Ban Evasion and Your Community

This is your periodic reminder that ban evasion is against the Dreamwidth terms of service. Using a second Dreamwidth account to comment to, or otherwise contact, a user or community who has banned your first account, should be investigated as ban evasion.

If you are a community admin who has been experiencing ban evasion from your users, you must also file a Terms of Service complaint against the accounts which continue to harass your community.

The antispam department does not handle Terms of Service complaints.

Massively unwanted contact

Yes, if you got a private message that you suspect was part of a blast to a very large number of Dreamwidth users, even if you suspect it was not a bot, you are entirely justified in deleting it as spam if you don't feel like dealing with it personally.

[Edit: The antispam team has taken action regarding the current campaign, but if you have old messages from this campaign or receive new messages that seem to be part of this campaign or related, we would still like reports to monitor the extent of what went on.]

In general: the antispam team reviews all reports sent in through the antispam team. Sometimes it is a thing we can do something about. Sometimes it is not. But we do review each and every one.

Renewed spamming

Due to some combination of people being away from their computers and spammers being away from theirs, there was a nice peaceful week or so. Alas, no more -- this round of increased spam seems to be financially-themed and short, a welcome rest from the stolen comments. (It's very surreal to see comments that you read once upon a time in an acquaintance's blog return as spam, let me tell you.)

User spammer reports: change of procedure

Greetings, dwenizens!

Tonight I bring to you tidings of a new Support category, "Anti-spam"!

Previously, when one stumbled across a registered user who was spamming, but not spamming with comments that you could delete (usually SEO spam in the entries of their own journal), one filed a Terms of Service complaint. But no more! Same information, just file that in Anti-spam instead.

That is all!

Spamwhacker and purveyor of informations

Looks like spam is up.

The vast majority of the spam has been anonymous. If you've been hit and you don't have regular legitimate anonymous commenters, one way to make your journal much less inviting is to turn off anonymous commenting for a day or two.

That was quite the dumptruck.

Hi everybody!

I just wanted to mention that we did just get a *ton* of spam.

The two most active themes in the spam I've seen over the past week or so (though I have been afk at work quite a bit) have been:

This dumptruck-load just now: a dodgy-looking link, and text that looks like it's from real people talking about pornography, some of which pornography would not be legal in the US.

A longer-lasting and somewhat friendlier campaign, rife with misspellings and alphabet-soup unique keys, with text that has in some cases been copied from comments left by or about people I actually know, with a theme of programmer culture and web development.

Please continue to delete-as-spam any spam that you can, as while a lot of the spam will be from spammers who have already been squished, some of them may be from unique sources.

D: Ewwwww.

One of the current spam campaigns is advertising some pretty sketchy stuff. If you get a comment like that, and believe me, you'll know it if you see it, delete it and be sure to mark it as spam so we can whack those bastards.

Spam overall is up this week -- lately we've been running between 100-300 reports weekly sitewide. I just checked the rolling week stats, and we're just under 400. Keep the reports coming; it's better reported than not.

If you've been hit: first, ugh, I'm sorry. Second, spammers do tend to hammer at a few journals/entries at a time, so if you feel you're being singled out by spammers, you probably are.

Most spam Dreamwidth receives is anonymous. If you have anonymous comments turned on and don't need them on, you can turn them off -- either for the foreseeable future, or for a few days until the spammers try a better target. (Setting: Enable Comments: registered accounts. ) You can set a CAPTCHA for anonymous commenters -- this is not accessibility-friendly, but does deter most spammers. (Setting: Anti-Spam: show CAPTCHA to anonymous commenters: ) You can set anonymous comments to "screened" -- this does not stop spammers from leaving comments, but does stop them from appearing to search engines before you can delete them. (Setting: Comment Screening: Screen anonymous comments before displaying them to others: )

Freaking PM spammers

Let's discuss briefly the Advance-fee fraud, where a grieving orphan "inheritances an important sum from my late father" and would very much like to invest it, or something -- but up front, they're going to need a small fee -- really a paltry sum -- to liberate the cash. They will of course pay you back handsomely --

... except there is no money, and they pocket the fee and leave you in the lurch.

