Spamhaus and LJ

[azurelunatic]

[Edit: Kareila rightly brought my attention back to the fact that this is a problem for the people who haven't been getting comments, and pointed at http://www.livejournal.com/tools/recent_comments.bml as a resource to check for comments in your journal, at least, even if you haven't been getting email notifications or inbox notifications.]

Someone in the news comments noticed that livejournal.com is currently listed on a Spamhaus blacklist.

LJ's IP is listed in the Spamhaus Blocking List because LJ is allowing Russian pharma spammers to abuse their service. Spamhaus is one of the most respected anti spam organizations in the world, and being listed there means they've ignored spammers on their network for quite a while and virtually no large ISP/email host wants their mail until they start acting like responsible Internet citizens.

http://www.spamhaus.org/Sbl/listings.lasso?isp=livejournal.com is the listing.

astragali, in the news post from 9th March 2011

The Spamhaus listing says:

SBL104433
208.93.0.128/32 livejournal.com
02-Mar-2011 08:29 GMT
livejournal.com: Again used by botnet spammers to host

My interpretation: Looking at the listing there, it seems to be that it's spammers hosting their warez on LJ, rather than other forms of bad behavior (like spammers spoofing email claiming to come from livejournal.com, or people reporting news post notifications as spam rather than retrieving/resetting their account info and unsubscribing). So if that is correct, then LJ would want to track down the spammers who have set up little nests on LJ, and root them out and destroy them.

Some of the spammers that are on LJ don't serial-add, don't spam communities, and don't comment, they just sit around in their own journals making spammy posts (and apparently emailing people to point them to those spammy posts). There are a lot of them.

As a user, I can't take action directly against them. But I can report spam in my own journal and in my comms. I can hang out on the Latest Posts page (http://www.livejournal.com/stats/latest.bml) and use the Report a Bot form (in the contextual hover menu, or at http://www.livejournal.com/abuse/bots.bml) to get more of the bots reported to the Abuse Prevention Team.

I don't know how many hours the team has had to devote to spamwhacking, but I know I can spare five or ten minutes to report some of the bots on that page. The more we report, accurately, the more they can zap. The more we report, the more information on the bots (the IP addresses they use, the email addresses, the email domains, the other patterns) they have to analyze.

I've spent nearly ten years on LJ, through all sorts of ups and downs. Spamhaus blacklisting LJ means it's serious. We've had our differences, but I want to keep LJ around, for myself and for my friends who have made their homes here. I can spare five or ten minutes reporting bots. Who's with me?

Comments

[lady-angelina.livejournal.com]

You know what's ironic? Back when I was volunteering in the Web category of LiveJournal Support, one of the most common types of requests I ran into had to do with open proxies preventing users from posting comments. And we would tell them to contact their ISP to contact Spamhaus because they administer the public register that LJ uses for blocking IP numbers.

Have we come full circle here or what? =/ Or is it more like a dog chasing its own tail?

Ahem, anyway. Permission to repost this to my journal, with credit to you?

[azurelunatic]

Ahh, yeah, that is ... alas.

Go right ahead and repost. I'm hoping that this will help, though I suspect that more people for Abuse would probably also help. :\

[lady-angelina.livejournal.com]

Yeah. =( It's sad what LJ has become. Only a few years ago, I never would have dreamt it.

And thanks! At least, if it helps one more person aware of the problem so that they'll know to use the tools at their disposal to report the spam, that's one more step towards combatting it.

And yeah, I can't imagine how overextended the Abuse Team must be now. =/ I'd apply, except I don't have the time, and I don't think I have the right skills to handle some of the more sensitive cases anyway. =/ But it sounds like they could use extra hands more than ever.

[trixieleitz]

I think I'd quite enjoy (and be good at) this sort of investigation, but there is no way I would ever apply to join the APT because I just could not cope with all the interpersonal cases.

Well, that plus I don't really need to be taking on even more obligations in my life right now :)

[silverflight8.livejournal.com]

Yeah, I can't imagine what the abuse prevention team looks like right now. :( So much spam.

[soph.livejournal.com]

So if that is correct, then LJ would want to track down the spammers who have set up little nests on LJ, and root them out and destroy them.

