Email deliverability improvements and crushing the bots. Should sofiechan have an IQ captcha?

admin said in #3628 4d ago:

As many of you know, it has been annoying to log in to sofiechan as the code may not arrive or may end up in the spam folder. Yesterday we finally looked at the logs and realized hundreds of login emails were being sent and only about 3% resulted in successful logins. Wow, are we leaving 30x growth on the table? We set to work to fix this urgent problem.

First, we switched to a new mail provider. Maybe they have better deliverability? Early tests suggest yes they do, though still not perfect. Watching their logs overnight though, we still saw a lot of bouncing emails and generally suspicious patterns. Like a consistent 10-14 "people" with normie American sounding names per hour trying to log in even at 1am Pacific. Bullshit. We suspected a bot problem, so we gamed out captcha strategies.

Google reCaptcha? Too mainstream and invasive. Off the shelf captcha providers? Mostly a pain and not our style. We even considered hitting you with the dreaded IQ captcha: https://iqcaptcha.us.to/, which would be more our style. But it was pretty hard to solve and would probably be overkill for this, so we eventually came up with a simple invisible captcha strategy that would let us get a much better picture of the situation and design an adaptive response.

This morning, we implemented it in about an hour, and the bot logins immediately stopped. Most of them didn't even attempt a login, just got tricked by the passive defenses and moved on. Only 5 have since attempted in the hours since we pushed it up, and they all got redundantly caught by our comically stupid bot traps. Problem solved.

They were just drive-by automated probing so the slightest hint of a defense stopped it entirely. What this has to do with login deliverability is that mail providers were seeing 97% fake bot emails from us with a high bounce rate, which obviously didn't do us any favors in their spam calculations. So hopefully now that that's all cleared up and we have almost entirely legit email traffic, our reputation will improve and deliverability for the real emails will go back up. The new deliverability-optimized provider will also help. If you're a lurker and you've been having trouble, try again now and check your spam folder.

We don't believe the captcha will catch any actual users because you'd have to be just looking only at the raw HTML or running an incompatible browser to get caught by it, but if you do get caught by it, you can let us know by whatever means and we'll get you in. It will catch a lot fewer of you than the spam filters, that's for sure.

Eventually we'll need more rigorous captchas for when someone tries to attack us in particular, but we'll cross that bridge when we come to it. There's probably no point attacking our login form so I doubt they will try to innovate a response.

But I do like the idea of the IQ captcha. Maybe we should add that optionally and feed it into your taste score.
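
An added example, not part of the thread and not sofiechan's code: the post does not say how its invisible captcha works, so this sketch assumes two common passive traps (a CSS-hidden honeypot field and a signed render timestamp) and sends the login email only when neither trips, which is what keeps bot-triggered bounces out of the sender's reputation. The field name, secret and threshold are hypothetical.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-deployment secret, kept server-side
HONEYPOT_FIELD = "website"        # hypothetical input hidden from humans with CSS
MIN_FILL_SECONDS = 2.0            # assumption: a human needs at least this long


def issue_form_token(now=None):
    """Value for a hidden input, set when the login form is rendered."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def tripped_traps(form, now=None):
    """Return the passive traps a login-code request tripped (empty = looks human)."""
    now = now if now is not None else time.time()
    traps = []
    # Trap 1: browsers never show this field, so only raw-HTML form fillers set it.
    if form.get(HONEYPOT_FIELD, "").strip():
        traps.append("honeypot_filled")
    # Trap 2: the token must be one we issued, and not older than a blink.
    ts, _, mac = form.get("form_token", "").partition(".")
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    valid_ts = ts.isascii() and ts.isdigit()
    if not valid_ts or not hmac.compare_digest(mac.encode(), expected.encode()):
        traps.append("bad_form_token")
    elif now - int(ts) < MIN_FILL_SECONDS:
        traps.append("submitted_too_fast")
    return traps


def handle_login_request(form, send_email, now=None):
    """Send the login code only for clean requests; return traps for logging.

    The HTTP response should look the same either way, so a trapped bot
    learns nothing and no mail goes out to an address that will bounce.
    """
    traps = tripped_traps(form, now)
    if not traps:
        send_email(form["email"])
    return traps
```
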

anon_beqe said in #3643 4d ago:

This makes me sad cuz I am a human but I cannot pass captchas

referenced by: >>3647

admin said in #3647 4d ago:

>>3643
Well you seemed to have passed our new captcha alright, but you're going to fail the written portion of the test if you're not careful. I'm inclined to accommodate you because I can tell who you are from your writing style and you are a good friend, but you also need to step up around here. As anons, we have only our written self-presentation to go on.