Please continue to use the "Mark as Spam" link from your Dreamwidth inbox when you get one of these. (As tempting as it is to mark the email notification as spam, try to resist the urge -- that won't stop spammers from registering accounts on Dreamwidth and trying to send you messages, it won't report the message to us, and depending on your email system's setup, may well lead to them ditching notifications of legitimate activity from Dreamwidth. It would be so much nicer if the "report as spam" in your email box were connected to our spam system, but sadly I don't know that that ever would happen.)

After you have marked it as spam in the Dreamwidth inbox, you can feel free to delete the message, as a copy will have been dumped into the spam team's queue.

The activity in IRC when this spammer kicks into action -- this one looks to be a single person, gone through 2 accounts now -- is probably hilarious for the onlooker. There's shouting of the "MAN THE BUCKETS! ALL HANDS ON DECK!" sort, and a frantic scramble for whichever Terms of Service person happens to be on duty at the moment. There is cussing, glowering, and occasional bursts of spammer mockery. Some of this is even in the public channels.

New spam campaign variation - keysmash subject, financial comment

There's a new variation on one of the ever-popular testing campaigns.

(A "testing campaign" is where the spammer pokes a location that it might like to actively spam in the future, to see how easy it is to leave comments there, how long the comments last, and whether they will show up in search engines, and possibly other things. These campaigns don't actually leave spam links, but they're still run by spammers, get in people's way, and should be treated the same as spam with actual links.)

This particular spam campaign features a subject line that looks like YouTube sneezed, and then a financially-related comment. It probably makes no sense in context with the entry or comment that it's in reply to.

Other similar campaigns:
Keysmash subject, vague compliment
Keysmash subject, vague compliment (often self-deprecating) with (at least) one misspelled word (there may be other misspelled words in the comment, but those are usually in line with common netspeak; the misspelled word that identifies this campaign uses all the correct letters, but out of order)

Be suspicious of any comment that includes a random-looking keysmash, because that keysmash is probably unique to that one piece of spam, and the spammer will go looking for it later to see if what it did that time got through and made it stay in place.
Entry tags:

Yearly Stats: 2011

It's been an interesting year in [site community profile] dw_antispam!

Every week, more or less, I pull the spam statistics for all items reported as spam sitewide. (Eventually that part of my job may be replaced by a very small script.) In some weeks I am able to review all reports, and some weeks I only have a chance to look over the top few. When possible, I make a note of how many of the reports were actual spam, and how many of them were other things that made their way into the spam reporting system. (For example, anonymous insults are certainly unpleasant and deserve deletion, but are not actually the commercially-motivated, high-volume sort of thing that the antispam system is designed for, and thus not actionable by the antispam team. Some reports, while not spam as such, were forwarded to developers who were better able to address the specific problem, such as comments that "broke" the page for other readers.)

The numbers for each item here are, in order: valid reports, invalid reports, and total reports. (When exact numbers were unavailable and the old reports had been cleared, I skewed in the direction of counting unknown/uncertain items as valid; if entirely unknown, I left the invalid number as 0.)

During some weeks, for one reason or another, I was not able to pull the reports as usual; in the interests of not having the numbers wildly out of whack, I kept the numbers the same as the previous or next week. I have noted in my source data which weeks were the result of estimates, and made a note with each total.

These numbers only take into account the spam that is deleted-and-reported, so the numbers for spam actually received across the service are assuredly higher, due to spam in abandoned journals, spam that is being deliberately saved, and spam that the journal owner either hasn't yet found the time/energy to delete or is unlikely to find the time/energy to remove at all.

Valid spam reports sitewide in 2011: ~4,800
Invalid (non-spam) reports in 2011: ~200
Total spam reports sitewide in 2011: ~5,000

Total registered user spammers in 2011: 16

Year Weekly Average
Valid: 90
Invalid: 4
Total: 94
Maximum reported registered user spammers in any week: 4

In an average week, 10-20 pieces of reported spam are reported by a single user. This does mean that spammers are singling out some users to barrage more than others. A rise in your personal spam does not mean that spam is necessarily up for the whole site, just that you are the unlucky user who is getting a lot of it this week.