Saly, I don't think they can lookfor bots of their own accord; that would threaten their common carrier status, wouldn't it?

[azurelunatic]

There may be exceptions for spam. I don't know. And if they can't, all the more reason for users to go hunting.

[soph.livejournal.com]

Unfortunately not, I believe; the Abuse team told me as much a few years back when I was offering to run a program that would automatically find some types of spambots. (Although that said, I did hear in less public channels that they might have been able to accommodate it, so I'm not sure.)

[azurelunatic]

And things do change from year to year.

[surliminal.livejournal.com]

Why are you assuming US law applies to LJ? It is owned in Russia and has account holders all over the world. But in fact no, this idea of "common carrier" status is long dead - most ISPs and hosts now operate notice and take down on request re illegal/abusive content, and, as relevant, bot isolation schemes. I suspect if LJ don;t it's either for lack of manpower or lack of internal political will (are the spam a/cs paying?? do they belong to people who have clout? I have to wonder if it is connected to the transfer of ownership..) I am interested in this - being blacklisted by Spoamhaus is bad news but Spamhaus have also got blacklists wrong before and backed down -- and chance of that?..

[azurelunatic]

Because last I heard, SUP may be in Russia, but as of 2007 after the acquisition, LiveJournal, Inc. is subject to the laws of the US and California. They have an office in San Francisco. When I volunteered here I dropped by occasionally to say hello.

http://www.livejournalinc.com/
http://www.livejournal.com/legal/tos.bml#t20
http://news.livejournal.com/104520.html

If I had to guess at an internal cause, I would speculate shortage of labor coupled with prioritizing nonspam abuse incidents. Also, the version of the spam report system that I work with on Dreamwidth is prioritized to getting rid of the spammers who are bothering the most of our users the fastest. I do not know if this is what LJ is using now, but it is the same thing that they had at the time the Dreamwidth code was forked off.

From the phrasing of the Spamhaus complaint, it does not seem to be about the sort of spammer who actively annoys LJ users, it's about the sort of spammer who puts spam entries on LJ and either waits for Google to index them, or email-spams people and points them to the entries.

From the construction of the system I work with, and also because of some of the spam comments I've gotten, I could believe that spammers with few complaints against them get set aside and left for longer while spammers blasting all over the place disappear fast. When I ban a spammer I often set a note on that account so I can tell why I banned them later when I go back through my ban page to clean it out, and there are still some spammers remaining un-suspended that I reported quite some time ago, even though a lot of the spammers do get suspended.

The phrasing of the complaint sounds like it would apply to spam that gets reported but sits around too long, no matter if it's eventually taken care of. Based on my leaving notes on spammers alone, this complaint is justified. If they are still using the same system I use, I can see how it could happen just with a labor shortage.


I don't think spammers are paying LJ. When I volunteered with LJ, I got to hear about some pretty vigorous steps that were being taken against spammers. The simplest explanation is that LJ is the biggest name in blogging in Russia (I suspect that was because LJ was available in Russian translation and not owned in Russia in the right place at the right time), and therefore the biggest target for Russian spammers. I don't know of anything that's going on with LJ's spam situation that can't be explained by that and lack of labor.

[surliminal.livejournal.com]

That all sounds pretty plausible. Thanks for the info. Since LJ's income is dependent on ads and that is in turn dependent on people being able to use the service properly, it sounds like they need pronto to make reponding to reports of accounts hosting spam material for outsiders , as opposed to users spamming other accountholders internally, top priority and get delisted. But if a/cs are now mostly Russian and say 50% of Russian accounts are for posting soam - then really LJ IS just one big spam haven and arguably should be shut down, sad as it for us (I have no idea about these figs btw - just hypothesising from that current feed link you posted.)

(I'm still getting comments notification btw - Gmail, yup. Surely Google takes Spamhaus??)

It does really sound like a FoaF verification like the old invites mght be the way to go..

[xlerb.livejournal.com]

That didn't stop Blogspot/Google at one point from automatically deciding that my short-lived Serious Blog was potential spam and locking it down until I asked nicely for human review.

