Secretly A Sapient Lilac Bush

https://archiveofourown.org/admin_posts/34681

Our February releases included new admin tools for our Support and Policy & Abuse teams, as well as a bunch of challenge and collection fixes and a host of small updates and improvements. We also upgraded to Rails 8 and Elasticsearch 9!

Many thanks to first-time contributor Shel!

Credits

• Coders: Bilka, Brian Austin, Danaël/Rever, FlyingFalcon, Hunter Ada Smith, james_, Jennifer He (DisappearEagle 无鸢), marcus8448, Richard Hajek, Scott, slavalamp, varram
• Code reviewers: Bilka, Brian Austin, james_, sarken
• Testers: ana, Bilka, choux, hvalrann, Lute, mumble, ömer faruk, pk2317, therealmorticia, Yuca

Details

0.9.457

On February 2, we deployed a major Rails update.

• [AO3-7231] - Updated the framework the Archive runs on to Rails 8.0.

0.9.458

On February 9, we introduced a way for our Support team to add information to the support form without disabling the form, and deployed a bunch of miscellaneous fixes and improvements.

• [AO3-6983] - It was already possible for our Support team to temporarily close the support form and replace it with a message to users, e.g. about a known site-wide issue the development team was already working to solve. Additionally, they can now add a temporary message to the form without disabling the form entirely.
• [AO3-3245] - Trying to open the posting form to add a work to a closed collection (only possible by manually typing in the appropriate URL) would lead to an error message that looked like the form had already been submitted. The URL now redirects to the collection with a more helpful error message.
• [AO3-7246] - We added a "Parent" link to comments, so you can quickly jump to the specific comment that is being replied to.
• [AO3-7260] - Passwords must now be between 8 and 72 characters long. (The previous minimum was 6 characters.)
• [AO3-7274] - Comment previews for Policy & Abuse admins were previously truncated after the first 100 characters, and admins had to click on the preview to access the full comment. Now the preview includes the first 1,000 characters, which is much more useful.
• [AO3-7279] - When a collection is set to "revealed" or "non-anonymous", the collection is placed in a queue that runs when resources are available to change the status of potentially thousands of works. This means the moderator often has enough time to quickly change the setting back if a checkbox was ticked in error. We now make sure the process really only runs if the revealed or non-anonymous option is still wanted when the servers are ready to work through the queue.
• [AO3-7240] - In our ongoing internationalization efforts, we prepared the text in the help pop-ups for Rating, Warning, and Fandom tags for translation.
• [AO3-7047], [AO3-7281], [AO3-7287], [AO3-7288] - Code clean-up, database performance improvements, and system updates.

0.9.459

Our February 17 deploy included various small fixes and updates.

• [AO3-4031] - Draft works include a message at the top, warning the creator that unposted drafts will be automatically deleted after a certain time. If you had a draft with multiple chapters, this message would not be displayed! Now it appears everywhere it should.
• [AO3-5367] - If someone bookmarked a mystery work, i.e. a work in an unrevealed collection, the bookmark would show up in bookmark searches that matched elements of the mystery work. Since we don't want information about a mystery work to be guessable in this manner, we now make sure searching bookmarks doesn't give away information about unrevealed works.
• [AO3-5870] - A blockquote in a comment would awkwardly overlap with the commenter's user icon, so we've taken steps to make sure it stays within its own boundaries.
• [AO3-5963] - You can't request an invite with an email address that is already used by an existing account. If an existing account updates their email address to one that's waiting in the request queue, we now make sure that request is deleted.
• [AO3-7206] - Downloads of a work in progress with only one chapter posted were missing that chapter's title, summary, and notes, displaying only the information entered for the work as a whole. Now all data is present and accounted for!
• [AO3-7254] - We've added a limit to how many times a specific comment can be reported to the Policy & Abuse team for review.
• [AO3-7263] - Under certain circumstances, an admin would get a 500 error trying to access a user's preferences page. Now they can access it even under those circumstances.
• [AO3-7289] - When a user tried to create a skin with faulty CSS, the parser would just throw an error 500 instead of telling the user which part was stressing it out. It now helpfully points to the problem in the CSS code.
• [AO3-7210] - The help pop-up that provides information about creating skins is now prepared for translation.
• [AO3-6853], [AO3-7048] - Code clean-up and database performance improvements.

0.9.460

A bunch of gem updates went out on February 21.

• [AO3-7036] - When reviewing comments held in moderation, to either approve or reject, there was no "Thread" link to get the URL for a specific comment, e.g. to report it to the Policy & Abuse team. Now there is!
• [AO3-7278] - AO3 admins from the Open Doors team can now track invitations in the admin area.
• [AO3-7236] - Prepared the text in a couple of skins-related help pop-ups for translation.
• [AO3-7265], [AO3-7297], [AO3-7298], [AO3-7299], [AO3-7300] - Code clean-up and database performance improvements.

0.9.461

On February 28, we upgraded to Elasticsearch 9.

• [AO3-7282] - Upgraded the search engine that powers, among other things, work searches and filtering from version 8 to 9.

https://archiveofourown.org/admin_posts/34681

https://archiveofourown.org/admin_posts/34631

NOTE: This is a living document and will be updated in response to changes and new types of spam as observed by OTW volunteers.

LAST UPDATED: March 30, 2026

As AO3 continues to grow, there has been an increase in the amount and variety of spambots that attempt to harass or scam users. Spambots may try to imitate other users and even AO3/OTW volunteers to appear more realistic. This post shares a brief update on how we're working to combat this issue, what types of spam we've seen, and what you can do if you encounter spam comments on AO3.

What We're Doing

Protecting our users from scammers and bots targeting AO3 is important to us, and we are actively working to combat spam on the site in a variety of ways—both visible and not. We will not share a detailed list of every change we've made (so as to not provide spammers with information about how to circumvent these measures), but some examples include introducing comment rate limits for logged-in users, changing the default comment setting on new works to "Registered users only", spam checking comments and comment edits from new users, and making a variety of improvements to the admin tools used by our Policy & Abuse volunteers to handle reports and remove spam comments.

We continue to consider and undertake additional technical changes to help prevent and improve our response to spambots. However, it is important to us that any anti-spam measures we implement do not substantially harm users who are browsing or attempting to comment normally. Many more aggressive anti-spam measures would make AO3 less accessible, particularly for users using assistive devices such as screen readers.

In addition to taking technical steps to help address the issues, we continue to post updates about spambots and other important changes to AO3 on our Tumblr, Bluesky, and Twitter/X. We encourage you to follow us on these platforms to stay informed about what's going on.

Types of Spam Comments

Below is a list of different types of spam comments that have been posted on AO3 over the last year. We intend to maintain this list and add new types of spam to it as they are identified; however, this list may not include every type of spam comment that could possibly be received. We encourage you to remain vigilant and follow internet safety best practices.

If you're not sure if something is a spam comment, you're welcome to contact Policy & Abuse for assistance. Before doing so, we encourage you to click through the links below to learn more about each type of comment and use your best judgement to determine if a comment appears to be genuine or could be a scam.

• Art Commission Spam: These comments come from both guests and registered accounts who pretend to be artists who want to make comics or illustrations for your fanfic. They may ask questions or praise your work to try and get you to reply to them, before convincing you to contact them off AO3 (often via Discord). They will try to scam you into paying for their art, which is either AI-generated or does not exist at all. (First reported August 2024, news post published December 2024)
• Deprecated Fandoms Spam: These guest comments claim that AO3 will be "deleting works to conserve server space". There is no such thing as a deprecated fandom and there is no limit on the number of fanworks that can be posted to a specific tag. (First reported May 2025, Tumblr announcement May 2025)
• AI Use Accusation Spam: These guest comments will accuse you of using AI in your work. They may mention a particular AI generator or AI detection service, or claim that they "saw you remove the AI prompts from your work". (First reported April 2023, Tumblr announcement November 2025)
• Harassing Spam: These guest comments will accuse you or another user of promoting discriminatory beliefs, deceiving fans, or similar behaviors. They often suggest that you "consider adding more diverse characters" to "repair the trust you've lost with your audience". (First reported October 2025, Tumblr announcement November 2025)
• Praise and Unsolicited Suggestions Spam: These guest comments will compliment your writing but then offer ridiculous suggestions for how to make your work better. Similar to the harassing spam, they may ask you to add a minority character to your work or threaten to publicly expose you if you don't do what they want. (First reported October 2025)
• Special Character/Keysmash Spam: These comments are usually long and consist entirely of emojis or nonsense, keysmash-style sequences of characters from a variety of non-Latin scripts or languages (e.g., Chinese, Cyrillic, Thai, etc). (First reported November 2025)
• Reporting To Authorities Spam: These guest comments threaten to report you or your work to the authorities or your employers. They also may allege security concerns like your email being compromised or spyware on your computer. (First reported December 2025, Tumblr announcement December 2025)
• Disparaging Spam: These guest comments insult you or your writing, claiming that you "wasted your talents" or "have no life". They may also threaten suicide or tell you to delete your work. (First reported December 2025)
• PowerShell Spam: These comments present you with a piece of code to enter into your computer's terminal/command line. While they claim that the purpose of the code is for your protection or security, the code in these comments would actually delete all documents from your hard drive. (First reported January 2026)
• Doxxing Threat Spam: These guest comments claim that they know where you live, have seen you in person, and/or threaten to meet you face-to-face. They often say that they have or will post your personal information (name, address, etc.) online or that they are stalking you in real life (e.g. "left a gift in a briefcase near your house"). (First reported January 2026, Tumblr announcement January 2026)
• Spam Impersonating OTW Volunteers: These guest comments claim to be AO3/OTW volunteers and say that there has been a data breach or that AO3 and other sites (such as Reddit) have been sending out fraudulent password reset emails. (First reported January 2026, Tumblr announcement February 2026)
• Downtime Spam: These guest comments claim that the March 2026 AO3 downtime was caused by hackers and AO3 has a virus that will destroy your device, and encourage reformatting your device or deleting all your works. (First reported March 2026)

None of the accusations these spam comments make are true. The bots are merely spamming false accusations in order to alarm or harass AO3 users. It is generally safe to ignore these comments once you've removed and/or reported them as outlined below.

What You Can Do

Do not engage in conversation with spam commenters. Do not provide your email or social media contact information to a commenter who asks for it. Scammers try to get you to talk to them privately, because it is often easier to deceive or manipulate people in a one-on-one conversation.

Do not click on any links, run any code commands on your computer, or search out and harass any users named in these comments. Scammers often copy the username of a real AO3 user on their guest comments to make them look more real. Pay attention to the "(Guest)" indicator which will appear next to the name of anyone who comments while not logged in.

For spam comments on your own work, the best way to handle them depends on whether they are from registered accounts or guests. Refer to the instructions below on how to handle Spam from a Guest User or Spam from a Registered Account.

If you see a spambot comment on someone else's work, you can report the comment as spam to Policy & Abuse (even if it's a guest comment) as you would a comment on your own work. You can also let the creator know the comment is from a bot and that they should mark it as spam.

Please don't report comments that have already been deleted. As part of handling a report about spam comments (whether from guests or registered accounts), we will remove other comments made by the same bot. If the comments have been deleted, the bot has already been actioned and no further reports are needed.

Spam from a Guest User

If you receive a spambot comment on your work which is posted by a guest:

1. Go directly to the comment on your work, either by clicking on the link in your email or in your AO3 inbox.
   
   Note: The "Spam" button only appears when viewing a guest comment directly on your work. This is because the AO3 comment inbox is merely a copy of the work's comments—deleting a comment from your AO3 inbox does not delete the comment from the work itself.
2. Click on the "Spam" button to mark the guest comment as spam, remove it from your work, and help train our automated spam-checker to reject similar spam comments in the future.
   
   Note: Marking guest comments as spam does not submit a report to the Policy & Abuse committee, but unless you are receiving dozens of guest spam comments in a short time period, there is no need to submit a separate report.

To prevent future guest spam comments, you may also want to consider disabling anonymous commenting or restricting your work to registered users only.

If you are reporting multiple guest comments, please submit only one report and include all comment links in your report description. (You can get the direct link to a specific comment by selecting the "Thread" button on the comment and copying the URL of that page.)

If you are receiving dozens of guest spam comments in a short time period, we recommend turning on comment moderation and providing us with a link to the unreviewed comments section of the affected work(s) instead of reporting the comments individually.

Spam from a Registered Account

If the spam comment is posted by a registered AO3 account:

1. Select the "Thread" button on the spam comment. This will take you to the specific comment page.
2. Scroll to the bottom of the page and select Policy Questions & Abuse Reports.
3. In the "Brief summary of Terms of Service violation" field, enter "Spambot".
4. In the "Description of the content you are reporting" field, enter "This is a spambot, their username is USERNAME." (replace USERNAME with the account's actual username)
5. Optionally, you may also choose to block or mute the account.

Please don't report multiple spam accounts in one report. Each account is actioned separately and listing more than one account per report delays our response to you.

Closing

In general, please follow internet safety best practices and be cautious of unsolicited advertisements or harassing comments on your work. For some advice on other ways you can protect your AO3 account, take a look at this internet security guidance from our Policy & Abuse volunteers.

The Organization for Transformative Works is the non-profit parent organization of multiple projects including Archive of Our Own, Fanlore, Open Doors, OTW Legal Advocacy, and Transformative Works and Cultures. We are a fan-run, donor-supported organization staffed by volunteers. Find out more about us on our website.

https://archiveofourown.org/admin_posts/34631