My website monitoring site is receiving lots of spam from glitch.me

I am lead dev at Downtime Monkey - a website monitoring site. Recently we’ve been hit by a large amount of spam sign-ups that seem to originate from glitch.me

It seems bots have set up accounts, usually with random gmail addresses on our free plan. Then they proceed to add lots of monitors for glitch.me sites - most of these don’t seem real because they monitor the site without alerting anyone.

This uses overhead on our servers so it’s a bit of a problem - if anyone here knows anything about this please let me know. I’m going to have to take some action and although I’d like to avoid a total ban on glitch sites, I might have to go down that road at least for our free accounts.

Thanks for your help!

4 Likes

hi, is it possible to set up:

  • rate limiting
  • verification by email
  • set a max amount of monitors for free members

these should help. also, try adding a robots.txt to stop some bots entering your site for malicious purposes

1 Like

I would recommend that you block *.glitch.me as ping services are not allowed. This should prevent a great deal of spam.

10 Likes

i agree, or try alternative methods of checking uptime

2 Likes

You should also let [email protected] know about this, and I’m sure they could help you out!

6 Likes

i would strongly recommend rate-limiting

3 Likes

Thanks for the advice. They are getting through the email verification and rate limiting which we have in place already. Max number of free monitors per account is 60 but with hundreds of accounts this is adding up.

5 Likes

@glitch_support, this thread might require special attention.

6 Likes

It’s not ping but is similar - it’s http requests.

2 Likes

maybe, you could try auto-freezing accounts for an hour if they make too many monitors too fast at one time

2 Likes
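One way to implement the auto-freeze suggested above, as an added example and not code from the thread or from Downtime Monkey: a per-account sliding-window counter on monitor creation that freezes the account for an hour once a burst threshold is exceeded. The threshold values, the account identifiers and the explicit `now` parameter are assumptions chosen so the logic can be exercised offline without sleeping.

```python
from collections import defaultdict, deque
from typing import Optional, Tuple


class MonitorCreationThrottle:
    """Per-account sliding-window limit on monitor creation with a freeze period.

    Assumed policy (not from the thread): more than `max_events` creations
    inside `window_s` seconds freezes the account for `freeze_s` seconds.
    Timestamps are passed in by the caller (e.g. time.time()) so the class
    holds no hidden clock and can be tested deterministically.
    """

    def __init__(self, max_events: int = 10, window_s: int = 60, freeze_s: int = 3600):
        self.max_events = max_events
        self.window_s = window_s
        self.freeze_s = freeze_s
        self._events = defaultdict(deque)   # account -> timestamps of recent creations
        self._frozen_until = {}             # account -> time at which the freeze lifts

    def frozen_until(self, account: str, now: float) -> Optional[float]:
        """Return the time the freeze lifts, or None if the account is not frozen."""
        until = self._frozen_until.get(account)
        if until is not None and now < until:
            return until
        return None

    def record_creation(self, account: str, now: float) -> Tuple[bool, str]:
        """Decide whether this account may create a monitor right now.

        Returns (allowed, reason). Call it before persisting the new monitor;
        a rejected creation is not counted toward the window.
        """
        if self.frozen_until(account, now) is not None:
            return False, "frozen"
        q = self._events[account]
        # Drop creations that have aged out of the sliding window.
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_events:
            # Burst detected: freeze the account and reset its window.
            self._frozen_until[account] = now + self.freeze_s
            q.clear()
            return False, "burst"
        q.append(now)
        return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: three creations per minute allowed, then a freeze.
    throttle = MonitorCreationThrottle(max_events=3, window_s=60, freeze_s=3600)
    for t in (0, 10, 20, 30, 31, 3629, 3630):
        print(t, throttle.record_creation("acct-demo", t))
```

This only slows down how fast one account can add monitors; as the original poster notes later in the thread, the pressure came from hundreds of separate accounts with 60 monitors each, which a per-account throttle does not address on its own.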

What if they use custom domains? After all, Freenom domains are free.

2 Likes

Can anyone let me know why they want to request glitch.me sites? Is it to keep them up?

no, it’ll be because custom domains are hard to set up and .glitch.me are quicker to set up

4 Likes

For the free accounts it’s a fixed rate of one request per 3 minutes.

@flyinRyan00 is it possible to create a domain verification system? Like you must add a file or code, as in the Bing search console

It’s possible but I don’t want to put any friction in place for normal users - we do check the domain is up and responds with 200 OK

2 Likes

i think your best idea is to add this feature - it can be automated in its current state so you'll need to introduce a bit of friction

Yeah, but free is free I guess.

2 Likes

So is there no real email verification?

2 Likes

So is there a reason why they are setting up the monitors - what's in it for them to ping the sites?

2 Likes

some wish to overload your server and ruin the experience, there are people intent on doing that sort of thing.

3 Likes

New users have to click a link in their email within an hour to verify

2 Likes

OK - thanks for the responses. I think I understand more now and will go ahead and put things in place.

4 Likes

glad to help! feel free to reply and we’ll be happy to help you out further!

3 Likes

Again, this is why we really need Glitch to have a custom header!

4 Likes

Recently, Glitch banned pinging projects to save resources. Keeping the projects up meant they were taking up resources.

4 Likes

99% of the time, malicious bots ignore robots.txt, unfortunately.

Just saying, Tasha has seen this thread :))

1 Like

Hi flyinRyan00.

You’re right about this. See this article about Glitch’s free plan: https://glitch.happyfox.com/kb/article/17-what-are-the-technical-restrictions-for-glitch-projects/#Uptime%20&%20Project%20Hours

Project Hours are spent when:

  • Someone accesses the user-facing side of a Glitch project that is not a static site

As you’ve figured out, “pinging” in this community refers to HTTP requests.

These HTTP requests trigger this “accessing the user-facing side” condition, which causes the project to continue using Glitch’s project hours, i.e. to have background processes continue running. This comes from a desire to build programs that aren’t websites on Glitch, where shutting down the background processes has a meaningful effect.

So that’s what they gain by “monitoring” even though there is no alert.

People in this thread are telling you to forbid monitoring .glitch.me websites. That's because Glitch doesn't want to allow this kind of automated access (see the excerpt at the top of the page "Glitch: The friendly community where everyone builds the web"), and these users want to help Glitch stop this kind of access.

6 Likes

@flyinRyan00 Pinging services are against the Glitch TOS

j. Infrastructure Integrity

We reserve the right to delete, suspend, or terminate your access to, or ability to use, any and all Services that we determine to be placing undue strain on our infrastructure. These changes were made in response to ping services on Glitch and our efforts to make the site more stable. You can read more about those efforts here.

The reason they use their services is because if the project isn't accessed in 5 minutes it gets shut down. It takes anywhere from 10 seconds to a minute for the project to be restarted. If this is a Discord bot and not an actual site, the bot completely stops working until it is manually restarted. Running anything 24/7 takes up resources, as you are experiencing now. Since this is a free service, Glitch is pretty much taking the hit for the cost of running each free project. The solution to having a project up all the time is simple: pay $96 for a boosted app.

What do you mean “apps that stay awake”?

For free users, Glitch apps go to sleep after five minutes of inactivity — if an app is waking up, your users might see a loading screen (we do this to keep our servers happy). Boosted apps don’t sleep and are always ready to go.

As pinging services are against the TOS, my suggestion is you block *.glitch.me and suspend any accounts that have any monitors to those domains, as it's a violation of Glitch TOS anyways. I can't afford boosted apps but I thank Glitch for what resources they have given me so far! 🥰 😍

1 Like

Just going to follow up on this to let you know how things have panned out…

After the advice from this thread I wrote a quick script to play ‘whack a mole’ with the spam sign-ups. It allowed me to just click a button to delete the monitors and Downtime Monkey account of anyone who tried to set up a monitor for glitch.me

The plan was to give me the time to observe the situation and set up something better without things getting out of hand. While doing this I noticed a few things:

  1. the bots that signed up were quite clever - about 50% of the time they are managing to bypass the Google reCAPTCHA v2 protection which we have in place. They can also automatically verify their email addresses.

  2. it’s more than one bot and/or person - in fact we had one user contact support to ask why it happened. When we explained we didn’t get a spam signup for several minutes but then they started again.

  3. It looks like the bots have been developed to automatically sign up and add a monitor when their glitch server spins down. When I deleted an account that tried to add a particular URL there was often another new account signed up within minutes and the process repeated.

  4. Some of the URLs looked pretty malicious - things like virus dot glitch dot me, spambot dot glitch dot me etc. Others just looked like apps that didn't do much - display color gradients etc.

I managed to develop and test an update to the main add-monitors page so anyone trying to add a glitch site has their account auto deleted. It’s live now.

I also was contacted by glitch support who were very helpful and are in the process of blocking our IP address so if anyone tries redirecting etc the monitoring won’t get through.

I’ll probably write a blog about this and if I do I’ll post it here but that’s all for now - it’s been a long day!

10 Likes
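The filter described in the follow-up above refuses any monitor whose target is a glitch.me site, and the earlier replies recommend blocking *.glitch.me. As an added example, not code from the thread or from Downtime Monkey, here is how such a check can be written so that it matches the host the monitor would actually request rather than doing a substring search on the URL string. The `BLOCKED_SUFFIXES` tuple, the function names and the sample URLs are assumptions constructed for this illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed blocklist of domain suffixes whose monitors are refused. Only
# glitch.me is named in the thread; the tuple shape is an assumption so that
# an operator can extend it.
BLOCKED_SUFFIXES = ("glitch.me",)


def normalize_host(url: str) -> Optional[str]:
    """Return the lowercased hostname a monitor for `url` would actually request.

    urlsplit() is used instead of a substring test so that userinfo ('user@'),
    ports, IPv6 brackets and query strings can neither hide nor fake the real
    host. A missing scheme is tolerated because monitor URLs are often entered
    as bare hostnames. Returns None if no host can be found.
    """
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname  # lowercased; userinfo and port removed
    if not host:
        return None
    return host.rstrip(".")  # 'app.glitch.me.' names the same host as 'app.glitch.me'


def is_blocked_host(host: str, suffixes=BLOCKED_SUFFIXES) -> bool:
    """True when `host` equals a blocked name or is a subdomain of one.

    Matching on label boundaries avoids the two errors of a plain
    `'glitch.me' in url` check: 'notglitch.me' is not blocked, and a URL such
    as 'https://example.com/?next=app.glitch.me' is not blocked either.
    """
    return any(host == s or host.endswith("." + s) for s in suffixes)


def should_reject_monitor(url: str) -> bool:
    """Decision taken at monitor-creation time: reject blocked or unparsable targets."""
    host = normalize_host(url)
    if host is None:
        return True  # refuse what cannot be parsed rather than monitor a guess
    return is_blocked_host(host)


if __name__ == "__main__":
    # Constructed sample inputs, not real monitors from the thread.
    for candidate in (
        "https://myapp.glitch.me/",
        "HTTP://user:pw@MyApp.Glitch.ME:8080/health",
        "myapp.glitch.me",
        "https://example.com/?next=myapp.glitch.me",
        "https://notglitch.me/",
    ):
        print(f"{candidate!r:50} reject={should_reject_monitor(candidate)}")
```

A check at creation time sees only the URL the user typed; a monitor for some other host that later redirects to a glitch.me site would still send requests there, which is why the follow-up mentions Glitch blocking the monitoring service's IP address on their side.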

@flyinRyan00 Would you like me to help test your glitch site filter to make sure it’s working properly?

1 Like

Thanks but there is no need - it’s been used for real at least a hundred times already!

1 Like

@glitch_support is the only one who can help you now. I would send an email, as this is against the TOS, and Glitch can ban the requests from that host. That is what they did to other ping services.