Also… I thought I recalled that pretty much anything short of a phone company in its capacity of carrying phone calls is not technically a common carrier, and Wikipedia seems to agree with me (http://en.wikipedia.org/wiki/Common_carrier#Telecommunications). Which doesn't mean that there isn't another legal principle that would apply and do roughly the same thing, but I Am Not A Laywer.

[pauamma]

I think the ECPA has similar provisions, and has been ruled to apply to blogging services. But IANAL either,

[gushi.livejournal.com]

There's irony here. LJ has been putting all their efforts into spamming the users with their own ads instead of quality-controlling their site, and doing botnet detection on their own userbase. This seems strangely apt.

[lady-angelina.livejournal.com]

As far as I know, Gmail isn't blocking them. That's where my email account is hosted, and I've been getting my notifs more or less on time. Don't know about others, though.

[trialia]

Actually, I haven't been getting notifications from LJ through Gmail unless I track them, for months, and LJ say it's on my end, which I don't believe...

[azurelunatic]

That says something weird in the subscription to comments, to me, not an email-end problem. Email-end problem, I should think that it would be none.

My ex-Support advice would be to go in, un-check the 'send me comments' type settings, save, come back, add again.

[lady-angelina.livejournal.com]

Yeah, what Azz said. Also, don't be surprised if you find that some of the standard subscriptions ("someone comments in my journal on any entry," "someone replies to my entry in a community," "email me copies of my comments") are unchecked. =/ Not through any fault of your own, but sometimes, LJ screws up that way. And when you save the changes on the page, go back to it and check to make sure they "took," because sometimes they don't.

[azurelunatic]

I am getting notifications in Gmail just fine, and I believe they don't even require invitations anymore.

Some of the spammers are posting in Russian, some are posting mixed, some are posting in English. I have been leaving the Russian ones where I don't know for sure that it's spam alone.

[azurelunatic]

I have a whole gallery from two years ago.

[xlerb.livejournal.com]

I just tried the latest page. The English posts I saw were all spam except one that was angsty poetry; the Russian ones I can't actually read, but as near as I could tell, while a bunch of them were spam, a lot of them looked legit. (And one of them had a neat photo.)

This may just be an artifact of what times it is right now for most of the English- and Russian-speaking userbases.

[azurelunatic]

There's a lot of spam. It makes me sad.

I'm wondering if an emergency return to invite codes wouldn't be warranted.

[pauamma]

The rule of thumb I used for Russian (or Cyrillic, rather - I might be able to spot Pontic Greek, but not to tell Slavic languages written in Cyrillic apart) is: If several people post the same maybe-spam entry, report all. In the (IMO unlikely) case they're not all spammers, they're all false positives, and thus presumably easy to close in job lots with no action. (It might be a good idea to check that assumption with a current abuse handler, though.)

Pointing to a friend's post.

[pingback-bot.livejournal.com]

User gushi referenced to your post from Pointing to a friend's post. saying: [...] comment notifications because Livejournal's Mail Server is listed on Spamhaus. Her post is here [...]

[fiddlingfrog.livejournal.com]

I had a really silly suggestion (http://community.livejournal.com/suggestions/1047180.html) last year to give spam points to people when an account they reported was suspended for spam/bot reasons. I submitted it even though I'd heard over IRC that even that level of encouragement from LJ to have users policing other user's activity would jeopardize LJ's common carrier status.

[elf]

I stopped reporting anything to Livejournal after my last couple of questions--about what qualifies as "adult content"--were set to "answered" even though they weren't.

LJ's made it very clear that the userbase is not their real customers anymore.

[azurelunatic]

I said March to D that one time, didn't I. *cryptic*

[ruisseau.livejournal.com]

Fair warning that there's no way to filter images and such on that page. I had to leave it because someone had posted a picture of a cat being strangled by a snake. *shudder/cry*

[lady-angelina.livejournal.com]

Actually, when visiting that page, I strongly suggest disabling images from being loaded (you generally won't need them to determine what's an ad and what isn't), and disable scripting of all kinds. Not just because of nasty content, but because some of the content (including the images) might contain malware.

That just dawned on me when I went to load the page to report a bunch of spambots myself. Hard to tell with the Cyrillic language ones, but yeah, like someone else said, the only one in English that wasn't a spam post was someone's fanfic.

