by ceebs
As many of you either know or have guessed, the editorial team have been a bit busy lately fighting off an attack of spammers.
On Friday, 3 July, afew, Sassafras and I noticed a couple of new accounts that seemed a little dubious. On further examination we discovered that the individual user accounts, recently created, contained links to sites selling a variety of services. Realising that it wasn't just an isolated case, we started looking at all of the new user accounts. It appeared that, starting on 1 July, we had suddenly started generating new accounts, about 200 by the time we discovered it. As an initial step, several of us acted to shut down these accounts. This was not an easy process: you had to check the accounts, see if they looked like a real account, record any spam information for later reference (so if someone came back and asked why their account had been shut down, we could tell them), keep track of any potentially real accounts that had been created during this period, and disable the spammer accounts entirely so that bio pages couldn't be edited either. (Migeru, DoDo and Sassafras had a lot of trouble figuring out how to do the last one, and were excellent in hanging together the fine points of what we were doing in cleaning out these accounts.)
By the time we reached this stage, we had in excess of five hundred accounts to monitor, with more appearing all the time. Some of them were backed up with fake-looking blogs, so if at first sight they weren't instantly obviously junk, then they were thrown over into a pile for further investigation (for which Sassafras went way beyond the call of duty).
From looking at the accounts created, it appears that the attack was coming from the machines of a large number of individuals in a network of spammers or a network of machines infected with a form of Trojan bot software: individual machines have been acting as proxies for the attack on us. This prevents a simple defence of blocking individual attackers' IP addresses, as the next account created could be coming from anywhere. From scanning the list, a vast majority of the machines originating spam accounts are based in the US, although there was a selection coming from the Philippines (and a particularly nasty one from Wolverhampton, trying to sell us websites and web hosting as estate agents and accountants).
The attack was more serious than we thought at first: after the first round of clearing, we realised that some of the initial accounts we had cleared had been posting comments in diaries, possibly automated, but in some cases clearly not. This suggested activity beyond simply getting spam into user info, and it also suggested we were not up against a spambot alone.
Our next step was to comb through comment threads and eliminate comments from identified spammers, whether the comment contained spam or not (spam could be added to comments later via the signature). A couple of people's comments might have been wiped with the underlying spam account comments, and if you have seen your cogent criticism of the world's finance system vanish along with them, we apologise profusely, but dealing with these idiots is a necessity. (As far as we are aware, nothing important was destroyed alongside the garbage; if you feel we are incorrect in that, please get in touch.)
If we hadn't dealt with the problem, we would have started to see the diary list filling with stories like the multi-part epic that graced the pages in midweek. (That came from an account that we had missed; it had been created just before the main burst, and was missing most of the signs to look like a definite spammer.) In all, five diaries and between ten and twenty comments were given the chop.
The worry during this attack was that the spammer(s), maintaining their automated account creation 24/24, could create a large enough user base to recommend a set of rapidly-unleashed spam diaries into the rec list, and piggyback on ET's reputation and usually good Google referencing to bump their spam suddenly higher in the search engine rankings. There was also a concern that, if the attempt worked here, other community blogs might then be targeted. As far as we know, that hasn't happened.
We have contacted a number of similar sites that might be subject to similar attack methods just in case; they are watching out for this to occur too. (Please don't name sites you think we might have missed in the diary; it would be best not to give anyone ideas. If you have an idea of someone you think we might have missed then feel free to email me, but don't post it on the board.)
:: :: :: :: ::
Having run through the initial storm of accounts, the editorial team first spent several days, in shifts (a 24/24 watch), monitoring new accounts as they were created, and splatting them as soon as they popped up, an admin's version of whack-a-mole. As with all admin activities, we didn't manage it without a lot of tears before bedtime, the odd misunderstanding, and much head-scratching, plus several discoveries of what the Scoop software is doing deep in its steamy bowels. ARGeezer should be thanked in particular for his work on the nightshift, when all the Europeans were tucked up in bed.
Once we had things more or less under control, someone (yes, someone) was able to make a couple of changes, and from there get this particular attack approach finally stopped. We have introduced a piece of programming to hopefully prevent scripted account creation. Since this, we have not seen any new accounts created from the same type of source, and have managed to reduce the amount we are watching the new user account creation. Some of us might even get back to feeling guilty at the lack of diaries we have been writing recently, having had a perfectly justifiable excuse for ten days, but no longer. Not that it's stopped some editors, who were hard at work dealing with the problem, worrying that they should be writing diaries too.
So what situation are we in now? Well, we have around 800 accounts marked down as spam or that have failed at some point in their creation process. These have all been dealt with.
However, if you are a reader who has created a new account in the last ten days that you seem to have been excluded from by mistake, please get in touch, and we will investigate. It is possible that we have chopped off an account or two by mistake; we don't think we have, but it is always possible. (After all, you could be a person who genuinely wishes to take part in the discussion here with a sideline in penis enlargement medicine.) Apart from this, from the same time period, there are sixteen new accounts that we think are more than likely OK, but are still sufficiently suspicious to still be under review. About half of these are yet to return their registration email and will more than likely naturally decay away within the next few days.
So what next? Well, the editorial staff will carry on looking, trying to make sure that things run smoothly. There will be at least one more diary dealing with what was found looking at the sites being advertised by these false accounts. For that though, you will all have to wait for afew to strip his wetsuit off and have a shower after his trip into the sewer.
Spam attacks! | 35 comments (35 topical, 0 editorial, 0 hidden)