What happens when your site is the target of a major spam attack? That wasn’t something we were particularly keen to find out —  but it’s a scenario we’re now fully acquainted with. That’s all thanks to a recent concerted assault on our Freedom of Information site WhatDoTheyKnow.

All is calm again now, and hopefully, as a user of the site, you’ll have noticed very little. Yes, you’ll now have to complete a recaptcha when creating a new request*, and you might have discovered that the site was inaccessible for a couple of hours. Beyond that, everything is pretty much as it was.

From our point of view, though, it was an emergency situation that meant that several of us had to put down what we were doing and join in with some quick decision-making.

Alert, alert!

It was around 12:30 on a Wednesday afternoon when Richard, one of the volunteers who helps to run WhatDoTheyKnow, noticed unusual activity on the site.

WhatDoTheyKnow was created to help people send requests for information to public authorities — a service for the wider good. Unfortunately, at this point, it was also doing something quite the opposite of good: it was providing the means for unknown sources to send those same authorities hundreds of spam messages.

We’d like to apologise to those who were on the receiving end: clearly, spam is a nuisance for everyone who receives it and we’re unhappy to have played any part in its perpetuation.

We also had a secondary concern. It seemed likely that recipients would mark these incoming emails as spam. When enough people had done that, email providers would see us as an insecure source, and block all our messages, valid or otherwise, potentially preventing the WhatDoTheyKnow system from running efficiently.

A little fire-fighting? That’s actually situation normal

Spam is an obvious example of the site being abused, but it’s perhaps worth mentioning that we work hard on many levels to ensure that WhatDoTheyKnow is only used for its core purpose: the requesting of information under the FOI Act.

And note that we’ve always been careful to protect against abuse. WhatDoTheyKnow does already have several measures in place as standard: we only allow one account per email address; we verify that email addresses are genuine; and we cap the number of requests that users can make each day (a restriction that we only override for users who are demonstrably making acceptable use of our service). We reckon that these measures very much helped to reduce the impact of the attacks.

Action

After a quick discussion between the volunteer team, trustees and mySociety staff, we took the site offline to give us time to work on a solution while stopping any more spam from being sent.

Of course, we then removed all the spam requests and comments from the site and banned the accounts that had made them. We also contacted the affected bodies to let them know what had happened and to assure them that we were taking steps to deal with it.

When we brought the site back up, a couple of hours later, we did so cautiously and with new restrictions and safeguards in place.

Spam ‘requests’ had been sent over a period of about 13 hours. There were in the region of 800 made, though only about 500 actually got sent to authorities. Additionally, around 368 spam comments were left on existing requests. These relatively small numbers lead us to believe that they were being made manually.

Time to breathe… or nearly

Once we’d discovered the issue, dealing with it and getting the site back up and running took us 2.5 hours.

Job done — so now we could sit back and relax, eh? But no: the next day we discovered that a couple of other sites running on the Alaveteli platform,  AskTheEu and New Zealand’s FYI, were being subjected to the same attacks.

So we rolled out the changes we’d made on WhatDoTheyKnow to make them available to all Alaveteli users. And then, finally, we could get back to the everyday work we’d been doing before — making our sites better for you, and the other nice non-spamming people who use them.

—

* We’ll be looking at removing it as soon as we can, though, as recaptcha doesn’t offer a very accessible experience for many disabled people. Meanwhile, we can manually remove the recaptcha for specific accounts, so if you’re struggling with it, contact the team to implement this exemption.

—
Image: Mark Granitz (CC by-nc-nd/2.0)