The vast majority of spam reports are of anonymous comments. The breakdown (weeks without data were excluded from this):

Anonymous comments: 3735
OpenID comments: 62
Registered user comments, entries, and private messages: 122, of which 71 were valid; that's 58% of reports that were valid, and 42% that were not actual spam.

The vast majority of anonymous spammers are defeated by CAPTCHAs.
Most OpenID spammers originate from LiveJournal. Many of their spam comments are not left on Dreamwidth directly, but imported along with a journal.
A relatively significant proportion of the registered user spammers (most of whom are from open registration periods) were caught due to what I like to call "flagrantly notable" spamming -- spam directed at official areas of the site, where it comes directly to the attention of people who will issue the smackdown.

I've pulled the numbers from my weekly reports into a spreadsheet, for the curious, with some commentary:
rydra_wong: Dreamsheep holding a hammer; "Dreamwidth Antispam". (dreamwidth -- spamsheep)
[personal profile] rydra_wong2012-01-10 06:25 pm


Linking here as suggested by Azz -- please feel free to spread around if you think it'd be useful to anyone:

PSA: Today, you get ALL the spam

Looks like we need our carpets cleaned!

It looks like Dreamwidth needs our carpets cleaned, because a couple registered user spammers have gone and tracked their links all over! Keep those reports coming so the Terms of Service team can do their walloping.

Yes, Virginia, it is a spam campaign! (Keysmash + misspelled vague compliment campaign)

Hi, Dreamwidth!

Since I saw a couple people wondering, I wanted to confirm that there is a known spam campaign that leaves anonymous comments with a subject that looks like a cat walked over the keyboard while a second cat was repeatedly batting the caps lock key off and on, with the body containing a vague compliment with at least one word where the letters have been artfluly rearranged.

The keysmash subject is likely a unique identifier, so the spammer can tell which specific comment got through when it checks or searches later.

Why the vague compliments? Well, a compliment may well fit in to the existing conversation, and may be a way of attempting to build up a reputation as harmless/helpful for that IP address.

Why no spammy links? This may be merely a test campaign, to see how soft a target we are. Or they may just be attempting to build up good reputation so that when they do make with the links, they won't immediately get kicked off the site. Or they may not have anyone paying them to spam right now. But the IP that's emitting gibberish and compliments today is surely tomorrow's viagra-and-handbags vendor.

If you find that you've been getting keysmash-and-misspelled-compliments, please do go ahead and delete them as spam if you have the time and energy. A lot of them, even old ones, are from unique IP addresses, so you may have been the only one hit by that particular specific source.

If you have questions about other comments that don't fit this pattern, you can ask: here, in Support, in the latest [site community profile] dw_news entry, and probably some other places. There are usually a lot of helpful people around who either know off the tops of their heads, or know where to find a spamwhacker.
Entry tags:

Call for antispam volunteers!

We are looking for additions to our dedicated team of spamwhackers, to ideally reach round-the-clock coverage of incoming reports. Comments are screened, so you can leave applications here. If you have questions, ask them here as well, and someone can unscreen them for discussion. (If you'd prefer that they be left screened, let us know.)

The ideal volunteer:
  • can quickly assess a given report
  • can decide whether or not a given report is spam (checking with a colleague or team lead if uncertain)
  • can handle spam reports reasonably quickly
  • is available 2-3 hours a week to watch for fresh spam
  • can handle repetitious work
  • can handle possible duplication of effort

Training with the spam system and with the spam policies is provided, and we can work with people's individual schedules for training.

The antispam system is mostly as inherited from our code parent, not designed for accessibility, and allows volunteer collision/duplication of work. (It has been successfully used by a volunteer using a screen reader, but has not yet been upgraded with accessibility in mind.)

Fresh spam is announced in a usually-low-volume IRC channel. IRC access is not required, but is helpful for training and watching for spam. The IRC channel can be accessed through your favorite IRC client (unless your favorite IRC client is Mibbit, as Mibbit and Freenode don't work together), or through Freenode's webchat (visual or audio CAPTCHA, javascript required, computer capable of handling webchat required).

