The MyBlogLog Blog The source for all things MyBlogLog.

19Feb/07

Weekend spamtacular — what the heck happened and how we’re fixing it

Oh.  My.  Gosh.  This weekend sucked.  No doubt about it.  But we've beaten things back and we have a plan for making things better still.  I'm going to tell you all about that in a minute.

But first, I owe everyone who was affected a massive apology.  All the success that has come to MyBlogLog has been because of your passion for our service and I hate when something happens that causes that love to diminish.  We left a hole in the code and a lot of people received a bunch of irrelevant email notifications because of it.  Our bad.

In order to describe what happened this weekend, it's worth laying out a few pieces of context.  First, in the States it was a three-day weekend, so everyone was basking in the thought of staying offline for a few days and coming back recharged.  Todd and John were back in Orlando at a wedding and Steve, who just moved out here, is busy looking for a place to live.  And I'm splitting my free time between unpacking and giving my wife time off from watching our 16-month-old.  No one was looking online.

Saturday evening, a member discovered an exploit where you could send someone a request to join their community as a co-author and then automatically approve the request.  In other words, someone (dare I call them a jackass) could force you to be a co-author of their community.  I have no idea why they would do this, other than a negligible bump in marketing, but who ever said jackasses made sense?

Early Sunday evening we were alerted to the problem.  Unfortunately, we didn't grok the problem initially.  We just thought that someone had used a script to send out thousands of requests for co-authors, which we promptly shuttered.  It wasn't until almost midnight, when Steve had gotten back home and Todd had just landed from a cross-country flight, that we understood the bigger exploit, which we also promptly shut down.  But it was too late by then, because the flood of emails had already struck.

This grief probably belongs in some frickin' griefing hall of fame (with jackasses on both sides of the entrance, mind you):

  1. Send out thousands of emails to random people requesting that they co-author your community
  2. Force-join them all as co-authors
  3. Someone gets upset about being force-joined and leaves an angry message on the community, and EVERY single person gets an email alert that there's a message waiting for them (because they're all co-authors)
  4. Now you have dozens of angry people, all leaving angry messages on the community page, resulting in DOZENS of email alerts being sent out to each victim
  5. And so on...

If you were one of the people that received a couple dozen email alerts about new messages, I am really sorry.  It has all been fixed and no one should be able to force join anyone else again.  We've rolled back all the new co-authors since Friday night so no one should find themselves co-author of something random.  And while we can't pull all of those emails back into the server, we've deactivated them, so even if you mistakenly click on the approval link, you still won't become a co-author.

But we're not stopping there.  As members who read this blog regularly know, we've been trying to figure out how to reduce the "friend" and "join" and "message" spam for weeks now.  Pretty much since last November.  What's tough is that a lot of the behaviors that tech-savvy members find infuriating (such as people sending messages to random recipients asking them to check out their community) are actually enjoyed by casual members.  So we have to find a balance.

The team has spent the bulk of their holiday working out a plan of action for the next couple of weeks based upon feedback from a lot of users.  I invite you to comment on the plan below and let us know if you think we've gone too far anywhere and if we've missed something that you think is vital.

MyBlogLog's Six Point Plan to Spiritual Nirvana:

1) We're going to post an official Terms of Service (ToS) and hold people accountable.  It's hard kicking people's asses for breaking the rules when the rules aren't posted anywhere.  That will change.  Things like blatant advertising in profiles will not be tolerated.

2) By default, you now see only messages from your own contacts. You'll be able to click a radio button to see messages from everyone else.  Further, you'll only receive an email alert when a contact leaves you a message.  Lastly, public views of your profile will reflect your message view setting, so other people viewing your profile won't see random requests to visit their community or site.

3) We will include the text of the comment and associated controls (delete, reply, etc.) in the alert email.  You won't have to go to MyBlogLog to manage comments on your profile or community page any more.

4) We will limit users to only five requests for co-authors a day.  If you want to request more co-authors, come back tomorrow.

5) We will limit users to join 15 communities and add 15 contacts during any day.  The others will still be here tomorrow.

6) After the first five are complete, we will set up a comment approval system where community members can automatically post messages and everyone else's comments get queued for approval (a la Typepad comments).

I'll be the first to admit it's not perfect.  Some of it feels a little arbitrary (15 joins per day) but it's the best that we've got for now.  Of course, we'll continue to listen to feedback after these new measures are deployed and if something is too strict or too lenient, we'll make more changes.
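To make the fix and the limits in points 4 and 5 concrete, here is an added sketch (not MyBlogLog's code) of a co-author invitation flow where only the invitee can approve, outstanding links can be deactivated, and per-day caps apply. The post does not say how the auto-approval worked, so the invitee check is an assumption about the kind of control that prevents a force-join; all class and function names are hypothetical.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass

# Daily caps taken from points 4 and 5 of the plan.
DAILY_LIMITS = {"coauthor_request": 5, "join_community": 15, "add_contact": 15}

class QuotaExceeded(Exception): pass
class NotAuthorized(Exception): pass

class DailyQuota:
    def __init__(self, limits=DAILY_LIMITS):
        self.limits = limits
        self.counts = defaultdict(int)          # (user, action, day) -> uses

    def consume(self, user, action, today):
        key = (user, action, today)
        if self.counts[key] >= self.limits[action]:
            raise QuotaExceeded(f"{action}: {self.limits[action]}/day reached")
        self.counts[key] += 1

@dataclass
class Invitation:
    community: str
    inviter: str
    invitee: str
    status: str = "pending"                     # pending | accepted | revoked

class CoauthorService:
    def __init__(self):
        self.quota = DailyQuota()
        self.invites = {}                       # token -> Invitation
        self.coauthors = defaultdict(set)       # community -> members

    def request(self, inviter, invitee, community, today):
        self.quota.consume(inviter, "coauthor_request", today)
        token = secrets.token_urlsafe(16)       # unguessable approval link id
        self.invites[token] = Invitation(community, inviter, invitee)
        return token

    def approve(self, token, session_user):
        inv = self.invites.get(token)
        # Assumed control: the logged-in invitee, and nobody else, may approve,
        # and only while the invitation is still live.
        if inv is None or inv.status != "pending" or session_user != inv.invitee:
            raise NotAuthorized("approval refused")
        inv.status = "accepted"
        self.coauthors[inv.community].add(inv.invitee)

    def revoke_pending(self):
        # Deactivate outstanding links so a late click no longer joins anyone.
        pending = [i for i in self.invites.values() if i.status == "pending"]
        for inv in pending:
            inv.status = "revoked"
        return len(pending)
```
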

Here's hoping the next three-day weekend is nothing but pleasant messages and happy surfers.

Eric

Filed under: Bug Fixes