It’s just data

Russian Spam

Over the past twelve hours or so, I have received nine items of comment spam from a Russian site. is now blacklisted.

The thing that finally pushed me into activating comments was MT 2.6, which allows you to close previously open comment threads.

I don't have a way of automatically closing them after a certain time, so it's not ideal, but it still cuts down on automated comment spam.

You know, the Comment API will only make this problem worse.

Posted by Mark at

You've said that before about the comment API.  To date, I've seen no evidence to back up that assertion.

My guess is that the SMTP spam I've gotten is from people who look for mailto addresses and assume that what they found was an InBox for an individual.  In other words, they weren't specifically targetting a blog.

On the other hand, I do have two ip addresses that I block from HTTP POSTs.  These were clearly individuals that were well aware of what they were doing.

Posted by Sam Ruby at

Standardized, machine-readable, auto-discoverable APIs for posting arbitrary text and links on high-traffic sites without authentication.  Yeah, I can't imagine how that could be abused.

Ask Phil; people have already written scripts to rip through an MT site to post comments on every entry.

Nobody saw e-mail spam coming either.  That was in 1978 or so.

Posted by Mark at

Mark, it sounds to me like you are describing TrackBack.  <grin>

Posted by Sam Ruby at

Absolutely.  I have the same reservations about Trackback.  And, just as with the Comment API, there has been very little abuse to date.  I verify all the trackbacks I get (note to readers: want me to visit your site at least once?  use Trackback) and so far have had zero problems with it.

Unauthenticated SMTP servers weren't a significant problem for years.  Then it exploded.  I'm just wondering if we're doing the world any favors by sitting around saying "that would be a cool feature, and sure it could easily be abused, but let's worry about that later".

Posted by Mark at

I think maybe I'll go into the business of selling comment spamming scripts. While thinking about ways to use the Comment API, once it's widely deployed and there's a bit more consistent mapping of elements so it's not like a transporter that will get you there, but you may have an ear for a nose, I came up with eight really good ideas for how to use autodiscovery, RSS elements, changes.xml, RSD, Technorati, and BlogShares, to build a hellishly effective spamming script. Pardon me while I put on my tinfoil hat and, among other things, think about taking admin:generatorAgent out of my feeds.

Posted by Phil Ringnalda at

At least with Trackback, you could require a refering URL and check it automatically for a link to the URL they claim to be linking to.  Don't know how you'd verify the Comment API without registering.  I know: bring back the FOAF-based "you know me" button.  (I'm only half-kidding.  Gotta be careful with that; that's how we got RSS 2.0.)

Posted by Mark at

I agree with Mark that it is just a matter of time before technologies like the CommentAPI are abused by spammers. All it takes is for the technology to be used in a widespread manner.

However I also think that authentication can mitigate some of these issues. Whenever someone comes up with some sort of authentication mechanism for the CommentAPI I'll throw that support into RSS Bandit ASAP.

Posted by Dare Obasanjo at

And commentAPI couldn't require a link?

And if there was the ability to have headers, once could even require a verifiable digital signature.

If it weren't for those damned hamsters.

Posted by Sam Ruby at

Dare,  do the following words ring a bell:

I doubt I'll be doing the same for Sam's alternative SOAP version since I can't see any motivation for supporting both besides buzzword compliance.

I clearly see this differently. 

Let me turn this around.  If you wish to define an alternative to what already exists, I will support the protocol you define.  Alternately, we both could simply support what already exists.

Would you?  Could you?

Posted by Sam Ruby at

<a href=""></a>

Posted by Mark at

RE: Russian Spam

Yup, authentication would be a good reason to switch to SOAP if it makes things easier. Whenever you get a spec ready, I'll go ahead and support it as long as it isn't unecessarily onerous.

Message from Dare Obasanjo at

I always have trouble wrapping my head around security issues. Is this an authentication problem or a verification problem?

How would an ideal system work, one that would filter out spam, yet not inconvenience legitimate users.

Even with SMTP security, spam is still a problem. Either people putting up open relays innocently or ISPs that are willing to host spammers.

The only solution that seems to be getting any traction in e-mail spam is Bayesian filtering.

Sam, I'm still a giant hamster, as I
see no reason to run here:

when you could have gone here:

Posted by joe at

Ideal system:  posting software not only provides links, but also signatures.  And do so without inconveniencing the user of this software.

Software that receives the post would not only fetch the page (like Mark and I do for trackbacks), but also fetch a public key used to validate the signature.

Now, for the details.  Joe, you are pointing to the right place, but that doesn't answer the question about where in the document such signatures should be placed.  Also, should the keys be actually in the page (like trackback's metadata today), or with one or at most two autodiscovery links away (perhaps tucked away inside of FOAF or perhaps as a standalone file).

If the signature was passed as a header, without mustUnderstand being set, then those who wish to operate completely open commentAPI systems could do so.  Those that wish to check for signatures could also do so.

Mark: no, I'm not "worrying about it later".  In my typical style, I know what I am want to implement, and I am waiting for there be enough awareness of the issues that need to be solved before proceeding.

Posted by Sam Ruby at

On second thought, screw it.  Let's just worry about it later.

Posted by Mark at

  To make sure I am following your proposal,  to use the CommentAPI on your blog, I would need:

1. A public key.
2. An item on my website that contained a link to your item.

And what is going to stop that Russian site from complying with those requirements?

I'm not well versed in security, but I can only see two ways out of this problem:

1. Registration - which doesn't meet the ease-of-use criterion.
2. Bayesian filtering.

Looks like I'm ordering Bruce Schneier's Secrets and Lies : Digital Security in a Networked World tonight.

Posted by joe at

Joe, you keep repeating the filtering thought.  What you may or may not realize is that the content being sent already went through SpamAssassin.

Registration is equivalent to the public key mechanism (the russian site could simply register) from a security perspective, just less user friendly than the solution I outlined.

What registration and signing both do is remove a level of plausible deniability whereby the owner of the site could say that they didn't do it.

Posted by Sam Ruby at

Actually, the version of SpamAssassin you are running is 2.44, which does not include Bayesian filtering.  (The rest of your point stands.)

Posted by Mark at

If all this does is eliminate plausible deniability on the part of spammers, I'm not sure I see the point. Whether it's registration or a signature, spammers will take the time to write the tools to get around anything with widespread adoption. At the end of the day, the spam still needs to be deleted, the IP blacklisted and/or the account banned from further posting.

Posted by Bruce Loebrich at

Towards a spam free future

This is an executive email from billg, regarding Microsoft's efforts to stop the cockroach of the internet [Source]. If God would choose between various mailers, I hope he/she would choose Outlook 2003, which will include an efficient spam filter...

Excerpt from Matevz Gacnik's Weblog at

Add your comment