't Spam!" page for visitors and spiders, then lock the account so it stays there pushing them down the search rankings?

[denise]

Wouldn't make a difference: Google couldn't see us at all for about five months while we were dealing with the last abusive traffic problem and spam went up: the spray and pray is so profitable that they don't even bother checking. There's just no reliable way to get Google to penalize a URL in a way that any of these people will notice. We already do a ton of things that signal "this is malicious SEO" to Google and it makes no difference in our spam volume, and anything else we did would start having problems for legitimate users trying to index their journals through Google. The only thing that's effective is preventing the account creation in the first place or suspending the accounts as fast as they're made. (Hilariously, a good percentage of the spammers then write in to us to demand that we unsuspend them because they didn't violate the ToS. About three months ago I started noticing that a good 80% of the emails are now written by ChatGPT. It's grimly hysterical.)

[watersword]

This is, truly, the worst timeline.

[siderea]

Daaaaaaaayum. I hadn't heard that.

[axiomwitch]

Do you need new antispam volunteers?

[denise]

Unfortunately, the kind of spamfighting we can use volunteers for is no longer the primary type of spam we get -- the kind that 99% of our spam is now needs access to the admin tools that also allow access to nonpublic user data, so we can't hand out access as freely. (The tool that lets volunteers handle reported comment spam doesn't involve nonpublic data, so we can give that one out right and left! Except we don't get much comment spam anymore; everyone's moved on from that.) The majority of the spam we get now is designed to be as invisible as possible to anything but Google, so finding it is the world's worst scavenger hunt. I have the outline of a system in my head that will let us abstract away that user data and recruit volunteers to handle the like 70% of it that's very obviously spam and leave us more time to find the 30% that requires more digging, but we haven't had the time to build it because we've been handling the spam. With luck this will give us some spare cycles to get that built!

[axiomwitch]

Makes sense. Good luck to y'all!

[medusahealing]

Wow...Just wow...who knew peeps could be so animated...

thanks for the good work. I do have access to the VPN from Proton but rarely use it. So...there's that. I'll keep this in mind though.

[pronker]

Thanks for all your work to solve this ongoing problem - this may be unrelated, but the a-href isn't working for a fancake link? I don't claim to be computer-literate to a great degree and it's possible I'm messing up somehow ... :/

EAD: NM, I used the embed link. :D

[kore]

Thank you so much for all the hard work you do, ESPECIALLY patiently and clearly explaining at length in these posts and comments, which are really enlightening and a unique resource!