Thursday, January 03, 2013

When spammers attack!

If you logged into AQ this morning, you might have received a "spam attack." They happen on occasion, but fortunately not often. I thought y'all might be interested in what happens on our end of things when spammers attack!!!!

If you ever do get spammed on AQ though the AQ mail system, use the "Report as Spam" button. It's located immediately below the message, on the right.

When you use that button, this is what happens on our end of things--and the reason us admins are so darned fond of people using that button. It makes our job of managing spammers a lot easier and faster!

The first thing that it does is alerts us to a spam problem. It does this by creating a giant button with bright red letters in the upper-left corner of the page for us. It's all but impossible for us to miss this. It doesn't matter what we're doing on the website--reading message boards, AQ mail, listing boxes.... It's a hard button to overlook! And it's not just something that I see--but all of the admins on AQ will see it until the problem is handled. Here's what it looked like when I got to AQ this morning:

The spam alert jumps into action!

So before I even read a single message board, before I read a single AQ mail, before I knew anything else, I knew there was a spamming issue that I needed to investigate.

When we click that button, we get all sorts of information about the reported spam and spammer!

The spam report. Click on this image to see it in full size--I shrunk this view to better fit on the blog.

The top of the page starts with the "spam summary"--a list of all of the reported spam. I can immediately see that there have been nine spams reported (actual spam counts are usually much higher--most people don't report spam at all!), all messages from the same person, all with the same subject, and all sent within a half hour of each other. It also gives me links to examine a specific spam report (by default, it'll show me the most recent report, but clicking on the report number allows me to see other reports), and a link to read the spam if I felt it was necessary.

Below that is the actual AQ message that's being reported as spam. By default, it shows the most recent report--at the time I logged in, it was a spam sent to (and reported by) Road Junkies. And, looking at it, I agree completely--definitely a spammer at work. (I blurred out the email address--no reason to give the spammer the satisfaction of having their email address more widely distributed!)

Below that, it gives me more information about the spammer including other messages they've sent recently (likely more spam that hasn't yet been reported), account information (spammers are often new members with little or no information on their account), the IP addresses they've used recently (this one is from Dakar, Senegal--one of the biggest sources of AQ spammers), and their most commonly used IP addresses (which, in this case, is the same as their most recently used IP address).

In this case, everything all matches up--spammer through and through.

AQ tends to suffer from two distinctly different types of spammers. This is the first kind. Someone, usually from Senegal, creates an AQ account and immediately starts firing off spam to as many people as they can get away with on AQ.

The second kind are from genuine members of AQ who've had their email account hijacked. Since it's possible to send AQ mail through their email system, these spammers will send a message to everyone in the address book of the hijacked account--including to AQ members. In this case, there usually aren't very many spams--perhaps four or five typically--since the spammer only knows people from the address book of the account they hijacked. Or rather, only four or five sent to AQ. Their address book might have hundreds of email accounts, but only a small handful lead to AQ and there's nothing I can do about the others in any case.

In each of those cases, how to handle the spam is very different. The first guy, I just don't want on AQ at all. Ban their IP address, freeze their account, delete every AQ mail message they've ever sent, etc. The whole shebang!

In the second case, when the spam comes from a legitimate member of AQ but through a hijacked email account, I won't ban the IP address or freeze their account, but I will delete all of the spam and remove their email address from their account. Since AQ only accepts mail from "known" email addresses, by removing their email address from their account information, their email address becomes "unknown" and AQ refuses to accept anything coming from their account. Then I'll send them an AQ mail to tell them their email account has been hijacked and they need to get control over it again before they add their email address to AQ again.

That's a lot of stuff to do manually, though, so I made it easy for us admins to handle such situations. Below the spam report, it gives us options:


The three main things for me to worry about are what to do about the IP address, what to do about the AQ mail they sent, and what to do with the spammer's account. By default, the actions won't do anything. I don't want to go banning IP addresses by accident! But I did write some code so AQ can try to determine what kind of spammer is involved and even include suggestions about how to handle the spam. In the spam event of this morning, I agree with the suggestions of banning the IP address and deleting AQ mail from within the past 24 hours (which happens to be all of the AQ mail they've ever sent since their account wasn't even 24 hours old). And I wanted to freeze the account, so I clicked those options, clicked "action", and with that click of the button, I blocked the IP address, deleted all the AQ mail they ever sent (at least from AQ's servers--AQ mail already forwarded to real email addresses I can't do anything about), and froze their account.

You might be a little curious about all of those different options under "Delete AQ Mail." The main reason there are so many options in that category is because of hijacked email accounts. Hijacked accounts have usually sent legitimate AQ mail in the past, which I don't want to delete. So I have a few options to try to filter the gems from the dirt. Most of the time, spam was sent recently, which is why there are the "24 hour" limits. Older messages that haven't been flagged as spam usually aren't spam.

Spammers also tend to use the same subject and/or message over and over again. Generic form letters. It's not worth their effort to hand-craft personalized messages when you want to spam hundreds or thousands of people! If for some reason spam has been mingled in with legitimate AQ mail, oftentimes I can target any message with the same subject as the reported spam, easily deleting just the spam and avoiding the legitimate messages.

And, if a spam appeared to be an isolated incident, I can delete just that message and no others.

Once I've handled a spammer and deleted all of the spam they mailed out, my spam report automatically figures that out. So although nine people actually clicked that "report as spam" button this morning, I don't have to wade through eight more reports after that. The other eight that had reported a spam problem had been taken care of at the same time, and AQ is smart enough to realize that, so the "spam alert" button will now go away.
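As an added illustration (not Atlas Quest's own code) of the triage the last few paragraphs describe: the spammer-type guess with its suggested actions, the three "Delete AQ Mail" filters, and reports that resolve themselves once their message is gone. The 24-hour age rule, the field names and the sample messages are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Message:
    msg_id: int
    subject: str
    sent: datetime
    reported: bool = False  # a recipient clicked "Report as Spam"

@dataclass
class Account:
    created: datetime
    email: str  # "" means no known address, so AQ refuses mail sent from it
    frozen: bool = False

def suggest_actions(account, now):
    # Assumed rule: under 24 hours old is a throwaway spammer; older means hijacked email.
    if now - account.created < timedelta(hours=24):
        return {"kind": "throwaway", "ban_ip": True, "freeze": True,
                "delete": "24h", "remove_email": False}
    return {"kind": "hijacked", "ban_ip": False, "freeze": False,
            "delete": "same_subject", "remove_email": True}

def select_for_deletion(messages, mode, reported, now):
    # The three "Delete AQ Mail" filters: last 24 hours, same subject, or one message.
    if mode == "24h":
        return [m for m in messages if now - m.sent < timedelta(hours=24)]
    if mode == "same_subject":
        return [m for m in messages if m.subject == reported.subject]
    return [reported]

def handle_spammer(account, messages, reported, now):
    # Apply the plan; a report is resolved once its message is gone, so the alert clears.
    plan = suggest_actions(account, now)
    gone = {m.msg_id for m in select_for_deletion(messages, plan["delete"], reported, now)}
    kept = [m for m in messages if m.msg_id not in gone]
    account.frozen = plan["freeze"]
    if plan["remove_email"]:
        account.email = ""
    return plan, kept, sum(1 for m in kept if m.reported)

# Constructed sample: a long-time member with one old legitimate message and
# three copies of one spam subject, two of them reported, plus a 3-hour-old account.
NOW = datetime(2013, 1, 3, 9, 0)
MEMBER = Account(NOW - timedelta(days=900), "oldtimer@example.invalid")
NEWBIE = Account(NOW - timedelta(hours=3), "newbie@example.invalid")
MAIL = [Message(1, "Trail conditions?", NOW - timedelta(days=30)),
        Message(2, "Check this out!", NOW - timedelta(minutes=40), True),
        Message(3, "Check this out!", NOW - timedelta(minutes=35), True),
        Message(4, "Check this out!", NOW - timedelta(minutes=30))]
```

Running `handle_spammer(MEMBER, MAIL, MAIL[1], NOW)` keeps only the old legitimate message, clears the member's email address without freezing the account, and leaves zero open reports even though only two of the three spam copies were reported.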

From the time an admin logs in and sees the spam alert, it can take mere seconds to process and ban the spammer's IP address, delete all of the spam, and freeze their account using this little setup. I actually spent the better part of a week working on this feature--one of those little things that you guys will never actually use yourself, but which you all benefit from since it makes things a lot easier and faster for us to deal with rogue spammers.

By comparison, when you forward spam to me or report it on the message boards, this is what likely happens:

* I usually read message boards before AQ mail, so I might be reading them for several minutes before I notice a post about spammers. There's no way for AQ to bring such a message to my attention. If nobody has posted about it, it might be even longer before I get to my AQ mail and notice a message about a spammer there. Eventually I'll get the message, but it'll certainly take a lot longer!
* When I do finally get the message, there are admin tools I've built that allow me to look up information about the spammer, freeze their account, delete their messages, etc., but they aren't integrated into a single, easy-to-use page. So I actually find it faster and easier to log into the account of the person who reported the spam, click the "Report as Spam" button myself, then log back into my administrative account and actually handle the problem as seen above.

Consequently, I'm big on pushing the use of that "report as spam" button. You'll get results faster--more people will get the report (all admins, instead of just Wassa or myself), it's much more obvious to us than other ways of reporting spam so one of us will likely notice the problem sooner, and it's a lot faster for us to handle through that integrated spam-handling page.

So there's your little behind the scenes tour of what happens when a spammer is found on AQ. I hope you enjoyed the tour and maybe learned a little about how things work! =)

4 comments:

Raine said...

That is wicked interesting!

lou p otter said...

Thanks for the lesson.
It's often interesting to check out what's behind the curtain.

Mrs. Hansberry said...

I received one of those emails this AM. It was interesting to see how the whole process works. Thanks.

MO UR4?e said...

Very interesting. Thanks for taking the time to share.