[thette.livejournal.com]

I did some bot housekeeping on the Latest Posts list. It's depressing. More than 90% spam. I want the invite codes back, ASAP.

[pauamma]

Unfortunately, the invite codes handling in LJ suffered from severe bitrot in 2008 that when Afuna and I considered reusing it for Dreamwidth, we quickly decided to tear it out and reimplement from scratch instead. I doubt the situation is any better 3 years later.

[toucanpie.livejournal.com]

Do we know how the bot report system works? If a bot account only gets one report, will it still flag up to the APT? Because if it's a case of it not becoming visible to the system until it gets say 3 complaints, this could be a slow process (unless we made a centralised list for people to report off, I guess?) I find myself pessimistically thinking that they can likely create new accounts just as fast as we can report them, too. The latest posts page also only shows all of two minutes worth of entries but takes me more like ten minutes to work through reporting as I go - I think there would need to be a lot of people doing this to make a significant impact :/

[azurelunatic]

I do not know exactly how the bot report system works. I do have some knowledge of how the spam system works, though. (I help with the Dreamwidth antispam team, and our spam system there was originally copied from LJ's, though it is possible that they have different settings, or have changed things since we forked off; I know we've changed a few things.) In the comment and entry spam system that I work with at Dreamwidth, which is at least similar, one spam comment or entry deleted by someone is enough to put in a report.

I think it is likely to be slow anyway, but I also think that making a centralized list would not be helpful. There's nothing that I can think of about the bots on the latest page that makes them any better or worse than any other one out there; if they're really vigorously spamming up the latest page, and people are watching it, then they're going to eventually wind up with more reports anyway. I know I've seen multiple entries from the same account in one page, and I have no reason to believe that they're going to stop blasting out entries, so they'll probably have entries there when someone else loads it.

And yeah, I hear you on the new-account-creation front. I suspect everyone dealing with spammers is discouraged by that part.

[nameandnature]

Looking at the listing there, it seems to be that it's spammers hosting their warez on LJ, rather than other forms of bad behavior (like spammers spoofing email claiming to come from livejournal.com, or people reporting news post notifications as spam rather than retrieving/resetting their account info and unsubscribing)

Yes: LJ is providing what are called "spam support services", in this case, hosting websites for spammers. Spamhaus will blacklist for that even if LJ is not sending spam itself.

Disclaimer: I'm not Spamhaus, I just used to hang out in news.admin.net-abuse.email in the 1990s.

People spoofing email from LJ or reporting notifications as spam won't get you on a Spamhaus backlist. Spamhaus are running their own spamtraps and probably even reporting the problem to LJ (though possibly not under their own names, as you want to be sure that reports from ordinary users are handled correctly, same way as restaurant reviewers don't book saying "I'm Jones from the Times").

To get listed, you need an incompetent admin who's not reading mail to abuse@lj or not acting on it quick enough. Spamhaus aren't very sympathetic to responses telling complainants to log into LJ and use their own reporting system, typically: they expect abuse@lj to be read and acted on.

[azurelunatic]

I suspect that abuse@ files an abuse report, and I suspect that abuse reports about spam involve the bot-reporting system. So I would not expect the sympathy of Spamhaus there, based on what you've said.

If I were the person running a department using some of the same software that LJ has (I'm an antispam head on Dreamwidth, but not all of the same tools that LJ Abuse uses have been ported over: notably, we don't have the bot-reporting system, and I can only extrapolate how that works from how some of the other stuff works; we also don't have the same scale of spam problems, so I'm very acutely aware that I'm basically at hobbyist-level; LJ is enterprise-level and then some) first I would possibly raise unholy hell to *get* better tools, such that the spam team could deal with abuse@ requests in a fashion that gets logged &c; failing that, I would (see if I legally could) set policy such that any report of a journal emitting spam sent to abuse@ would involve the person dealing with that report looking at the journal and judging it spam-or-not; if spam, then the person dealing with it would be the one to report it as a bot and thus get it into the system all right and proper. (I don't then know what would become of it based on number of reports/age; I know what we're using as far as priority goes, but can only speculate about LJ.)