The end of centralized blacklists and more...

Lately there have been some notable changes when it comes to comment spam on weblogs. These changes don't look very good for us webloggers. First of all, there's a new emerging trend in spam techniques, hitting innocent webloggers such as myself and a growing number of others. I've already spotted the first incident of an innocent weblogger being added to a centralized blacklist. As I've noted earlier, this marks the beginning of the demise of such blacklists. But there's more to worry about.
Then there are other anti-spam techniques using JavaScript, such as Elliott Back's Hashcash. If you look at these screenshots of you'll see that we now have an advanced comment-spam tool which isn't script-based anymore. It's not just firing off dumb requests but utilizing a real browser engine to do its evil. This means that any JavaScript used to protect our comments is rendered useless, because the browser engine will execute any script it finds in the page. Then there's Bad Behaviour, a technique that tries to detect spam by investigating the request (headers, user agent and some other features) for unusual patterns. If spammers, however, use real browser engines to send off their garbage, plugins like Bad Behaviour will lose their ability to tell spam from legitimate comments as well.
Finally, there are the Turing-style spam protection schemes, such as the one used on this weblog. A simple question is inserted into the comment form. The question can be changed periodically to prevent the correct answer from ever appearing on spammers' pre-fabricated lists of spam URLs. Of course we don't want our comment form to become an IQ test, which is why the questions are trivial. As some colleagues of mine pointed out, it's already possible to create software that can answer questions of a trivial nature. It's not quite mature yet, so we're safe for now, but it's a matter of time until this technique can be defeated as well if creators of blogspam software try hard enough.
So what have we got here? Blacklists are a dead end. JavaScript techniques and user-agent/header sniffing? Same old story. Captchas then? These too have been cracked already. Inserting trivial questions? AI software to answer them is not far away anymore. I'm afraid we're moving towards the end of truly open commenting on weblogs and other community sites. Requiring registration, or moderation queues that slow down the discussion enormously, are probably the only options that will be able to protect our weblogs in the long run. Of course I might be forgetting some holy grail solution here, but I'm afraid the future doesn't look particularly bright for free, unrestricted interchange of thoughts in the blogosphere.
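A sketch of the rotating-question check described above, as an added example that is not this weblog's own code. The secret, the hourly window, the question pool and the function names `issue` and `check` are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: per-site secret (constructed value)
WINDOW = 3600                      # assumption: the question rotates every hour
QUESTIONS = [                      # constructed question pool: (question, answer)
    ("What is the first letter of the word 'blog'?", "b"),
    ("How many days are there in a week (digits)?", "7"),
    ("What colour is a clear daytime sky?", "blue"),
]

def _mac(label, window_no):
    return hmac.new(SECRET, b"%s%d" % (label, window_no), hashlib.sha256)

def _index(window_no):
    # Keyed choice, so the rotation order cannot be predicted from outside.
    return _mac(b"q", window_no).digest()[0] % len(QUESTIONS)

def issue(now=None):
    """Return (question, token); both go into the comment form."""
    now = time.time() if now is None else now
    window_no = int(now // WINDOW)
    token = "%d.%s" % (window_no, _mac(b"t", window_no).hexdigest())
    return QUESTIONS[_index(window_no)][0], token

def check(token, answer, now=None):
    """Accept only an untampered, recent token together with the right answer."""
    now = time.time() if now is None else now
    try:
        window_str, tag = token.split(".", 1)
        window_no = int(window_str)
    except ValueError:
        return False               # malformed token
    expected = _mac(b"t", window_no).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False               # forged or edited token
    # Current and previous window only: slow writers pass, old answer lists do not.
    if int(now // WINDOW) - window_no not in (0, 1):
        return False
    right = QUESTIONS[_index(window_no)][1]
    return hmac.compare_digest(answer.strip().lower().encode(), right.encode())
```

A recorded token and answer stop working once two windows have passed, which is the "pre-fabricated list" case; software that answers the question when it is asked still passes.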
Filed under: cyberspace

At 01 October '05 - 21:06 Simon wrote:
On the other side, I’m certain there is always something we can do to stop those jerks from screwing up our precious weblogs. You won’t give up, will you, Marco? ;)
At 01 October '05 - 21:56 weefselkweekje wrote:
The only thing I can think of is to make spam useless. Like the nofollow attribute, or perhaps by not allowing any kind of hyperlink in comments.
Another thing is legislation. But the police will have to wise up before they can even go after spammers.
At 01 October '05 - 22:21 weefselkweekje wrote:
SK is “self learning” and combines just about every technique ever invented to tell spam apart from regular comments.
I’m definitely an optimist (not just in this matter) and I sure hope that you (Marco) will continue to help bloggers with creative new anti-spam ideas.