The amount of attempted spam I've had in the past 24 hours has grown massively (judging by the number of failed email verifications I see anyway). So I thought I'd share this trick for fighting spam (for now anyway) with the rest of the list.
---------- Forwarded message ----------
From: Billy Crook <[email protected]>
Date: Mon, Aug 3, 2009 at 16:36
Subject: Re: [Laconica-dev] A plan for spam
To: Evan Prodromou <[email protected]>

Thank you Evan, for all your work so far!

I'd resorted to running this in a screen session:

    # Every 30 seconds, for each nickname pattern in ./badpeople:
    # delete that user's notices and overwrite their password hash.
    while true; do
      cat badpeople | while read badperson; do
        echo DELETE \`Micro_KCLUG_com\`.\`notice\`.\* \
          FROM \`Micro_KCLUG_com\`.\`notice\` \
          LEFT JOIN \`Micro_KCLUG_com\`.\`user\` \
          ON \`Micro_KCLUG_com\`.\`notice\`.\`profile_id\`=\`Micro_KCLUG_com\`.\`user\`.\`id\` \
          WHERE \`Micro_KCLUG_com\`.\`user\`.\`nickname\` LIKE \'$badperson\' \; \
          update \`user\` set \`password\`=\'nomorelogin4u0000000000000000000\' \
          where user.nickname like \'$badperson\'\; \
          | mysql --user=root --password=pwhere -D Micro_KCLUG_com
      done
      echo .
      sleep 30
    done

One of the lines in ./badpeople is 11%99 since, somehow, the majority of spammer IDs match that. It's almost like they're taunting us. "Here, we'll give you something arbitrary to filter us by so we can change it later and waste your time." Something like that.

I think all accounts should have a 'karma' value. It would start at 0. It would increment by one for every notice they send, and decrement by two for every post they have sent that later gets flagged as spam. (One and two are obviously arbitrary, and would be tunable by the admin.) The admin would have access to add entries to a list of regular expressions, and minimum karma required for a notice that matches on that expression. In this manner, a default match might require 10 karma to show on the main page. One containing an email address or url might require 30. One containing acai or cialis 50.

Definitely a recaptcha on account creation. An optional recaptcha during posting from the web interface should cause karma to be evaluated as if it were higher than they currently have. (If they choose to fill out the recaptcha and they do it successfully, they get +10 or x1.1 karma when deciding if that notice should be visible on the main page.)

Accounts with high karmas that have existed for a while should be permitted to post faster than new accounts or ones with low karma.

How about some sort of account suspension (or -500 karma) when the associated email address bounces?

I don't think we should stop [human] spammers from signing up for an account, and I don't think we should keep them from posting notices privately. If someone wants to subscribe to a spammer they should get all the spam they can handle. The way to put a stop to it is to disincentivize spamming, and all that's needed to do that is to keep the spam from showing in the default stream of notices.

Reputation is important. When anyone can create a new identity at the drop of a hat, the best way to identify and disincentivize bad behaviour is to let those identities build a reputation, and only trust ones with good reputations with the privilege of showing up on the main page.

This will also have the effect of making the experience more competitive. +1 and -1 buttons could be used for karma. Each member could vote that message's karma up or down so people would have a good reason to only post interesting notices.

2009/8/3 Evan Prodromou <[email protected]>:
> Any type of software that allows posting from arbitrary humans on the
> Internet is going to have to deal with spam. Here are a few of the methods I
> think we can use:
>
> Third-party services. There's a Mollom and BlogSpam plugin. We need plugins
> for Akismet and Defensio, and we need to make sure that those services know
> we'll be checking with them.
> User reporting. "This is spam". Probably our first line of defense; data
> from here can help feed automated systems below.
> Captchas. These keep bots from doing things only people should do. I think
> the reCaptcha plugin is great for registration. Not sure how it would work
> for posting.
> Throttles. These keep the same account from posting too often. This is
> already in place, but I'm not sure how accurate it is.
> IP lookups. We should try to prevent posting from known botnets or open
> proxies. We may want to keep our own IP block list.
> Bayesian filters. Checking words, author, context, that kind of thing. Seems
> to be pretty effective.
> Keyword filters. More direct: you can't say "viagra" on this system.
> Bad behaviour. Sniffs HTTP messages for tell-tale signs of poorly-programmed
> Web tools. Not sure it's going to be effective for Laconica;
> poorly-programmed Web tools are our major interface.
>
> Finally, I'd like to integrate the current ban and blocklist into the UI
> (for admins only).
>
> -Evan
>
> --
> Evan Prodromou
> CEO, Control Yourself, Inc.
> [email protected] - http://identi.ca/evan - +1-514-554-3826
>
> _______________________________________________
> Laconica-dev mailing list
> [email protected]
> http://mail.laconi.ca/mailman/listinfo/laconica-dev
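
The karma gating proposed in the forwarded message, sketched as an added example (not code from Laconica or from either poster). The regexes, the choice of the +10 captcha variant over x1.1, and the rule that the highest matching threshold wins are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Tunable values taken from the proposal in the message above.
NOTICE_REWARD = 1      # karma gained per notice sent
SPAM_PENALTY = 2       # karma lost per notice later flagged as spam
BOUNCE_PENALTY = 500   # karma lost when the account's email bounces
CAPTCHA_BONUS = 10     # per-post boost for a solved reCAPTCHA (assumed: +10, not x1.1)

# (pattern, minimum karma) pairs; thresholds are from the message,
# the regexes themselves are constructed for this example.
RULES = [
    (re.compile(r"\b(acai|cialis)\b", re.I), 50),
    (re.compile(r"https?://\S+|\b[\w.+-]+@[\w-]+\.[\w.-]+\b", re.I), 30),
    (re.compile(r""), 10),  # default rule: matches every notice
]

@dataclass
class Account:
    notices_sent: int = 0
    spam_flagged: int = 0
    email_bounced: bool = False

    def karma(self) -> int:
        score = self.notices_sent * NOTICE_REWARD - self.spam_flagged * SPAM_PENALTY
        return score - BOUNCE_PENALTY if self.email_bounced else score

def required_karma(text: str) -> int:
    """Assumption: the strictest threshold among all matching rules applies."""
    return max(minimum for pattern, minimum in RULES if pattern.search(text))

def visible_on_main_page(account: Account, text: str,
                         captcha_solved: bool = False) -> bool:
    """Gates the public timeline only; subscribers still receive the notice."""
    effective = account.karma() + (CAPTCHA_BONUS if captcha_solved else 0)
    return effective >= required_karma(text)
```

A brand-new account has karma 0, so nothing it posts reaches the main page until it has sent ten unflagged notices or solved the captcha on a plain-text notice.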