Spam reports contain a mix of actual spam and things that are not spam. While they are relatively rare by spam volume, some of the spam advertises illegal and disturbing materials such as child pornography. Some reports involve other general unpleasantness. Reports of this nature can be upsetting to encounter. Any antispam volunteer can decline to handle any given spam report, but what has been seen cannot be unseen in some cases. The team leads are available to chat about any spam report upon request. You are the best judge of your own capabilities and limits, and are free to resign at any time, for any reason.

  1. What brought you to Dreamwidth?

  2. What is your interest in working with Dreamwidth's antispam team?

  3. How long do you see yourself staying with Dreamwidth and/or the antispam team?

  4. Which of these sample reports would you consider spam, and why or why not? What extra information would you look for, if you are unsure?
    1. djurEUVKSwjvcWJDJ Jonny was here

    2. Nice blog, good job

    3. Go to hell, you're the most stupid little fuck I've ever met.


    5. My dear, I have searched and I believe you are the heir of the Prince. Please contact me by private mail and furnish your full name, address, social security number, and any other information to identify that you are the legitimate heir. God bless, [signed]

    6. This device began as a four-line writing handbags machine, but eventually became capable of writing sixteen and thirty-two lines at once. Houser's invention became extremely popular- students would break rules so they could have a go at using the Graphical Device (for threepence to use it and a penny to help wind it up). Eventually, Houser's experiments came to an end when someone opened a wrong quality handbags door and the pent-up force of his prototype 256-line writing machine propelled Houser out of a fourth floor window.

    7. Weight loss drugs Best weight loss Fast weight loss Effective weight loss Wonderful diet

    8. Happy birthday, sweetie! Hope it's a good one and your hair doesn't catch fire lol, see my entry for your card [ link]

    9. [img]

    10. [img src=hello.jpg]

  5. How many hours a week can you devote to antispam efforts if needed?

  6. What times of day are you typically available? What time zone? (Times of day are appreciated in UTC. If unsure, mention your availability in your local time, with your local time zone.)

  7. Do you have any previous experience with antispam work, or issue-handling queues?

  8. What languages do you read at a level of fluency to be able to tell spam from non-spam?

This is a volunteer (unpaid) position, and does not require a Non-Disclosure agreement nor a Contributor Licensing Agreement, although antispam volunteers are expected to not discuss any sensitive information they are exposed to. New members are added in response to spam volume, as needed, and not all applicants will necessarily be accepted. Length of journal establishment, publicly visible journal contents, and behaviour on the site are also considered.

Edited 2011 12 05 to clarify a few small points and add a language question.

Spam in the news: CAPTCHA issues: humans used to evade CAPTCHAs

The concept is not news to security professionals, but it is gaining a little more attention in the news due to a recent in-depth study done on exactly how this is accomplished.

Via Marginal Revolution:

How Spammers Use Low-cost Labor to Solve CAPTCHAS

... the inventors of CAPTCHAS probably didn't anticipate this: Hundreds, possibly thousands of laborers working for less than $50 a month to solve an endless stream of CAPTCHAS delivered to them by automated middlemen who sell the results to spammers in real time, so that their spam bots can use those solutions to post to forums and blogs as well as set up fraudulent email accounts, says a paper about to be delivered at the USENIX Security Symposium.

Clever analysis of the location of the workers involved in this scheme revealed that they are based in India, Russia, Southeast Asia and China. The system is so efficient at delivering CAPTCHAS to workers in these remote locales that the average time for delivery of a solution hovers around 20 seconds.

No system is perfect, but the antispam team is still dedicated to rejecting the spammers who do make their way in. The incidence of spammers who make it past CAPTCHAs is very low.

Joe Jobs and You: how innocent bystanders get dragged into spam attacks

It's time for some informative digressions on Joe Jobbing.

What are Joe Jobs?

Rather than being Steve's less-famous younger brother, a Joe Job is where some spammer, scammer, or other lowlife forges a third party's information when carrying out an attack.

This is to be distinguished from the sort of attack where the lowlife cracks or otherwise gains access to the third party's property in order to carry out an attack.

From Wikipedia:
A joe job is a spamming technique that sends out unsolicited e-mails using spoofed sender data. Early joe jobs aimed at tarnishing the reputation of the apparent sender or inducing the recipients to take action against him (see also e-mail spoofing), but they are now typically used by commercial spammers to conceal the true origin of their messages.

