Monday, January 30th, 2012 05:36 am
Let's discuss briefly the Advance-fee fraud, where a grieving orphan "inheritances an important sum from my late father" and would very much like to invest it, or something -- but up front, they're going to need a small fee -- really a paltry sum -- to liberate the cash. They will of course pay you back handsomely --

... except there is no money, and they pocket the fee and leave you in the lurch.


Please continue to use the "Mark as Spam" link from your Dreamwidth inbox when you get one of these. (As tempting as it is to mark the email notification as spam, try to resist the urge -- that won't stop spammers from registering accounts on Dreamwidth and trying to send you messages, it won't report the message to us, and depending on your email system's setup, may well lead to them ditching notifications of legitimate activity from Dreamwidth. It would be so much nicer if the "report as spam" in your email box were connected to our spam system, but sadly I don't know that that ever would happen.)

After you have marked it as spam in the Dreamwidth inbox, you can feel free to delete the message, as a copy will have been dumped into the spam team's queue.


The activity in IRC when this spammer kicks into action -- this one looks to be a single person, gone through 2 accounts now -- is probably hilarious for the onlooker. There's shouting of the "MAN THE BUCKETS! ALL HANDS ON DECK!" sort, and a frantic scramble for whichever Terms of Service person happens to be on duty at the moment. There is cussing, glowering, and occasional bursts of spammer mockery. Some of this is even in the public channels.
Wednesday, January 25th, 2012 05:51 pm
There's a new variation on one of the ever-popular testing campaigns.

(A "testing campaign" is where the spammer pokes a location that it might like to actively spam in the future, to see how easy it is to leave comments there, how long the comments last, and whether they will show up in search engines, and possibly other things. These campaigns don't actually leave spam links, but they're still run by spammers, get in people's way, and should be treated the same as spam with actual links.)

This particular spam campaign features a subject line that looks like YouTube sneezed, and then a financially-related comment. It probably makes no sense in context with the entry or comment that it's in reply to.

Other similar campaigns:
  • Keysmash subject, vague compliment
  • Keysmash subject, vague compliment (often self-deprecating) with (at least) one misspelled word (there may be other misspelled words in the comment, but those are usually in line with common netspeak; the misspelled word that identifies this campaign uses all the correct letters, but out of order)

Be suspicious of any comment that includes a random-looking keysmash, because that keysmash is probably unique to that one piece of spam, and the spammer will go looking for it later to see if what it did that time got through and made it stay in place.
Tuesday, January 17th, 2012 12:59 am
It's been an interesting year in [site community profile] dw_antispam!

Every week, more or less, I pull the spam statistics for all items reported as spam sitewide. (Eventually that part of my job may be replaced by a very small script.) In some weeks I am able to review all reports, and some weeks I only have a chance to look over the top few. When possible, I make a note of how many of the reports were actual spam, and how many of them were other things that made their way into the spam reporting system. (For example, anonymous insults are certainly unpleasant and deserve deletion, but are not actually the commercially-motivated, high-volume sort of thing that the antispam system is designed for, and thus not actionable by the antispam team. Some reports, while not spam as such, were forwarded to developers who were better able to address the specific problem, such as comments that "broke" the page for other readers.)

The numbers for each item here are, in order: valid reports, invalid reports, and total reports. (When exact numbers were unavailable and the old reports had been cleared, I skewed in the direction of counting unknown/uncertain items as valid; if entirely unknown, I left the invalid number as 0.)

During some weeks, for one reason or another, I was not able to pull the reports as usual; in the interests of not having the numbers wildly out of whack, I kept the numbers the same as the previous or next week. I have noted in my source data which weeks were the result of estimates, and made a note with each total.

These numbers only take into account the spam that is deleted-and-reported, so the numbers for spam actually received across the service are assuredly higher, due to spam in abandoned journals, spam that is being deliberately saved, and spam that the journal owner either hasn't yet found the time/energy to delete or is unlikely to find the time/energy to remove at all.


TOTALS
Valid spam reports sitewide in 2011: ~4,800
Invalid (non-spam) reports in 2011: ~200
Total spam reports sitewide in 2011: ~5,000

Total registered user spammers in 2011: 16

Year Weekly Average
Valid: 90
Invalid: 4
Total: 94
Maximum reported registered user spammers in any week: 4

In an average week, 10-20 pieces of reported spam are reported by a single user. This does mean that spammers are singling out some users to barrage more than others. A rise in your personal spam does not mean that spam is necessarily up for the whole site, just that you are the unlucky user who is getting a lot of it this week.


The vast majority of spam reports are of anonymous comments. The breakdown (weeks without data were excluded from this):

Anonymous comments: 3735
OpenID comments: 62
Registered user comments, entries, and private messages: 122, of which 71 were valid; that's 58% of reports that were valid, and 42% that were not actual spam.

The vast majority of anonymous spammers are defeated by CAPTCHAs.
Most OpenID spammers originate from LiveJournal. Many of their spam comments are not left on Dreamwidth directly, but imported along with a journal.
A relatively significant proportion of the registered user spammers (most of whom are from open registration periods) were caught due to what I like to call "flagrantly notable" spamming -- spam directed at official areas of the site, where it comes directly to the attention of people who will issue the smackdown.


I've pulled the numbers from my weekly reports into a spreadsheet, for the curious, with some commentary:
https://docs.google.com/spreadsheet/ccc?key=0AhtWr7PvrMa4dEpFOTlRNDFtaV8xRGx0WkZmSGdwSkE
Tuesday, January 10th, 2012 06:25 pm
Linking here as suggested by Azz -- please feel free to spread around if you think it'd be useful to anyone:

PSA: Today, you get ALL the spam
Monday, November 14th, 2011 11:30 pm
It looks like Dreamwidth needs our carpets cleaned, because a couple registered user spammers have gone and tracked their links all over! Keep those reports coming so the Terms of Service team can do their walloping.
Monday, August 8th, 2011 06:02 pm
Hi, Dreamwidth!

Since I saw a couple people wondering, I wanted to confirm that there is a known spam campaign that leaves anonymous comments with a subject that looks like a cat walked over the keyboard while a second cat was repeatedly batting the caps lock key off and on, with the body containing a vague compliment with at least one word where the letters have been artfluly rearranged.

The keysmash subject is likely a unique identifier, so the spammer can tell which specific comment got through when it checks or searches later.

Why the vague compliments? Well, a compliment may well fit in to the existing conversation, and may be a way of attempting to build up a reputation as harmless/helpful for that IP address.

Why no spammy links? This may be merely a test campaign, to see how soft a target we are. Or they may just be attempting to build up good reputation so that when they do make with the links, they won't immediately get kicked off the site. Or they may not have anyone paying them to spam right now. But the IP that's emitting gibberish and compliments today is surely tomorrow's viagra-and-handbags vendor.


If you find that you've been getting keysmash-and-misspelled-compliments, please do go ahead and delete them as spam if you have the time and energy. A lot of them, even old ones, are from unique IP addresses, so you may have been the only one hit by that particular specific source.

If you have questions about other comments that don't fit this pattern, you can ask: here, in Support, in the latest [site community profile] dw_news entry, and probably some other places. There are usually a lot of helpful people around who either know off the tops of their heads, or know where to find a spamwhacker.
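
The two markers of this campaign, a mixed-case keysmash subject and a compliment containing a word whose letters are all present but out of order, can be checked mechanically. The sketch below is an added example, not Dreamwidth's antispam code; the thresholds, the mini word list and the sample comments are constructed assumptions.

```python
import re

VOWELS = set("aeiouy")

# Constructed mini-dictionary of words typical of vague-compliment comments.
# Assumption: a real filter would load a full word list instead.
KNOWN_WORDS = {
    "amazing", "article", "artfully", "brilliant", "clever", "information",
    "really", "thanks", "useful", "wonderful", "writing",
}
# Index each known word by its sorted letters so that anagrams share a key.
ANAGRAM_INDEX = {"".join(sorted(w)): w for w in KNOWN_WORDS}


def _longest_consonant_run(token):
    longest = run = 0
    for ch in token.lower():
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest


def find_keysmash(subject, min_len=10):
    """Return the first token that looks like a random mixed-case keysmash, else None."""
    for token in re.findall(r"[A-Za-z]+", subject):
        if len(token) < min_len:
            continue
        # Caps lock "batted on and off": count upper/lower flips between neighbours.
        case_flips = sum(a.isupper() != b.isupper() for a, b in zip(token, token[1:]))
        vowel_ratio = sum(ch in VOWELS for ch in token.lower()) / len(token)
        # CamelCase names also flip case, so require an un-wordlike letter mix too.
        if case_flips >= 2 and (_longest_consonant_run(token) >= 5 or vowel_ratio < 0.2):
            return token
    return None


def find_scrambled_words(body, min_len=5):
    """Return (seen, intended) pairs: unknown words that are anagrams of a known word."""
    hits = []
    for word in re.findall(r"[a-z]+", body.lower()):
        if len(word) < min_len or word in KNOWN_WORDS:
            continue
        intended = ANAGRAM_INDEX.get("".join(sorted(word)))
        if intended:
            hits.append((word, intended))
    return hits


def classify_comment(subject, body):
    """Combine both signals; a keysmash alone is only 'suspicious'."""
    keysmash = find_keysmash(subject)
    scrambled = find_scrambled_words(body)
    if keysmash and scrambled:
        verdict = "campaign-match"
    elif keysmash:
        verdict = "suspicious"
    else:
        verdict = "no-match"   # a scrambled word alone is just a typo
    return {"keysmash": keysmash, "scrambled": scrambled, "verdict": verdict}


# Constructed sample comments (subject, body); none are real reports.
SAMPLES = [
    ("qWRTkzPLmnBVxcJH",
     "Your writing is really wondreful, I wish I were so artfluly clever."),
    ("xKJqwPLzRTbnMVc", "Investing in bonds early is wise."),
    ("Re: JavaScript question", "Thanks, this was really useful information."),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(subject, "->", classify_comment(subject, body))
```

Because the keysmash is probably unique per comment, the matched token is returned rather than just a flag, so a reviewer can look for the same string elsewhere.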
Wednesday, September 15th, 2010 10:26 pm
We are looking for additions to our dedicated team of spamwhackers, to ideally reach round-the-clock coverage of incoming reports. Comments are screened, so you can leave applications here. If you have questions, ask them here as well, and someone can unscreen them for discussion. (If you'd prefer that they be left screened, let us know.)

The ideal volunteer:
  • can quickly assess a given report
  • can decide whether or not a given report is spam (checking with a colleague or team lead if uncertain)
  • can handle spam reports reasonably quickly
  • is available 2-3 hours a week to watch for fresh spam
  • can handle repetitious work
  • can handle possible duplication of effort


Training with the spam system and with the spam policies is provided, and we can work with people's individual schedules for training.

The antispam system is mostly as inherited from our code parent, not designed for accessibility, and allows volunteer collision/duplication of work. (It has been successfully used by a volunteer using a screen reader, but has not yet been upgraded with accessibility in mind.)

Fresh spam is announced in a usually-low-volume IRC channel. IRC access is not required, but is helpful for training and watching for spam. The IRC channel can be accessed through your favorite IRC client (unless your favorite IRC client is Mibbit, as Mibbit and Freenode don't work together), or through Freenode's webchat (visual or audio CAPTCHA, javascript required, computer capable of handling webchat required).

Spam reports contain a mix of actual spam and things that are not spam. While they are relatively rare by spam volume, some of the spam advertises illegal and disturbing materials such as child pornography. Some reports involve other general unpleasantness. Reports of this nature can be upsetting to encounter. Any antispam volunteer can decline to handle any given spam report, but what has been seen cannot be unseen in some cases. The team leads are available to chat about any spam report upon request. You are the best judge of your own capabilities and limits, and are free to resign at any time, for any reason.


  1. What brought you to Dreamwidth?

  2. What is your interest in working with Dreamwidth's antispam team?

  3. How long do you see yourself staying with Dreamwidth and/or the antispam team?

  4. Which of these sample reports would you consider spam, and why or why not? What extra information would you look for, if you are unsure?
    1. djurEUVKSwjvcWJDJ Jonny was here

    2. Nice blog, good job

    3. Go to hell, you're the most stupid little fuck I've ever met.

    4. BUY HIGH-QUALITY CREDIT CARDS, FRESHLY SWIPED. I ONLY DO BUSINESS WITH RELIABLE PEOPLE. EMAIL ME HERE: [email address]

    5. My dear, I have searched and I believe you are the heir of the Prince. Please contact me by private mail and furnish your full name, address, social security number, and any other information to identify that you are the legitimate heir. God bless, [signed]

    6. This device began as a four-line writing handbags machine, but eventually became capable of writing sixteen and thirty-two lines at once. Houser's invention became extremely popular- students would break rules so they could have a go at using the Graphical Device (for threepence to use it and a penny to help wind it up). Eventually, Houser's experiments came to an end when someone opened a wrong quality handbags door and the pent-up force of his prototype 256-line writing machine propelled Houser out of a fourth floor window.

    7. Weight loss drugs Best weight loss Fast weight loss Effective weight loss Wonderful diet

    8. Happy birthday, sweetie! Hope it's a good one and your hair doesn't catch fire lol, see my entry for your card [livejournal.com link]

    9. [img src=alkj58akalk.com/karklhfg/shoes.jpg]

    10. [img src=hello.jpg]

  5. How many hours a week can you devote to antispam efforts if needed?

  6. What times of day are you typically available? What time zone? (Times of day are appreciated in UTC. If unsure, mention your availability in your local time, with your local time zone.)

  7. Do you have any previous experience with antispam work, or issue-handling queues?

  8. What languages do you read at a level of fluency to be able to tell spam from non-spam?



This is a volunteer (unpaid) position, and does not require a Non-Disclosure agreement nor a Contributor Licensing Agreement, although antispam volunteers are expected to not discuss any sensitive information they are exposed to. New members are added in response to spam volume, as needed, and not all applicants will necessarily be accepted. Length of journal establishment, publicly visible journal contents, and behaviour on the site are also considered.

Edited 2011 12 05 to clarify a few small points and add a language question.
Tuesday, August 24th, 2010 12:46 am
The concept is not news to security professionals, but it is gaining a little more attention in the news due to a recent in-depth study done on exactly how this is accomplished.

Via Marginal Revolution:

How Spammers Use Low-cost Labor to Solve CAPTCHAS

... the inventors of CAPTCHAS probably didn't anticipate this: Hundreds, possibly thousands of laborers working for less than $50 a month to solve an endless stream of CAPTCHAS delivered to them by automated middlemen who sell the results to spammers in real time, so that their spam bots can use those solutions to post to forums and blogs as well as set up fraudulent email accounts, says a paper about to be delivered at the USENIX Security Symposium.

Clever analysis of the location of the workers involved in this scheme revealed that they are based in India, Russia, Southeast Asia and China. The system is so efficient at delivering CAPTCHAS to workers in these remote locales that the average time for delivery of a solution hovers around 20 seconds.


No system is perfect, but the antispam team is still dedicated to rejecting the spammers who do make their way in. The incidence of spammers who make it past CAPTCHAs is very low.
Wednesday, February 24th, 2010 03:16 pm
It's time for some informative digressions on Joe Jobbing.

What are Joe Jobs?

Rather than being Steve's less-famous younger brother, a Joe Job is where some spammer, scammer, or other lowlife forges a third party's information when carrying out an attack.

This is to be distinguished from the sort of attack where the lowlife cracks or otherwise gains access to the third party's property in order to carry out an attack.

From Wikipedia:
A joe job is a spamming technique that sends out unsolicited e-mails using spoofed sender data. Early joe jobs aimed at tarnishing the reputation of the apparent sender or inducing the recipients to take action against him (see also e-mail spoofing), but they are now typically used by commercial spammers to conceal the true origin of their messages.

The name "joe job" originated from such a spam attack on Joe Doll, webmaster of Joe's Cyberpost. One user's joes.com account was removed due to advertising through spam. In retaliation, the user sent another spam with the "reply-to" headers forged to make it appear to be from Joe Doll. Besides prompting angry replies, it also caused joes.com to fall prey to denial-of-service attacks that took the web site down temporarily.

Some e-mail joe jobs are acts of revenge like the original, whether by individuals or by organizations that also use spam for other purposes. Spammers use the technique to cycle through domains and try to get around spam filters and blocks.

Joe-jobbers could also be businesses trying to defame a competitor or a spammer trying to harm the reputation of an anti-spam group or filtering service. Joe job attacks in other media are often motivated politically or through personal enmity.


The parties in this scenario are the Attacker, Joe, and the Recipient.

Joe Doll on the Joe Job
Steve's JoeJob Page (warning: Comic Sans)
Fighting the email Joe Job on your personal domain: SPF (Sender Policy Framework)

The Joe Job in Spam

In spam, the joe job is generally found in e-mail, where the spammer (the Attacker) forges the e-mail headers so that the message appears to come from poor Joe's email address or domain.

Who is the victim in a Joe Job? How are they hurt?

There are two victims: the recipient(s) and Joe.

Who benefits from a Joe Job? How do they benefit?

The attackers benefit from the joe job.

I'm a Dreamwidth user. Am I likely to be the victim of a Joe job?

If you have a paid account and the paid account forwarding email address, it may be forged as a part of a spam campaign, making you (and, by extension, Dreamwidth) Joe. This form of joe job is rampant on sites such as LiveJournal.

This address may also be the recipient of spam, including possible spam sent as part of a joe job.

Any forum that allows anonymous comments or any other form of anonymous posting, or allows un-authenticated user accounts (such as a form where you enter your name and email address, but does not confirm that you own the email address) is vulnerable to someone simply posting a comment signed with someone else's name. If you have anonymous comments enabled, or frequent other journals that have anonymous comments enabled, this can be used against you.

If someone wishing to cause trouble for Dreamwidth emits spam that appears to benefit or otherwise implicate Dreamwidth, the whole site will suffer.

How can I help?

Use SPF records, respect SPF records, and be aware of Joe Jobs as a form of spamming.
Monday, January 11th, 2010 04:44 am
Quarter 1:

Closed beta. Site owners handled all spam.


Quarter 2:

[staff profile] denise got tired of handling all the spam and appointed [personal profile] azurelunatic head of antispam. [personal profile] invisionary became co-head.

Open beta.

Internal tools and policy were worked out.


Quarter 3:

[personal profile] exor674 discovered a bug whereby spam was getting through that ought not to have been. She and Mark got this squared away very quickly, which lessened the load on the team and the entire site.

Dreamwidth picked up the Spamhaus drop list.

There were continued improvements to internal tools and policy.


Quarter 4:

There was a notable rise in erroneous reporting of non-spam but unwanted comments, followed by a fall back to previously established levels.

Weekly reporting started. There was a drop in spam over Christmas and the new year.

One of the very few advantages to seeing this much spam is being able to note the highlights.
  • There is a surprising amount of spam that does not actually include directly profitable content (links at which you may be persuaded to partake of their dodgy goods and/or services, or links to drive up their search engine credibility). The working theory is that these are test runs so they can see what's being left unguarded. The occasional quotes from a variety of dead philosophers are just a bonus.
  • Santa Claus and Viagra in the same sentence makes me run screaming.
  • Styles designed for non-LiveJournal-based blogs are not likely to work on Dreamwidth.
The spammers would also like you to know that there are many fine establishments on the internet where you can obtain
  • adult goods and/or services
  • pharmaceuticals, recreational and otherwise
  • Genuine fakes
  • shoes
Perhaps you will choose one of theirs?


Policy and internal tools, as ever, improved in response to c'thia.
Wednesday, July 15th, 2009 06:55 am
Spammers who have run afoul of Spamhaus won't be troubling Dreamwidth anymore. :D

http://changelog.dreamwidth.org/276673.html
Friday, June 5th, 2009 10:56 pm
FTC Shuts Down Notorious Rogue Internet Service Provider, 3FN Service Specializes in Hosting Spam-Spewing Botnets, Phishing Web sites, Child Pornography, and Other Illegal, Malicious Web Content
A rogue Internet Service Provider that recruits, knowingly hosts, and actively participates in the distribution of spam, child pornography, and other harmful electronic content has been shut down by a district court judge at the request of the Federal Trade Commission. The ISP’s upstream providers and data centers have disconnected its servers from the Internet.

According to the FTC, the defendant, Pricewert LLC, which does business under a variety of names including 3FN and APS Telecom, actively recruits and colludes with criminals seeking to distribute illegal, malicious, and harmful electronic content including child pornography, spyware, viruses, trojan horses, phishing, botnet command and control servers, and pornography featuring violence, bestiality, and incest. The FTC alleges that the defendant advertised its services in the darkest corners of the Internet, including a forum established to facilitate communication between criminals.

The complaint alleges that Pricewert actively shielded its criminal clientele by either ignoring take-down requests issued by the online security community, or shifting its criminal elements to other Internet protocol addresses it controlled to evade detection.

Thank you, US Federal Trade Commission!
Tuesday, June 2nd, 2009 04:41 pm
There are three major tools Dreamwidth offers to help you protect your account from spammers: comment access, comment CAPTCHAs, and comment screening. These can be set individually, in any combination you like.

Visit the My Account Settings: Privacy page, and take a look at your comment options. (To set options for a community of which you are an administrator, pick the community name from the 'Work as account:' menu, then click the 'Switch' button.)

These options cover a number of groups of users: Everybody/anonymous users, registered accounts, your Access List, and nobody. (When working as a community, the Access List applies to the community's members.) These options do not treat the people that you are subscribed to but have not added to your Access List separately, nor any custom access groups.

You control the members of your Access List. As a general best practice, if you know a Dreamwidth user to be a spammer, you should not add them to your Access List.

Registered Dreamwidth users are not typically sources of spam. As Dreamwidth uses invite codes to create free accounts, this means a would-be spammer who wants to register a Dreamwidth account must either request an invite code from another party, or pay to create an account. Neither of these options is particularly attractive from a spammer perspective. (If you learn that another Dreamwidth user is a spammer, please do take action. If they have left you a spam comment or a spam entry in your community, select the option to report it as spam and delete it. If they have not spammed you, but you can establish that they are behaving in a way that is against the Terms of Service, contact Abuse.)

OpenID users (such as LiveJournal or InsaneJournal users) who have logged in and have set and confirmed an email address are classified with registered accounts. (OpenID accounts cannot join communities at this time.)

OpenID users who have not confirmed an email address are currently classified with anonymous users. However, Dreamwidth plans to change this behavior in the future.

Anonymous users include your friend whose browser ate their cookies again, a well-meaning user who does not want to take credit for a good deed, a well-meaning user who does not want to be associated with the information they have just shared, friends from other sites who haven't got their OpenID accounts working quite right, friends and/or relatives who haven't gotten into the whole blog concept, anonymous users without accounts, spammer-controlled zombie computers posing as legitimate anonymous users, and that person you banned (along with several of their friends).


Why does Dreamwidth allow anonymous commenting at all, when it can be abused so easily? Why not make all anonymous users solve CAPTCHAs?

Some people, particularly people with visual disabilities and people who use screen readers or other browsers that do not load images, have difficulty with CAPTCHAs. Anonymous commenting is useful because it has so many legitimate applications. Some people can't get or just don't want accounts. Some information wants to be free, and some of that information really shouldn't be associated with any kind of identity. Some games are more fun when played anonymously.

However, you personally may or may not have a reason to want anonymous commenting in your journal or community. If you are having anonymous spam problems, review whether you can use a CAPTCHA or screening to reduce or hide spam, whether you can leave anonymous commenting turned on for only short periods of time, or whether you actually need anonymous commenting turned on at all.


Enable Comments settings:


Nobody: This disables comments completely, and hides all old comments. This is not typically used to control spam.

Access List: Only people on your Access List are allowed to comment.

Registered accounts: Allowing registered accounts to comment is unlikely to allow actual spam.

Everybody: This allows anonymous comments (only to public posts).




Anti-Spam (CAPTCHA) settings:


Dreamwidth allows you to display a CAPTCHA to people leaving comments. This is in addition to any site-wide reasons that a user or IP address might be given a CAPTCHA, for example, if they are commenting very rapidly or if spam has been associated with the IP address in the past. (This setting is separate from the Enable Comments settings, so you are not stopped from selecting a silly combination like no one allowed to comment but everyone given a CAPTCHA, even though it will mean that no one is allowed to even try to comment at all.)

Keep in mind that CAPTCHAs may also be difficult for genuine users with accessibility issues to decipher, particularly people with visual disabilities, and people using screen readers or browsers that do not display images. If you know that your journal is read by these people, think carefully about whether you need to enable CAPTCHAs or not, and for whom.

Nobody: No one will be displayed a CAPTCHA on your journal, unless there are site-wide reasons to do so.

Anonymous commenters: When this level is selected (and when anonymous commenters are allowed to comment), all anonymous commenters will be displayed a CAPTCHA, but allowed to comment if they pass the CAPTCHA successfully. All other users will be able to comment normally.

People not on your Access List: When this level is selected (when people not on your Access List are allowed to comment), any anonymous commenters (if allowed) and any registered user commenters who are not on your Access List will be displayed a CAPTCHA, and people who are on your Access List will be able to comment normally.

All commenters: Everybody gets a CAPTCHA, including people on your Access List.



Comment Screening:


Comment Screening allows you to make potential spam less of a problem for your visitors by reviewing comments before they are visible to others. Once you have reviewed the comment and confirmed that it is not spam, you can unscreen it so your visitors can see it as well. (Note: you must delete spam in order to report it.)

All comments: This includes people in your access list. (This level is often useful for things besides anti-spam precautions.)

Comments from people not on your Access List: Again, the risk of spam from registered accounts is low; this level is often useful for dealing with potential harassment, rather than anti-spam. (Anonymous comments will also be screened.)

Anonymous comments: Legitimate anonymous comments will not be seen until you have unscreened them. Anonymous spam comments will not be seen, and you can delete and report them.



Questions? Comments? Ask away!

You may also want to check out the FAQ or contact Support, depending on what you want to know.
Friday, May 29th, 2009 11:46 am
Found via Slashdot, the Washington Post has an article, The Scrap Value of a Hacked PC, which examines a number of malicious uses that your home computer can be put to if someone compromises it.

The malicious uses include being used as a zombie machine to spam websites (including comment spam to places such as Dreamwidth), and being used to solve CAPTCHAs.

So, while it's a very far outside chance that a virus on your computer personally could be leaving spam comments in your journal, keeping your computer and software updated, keeping a firewall between you and the internet (your router may already have one), keeping an antivirus program on your computer, and practicing safe browsing habits and avoiding phishing scams can help keep the internet a less-spammed place.

Snopes has useful information for telling good computer security advice from computer security myths.
Thursday, April 30th, 2009 06:03 pm
Welcome to [site community profile] dw_antispam!

This community is open only to members of the spamfighting team. Please see the community profile for more information about the team, fighting spam, and joining us.

If you are looking to make a spam report, use the "Delete and Mark As Spam" function on the offending post or comment. We will get it immediately and be able to take prompt action - contacting members of the team or posting for assistance here will not get results.

If you are looking to report other forms of abuse or need support for other parts of Dreamwidth, please visit http://www.dreamwidth.org/support/ .

If you are currently a member of this community but not set up with appropriate privs to work or are not on IRC, please contact me or [personal profile] azurelunatic so we can get you set up. In the next week or two we'll be doing some housekeeping of the community.
Monday, April 27th, 2009 12:25 pm
This community is for organizing and coordinating the Dreamwidth Anti-Spam effort.


State of the Anti-Spam

Right now, Dreamwidth is getting a scattering of anonymous comment spammers. If you get one, please delete its comment and mark it as spam when deleting it. This will make it and its IP address show up in the spam queue, so when it tries to spam again it will be caught.

Spam volume is very low, now that the initial backlog has been cleared, so there is no massive call-out for volunteers.

The Handling Spam Reports wiki page has more information on the process.