PerlMonks  

The recent spam wave

by metaperl (Curate) on Sep 02, 2011 at 15:54 UTC ([id://923871], monkdiscuss)

Ok, the recent wave of spam is forcing the custodians of perlmonks to work overtime and I'm sure they have some ideas about stemming it at the root.

I just want to request that it become hard to get an account initially and that posting be just as easy as it is now, with no CAPTCHA or other tighter security on the posting process itself.

Why? Because I just wrote an Emacs interface that makes it easy to post to perlmonks from Emacs and it will fail horribly if the authentication requirements for posting are raised to more than just a saved cookie.



The mantra of every experienced web application developer is the same: thou shalt separate business logic from display. Ironically, almost all template engines allow violation of this separation principle, which is the very impetus for HTML template engine development.

-- Terence Parr, "Enforcing Strict Model View Separation in Template Engines"

Replies are listed 'Best First'.
Re: The recent spam wave (iceberg)
by tye (Sage) on Sep 02, 2011 at 21:10 UTC

    Thanks for the brainstorming.

    I just wanted to let y'all know that the part of the spam problem that y'all see is actually a pretty small part and so many of your suggestions are unlikely to be implemented because of that.

    Last time I checked, we were successfully blocking hundreds (maybe thousands) of spam posting attempts most days. (I'm not sure why people continue attempts at that volume when they aren't working, but spammers certainly often demonstrate a lack of common sense to go along with their lack of common decency.)

    The spam blocking tools were rather hastily thrown together and they certainly show it, but they also have proven quite effective with only occasional tweaks.

    But I'm extremely reluctant to talk about spam blocking techniques in even minor details in public. This is a continual "arms race" and showing "our hand" seems an extremely bad idea to me.

    The latest onslaught just requires some more tweaks. Corion has already made some tweaks and I've discussed other tweaks that I've been contemplating (and not just related to spam).

    Unfortunately, I've been largely burnt out the last month and have spent very little time actually writing code except at my day job. But that has always ebbed and flowed so I expect to be contributing more soon.

    Based on patterns already observed, I do not foresee CAPTCHA being a particularly effective addition. I do foresee upcoming restrictions on how frequently anybody can post with some limits influenced by our voting/experience system.

    The goal is to have members in good standing be extremely unlikely to even notice the new restrictions, have legitimate new members and anonymous visitors be able to reasonably contribute, and also greatly reduce the potential impact of the fairly infrequent onslaughts of abuse (and also completely block certain types of abuse).

    - tye        

Re: The recent spam wave
by blue_cowdawg (Monsignor) on Sep 02, 2011 at 17:01 UTC
        I just want to request that it become hard to get an account initially and that posting be just as easy as it is now, with no CAPTCHA or other tighter security on the posting process itself.

    I have to agree with this.

    Having said that, I certainly agree that "something" needs to be done about the recent spate of spammers. Keep in mind, though, that any measures that are taken to abate the problem are normally a PITA to the innocent and guilty alike.

    Some of my thoughts on this:

    • Use a mail back scheme to validate accounts. Meaning when a new monk arrives at the Monastery send them an email pointing to a customized link validating their email address as being valid. While this is certainly not foolproof, I know I could write an auto-responder for that, it raises the bar a little. Much as I hate CAPTCHA, a hate that is visceral to the point of mania, maybe the page generated by the custom link could have CAPTCHA as a secondary layer of validation.
    • CAPTCHA on the registration page. See my comments above. I always have trouble reading CAPTCHA images and I'm certain I am not the only one.

    Where I am going with this is some means to tie a newly generated login with a real person. Other steps can be taken once the person is identifiable.

    The obvious hole in all this is the technique of creating a "throw away" account on Yahoo, Hotmail, <fill in blank> or whatever.


    Peter L. Berghold -- Unix Professional
    Peter -at- Berghold -dot- Net; AOL IM redcowdawg Yahoo IM: blue_cowdawg
      The obvious hole in all this is the technique of creating a "throw away" account on Yahoo, Hotmail, <fill in blank> or whatever.

      Most user accounts are registered manually anyway, so setting up a CAPTCHA or whatever at registration would not help anything.

Re: The recent spam wave
by BrowserUk (Patriarch) on Sep 02, 2011 at 18:12 UTC

    I think the simplest mechanism would be to not allow a new account to post a second time until it had received a reply to its first post.

    Since no one replies to spam, that would prevent having to chase down and reap the 10 or 15 posts that they often manage to post before they are locked.

    It would also prevent the fairly frequent occurrence of newbie first-post, re-posts.


    Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
    "Science is about questioning the status quo. Questioning authority".
    In the absence of evidence, opinion is indistinguishable from prejudice.

      until it had received a reply to its first post.

      until their first post has been approved.

        until their first post has been approved.

        No. Or at least that is not what I meant.

        I've seen some of the more carefully constructed spam nodes approved. It seems that if the first sentence scans as a legitimate question, people will often approve without reading further.

        But to reply, you usually have to have read the post more carefully. That's why I would use that as the criteria.


        Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
        "Science is about questioning the status quo. Questioning authority".
        In the absence of evidence, opinion is indistinguishable from prejudice.
Re: The recent spam wave
by onelesd (Pilgrim) on Sep 02, 2011 at 18:19 UTC

    Correct me if I'm wrong, but don't new nodes have to be approved before they are visible? I often see "node approved by X" in my nodelet over there.

    By default, you could make all new accounts unable to post comments on existing nodes until they've had a new node of their own approved. That would weed out all but the most dedicated spammers without forcing more work upon the admins. This isn't a fully automated solution, but it also wouldn't impact the legitimate users of this site in a negative way.

    Update:
    To address the first-post re-post BrowserUk brought up, you could also require some nominal amount of XP (or node reputation) before allowing the user to comment.

      But everyone who can approve nodes could still see the spam.

      Update: I think there's a way not to show those, but then that means fewer people would be left to approve legitimate nodes. I was thinking of "Show Unapproved Nodes", but it looks like Friar on up always see unapproved nodes.

      Elda Taluta; Sarks Sark; Ark Arks
      My deviantART gallery

        I think there's a way not to show those, but then that means fewer people would be left to approve legitimate nodes.

        Allow more people to approve nodes? This is a community-driven site after all.

      By default, you could make all new accounts unable to post comments on existing nodes until they've had a new node of their own approved. That would weed out all but the most dedicated spammers without forcing more work upon the admins. This isn't a fully automated solution, but it also wouldn't impact the legitimate users of this site in a negative way.

      It would have affected me. When I first joined this site, I posted nearly 20 nodes in replies to other comments and questions on SoPW, before I posted my own question here.

      My suggestion is that the first few posts by new Initiates should go through a manual approval until the user is promoted to Novice. The moderator should have three choices: Reject, accept or immediately promote to Novice. If the user gets three rejects then their posts are hidden and their account locked. If they post something good as their first post, then the promote button lets the moderator give them an immediate +20 XP bonus, so no more of their posts need moderating. While their post is awaiting moderation it is visible only to those eligible to moderate it (Friars and above). This means that visitors to our site and the googlebot will not see any spam.

      My other suggestion is that spam posts should be hidden more. The current "This node was taken out by the NodeReaper..." display takes up as much space as a normal node. I think it should shrink to a single line, or be hidden entirely unless you select a "Show Spam Nodes" option in your preferences.
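
The moderation flow proposed in the comment above (queue an Initiate's posts, three moderator choices, lock on the third reject), sketched as an added example; it is not PerlMonks code and not from any poster in this thread. It assumes Novice begins at 20 XP, so the +20 bonus ends moderation, and every function and field name is hypothetical.

```perl
use strict;
use warnings;
# Assumptions: Novice begins at 20 XP (so the +20 bonus ends moderation);
# all field and function names here are hypothetical.
my ($NOVICE_XP, $PROMOTE_BONUS, $MAX_REJECTS) = (20, 20, 3);

sub new_account { return { xp => 0, rejects => 0, locked => 0, posts => [] } }

# Posts by Initiates are queued; Novices and above post directly.
sub submit {
    my ($acct, $text) = @_;
    return if $acct->{locked};
    my $state = $acct->{xp} >= $NOVICE_XP ? 'visible' : 'pending';
    my $post  = { text => $text, state => $state };
    push @{ $acct->{posts} }, $post;
    return $post;
}

# The three moderator choices: reject, accept, promote.
sub moderate {
    my ($acct, $post, $decision) = @_;
    die "post is not pending\n" unless $post->{state} eq 'pending';
    if ($decision eq 'reject') {
        $post->{state} = 'hidden';
        if (++$acct->{rejects} >= $MAX_REJECTS) {   # third reject: lock
            $acct->{locked} = 1;
            $_->{state} = 'hidden' for @{ $acct->{posts} };
        }
    }
    elsif ($decision eq 'accept' or $decision eq 'promote') {
        $post->{state} = 'visible';
        $acct->{xp} += $PROMOTE_BONUS if $decision eq 'promote';
    }
    else { die "unknown decision '$decision'\n" }
    return $post->{state};
}

# Pending posts are shown only to those eligible to moderate them.
sub can_see {
    my ($post, $can_moderate) = @_;
    return 1 if $post->{state} eq 'visible';
    return ($post->{state} eq 'pending' && $can_moderate) ? 1 : 0;
}

# Constructed run: a spam account is locked after three rejects.
my $spam = new_account();
moderate($spam, submit($spam, "buy pills $_"), 'reject') for 1 .. 3;
print "spam account locked: $spam->{locked}\n";
my $ok = new_account();
moderate($ok, submit($ok, 'How do I sort a hash by value?'), 'promote');
print "second post state: ", submit($ok, 'Follow-up')->{state}, "\n";
```

Because `can_see` returns false for pending and hidden posts when the viewer cannot moderate, anonymous visitors and crawlers never receive queued spam in this model.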

        IIRC, the current "show reaped nodes" shows the actual nodes, not a link to visit reaped nodes
Re: The recent spam wave
by Anonymous Monk on Sep 02, 2011 at 23:59 UTC

    I had thoughts along the same line in autoreap button for locked accounts

    spam showed for hours and hours, even after the account got locked by whatever for spamming

    users still had to consider all nodes for reaping

    users still had to vote on all nodes for reaping

    That is a lot of nodes

    I thought, make it easy to reap all nodes by account locked for spamming by making a button, it should be quick and easy to add, and it's just another tool for dealing with spam that slips through

    A janitor or someone sees account locked for spam, clicks one button, and now there is no need to consider 19 nodes, vote on 19 nodes ...

Re: The recent spam wave
by Caio (Acolyte) on Sep 02, 2011 at 17:44 UTC
    What about reaping these accounts which only have 1 post and it's spam, or even all of that account's posts being spam?
    Plus, I think it'd be a good idea to have a login captcha.

      Spamming accounts already get locked.

      What purpose would a login captcha serve?

        That should keep bots from logging in and posting spam (at least that's the idea)
