YummyOreo's Notes & Blogs

Search

SearchSearch

TBFighters Website and Newsletter Incident 01

Last updated May 27, 2024

Key Take Aways

The incident started on May 4th, 2024 (2024-05-04) and ended on May 24th, 2024 (2024-05-24), lasting 20 days.

The result of the actions taken to remedy the incident make it impossible to signup if the name equals the email exactly and all signups where the name matches the email exactly and had the welcome message fail to deliver have been removed. We do not intend revert this change in the future.

Summary

Starting on May 4th, 2024 Cloudflare reported that automated (or bot) traffic had increased by 82% for the tbfighters.com domain.1 Further investigation revealed that the traffic was coming from China and Russia. This in its self is not a problem due to caching and is still ongoing at the time of writing this.

During the same time, signups to the newsletter also spiked, along with hard and soft bounces on new signups when attempting to send the welcome message.2 Signups where the name matched the email exactly also spiked during this time.3

In response, we have removed all signups where the name matches the email exactly and had the welcome message fail to deliver. We also now prevente signups from happening if the name matches their email.

Timeline

May 4th, 2024 (2024-05-04)

Bot traffic increases by 82%.1

May 5th, 2024 (2024-05-05)

Nolram notifies TBFighters in the discord of the increased traffic.1

May 8th, 2024 (2024-05-08)

Dan informs TBFighters in the web-dev thread in discord of the potential of spam signups.23

Later that day, we decide that they are indeed spam (see more here).4 Brainstorming on what to do begins.

May 10th, 2024 (2024-05-10)

We decide to send a email to Gaggle about the incident asking what they could do about the spam.5

May 11th, 2024 (2024-05-11)

PR is submitted to the tbfighters/tbfightersdotorg github repo to disable signups if the name matches the email.6

May 12th, 2024 (2024-05-12)

Gaggle responds to email saying they can’t do anything.7

May 24th, 2024 (2024-05-24)

PR is merged!

May 25th, 2024 (2024-05-25)

Dan reports that the PR worked, the spam signups have stopped.8

Rational

We believe that these signups (where name matches email) are spam because of the increase in bots on the website and, from what we could tell, there has been almost no signups where the name matches the email before the incident on the website began.4

Response

Rejected Options

  • CAPTCHA: This was considered, but due to how the signups work, it could just be circumvented by going directly to Gaggle. It would also take more time to implement, be ethically dubious (due to tracking) and complicate the privacy policy.
  • Disable Signups: This was considered as a temporary solution, but we never got to it.
  • Manual Approve: This would be too much work on the admin’s side.
  • Retroactively Auto Removal: Retroactively removing the signups was taken, but doing it in an automated way was never implemented due to the amount of development time it would take.

Chosen Option

The chosen solution/response was to have a client-side check to see if the name matches the email. If it does, the signup would not go through and it will display an error message.6

Effectiveness

This solution had halted the spam signups.8 It was quick and easy to make.

Weaknesses

This solution could be circumvented by just going to Gaggle directly.

As of now, there is no evidence that this has been done!

Future Response

  • We are currently working on a “proxy” api, so that every signup has to comply with our standards, not Gaggle’s (see here). This solution would go into effect if the spam returns.
  • We are keeping an eye on the newsletter signups to prevent the spam from returning.

Stats

Website

  • There was a 82% increase in bot traffic on 2024-05-04.1

Requests per Region for the Last 24h on 2024-05-05

RegionTraffic
United States4,218
Russia144
China137
UK103
Canada65

https://discord.com/channels/252701351786577920/1146483253725888542/1236844806869749760

Requests per Region for the Last 30 days on 2024-05-24

RegionTraffic
United States25,848
China12,473
Russia4,567
Germany2,219
Canada2,055

Newsletter

  • On 2024-05-07 and 2024-05-05 there were 885 new members and 129 failed deliveries.2
    • The two days before 2024-05-02, for reference, there were only 302 members and 54 failed deliveries.9
  • There have been at least 2,700 signups deleted where the name matched the email and had the welcome message fail to deliver.10
  • From what we can tell, there had been no signups were the email matched the name before the incident on the website started.4
  • On 2024-05-10, for reference, there was 130 new spam signups.5

Reflection

Here are a few things that we could do better:

  • Communicate the problem, the options and the decisions during the process not after.

Footnotes

  1. https://discord.com/channels/252701351786577920/1146483253725888542/1236842881746993233 2 3 4

  2. https://discord.com/channels/252701351786577920/1149204674390536262/1237375573408612392 2 3

  3. https://discord.com/channels/252701351786577920/1149204674390536262/1237904935388053506 2

  4. https://discord.com/channels/252701351786577920/1149204674390536262/1237950715704381510 2 3

  5. https://discord.com/channels/252701351786577920/1149204674390536262/1238581494193324083 2

  6. https://github.com/TBfighters/tbfightersdotorg/pull/102 2

  7. https://discord.com/channels/252701351786577920/1149204674390536262/1239315380498075658

  8. https://discord.com/channels/252701351786577920/1149204674390536262/1244066823620530297 2

  9. https://discord.com/channels/252701351786577920/1149204674390536262/1237378963693895721

  10. https://discord.com/channels/252701351786577920/1149204674390536262/1244732065451085974

Backlinks