My website monitoring site is receiving lots of spam from glitch.me

@flyinRyan00 is it possible to create a domain verification system? like you must add a file or code like in the bing search console

It’s possible but I don’t want to put any friction in place for normal users - we do check the domain is up and responds with 200 OK

2 Likes

I think your best idea is to add this feature - it can be automated in its current state, so you’ll need to introduce a bit of friction.

Yeah, but free is free I guess.

2 Likes

So is there no real email verification?

2 Likes

So is there a reason why they are setting up the monitors - what’s in it for them to ping the sites?

2 Likes

Some wish to overload your server and ruin the experience; there are people intent on doing that sort of thing.

3 Likes

New users have to click a link in their email within an hour to verify

2 Likes

OK - thanks for the responses. I think I understand more now and will go ahead and put things in place.

4 Likes

glad to help! feel free to reply and we’ll be happy to help you out further!

3 Likes

Again, this is why we really need Glitch to have a custom header!

4 Likes

Recently, Glitch banned pinging projects to save resources. By keeping the projects up, projects were taking up resources.

4 Likes

99% of the time, malicious bots ignore robots.txt, unfortunately.

Just saying, Tasha has seen this thread :))

1 Like

Hi flyinRyan00.

You’re right about this. See this article about Glitch’s free plan: https://glitch.happyfox.com/kb/article/17-what-are-the-technical-restrictions-for-glitch-projects/#Uptime%20&%20Project%20Hours

Project Hours are spent when:

  • Someone accesses the user-facing side of a Glitch project that is not a static site

As you’ve figured out, “pinging” in this community refers to HTTP requests.

These HTTP requests trigger this “accessing the user-facing side” condition, which causes the project to continue using Glitch’s project hours, i.e. to have background processes continue running. This comes from a desire to build programs that aren’t websites on Glitch, where shutting down the background processes has a meaningful effect.

So that’s what they gain by “monitoring” even though there is no alert.

People in this thread are telling you to forbid monitoring .glitch.me websites. That’s because Glitch doesn’t want to allow this kind of automated access (see the excerpt at the top of this page https://glitch.com/legal), and these users want to help Glitch stop this kind of access.

6 Likes

@flyinRyan00 Pinging services are against the Glitch TOS

j. Infrastructure Integrity

We reserve the right to delete, suspend, or terminate your access to, or ability to use, any and all Services that we determine to be placing undue strain on our infrastructure. These changes were made in response to ping services on Glitch and our efforts to make the site more stable. You can read more about those efforts here.

The reason they use their services is because if the project isn’t accessed in 5 minutes it gets shut down. It takes anywhere from 10 seconds to a minute for the project to be restarted. If this is a Discord bot and not an actual site, the bot completely stops working until it is manually restarted. Running anything 24/7 takes up resources, as you are experiencing now. Since this is a free service, Glitch is pretty much taking the hit for the cost of running each free project. The solution to having a project up all the time is simple: pay $96 for a boosted app.

What do you mean “apps that stay awake”?

For free users, Glitch apps go to sleep after five minutes of inactivity — if an app is waking up, your users might see a loading screen (we do this to keep our servers happy). Boosted apps don’t sleep and are always ready to go.

As pinging services are against the TOS, my suggestion is you block *.glitch.me and suspend any accounts that have any monitors to those domains, as it’s a violation of Glitch TOS anyways. I can’t afford boosted apps, but I thank Glitch for what resources they have given me so far! 🥰 😍

1 Like

Just going to follow up on this to let you know how things have panned out…

After the advice from this thread I wrote a quick script to play ‘whack a mole’ with the spam sign-ups. It allowed me to just click a button to delete the monitors and Downtime Monkey account of anyone who tried to set up a monitor for glitch.me

The plan was to give me the time to observe the situation and set up something better without things getting out of hand. While doing this I noticed a few things:

  1. The bots that signed up were quite clever - they are managing to bypass the Google reCaptcha v2 protection which we have in place about 50% of the time. They can also automatically verify their email addresses.

  2. It’s more than one bot and/or person - in fact we had one user contact support to ask why it happened. When we explained, we didn’t get a spam signup for several minutes, but then they started again.

  3. It looks like the bots have been developed to automatically sign up and add a monitor when their glitch server spins down. When I deleted an account that tried to add a particular URL, there was often another new account signed up within minutes and the process repeated.

  4. Some of the URLs looked pretty malicious - things like virus dot glitch dot me, spambot dot glitch dot me etc. Others just looked like apps that didn’t do much - display color gradients etc

I managed to develop and test an update to the main add-monitors page so anyone trying to add a glitch site has their account auto deleted. It’s live now.

I also was contacted by glitch support who were very helpful and are in the process of blocking our IP address so if anyone tries redirecting etc the monitoring won’t get through.

I’ll probably write a blog about this and if I do I’ll post it here but that’s all for now - it’s been a long day!

10 Likes
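A sketch of the kind of add-monitor filter the post above describes, added here as an example and not Downtime Monkey's own code. It matches the hostname rather than the raw URL string, so case, ports, userinfo and trailing dots do not slip past, and it also checks any redirect hops the caller observed; the function names and the `redirect_chain` parameter are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the blocklist holds domain suffixes; "glitch.me" is the one
# named in the thread.
BLOCKED_SUFFIXES = ("glitch.me",)


def normalized_host(url):
    """Return the lower-cased hostname of an http(s) URL, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # drops userinfo and port, lower-cases
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.rstrip(".")  # "app.glitch.me." names the same host


def is_blocked_host(host, suffixes=BLOCKED_SUFFIXES):
    """True for the suffix itself or any subdomain, never for look-alikes."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def check_monitor_target(url, redirect_chain=()):
    """Decide whether a monitor may be created for `url`.

    redirect_chain holds the Location URLs seen while fetching the target
    (hypothetical input supplied by the caller's HTTP client).
    Returns (allowed, reason).
    """
    for hop, candidate in enumerate((url, *redirect_chain)):
        host = normalized_host(candidate)
        if host is None:
            return False, f"hop {hop}: not a valid http(s) URL"
        if is_blocked_host(host):
            return False, f"hop {hop}: {host} is on the blocklist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not URLs from the thread.
    for sample in ("https://example.com/",
                   "HTTPS://My-App.GLITCH.me:443/",
                   "https://example.com@my-app.glitch.me/",
                   "https://notglitch.me/"):
        print(sample, check_monitor_target(sample))
```

Running the same check again each time the monitor fires, not only at sign-up, covers a target that starts redirecting later.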

@flyinRyan00 Would you like me to help test your glitch site filter to make sure it’s working properly?

1 Like

Thanks but there is no need - it’s been used for real at least a hundred times already!

1 Like

@glitch_support is the only one who can help you now. I would send an email, as this is against the TOS, and Glitch can ban the requests from that host. That is what they did to other ping services.