LJ PSA: you cretins

If you've been getting a whole bunch of spam in the last few days relayed from Livejournal's servers, it's because they decided to turn off all their damned spam filters. And call it a "feature". The fix for this is to completely disable your useless @livejournal.com email address. But this doesn't have a preferences checkbox, so it requires some Admin Console hoop-jumping. This won't affect comment emails.

Update: Ok, lisa says they didn't actually change anything about the filtering they do. But, I started getting relayed spam a few days ago that I never got before, and turning off the @livejournal.com address will presumably fix that, since I never used that address anyway.


21 Responses:

  1. lx says:

    Thanks for the heads up!

  2. lisa says:

    Since when?

    • jwz says:

      Since a couple days ago, apparently. So says brad.

      • lisa says:

        You misunderstand. We use Spamhaus for filtering incoming mail, it obviously isn't strong enough. There has been nothing modified in the last few days with maybe the exception of more incoming spam to us. The "feature" is the ability to have your username@livejournal.com forward to your personal address. This is not new, has existed for years. And yes you're able to disable it.

        • jwz says:

          Well it sounded like he said "we used to use some blacklists, but now we don't." Maybe he actually meant "the blacklists stopped working."

          But I never got spam relayed via LJ until a few days ago, and now I do.

          • lisa says:

            This is an unfortunate problem for a lot of users and I know I personally get a lot of spam through my lj address - it is somewhat odd (and sad that I find it odd) that you weren't before. Did you use your @livejournal.com address for anything valid before? For whatever it is worth, spam filtering in general is being re-architected internally now.

            • jwz says:

              No, I never used my lj address for anything...

              • violentbloom says:

                So I have it set to send to a gmail account, which then forwards real (not spam) email to my actual account. It works pretty well, and I haven't seen any spam at all from lj.

              • lisa says:

                I'll suggest the checkbox option to the feature team to disable the incoming mail to a Livejournal address.

                "it's because they decided to turn off all their damned spam filters. And call it a "feature""

                is wrong.

              • wilecoyote says:

                Traditionally spammers harvested email addresses that had been published somewhere, e.g. web pages, mailing list archives, etc. If you had never used yours before and you're getting spam now, the conclusion seems to be that some spammer must recently have had the idea of getting a list of all the users in LJ and adding @livejournal.com to them.

                (I know that you don't care anymore, but I'm throwing out this hypothesis so that the peanut gallery can speculate/further elaborate on it).

            • jferg says:

              I had the strange coincidence(?) that within a day of re-paying for my account (I had accidentally let it lapse), I started getting copious amounts of spam to my @livejournal.com address, which I almost never use, and had never gotten significant spam to before. It seems to have tapered off somewhat at this point, or maybe my filters are just working better, but it seems strange for that to be a coincidence. I wonder if someone is somehow scavenging for e-mail addresses for people who have paid recently.

          • jmtd says:

            oh gnoes, the interweb in "spam levels not consistent across time" shocker!

        • jonabbey says:

          Yeah. Unauthenticated email just seems more and more like a hopelessly lost cause.

            • QMTP doesn't seem to have any advantage over SMTP. And possibly some disadvantages; it's possible (and not completely unheard-of) to negotiate cryptographic authentication for an SMTP session, but I don't see where that could be shoehorned into QMTP.

              Anyway, most people agitating for an SMTP replacement seem to be missing a few fundamental points. One is, each SMTP hop is already authenticated: you can't forge the sending IP address without playing TCP tricks that I haven't heard of spammers using (sequence number prediction, that sort of thing). Next is, you don't want hop-by-hop authentication like you'd get from an SMTP replacement, because hop-by-hop authentication doesn't really get you very much (see previous point); you want end-to-end authentication like you'd get from PGP or S/MIME or DKIM. And the third and most important is, end-to-end authentication still won't do you any good because all that spam is being sent by botnet zombies anyway and the sender can just hijack the user's credentials.

              • gryazi says:

                Then the act of sending a mail should negotiate for and whitelist the recipient's credentials in anticipation of a reply.

                (See as ever djb's IM2000 concept, where the credential could be the address of the server hosting the mail and thus not easily forged in a useful way. IM2000 had/has the same separate-but-equal problem he was bitching about with IPv6, though.)

        • pw201 says:

          SBL-XBL, or the new Zen list (which includes the PBL)? The latter is much more effective than the former, I've found.
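          Added example, not part of the original comment or of LiveJournal's mail setup: how a receiving server turns a connecting IP into a Zen query and decodes the answer, showing the case where SBL-XBL alone passes a client that Zen's PBL component rejects. The function names and the sample answers are constructed for illustration; the 127.0.0.x ranges follow Spamhaus's published Zen return codes.

```python
import ipaddress
import socket

ZEN = "zen.spamhaus.org"
# Constructed sample answers (documentation IP ranges), not real listings.
SAMPLE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.2"],          # SBL
    "20.100.51.198.zen.spamhaus.org": ["127.0.0.4"],       # XBL
    "30.113.0.203.zen.spamhaus.org": ["127.0.0.10"],       # PBL
    "40.113.0.203.zen.spamhaus.org": ["127.255.255.254"],  # error code
}

def dnsbl_name(ip, zone=ZEN):
    """192.0.2.10 -> 10.2.0.192.<zone>: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def sublist(code):
    """Map one Zen A-record answer to the component list it names."""
    if not code.startswith("127.0.0."):
        return "ERROR"      # 127.255.255.x means the query was refused
    last = int(code.rsplit(".", 1)[1])
    if last in (2, 3):
        return "SBL"
    if 4 <= last <= 7:
        return "XBL"
    if last in (10, 11):
        return "PBL"
    return "UNKNOWN"

def system_resolver(name):
    """Live lookup; an NXDOMAIN answer means the address is not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def sample_resolver(name):
    """Offline stand-in for DNS, backed by the constructed answers above."""
    return SAMPLE_ANSWERS.get(name, [])

def verdicts(ip, resolver=sample_resolver):
    """Would SBL-XBL alone reject this client IP? Would Zen?"""
    lists = {sublist(c) for c in resolver(dnsbl_name(ip))}
    return {"lists": sorted(lists),
            "sbl_xbl": bool(lists & {"SBL", "XBL"}),
            "zen": bool(lists & {"SBL", "XBL", "PBL"})}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.20", "203.0.113.30", "203.0.113.40"):
        print(ip, verdicts(ip))
```

          The ERROR branch matters in production: a filter that treats any answer as a listing starts rejecting all mail once its resolver is refused service by the blocklist.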

      • fanf says:

        My server activity graphs show that the spammers have been upping their activity again. We averaged 40 rejections per second over the weekend when we normally get 25 or 30. Worse than the peak back in November (daily average 35/sec).

    • bifrosty2k says:

      Oh yeah, when are you guys going to fix your broken networking so that isn't blackholed anymore? It was IP space assigned to you when Layer42 was one of your upstreams...