Brad Fitzpatrick (bradfitz) wrote in lj_biz,

LiveJournal Spam: Overview / FAQ

This is an overview of the spam problem on LiveJournal and answers to frequently asked questions. Comments are off because I'd rather this post just serve as a reference and not as a venue for debate.

First off:

The spam problem on LiveJournal is a much easier problem than spam on the Internet at large. Because:

-- we can change the rules/infrastructure at any point. The Internet email infrastructure is very fixed and changes happen at glacial speeds to preserve compatibility everywhere. Because we can change everything at once, we don't need to worry about that.

-- we have a global picture of who's commenting where. As such, we can detect patterns/trends/spikes easily, by source account, dest account, source IP, etc.

-- we can do interactive challenges which don't work in the email "point and fire" model. (although an increasing number of people are using, for example, TMDA)

So what is LiveJournal doing to stop spam?

This stuff is already live and working: (and doing an awesome job)

-- Anonymous comments are only allowed very slowly from a given IP. If they come too fast, the poster is challenged to prove that they're a human with a captcha (fuzzy image or garbled audio).

-- Comments from registered accounts are also human-checked, albeit at a higher limit. (this wasn't live until this morning, due to a bug, but it's working now)

-- New accounts require a human check.

-- We have reports which show us at any time the most frequent commenters.

What else is LiveJournal doing to stop spam?

This stuff is in production and will be going live soon:

-- We've made a Comment spam reporting system whereby journal owners can delete a comment while also tagging it as spam. We then save the comment for human review. We'll be giving lots of trusted support volunteers access to this tool, so we'll have round-the-clock spam checkers, suspending accounts which are spamming. (a single "delete as spam" report doesn't automatically trigger an account suspension... our reports show the most reported IPs/users, and that just alerts us to do a manual review....)

-- In addition to rate-limiting comments based on time before human checking, we'll also be monitoring breadth (how many different journals you comment in). For example, 20 comments in one account (a community you watch on your friends list) is a lot less suspicious than 20 comments in the same time period, all to different people who you've never had any contact with or watch on your friends page (in particular, those that weren't your friend as of a week ago). So if the comment breadth alarm goes off, we can both review comments as spam, and/or start doing human-checks for that account earlier.
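
A sketch of the breadth check described above, as an added example (not LiveJournal's code): it counts the distinct journals an account comments in within a sliding window, skipping journals the account had already friended at least a week earlier. The window, the threshold, the data shapes and all names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque

WINDOW = 3600            # assumed: look-back period in seconds
BREADTH_LIMIT = 10       # assumed: distinct unfamiliar journals before alarm
FRIEND_AGE = 7 * 86400   # "your friend as of a week ago"
NOW = 1_000_000_000      # constructed base timestamp for the sample data

def breadth_alarms(comments, friends, window=WINDOW, limit=BREADTH_LIMIT):
    """Return {source: timestamp at which its breadth alarm first fired}.

    comments: (ts, source, dest_journal) tuples in time order.
    friends:  {(source, dest_journal): ts when source friended dest}.
    """
    recent = defaultdict(deque)   # source -> (ts, dest) to unfamiliar journals
    alarms = {}
    for ts, src, dest in comments:
        if src == dest:
            continue              # commenting in your own journal
        friended = friends.get((src, dest))
        if friended is not None and friended <= ts - FRIEND_AGE:
            continue              # established contact, not counted
        events = recent[src]
        events.append((ts, dest))
        while events and events[0][0] <= ts - window:
            events.popleft()      # expire comments outside the window
        breadth = len({d for _, d in events})
        if breadth >= limit and src not in alarms:
            alarms[src] = ts      # queue for review / earlier human checks
    return alarms

def sample():
    """Constructed data: four accounts, 20 comments each over 20 minutes."""
    friends = {("alice", "knitting_comm"): NOW - 90 * 86400}
    # "fresh" friended every target only yesterday, so they still count
    friends.update({("fresh", f"user{i}"): NOW - 86400 for i in range(20)})
    comments = []
    for i in range(20):
        t = NOW + i * 60
        comments += [(t, "alice", "knitting_comm"),   # watched community
                     (t, "chatty", "one_stranger"),   # many, but one journal
                     (t, "spammer", f"user{i}"),      # 20 strangers
                     (t, "fresh", f"user{i}")]
    return comments, friends

if __name__ == "__main__":
    for account, ts in sorted(breadth_alarms(*sample()).items()):
        print(f"{account}: breadth alarm after {ts - NOW} seconds")
```

The one-week friendship cutoff is what keeps an account from silencing the alarm by friending its targets just before commenting.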

Why don't you just bring back invite codes?

Mostly because it wouldn't work. Certain types of attacks (anonymous comment spam) wouldn't go away, and would still require the anti-spam infrastructure we've already built. Other types (from authenticated accounts) would just require one rogue account to invite others. Or paid accounts with stolen credit cards (which is not coincidentally very common from Russian accounts, where a lot of spam comes from as well).

But also because we hate invite codes. They were a temporary measure that lasted too long and we're glad to be rid of them. When invite codes were removed, we warned there would be temporary problems, and here they are. But we also had said repeatedly that we were committed to analyzing the problems and solving them. We're currently doing that.

In summary:

-- the problem's not that hard
-- we can make it difficult/slow enough to spam here that it's not worthwhile
-- invite codes are a false sense of security and wouldn't actually fix the problem
-- we're committed to fixing the problem
-- please, have patience. we're on it.

Please share this URL with others who you find talking about the LJ spam situation: