Designing For Evil

May 28, 2008

Have you ever used Craigslist? It's an almost entirely free, mostly anonymous classified advertising service which evolved from an early internet phenomenon into a service so powerful it is often accused of single-handedly destroying the newspaper business. Unfortunately, these same characteristics also make Craigslist a particularly juicy target for spammers and evildoers. Who knows; maybe it's karma.

I consider Craigslist a generally benevolent public service. Perhaps that's why I was so profoundly disturbed by John Nagle's wartime narrative of the raging battle between Craigslist and spammers.

Spam on Craigslist has been a minor nuisance for years. Not any more. This year, the spammers started winning and are taking over Craigslist. Here's how they did it. Craigslist tries to stop spamming by:

  1. Checking for duplicate submissions.
  2. Blocking excessive posts from a single IP address.
  3. Requiring users to register with a valid email address.
  4. Using a CAPTCHA to stop automated posting tools.
  5. Letting users flag postings they recognize as spam.

Several commercial products are now available to overcome those little obstacles to bulk posting. CL Auto Posting Tool is one such product. It not only posts to Craigslist automatically, it has built-in strategies to overcome each Craigslist anti-spam mechanism:

  1. Random text is added to each spam message to fool Craigslist's duplicate message detector.
  2. IP proxy sites are used to post from a wide range of IP addresses.
  3. E-mail addresses for reply are Gmail accounts conveniently created by Jiffy Gmail Creator (ed. note: this does not break Google's CAPTCHA, as you can see in this screenshot.)
  4. An OCR system reads the obscured text in the CAPTCHA.
  5. Automatic monitoring detects when a posting has been flagged as spam and reposts it.

CL Auto Poster isn't the only such tool. Other desktop software products are AdBomber and Ad Master. For spammers preferring a service-oriented approach, there's ItsYourPost. With these power tools, the defenses of Craigslist have been overrun. Some categories on Craigslist have become over 90% spam. The personals sections were the first to go, then the services categories, and more recently, the job postings.

Craigslist is fighting back. Its latest gimmick is phone verification. Posting in some categories now requires a callback phone call, with a password sent to the user either by voice or as an SMS message. Only one account is allowed per phone number. Spammers reacted by using VoIP numbers. Craigslist blocked those. Spammers tried using number-portability services like Grand Central and Tossable Digits. Craigslist blocked those. Spammers tried using their own free ringtone sites to get many users to accept the Craigslist verification call, then type in the password from the voice message. Craigslist hasn't countered that trick yet.

Much of the back and forth battle can be followed in various forums. It's not clear yet who will win.

I've used Craigslist quite a few times in the past, mostly to sell things that are too unwieldy to ship, with generally positive results. But that's the "for sale" section, and the spammers seem to be concentrating on the personals and services. I was curious about this, so I delved into the local personals section in what I guessed to be the most popular category. (Note to my wife: this is research! Research! I swear!)

Almost immediately I found a personals ad with the following "image":

Craigslist anti-scam image

It's an encoded wartime transmission from someone battling Craigslist spammers. It ends on this dire warning:

99.9% of the ads these days are fakes. Sad but true. REALLY, ALMOST ALL THE ADS ARE FAKE!

But is it true? I saw some obvious spam in the personals section -- all of which had been flagged for removal by the time I clicked on it -- but certainly nothing to corroborate this 99.9% claim. I did a few unique term searches on random personals (my favorite at the moment is "no murderers please!"), and they came up unique.

Clearly, there's a war on, and there have been casualties on both sides. Even if the spammers aren't winning, every inch they gain further undermines the community's trust in Craigslist and devalues everyone's participation.

This is a topic I am acutely interested in as we build stackoverflow.com out. Like Craigslist, stackoverflow will offer a rich experience for anonymous internet users. We will not require you to create an account or "login" to answer or ask questions. We'll even track your reputation and preferred settings for you, as long as you allow us to store a standard browser cookie. While it's true that we'll initially be a low-value target due to limited traffic and a specialized audience, that will inevitably change over time. So you can expect some of the same measures on stackoverflow that Craigslist and Wikipedia use to mitigate anonymous evil:

  • Some form of CAPTCHA.
  • The ability to temporarily "lock" controversial questions so only registered users can edit or add responses.
  • An automatic throttle if we see rapid, bot-like actions from your IP address.
  • Some basic heuristics to detect "spammy" content, such as too many URLs.
  • An easy way for users with sufficient reputation to undo vandalism by reverting to an earlier version.

The community itself can also assist. Every question and answer on stackoverflow can be rated Digg style; if a given bit of content rapidly accrues a large number of downmods, it is likely to be spam or inappropriate content, and will be automatically removed or directed into a moderation queue.
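As an added illustration (example code written for this page, not stackoverflow's or Craigslist's implementation), here is how the IP throttle, the "too many URLs" heuristic and the downmod-driven moderation queue described above fit together; the limits, IP addresses and sample posts are made-up assumptions:

```python
import re
import time
from collections import defaultdict, deque

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


class IpThrottle:
    """Sliding-window limit: more than `limit` actions from one IP within
    `window` seconds is treated as bot-like and refused."""

    def __init__(self, limit=5, window=60.0):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)

    def allow(self, ip, now=None):
        now = time.time() if now is None else now
        q = self.events[ip]
        while q and now - q[0] > self.window:
            q.popleft()                      # drop events outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def spammy_score(body, max_urls=2):
    """'Spammy' content heuristics: too many URLs, or a body that is mostly links."""
    urls = URL_RE.findall(body)
    score = 0
    if len(urls) > max_urls:
        score += 2
    link_chars = sum(len(u) for u in urls)
    if body and link_chars / len(body) > 0.5:
        score += 1
    return score


def community_verdict(downmod_times, now, threshold=5, window=600.0):
    """Digg-style signal: `threshold` downmods within `window` seconds sends the
    content to the moderation queue instead of leaving it live."""
    recent = [t for t in downmod_times if 0 <= now - t <= window]
    return "queue" if len(recent) >= threshold else "keep"


def moderate(post, throttle, now, spam_threshold=2):
    """Decision for a new anonymous submission: reject, queue or accept."""
    if not throttle.allow(post["ip"], now):
        return "reject"                      # rapid bot-like posting from this IP
    if spammy_score(post["body"]) >= spam_threshold:
        return "queue"                       # let moderators look before it goes live
    return "accept"


def demo():
    # Constructed sample traffic (documentation-range IPs), not real site data.
    throttle = IpThrottle(limit=3, window=60.0)
    honest = {"ip": "203.0.113.7",
              "body": "Use a prepared statement; see http://example.com/docs for the API."}
    linkfarm = {"ip": "198.51.100.9",
                "body": "http://a.example/x http://b.example/y http://c.example/z buy now"}
    results = {"honest": moderate(honest, throttle, now=0.0),
               "linkfarm": moderate(linkfarm, throttle, now=1.0)}
    # Fourth post from one IP inside 60 seconds trips the throttle.
    results["burst"] = [moderate({"ip": "192.0.2.44", "body": "hi"}, throttle, now=float(i))
                        for i in range(4)]
    # Five downmods within ten minutes pull content into the moderation queue;
    # two downmods spread over more than an hour do not.
    results["downmodded"] = community_verdict([100, 110, 120, 130, 140], now=200.0)
    results["contested"] = community_verdict([100, 5000], now=5100.0)
    return results


if __name__ == "__main__":
    print(demo())
```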

Don't get me wrong. I've been humbled by the quality -- and the sheer size -- of the community that has grown up around this blog. I expect the overwhelming majority of people who participate in stackoverflow.com will be absolutely upstanding internet citizens. Wikipedia is a living testament to the fact that goodness vastly outnumbers evil. We good guys can win, if we've had the forethought to put some controls in place first.

Allowing anonymous users write permission creates a volatile situation where a dozen sufficiently motivated spammers can easily poison the well for thousands of typical users. These spammers don't give a damn about the community we're building together. All they care about is getting paid by posting their links anywhere and everywhere they can. They'll run roughshod over as many websites and pages as possible in their frantic, abusive pursuit of money. If I didn't so desperately want to choke the life out of each and every one of them, I might actually feel sorry for the poor bastards.

But here's the problem: following the rules and being a good citizen is easy. Being evil is hard; it takes more work. Sometimes a lot more work. The bad guys get paid to learn about their exploits. Are you willing to educate yourself about the complex evil that a tiny minority of powerful users are prepared to unleash upon your site? As with so many things in life, this is best illustrated by a scene from Spaceballs:

HELMET So, Lone Starr, Yogurt has taught you well. If there is one thing I despise, it is a fair fight. But if I must then I must. May the best man win. Put 'er there. (offers to shake his hand)

Dark Helmet, from Spaceballs

LONE STARR goes to shake his hand. HELMET takes the ring off LONE STARR'S hand.

HELMET The ring. I can't believe you fell for the oldest trick in the book. What a goof. What's with you man? Come on. You know what? No, here let me give it back to you. (offers the ring back)

LONE STARR goes up to get the ring back. HELMET throws it in a grate. The ring goes in the grate. LONE STARR tries to catch it and falls to the grate.

HELMET Oh, look. You fell for that, too. I can't believe it man.

LONE STARR gets up and runs to a corner.

HELMET So, Lone Starr, now you see that evil will always triumph, because good is dumb.

As the good guys, we can't afford to be ignorant of the spammers' techniques. If that means spelunking through the grimiest corners of some scummy black hat forums, then so be it. I'll tell you this: I've never nofollowed a single link on this blog until today. The most effective way to fight the evil spammers is to understand them, and the first step toward understanding evil is openly linking to their tools and methods, exposing them to as much public scrutiny as possible.

When you design your software, work under the assumption that some of your users will be evil: out to game the system, to defeat it at every turn, to cause interruption and denial of service, to attack and humiliate other users, to fill your site with the vilest, nastiest spam you can possibly imagine. If you don't do that, you'll end up with something like blog trackbacks, which are irreparably busted at this point. Trackbacks are the source of countless untold hours of institutionalized spam pain and suffering, all because the initial designers apparently did not ask themselves one simple question: what if some of our users are evil?

When good is dumb, evil will always triumph.

Websites that allow users to post content will always be vulnerable to the actions of a handful of evil, spammy users. It's not pleasant. It is a dark mirror into the ugly underbelly of human nature. But it's also an unfortunate, unavoidable fact of life: some of your users will be evil. And when you fail to design for evil, you have failed your community.

Posted by Jeff Atwood
147 Comments

Yet another suggestion:

You keep track of users such that you know who's a newbie, and who's trusted. Then for each new anonymous user, you pair them with a trusted user who is also about to submit. The trusted user's job is to verify the answer that the newbie was asked.

This means that the questions can get pretty arbitrary, like "Name a difference between these two pictures".

Any newbie would have to wait for a trusted user to use the system, which would increase frustration, but a spammer would be blocked by the system itself. Oh, but wait; sufficient spammers would choke the system and no one would get verified. Yeesh.

Yeah, this is hard business.

Rob Chansky on May 29, 2008 11:43 AM

Say... animated captchas is a great idea!

If you generate a piece of text rendered in 3d, then rotated in place in a few frames with lots of noise added. You could then add far more noise (because the human brain is great at picking out movement) into the animated gif than you could get away with for a stationary gif.

I do believe that would work... for a while.

Rob Chansky on May 29, 2008 11:47 AM

Lots of people are suggesting photos or multiple photos so you get the benefits of exponentials along with an adjustment to the image to stop any hash matching.

How about magic eyes? I know they are computer generated, but someone would have to write code to reverse it and OCR it (if even text). Obviously again you would probably need multiple for validation and stop hash matching somehow.

Although this would be a problem if you can't do them I don't know how many can and can't.

pete on May 29, 2008 11:53 AM

The spammers are getting paid by the company at the end of their many, many links. The links they place go to someone who handles monetary transactions. This leaves trails. Why not seek remediation from the site at the end of the link? Spam will always be here until/unless this is done. Spammers are just contractors. We should go after the $$$ paying them.

Stephen on May 29, 2008 11:54 AM

Just saw the buddy system post; sounds good: assign a new user to an existing trusted user who reviews their posts for a short period and approves them. If they get disapproved, all their posts are removed.

pete on May 29, 2008 11:54 AM

Craigslist is just the new Usenet.

There is no way to stop the spam, really.

The only thing to do is to run small, targeted sites using nonstandard APIs/paths/names/protocols; then there is no one big payoff for automatic spamming tools to target (major wiki software, major blog software, smtp).

Reed on May 29, 2008 11:54 AM

Cardspace

Brian on May 29, 2008 12:01 PM

Reading over the comments here there are a lot of good ideas for how to implement a better captcha. (Which is of course missing the point, but there we are.) Given motivation ($$$) and time, every single one of those can be broken.

While I was pondering this (and of course, thinking of my own ideas for a better captcha - javascript animations that follow a mathematical path onscreen to form legible text after a few seconds, semi-transparent (alpha-based) overlays to reveal hidden text like those magic glasses or color-blindness tests, liberal use of XHR to get pieces of an image, etc) I had an enlightenment: the key insight behind a captcha is not that people can read squiggly letters better than a machine, but that people are flexible where machines are not. Add into this that machines see webpages much differently than people do, and that while good is dumb, evil is lazy if we let it be. The spammers and scammers aren't going away, so let's make them work for their .000001% success rate.

A simple bot can easily repeat steps. Visit this url, grab this hidden field value, post this next step, find the image, OCR it, enter text. Changing that sequence even a little - say, changing a field name - will probably break some bots. Changing it a lot will probably make the bot authors rework their programs. A person, on the other hand, will notice zero difference, because the browser hides all that from them. It's not difficult for the bot writers to rework the programs - dump the page, fix the field values, set up a new url sequence, whatever. But it still takes them time. And in that time their bots are non-functional. So - change the flow of the submission. Often. Automatically. Think of 10 little things that you could change about the form submission that would each break a naive bot. Code them all up, and have the form posting method switch to the next one once a day. If it takes a spammer a day to rework the bot and distribute it, you've bought yourself 10 spam-free days. If you can think of 10 things that are independent and can each be included or not, you've bought yourself a year.

In a way, spammers on websites - blogs, CL, etc - are much like email spammers, with one very important difference: we (the good guys) completely control the admission path. So we can make the admission path complicated (put instruction text in webpages, hide the text various different ways), and that puts the web spammers in the position of trying to figure out what is the spam and what is the ham in the form submission process. For instance: say you have an ok image-text captcha. Instead of having the user type the funny letters, instruct them to type just the first three letters. Now figure out a bunch of different ways to ask them to do it. Now the spammer-bot is in the position of needing to not only decode the captcha, but to parse the English text next to it. "Type in the first 3 letters in the box above." "Enter the frist[sic] three letters above." "Key in the letters before the E appearing in the image above". Not too hard to come up with new schemes here. Not too hard to break them either, but it is work that needs to be done. Keep them on their toes.

Any bot can be stopped - until the programmer adapts it. Any scheme can be broken, given time. The key is to take away their time to do it. The problem is that it takes our time to do that also. Which all in all, makes a lot of sense: the spammers can be stopped, but it's a full-time job, because it's their full-time job to get by you.

Evil Otto on May 29, 2008 12:07 PM

How about making users interact with an obfuscated signed applet instead of just HTML/CSS/JS? With a secure applet running on the client machine, there are more options such as: encrypt verification traffic, confuse the client machine (and not the human actually using a browser), etc. You can even verify that the browser is actually a browser or inspect the client machine for spamware! C'mon, fight sophisticated software with same! Not a hard problem to outcode the evils...

peet on May 29, 2008 12:12 PM

"But here's the problem: following the rules and being a good citizen is easy. Being evil is hard; it takes more work."

You didn't listen to master Yoda...

Luke: Is the dark side stronger?
Yoda: No... quicker, easier, more seductive.

The problem for craigslist or wikipedia or the godforsaken wasteland of usenet is that it's so damn *easy* to be evil, and to do it anonymously. It takes moral character to be a good citizen and follow a social contract when there's no real punishment for violating others.

infidel on May 29, 2008 12:28 PM

Actually, that 99.9% spam claim may be high, but not by much. On this CL city that has a "combo" area/city name, all the ones that use the same name as the CL site itself ("visalia-tulare"), are faked:

http://visalia.craigslist.org/search/cas/?query=w4m

No real person says they are from "visalia-tulare"... it's one or the other, or some other nearby town, and all the single-name towns on this page do not exist near the "visalia-tulare" area. In other words, not a single "real" post on this page. Scanning the first 300 yields only two that are *possibly* legit.

AnonymousTul on May 29, 2008 12:30 PM

You can keep it anonymous with registration like so:

1. You must register a username to use the service. You don't need to provide any personal information, not even an email address. There is no callback verification or captcha or any of that stuff.

2. You must apply from a non-blacklisted ip address (automatic blacklist of anonymisers, or other portals that spammers like to use). Note that this blacklist is ONLY for registration.

3. The system keeps track of what IP addresses are being used to register. If too many accounts are generated from that address, the system suspends that IP until a human decides to make the ban permanent or not. Perhaps allow a way for the human to raise the maximum allowed users for an address (thinking of universities with nat firewalls here).

4. Once you have registered from an allowed address, you may post all you want. If your posts get flagged for spam, a human comes in to check, and if it is spam, your account gets banned and the registration IP you used is blocked.

5. Add a way for a user to petition to have his IP address unblocked (perhaps his machine was commandeered into a botnet).

Karl on May 29, 2008 12:35 PM

You're starting to sound more like Joel by the day. Especially with this i'm-cursing-all-the-spammers-to-the-lowest-levels-of-hell thing.

If you were in their shoes would you act so different?

Jazz on May 29, 2008 12:52 PM

J13:

Except that the "Star Wars" shield never worked and probably will never work as advertised (total ballistic missile defense against a full nuclear exchange). Which actually makes it an apt analogy: get things to the point where the defense against them is too costly and too difficult to pull off. It's been done with nuclear weapons—there is no effective technological defense against them except for counter-attack.

The question is: are the spammers the one making nukes, or are they making missile defense? I think the former, unfortunately—finding ways to keep people from spamming is a lot harder than spamming, on the whole.

Shmork on May 29, 2008 1:10 PM

It just seems to me that if there is money involved, then no matter what you do somebody somewhere will figure out a way to break it. I disliked the "programming question" solution posted previously. I am not a C++ programmer. I read this stuff because I want to be a decent programmer in the future, but certainly couldn't state if given a list what one word of these four is a reserved word. And that would then exclude me from participating.

Craig on May 29, 2008 1:25 PM

"...user has to organize 12 images into 2 categories..."

at which point the user decided not to bother...

The problem with all anti spam systems is that if it annoys the genuine user too much then they won't bother ...

Spammers however will because they are more persistent than a real user

Jaster on May 30, 2008 2:32 AM

"If you were in their shoes would you act so different?"

Speaking for myself, I couldn't possibly be in their shoes. It takes a certain kind of person to be a spammer.

I don't even know what you mean exactly by "in their shoes." It's not like they were forced into being spammers by circumstances. ("They killed the woman I love... they ruined my life... they made me become a spammer!")

NJ on May 30, 2008 4:06 AM

Ok, this idea probably fails the test of making it easier for the user, but what about having the poster add a question about the post along with one or more valid answers. For example, for this post, Jeff could ask "What word does Jeff use to describe what kind of target Craigslist makes for spammers?". The correct answer would be "juicy". It's open-ended so guessing wouldn't work. Using the Amazon turk method of having cheap people do it would become less cost effective because they'd have to actually read the article. The spammers would have to basically solve natural language to beat it. If they do, we thank them for advancing AI. The downside is people would have to actually read and comprehend the original post before commenting. The upside is that people would have to actually read and comprehend the original post before commenting.

Brian Deterling on May 30, 2008 4:25 AM

@NJ:

Perhaps he means the poor spammers are trapped in a vicious cycle of poverty where the only way they can afford to feed their children is to make a few measly cents from spam.

People like Jeremy Jaynes, who apparently had to struggle by on just $750,000 a month.

http://en.wikipedia.org/wiki/Jeremy_Jaynes

Graham Stewart on May 30, 2008 4:39 AM

Isn't that "guess which picture below is a cat" unbreakable? Why does Craigslist not use it? I think that is less troublesome than a normal CAPTCHA.

Seriously, I really hate CAPTCHA, especially badly made ones. Torrent leech CAPTCHA sometimes takes me 4 or 5 tries to log in. I fear a world where I will need to fill in a CAPTCHA in order to log in to WoW.

Hoffmann on May 30, 2008 6:34 AM

random limit generator http://sirnot.110mb.com/c/?f=limgen.py
+
captcha backend
=
captcha from hell! http://img154.imageshack.us/img154/1544/captchafromhelltm7.png

sirnot on May 30, 2008 6:45 AM

Have you noticed how hard it is to leave a comment these days? I remember the old days when you could just pop in to a blog, leave a comment, and hit the road. Then along came captcha technology. Now it seems that everyone wants you to register for an account to leave comments, and I'm just not down with that.

GreenLantern33 on May 30, 2008 7:30 AM

It takes a certain kind of person to be a spammer.

Unfortunately the world has an endless supply of that kind of person.

Rhywun on May 30, 2008 8:20 AM

Can you blame them? Craigslist is huge! It's a great place to get rid of second hand stuff or sell things in general. Plus its free. Who wouldn't want to be there?

Michael on May 30, 2008 8:43 AM

Having to pay for everything can't be the answer to SPAM. SPAM is sometimes mail, sometimes SMS, sometimes a chat message, sometimes a comment on a blog, sometimes a comment in a forum. You want all of these to cost money? Do you think the Internet would be where it is right now if all this would cost money? Some suggested to not have people pay per submission, but only once to sign up. Some spammers make $10'000 a month. Do you think they care if they have to pay $100 to sign up for 100 forums, if they can then spam them into the ground? It will only stop them, if they have to pay "per post" or "per mail". But that would also hit normal users and would be "the end of the world as we know it".

Have you ever considered it might be a war we can't win? Every war has a winner and a loser (usually wars don't end with a tie) and there is no reason to believe, that this is war we will certainly win. Maybe spammers will win! Maybe the evil *can* actually win and will finally win and spammers will make the Internet as we know today unusable.

Maybe the solution is a completely different one. IPv6 might be it. Stop dynamic IP addresses! Every user gets his/her own IP address (or address range as IANA wants to give everyone a whole network bigger than the currently available IPv4 address space altogether). If you always come in with the same IP address, IP address blocking finally makes sense again. Spammers will get on black lists and be permanently banned from a couple of sites, finally on the blacklist, being banned from almost anything. Okay, they can use open proxies, but guess how fast they will end up on blacklists, too.

If the only way to ever get a new IP address is changing your provider (which can be very hard, since some say contracts will last for at least two years), this could be a real problem for spammers if all open proxies are blocked, too. Especially if providers say "If you ever come back to us, you will of course get your old IP block back. Thanks to IPv6 we have so many IP addresses, if we have handed out every customer in our company history a whole subnet block and reserved that thereafter, we would still have not even used 5% of all addresses we have been getting assigned by IANA".

Of course that means you lose anonymity completely. Should anyone ever find out who is owning which IP block, you are "tagged" and everyone knows who you are, where you go and what you do. If you give up being anonymous, there might be an even easier solution. We need a way to 100% verify the identity of a person when signing up for anything on the Internet. E.g. a WWIC (World Wide Identity Card). Every new PC ever produced would have a card reader built-in (such a reader costs $20 for an end user, $10 for a bigger company getting 1000 at once). If this card is unfakable (unless you are the Ueberhacker), you can actually block "people" from your service. They can't sign up for a new account, since they can't identify as a person other than the one you already blocked. Actually the system does not even have to break anonymity completely. The WWIC may just transfer a world wide unique number to you. So you know the number (that you can use for blocking) and the nickname of the user. It still won't give you the real name or street address.

Though maybe breaking anonymity alone in some way is already the perfect solution. Do you think many people will still be spamming, if everyone can look up who they are? I don't think so. Not that I would support such actions in any way (fighting evil with evil makes you become part of evil), but I guess if they overdo it, one day their car will be beaten to crap, their cat might be dead when they come home or their house mysteriously has caught fire. And these might be more harmless things that can happen. People get killed weekly for much less than spamming.

Mecki on May 30, 2008 9:41 AM

I would actually support the death penalty for spammers.

Jim on May 30, 2008 11:02 AM

"Ship the commenter a product of two primes and the JavaScript to extract the primes. Pick ones large enough that it takes about 15 seconds. Users won't care but you just cost the spammer 15 computer seconds per post."

If javascript can factor it in 15 seconds, high-performance mathematical software will do it in 1/100 that time, with throughput even higher on a multi-core machine. In-browser computational challenges won't slow spammers unless you're willing to seriously inconvenience many regular users, because spammers can afford to develop efficient non-embedded challenge solvers that run much faster. Even if you could equalize solver performance, are you going to make someone with a 4 year old PC wait 2 minutes to solve a challenge that a brand new machine does in 15 seconds? Will the challenge take 15 minutes to complete on an iPhone?

Matt on May 30, 2008 12:43 PM

Mecki: Well, if the spammers are adapting their methods of obscuring - and thus hiding - spam, we should stop thinking about just single recognizers for spam.
I am currently wondering if it would be possible to create a system of spam recognizers, message normalizers and similar agents that results in some emergent behaviour that digs through lots of obscurations.

I think, at first, you have to normalize the messages in some way, because in the last years, the simple "buy via_gra" turned into some "buy v1agra", "buy viiIiIi1agraAaA4" and then turned into "buy v1i1iiIagraA4aa4aAsagrrwezrb". However, such obscurations can be reverted with pretty good precision.

After that, you can throw your regular Bayesian network on it, or create some agent that tracks the distribution of words in all posts and flags anomalies as suspicious. For example, if all the comments here contain the words "This", "spam", "freaking", "annoying", all with a probability of like 22%, rest noise, and some other post contains none of those words, but loads and loads of noise, it's suspicious.

Given enough suspicious points, you will flag it as spam eventually.

I'm pretty sure that such a system might be fairly mighty, with regard to work required, cpu-cycles eaten and spam recognized.

PS: haha, I am not allowed to post, gotta obscure things

Hk on May 31, 2008 3:17 AM
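The normalization step the comment above describes, as an added example (not code from the commenter or from this blog): leet digits, in-word separators and repeated characters are reverted before the text is compared against a watchlist, and the share of characters normalization had to discard serves as the "loads of noise" anomaly signal. The substitution table, watchlist and sample messages are constructed assumptions.

```python
import re
import unicodedata

# Substitutions spammers use to dodge exact-match filters. This table is an
# assumption for the example; tune it against your own traffic.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

WATCHLIST = ("viagra", "cialis")   # constructed sample list


def normalize_token(token):
    """Revert the common obscurations: accents, leet digits, separators inside
    the word, and repeated characters ("viiIiIi1agraAaA4" -> "viagra").
    Legitimate double letters collapse too, so compare against normalized terms."""
    t = unicodedata.normalize("NFKD", token)
    t = "".join(ch for ch in t if not unicodedata.combining(ch))
    t = t.lower().translate(LEET)
    t = re.sub(r"[^a-z]", "", t)      # strip "_", ".", "-", leftover digits
    t = re.sub(r"(.)\1+", r"\1", t)   # collapse runs: "aaaa" -> "a"
    return t


def analyze(message, watchlist=WATCHLIST):
    """Return (hits, noise): `hits` are watchlist terms found inside normalized
    tokens (substring match, so trailing junk like "...sagrrwezrb" does not
    hide the term); `noise` is the fraction of non-space characters that
    normalization threw away, a cheap anomaly score for heavily obscured text."""
    raw_tokens = message.split()
    raw_len = sum(len(t) for t in raw_tokens)
    norm_tokens = [normalize_token(t) for t in raw_tokens]
    norm_len = sum(len(t) for t in norm_tokens)
    hits = sorted({term for term in watchlist
                   for tok in norm_tokens if normalize_token(term) in tok})
    noise = 0.0 if raw_len == 0 else round(1 - norm_len / raw_len, 2)
    return hits, noise


def is_suspicious(message, noise_threshold=0.3):
    """Combine the two signals: an obscured watchlist term, or mostly noise."""
    hits, noise = analyze(message)
    return bool(hits) or noise >= noise_threshold


# Constructed samples, including the escalation quoted in the comment above.
SAMPLES = [
    "buy via_gra",
    "buy v1agra",
    "buy viiIiIi1agraAaA4",
    "buy v1i1iiIagraA4aa4aAsagrrwezrb",
    "This spam is freaking annoying",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), analyze(s), is_suspicious(s))
```

Substring matching buys recall at the cost of precision ("via grant" joined would also hit), so in practice the hits feed a score alongside the noise ratio and the word-distribution check rather than blocking on their own.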

Reverse CAPTCHA.
It is much easier to make a bot/program prove that they are such than to make a human prove they are human.

Dave on May 31, 2008 4:38 AM

"Do you think they care if you they have to pay $100 to sign up for 100 forums, if they can then spam them into the ground?"

The charge to register of course would not be the only measure. If they have to pay $1 to re-register for the forum every time their account is deactivated because they're spamming, it would become far too expensive to be worth it.

It's a decent idea on some level but not really practical. Aside from the obvious issues that quite a few people would not want to participate because they don't have a credit card or don't want to give it out, it would also probably result in more attacks aimed at hacking users' accounts, and then you will have users losing their buy-in because somebody hacked their account and used it for spam. I would rather deal with spam than hacked accounts.

There's probably never going to be a 100% foolproof way to eliminate spam, but anything you can do to reduce the negative impact spam has on the users' experience with your site, without unnecessarily burdening the legitimate users in the process is probably worth doing. i.e. captchas that are easy for normal users, filtering, moderators, etc.

While these issues aren't going to stop all of the spam, having recently visited some of the bigger sites that don't use them (just try reading some comments on a USA Today story), vs other big sites that use them, the difference is night and day. While spam is still a minor annoyance on some of the sites that do use anti-spam measures, it makes the comments sections pretty much useless on the sites that don't use any.

----

Personally I'm developing a blog for myself that is almost entirely Flash-based and is run through a Red5 media server instead of via HTTP. While I can see some drawbacks to it, some of the additional features will be pretty neat and it should help keep me free of spammers for a while. At least the spammers will need to work on an approach that is specifically aimed at my site in order to spam me; will have to be able to decode my obfuscated Flash, or sniff and break my encoding scheme, etc.

Best Regards,
Gerald

Gerald on May 31, 2008 8:49 AM

CAPTCHA is one of these useless things that are promoted as being effective. To whom?

To the average user the idea might seem amazingly smart and effective and in that sense CAPTCHAs have done a great job to say to their main target (the average user) "Great the service/product I am using is up to date with new technologies and fighting for my interests! I like them". Or piss them off completely (as I sometimes have hard time recognizing what the letters/digits are).

How effective are they? Well... How effective is the serial key on a Windows installation (or for that matter on any other software product)? Useless! The only thing it achieves is to piss off the legit user with entering the code and presents the illegal user with the inconvenience of entering a few digits during the installation process. Same goes for the other "more complicated" schemes like online activation (for a product that entirely relies on your own computer)... Same goes for CSS DVD rubbish and other digital media nonsense...

It's very simple. You can't expect to be able to give the user the flexibility and technology of redistribution and then control them. Or to stay in context, with regards to the spam and CAPTCHAs - allow the user to post freely. This is the same as telling the people they can vote but then asking them to vote for whoever you want them to vote for! Good luck controlling them!

As for CAPTCHA and images of animals and etc... that's the same rubbish as the previous. It creates more trouble for the user and little or no challenge for the person who has to break it. If there is a truly revolutionary strategy to combat misuse it would very likely involve a change in the whole basic model.

My opinion is that instead we would enter an even more open world where the value of each entity would equalize. So that whoever makes the mainstream something (music, movie, forum, blog, social network, etc...) will simply be making a more reasonable income (less than before) while the entities who have equally good products but are not as popular will also make a more reasonable income (more than before). We can argue if that will increase or decrease abuse.

Bottom line: misuse (such as spam) is not a problem that can fully be eliminated by a technical solution (especially without troubling the legit user too much); it can only be minimized by an insignificant amount. It can probably be solved socially or some other way...

Nick on June 3, 2008 5:52 AM

I just saw a story about Wal-Mart doing a beta of free classified ads to compete with Craigslist. http://news.cnet.com/8301-10784_3-9958140-7.html?part=rsssubj=newstag=2547-1_3-0-5

I wonder what they're doing about this?

Jeff Schwandt on June 3, 2008 9:30 AM

Hey, fellas! Has anyone heard about an accident in Russia, where a spammer got caught and literally battered to death? Do you think it was deserved?

Clever guy on June 6, 2008 1:20 PM

Vigilante justice against spammers. In a civilized society, this cannot be allowed, so we tell ourselves.

But at what cost do we dis-allow the vigilante justice.

Let's take, for example, spam emails. A spam email sent out to 100,000,000 email addresses may reach say 10,000,000 individuals (remember, some of these individuals WILL NOT filter their emails because in certain cases the consequences of a single false positive detection may be disastrous to their businesses).

Now, if each of these 10,000,000 individuals spend 10 seconds downloading, reading the subject, making the decision to delete, and then deleting the messages, we're up to 100,000,000 seconds of human life wasted (just over 3 years). Of course, that's just waking hours. Since humans need to spend some time sleeping, this would really take 5 waking human years.

If said spammer sends, say, 1000 different spam emails over his/her spamming career, then said spammer has wasted (stolen) 5000 years of human lifetime.

Therefore, there is a school of thought; frightening, but perhaps justified. This school of thought would hold that a spammer who wasted 5000 years of human life is guilty of the same crimes against humanity as the murderer who murders 100 people (who had avg. 50 years each to live).

And yet, we wouldn't dream of punishing the spammer in the same manner as a mass-murderer who has killed people, taking away 5000 years of human life. "But that's not the same thing," come the cries of the civilized society.

Why is it that different?

Food for thought.

Phil on August 10, 2008 7:53 AM

i need money in any condition

gilbert on September 12, 2008 6:38 AM

every body will pay attension to me , because i will feed you all please if you need any way of knowing why email me here now (b.yar_stephen@yahoo.com) beware for the kingdom of God is at hand now ....

stephe on October 25, 2008 12:27 PM

BUCK OFF

SUSAN on November 22, 2008 3:24 AM

It amazes me that people have the time, resources, and skill to write programs that could circumvent all of these safeguards so effectively. This is such a waste of good programming resources and obviously intelligent and determined people. If we could only get them employed into serious development roles, I'm sure they'd make way more money than will scammed affiliate click-through revenue and would bring some much-needed talent to an ever-expanding industry.

It's a shame to see Craigslist under siege. It is one of the few surviving remnants of the original internet and its collaborative intent.

-- Stu

Stuart Thompson on February 23, 2009 11:04 AM

For evil men to triumph it is only necessary for good men to do nothing (Edmund Burke)

Andrea on February 23, 2009 12:47 PM

Hey. The crux... is that the vast majority of the mass of the universe seems to be missing.
I am from Islands and too poorly know English, give true I wrote the following sentence: Discover discounted internet fares when you book online.

:D Thanks in advance. Aricia.

Aricia on April 15, 2009 2:59 AM

Hi. Nice to meet you all guys and hoping to learn more from this guestbook. Help me! There is an urgent need for sites: kitchen islands. I found only this - a href=http://kitchen-islands.info/Kitchen-islands/Farm-house-kitchen-islands/Farm house kitchen islands/a. Affordable cheap airline tickets, discount hotel. Oktober when are plane tickets the cheapest, how to get a cheap airline ticket, cheap. THX :cool:, Raegan from Egypt.

Raegan on April 17, 2009 6:47 AM

Hi everyone! Thanks for the invitation so much. I will try to come back as soon as possible. ;).
I am from Sudan and now study English, give please true I wrote the following sentence: Purchase low priced airline tickets online, find vacation packages, and make hotel reservations, find maps, destination information, travel news and more.

Regards :D Baron.

Baron on April 18, 2009 12:32 PM

That's SO right! It's about time people realised that exposing the evil is the best way to fight it. Be aware of the techniques so you know what to design for. It'll also keep the elitists busy coding up new tools and researching techniques that circumvent the new knowledge granted the majority of the public.

They'd have to tire sooner or later. And if they don't, at least make them work for their money!

Josh Smeaton on February 6, 2010 10:24 PM

When doctors are trying to fight cancer or HIV, they use a cocktail of drugs - it is harder for diseases to adapt when every environment is different. That's why it's important not to hang your spam fighting strategy on one approach. (or even captcha implementation)

When analyzing security, one metric is the resources an attacker needs to muster in order to defeat the measures you put in place, and when the cost of spamming outweighs the value of the prize, generally you're safe. For your blog, the Orange captcha is probably fine because the existing tools that harass Wordpress and Movable Type users won't work out of the box so the cost is high enough not to be worth it. There are plenty of people with old and unmodified blogging package installs to give the Googlebot plenty of links to digest. (Although I am a little surprised you don't nofollow the links in your comments)

It's helpful to look at the measures that different sites put in place. On Slashdot, karma, the ability to moderate posts and comments up and down, is not distributed evenly to all users; it is doled out randomly. That is why Slashdot is gamed a lot less frequently than Digg or Reddit even though it's been around longer.

On Wikipedia, most of the juicy topics have people who really care about them and watch edits obsessively. Also, all edits are out in the open, tagged to at least IP addresses, and it is very easy to roll back undesired changes. Plus the external links are 'nofollow' to decrease the value of getting your spam up there.

Facebook sends external links through a redirect page and LinkedIn 'nofollow's them in attempt to devalue links on their sites.

Craigslist, by showing posts strictly chronologically, allowing anonymous users to flag an unlimited number of posts, and allowing almost all non-script HTML entities and elements, invites bad behavior in areas where spam is profitable (real estate, services, etc.). There is a lot of innovation in the 'spamming Craigslist' space because of the enormous amount of traffic they get. It's a cat and mouse game - the Craigslist folks work hard to keep their identity while fighting spam, but they are outgunned and outnumbered. It is easy to generate a good income by spamming Craigslist if you're halfway good at it.

Cameron on February 6, 2010 10:24 PM
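The link-devaluing measures the comment above attributes to Wikipedia, LinkedIn and Facebook (nofollow plus a redirect page, with script never allowed through), as an added example that is not code from the post or from any commenter. The site host `example.org`, the `/out?` redirect endpoint and the sample comment are assumptions constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse, urlencode

SITE_HOST = "example.org"   # assumed: host of the site being protected
REDIRECT = "/out?"          # assumed: the site's own link-redirect endpoint

# Constructed sample: external link with inline handler, internal link, script.
SAMPLE_COMMENT = ('Great post <a href="http://spam.example.net/x" rel="dofollow" '
                  'onclick="x()">here</a> and <a href="/about">ours</a>'
                  '<script>alert(1)</script>')

def rewrite_href(href):
    """External http(s) links go through the redirect page; others stay."""
    p = urlparse(href)
    if p.scheme in ("http", "https") and p.netloc and p.netloc != SITE_HOST:
        return REDIRECT + urlencode({"url": href})
    return href

class LinkDevaluer(HTMLParser):
    """Re-serialises a fragment: anchors get rel="nofollow" and a redirected
    href; <script> content and on* handlers are dropped; text is re-escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.in_script = [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script += 1
        elif not self.in_script:
            kept = [(n, v or "") for n, v in attrs if not n.startswith("on")]
            if tag == "a":
                kept = [(n, rewrite_href(v) if n == "href" else v)
                        for n, v in kept if n != "rel"] + [("rel", "nofollow")]
            attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
            self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = max(0, self.in_script - 1)
        elif not self.in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(escape(data))

def devalue_links(fragment):
    parser = LinkDevaluer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Run on `SAMPLE_COMMENT`, the external anchor comes back as `/out?url=http%3A%2F%2Fspam.example.net%2Fx` with `rel="nofollow"`, the internal link keeps its href, and the script block disappears.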

Hit 'em in the wallet.

1. Create a new tier of OpenID (or whatever) that requires a $1 buy in.
2. Keep separate repositories of blacklisted accounts. Sites can share blacklists as they see fit (so one bad apple site doesn't poison the list with non-spammers).

If, as a comment poster, all your sites use this central ID then a single $1 buy-in will get you posting rights to all of them.

Requiring a buy-in for each site wouldn't be worth it (to me, at least).

Sites with a pay-to-post model usually have a very high signal-to-noise ratio. You can look at SomethingAwful, for example. While it has its own share of shenanigans going on, it doesn't have a problem with spammers.

Ron H on February 6, 2010 10:24 PM

Spam makes money because it costs very little to send millions of spam messages (whether those messages are to a forum or to email addresses). Sending 1,000,000 messages costs next to nothing, and with a click rate of 0.1%, 1,000 clicks are still created. I think the attack to take is to charge for the message.

This is a very difficult thing to do on a small site, and impossible to do with your email address. How do you charge for people to send you email? Still, I think it is an obvious solution. What if it cost $0.01 per email? I send 5 or 10 emails per day. What is a dime for me to send email? Big deal! Plus charges could be avoided with white lists.

I am not the first to have this idea. I believe MS tried to push it a while back. The problem with email was getting everyone to use it. The problem implementing the same solution on a forum would be getting users to enter a CC number (or PayPal or whatever) just to use your site's comment section.

Someone like PayPal should consider implementing an API for this type of thing. Imagine submitting a comment on CodingHorror, then being redirected to a PayPal page for login to pay your 1 cent. Maybe it would be free for comments marked as good, and $1.00 for comments marked as spam...

Jason Jackson on February 6, 2010 10:24 PM

Reliable and effective ad posting on classified websites at half the cost!
craigslist poster

Ben Callister on April 8, 2011 2:48 AM
