16 Replies Latest reply on Nov 18, 2014 2:33 PM by pvanderhyde@tableausoftware.com

    Spam Attack on Community

    katiebroberts

      Have any of you guys with external communities experienced a massive spam attack?

       

      Starting this past Sunday (and still going on), we've been spammed with thousands of bot accounts and spam content.

      Thankfully, the Jive Support team caught some of it early and started taking steps to stop it. Unfortunately, we have to let some of it run its course.

       

      I'm asking about others' experience with this to learn about your governance policy, what stop-gaps you may have in place, how you handle it, what have you learned about a spam attack, did you change any profile settings as a result, etc.?

       

      We're on 702 hosted

       

       

      Thanks!

        • Re: Spam Attack on Community
          mnevill

          I think our registration process that uses single sign-on protects us from a lot of it. I am curious if the communities that get hit hard allow users to register directly with Jive. I am also interested in how things are cleaned up and brought back under control when it happens.

            • Re: Spam Attack on Community
              katiebroberts

              When the attack initially happened, an alert of high site traffic was identified by the Jive NOC.

              (We're hosted)

               

              From there, as the activity continued, a tech support person was assigned the ticket.  It was at like 2am, so I was sound asleep!

              Most of the activity was coming from India, Russia, and Asian countries (pretty standard black web and spam country roots)

               

              The tech support person immediately went in and started tracking IP addresses and blocking them, adding a few domains to the blacklist, too.

              They also enabled keyword interceptors so the spam would stop before being posted.  Unfortunately, the spam was using words like "online", "demo", and "download", which are all pretty frequent keywords used by prospects seeking information about an online university (which is what we are!).

               

              They also turned on all content and user moderation, to stop the bleeding until we got in. From there, we kept the moderation settings on (and still do until we are out of the woods).

               

              We also sent a system announcement alerting the community of anomalies and that we were working on it. We updated it again 8 hours later with a summary of what steps we took to "rectify" the situation, and when to expect the next update from us. (When we are in the "clear").

               

              From there, the team took a role in community cleanup

              • One person took on account moderation and approved actual users
              • One person took on content moderation and approved appropriate content
              • One person took on deleting the content posted in the community
              • Collectively, the team identified the user accounts that created the spam and went into the admin console to ban those user accounts.
              • For users that are questionable whether they are bots or real people, we set up a manual email verification step. A member from the team reaches out to them via the email they used to start the registration process with

               

              I also went into our system settings and made a number of changes to registration settings- increasing password length, increasing captcha requirements, forced everyone to logout/in, increased number of required registration fields, and some other things.

               

              We've also since gone through the leaderboard CMGR Report to identify people with REALLY high points that might be "sleepers" in the community and take appropriate action to ban them.

               

              What we still don't have 100% clarification on is whether any data was compromised in this, which is a bit unnerving from our standpoint. We are a regulated industry and we have to report this sort of thing quickly.

               

              With this said, the Jive support team was AMAZING through all of this. Our TAM, Matt Gradin really helped escalate and resolve the tickets we were putting in and working through everything. There are a number of support team members that really excelled in this situation and I'm incredibly grateful for their fast work and due diligence to work to contain the situation as quickly as they did.

               

              We are still in caution mode, and had a number of weird things happen outside of Spam.

              We had some posts that couldn't be deleted by admins, we couldn't change some of the community manager permissions, there are some pieces of content that are still getting past the interceptors into moderation queue … working through many of them with Jive support still.

               

              I'm hoping as the traffic dies down, the risk of continued spam/bot traffic subsides, and we can begin to loosen the moderation queue settings. It's not practical to have everything go through a moderation queue long term given the global nature of our community.

               

               

              I hope this "plan of attack" documentation helps y'all in the event you find yourselves in my shoes!

               

               

            • Re: Spam Attack on Community
              Alban

              We get round that by using email validation mostly. It's a bit more painful on the member, but it screens a lot of spam accounts.

               

              Also, we do inbox-follow the people we suspect are going to spam to allow us not to necessarily punish before the offense. With practice, you get to know that the outlook.com email addresses with numbers are more likely to give you trouble!

               

              We always have the option to switch account creation moderation on, if we were starting to see a lot. Have you considered that?

                • Re: Spam Attack on Community
                  katiebroberts

                  We have email verification enabled, we have 8 required registration fields, and allow a single sign on and social sign on as options. The bots hit via non-social sign on.

                   

                  We do have a list of problematic email domains from our email marketing team, but it's not effective to block a domain like outlook.com since this community is primarily used as a prospect conversion use case.

                • Re: Spam Attack on Community
                  mcollinge

                  Nope; same (low) levels with us. We have a lot of anti-spam measures in place (which I've detailed elsewhere on this group).

                  • Re: Spam Attack on Community
                    cathyjliu

                    Sorry to hear about the spam attack.  I can feel the pain as my external community (on Jive 6) was heavily spammed three weeks ago.  We used email validation plus captcha; however, through Jive's investigation, these bogus accounts and spams were manually created by humans.  We had to manually monitor all new account creation plus new content for a week and a half before stopping the spam activities.  We put in place key word interceptors to help us monitor spam activities.  Clean up work was assisted by Jive through deleting bogus accounts at the backend.  As a Community Manager, I had to manually identify the bogus account list for Jive. Yes, tons of work... good luck cleaning.

                    Cathy

                      • Re: Spam Attack on Community
                        katiebroberts

                        We've had to do the same thing, Cathy Liu. 

                         

                        We increased registration fields from 6 to 9, forced everyone to logout/in, increased captcha to 10 characters, increased password to 8 characters, and a few other increases since the initial attack. We have been adding IP addresses and keywords to our interceptors list like crazy, and content is still getting past the interceptors list to the moderation queue. We've also enabled full moderation on everything except for replies, which the bots/spam don't seem to be recognizing/attacking (thank god).

                         

                        Jive has helped a lot with the cleanup, but our community manager team has been tasked with much of it, too. Our BI team is working on pulling activities reports to see if we can identify some trends.

                         

                        Looks like we were just the lucky ones to have been attacked this weekend/week despite all of the protections we've put in place to mitigate the spam risk.

                         

                        Like you, all of our bots were human created and not automated.  

                      • Re: Spam Attack on Community
                        tfitzgerald

                        Hi Katie,

                         

                        We had our last major spam account about a year and a half ago. We were able to slow it down by adding words to a filter list, that automatically flags and sends them to the admins for approval. One of our developers also built a tool that will flag the account if there are over X number of posts within the first day of registering. After adding these two things, we found our spam attacks have gone down significantly.

                         

                        -Tracy
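
An added example, not from the thread and not the tool Tracy's developer built: one way to implement the "over X posts within the first day of registering" flag described in the post above. The record layout, the `flag_new_account_bursts` name and the default threshold of 5 are assumptions, and the sample data is constructed.

```python
from collections import Counter
from datetime import datetime, timedelta


def flag_new_account_bursts(registrations, posts, max_posts=5,
                            window=timedelta(days=1)):
    """Return {username: count} for accounts that posted more than
    max_posts times within `window` of registering.

    registrations: {username: registration datetime}
    posts: iterable of (username, post datetime)
    """
    counts = Counter()
    for user, posted_at in posts:
        registered_at = registrations.get(user)
        if registered_at is None:
            continue  # no registration record for this author: skip
        age = posted_at - registered_at
        # Count only posts inside the first-day window. A negative age
        # means inconsistent timestamps, so it is not counted either.
        if timedelta(0) <= age <= window:
            counts[user] += 1
    return {u: n for u, n in counts.items() if n > max_posts}


# Constructed sample data (hypothetical usernames and timestamps).
_T0 = datetime(2014, 11, 9, 2, 0)
SAMPLE_REGISTRATIONS = {
    "newbot01": _T0,
    "prospect_amy": _T0,
    "longtime_member": _T0 - timedelta(days=400),
}
SAMPLE_POSTS = (
    # 12 posts in the first 36 minutes after registering
    [("newbot01", _T0 + timedelta(minutes=3 * i)) for i in range(1, 13)]
    # a new member posting twice on day one
    + [("prospect_amy", _T0 + timedelta(hours=h)) for h in (1, 5)]
    # an established member posting heavily: outside the window
    + [("longtime_member", _T0 + timedelta(minutes=i)) for i in range(20)]
    + [("unknown_user", _T0)]
)

if __name__ == "__main__":
    flagged = flag_new_account_bursts(SAMPLE_REGISTRATIONS, SAMPLE_POSTS)
    for user, n in flagged.items():
        print(f"flag for moderator review: {user} ({n} posts in first day)")
```

Flagged accounts are best routed to the moderation queue rather than banned automatically, since a legitimate new member can also post heavily on day one.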