Phishing and spam

By Bjarni Rúnar 2018-07-26, 01:20

Dear customers, and dear abusers,

For the past few days, there has been a rash of abuse, where criminals host phishing sites behind PageKite and then send out spam e-mails to attempt to harvest people's data. We are aware of this and we are shutting down the offending accounts as quickly as we can. If you receive spam e-mails with PageKite URLs, please let us know by e-mailing support.

Unfortunately some slip through now and then, and enough did that we got blacklisted by Google - causing scary red warning pages to appear in Firefox (and probably Chrome as well) when people attempted to view their own flying kites. We are deeply sorry about this.

Sadly, there is absolutely nothing we can do to prevent people from sending out spam e-mails with links to PageKite.

However - we can make sure that those links are useless, and we have been preparing code to do exactly that for the last few months. Things have now come to a head, so I will be cutting the testing short and deploying the new protections later this week. So, dear spammers, if you are as elite as you think you are, you will stop using PageKite: the incoming traffic will be blocked automatically; you will be wasting your time.

Legitimate users should not be impacted, unless they are serving content to the wider public. Small personal sites and testing setups won't notice any difference, but busier websites may need to contact us to get the limits removed. In the future, we will be adding controls to the account management page so paying customers can adjust their limits themselves. We're sorry if this causes inconvenience, but our hand has been forced here.

The changes will roll out either on Friday or Monday, depending on how preparation work goes.

Update, July 26:

The new limits are now in place.

White-label and subscription accounts are unchanged, but trial and pay-what-you-want accounts can now only handle a limited number of different clients over a given period of time.

The number of clients and the window of time varies, but the default for a new trial account is to only allow 5 different clients over any given 3 hour period. Customers who have paid for service have both higher limits and shorter "windows." All these numbers are likely to change over time as things develop.

Clients are recognized by IP address and (in the case of HTTP requests) user-agent and accepted language. So if you run both curl and Firefox from the same machine (the same IP), that will still count as two separate clients.

Planned enhancements:

• An updated pagekite.py which reports what your actual limits are
• An updated Temporarily Unavailable page which explains these limits
• Information about these limits on the My Account page
• Tools for changing your own limits (paying customers only)
• Internal tools and processes for flagging and reviewing accounts that hit the limits

We'll post again when there is more news.