The name "joe job" originated from such a spam attack on Joe Doll, webmaster of Joe's Cyberpost. One user's account was removed due to advertising through spam. In retaliation, the user sent another spam with the "reply-to" headers forged to make it appear to be from Joe Doll. Besides prompting angry replies, it also caused to fall prey to denial-of-service attacks that took the web site down temporarily.

Some e-mail joe jobs are acts of revenge like the original, whether by individuals or by organizations that also use spam for other purposes. Spammers use the technique to cycle through domains and try get around spam filters and blocks.

Joe-jobbers could also be businesses trying to defame a competitor or a spammer trying to harm the reputation of an anti-spam group or filtering service. Joe job attacks in other media are often motivated politically or through personal enmity.

The parties in this scenario are the Attacker, Joe, and the Recipient.

Joe Doll on the Joe Job
Steve's JoeJob Page (warning: Comic Sans)
Fighting the email Joe Job on your personal domain: SPF (Sender Policy Framework)

The Joe Job in Spam

In spam, the joe job is generally found in e-mail, where the spammer (Attacker)forges their e-mail headers to appear that it is emitting from poor Joe's email address or domain.  )

Who is the victim in a Joe Job? How are they hurt?

There are two victims: the recipient(s) and Joe. )

Who benefits from a Joe Job? How do they benefit?

The attackers benefit from the joe job. )

I'm a Dreamwidth user. Am I likely to be the victim of a Joe job?

If you have a paid account and the paid account forwarding email address, it may be forged as a part of a spam campaign, making you (and, by extension, Dreamwidth) Joe. This form of joe job is rampant on sites such as LiveJournal.

This address may also be the recipient of spam, including possible spam sent as part of a joe job.

Any forum that allows anonymous comments or any other form of anonymous posting, or allows un-authenticated user accounts (such as a form where you enter your name and email address, but does not confirm that you own the email address) is vulnerable to someone simply posting a comment signed with someone else's name. If you have anonymous comments enabled, or frequent other journals that have anonymous comments enabled, this can be used against you.

If someone wishing to cause trouble for Dreamwidth emits spam that appears to benefit or otherwise implicate Dreamwidth, the whole site will suffer.

How can I help?

Use SPF records, respect SPF records, and be aware of Joe Jobs as a form of spamming. )
Entry tags:

2009 Antispam in Review

Quarter 1:

Closed beta. Site owners handled all spam.

Quarter 2:

[staff profile] denise got tired of handling all the spam and appointed [personal profile] azurelunatic head of antispam. [personal profile] invisionary became co-head.

Open beta.

Internal tools and policy were worked out.

Quarter 3:

[personal profile] exor674 discovered a bug whereby spam was getting through that ought not to have been. She and Mark got this squared away very quickly, which lessened the load on the team and the entire site.

Dreamwidth picked up the Spamhaus drop list.

There were continued improvements to internal tools and policy.

Quarter 4:

There was a notable rise in erroneous reporting of non-spam but unwanted comments, followed by a fall back to previously established levels.

Weekly reporting started. There was a drop in spam over Christmas and the new year.

One of the very few advantages to seeing this much spam is being able to note the highlights.
  • There is a surprising amount of spam that does not actually include directly profitable content (links at which you may be persuaded to partake of their dodgy goods and/or services, or links to drive up their search engine credibility). The working theory is that these are test runs so they can see what's being left unguarded. The occasional quotes from a variety of dead philosophers are just a bonus.
  • Santa Claus and Viagra in the same sentence makes me run screaming.
  • Styles designed for non-LiveJournal-based blogs are not likely to work on Dreamwidth.
The spammers would also like you to know that there are many fine establishments on the internet where you can obtain
  • adult goods and/or services
  • pharmaceuticals, recreational and otherwise
  • Genuine fakes
  • shoes
Perhaps you will choose one of theirs?

Policy and internal tools, as ever, improved in response to c'thia.

Woohoo Spamhaus drop list!

Spammers who have run afoul of Spamhaus won't be troubling Dreamwidth anymore. :D