I posted this to my coworking space’s Slack, with the caption “If you’re going to spoof caller-id, maybe choose a valid phone number?”

Based on the response, the problem with the number wasn’t as obvious as I thought. Can you spot it?

Slashdot Comment Spam

On Slashdot (which I am likely dumber for reading) comment spam takes a slightly different form. Instead of earning PageRank, commenters earn karma. The end result is that instead of creating links to sites in order to screw with search engines, the spammers try to post good comments with the least amount of effort.

Take a comment on a new largest prime number for example. It sounds pretty good, but the tone of the comment is familiar; a rote collection of facts with a neutral point of view. Sure enough, I found the exact same text in the Wikipedia article on prime numbers.

While it’s questionable whether the comment adds value to the discussion, plagiarizing the Wikipedia is certainly deceitful. I guess whenever you create something of value like karma, some people will ignore social norms to do whatever they can to get it. Someone should come up with a name for that behavior, and then someone else should come along and add the word “freak” to the beginning of that name.

Notes on mod_security vs. spam

I set up mod_security, a web firewall for Apache, to deal with comment and trackback spam on my server. This isn’t a complete guide to mod_security, just the information I wish I had when I started.

I’m using mod_security because my server has lots of different blogging tools installed, and there’s no way to centrally protect them all. This won’t take care of all comment or trackback spam, but I’m hoping it will greatly reduce the amount we get. Also, I’m expecting mod_security to be faster than other tools since it stays in memory and doesn’t hit the database.


Portrait of a broken spam blocker

For HME.PVRblog.com, users get their password via email when they register. Occasionally someone will have a spam blocking service that requires people who send email to verify themselves by going to a site and passing a Captcha.

I just got one of those requests from Earthlink, and the damn thing won’t accept my input. I know I put in the right text for the Captcha, “THPN2” doesn’t have any homoglyphs like “1” and “l”. So now some guy isn’t getting his registration because of Earthlink’s broken spam blocker. I’d email him to let him know, but, well, you know…

On the plus side, I added a message to the registration page saying “If you use a spam blocking service that requires people to verify themselves before sending you mail, please add george (at) hotelling (dot) net to your whitelist to make sure you get your account details.” Hopefully this will mean fewer links I have to click.

Can anyone who uses one of these services tell me how much email they miss out on? I got an email a little while ago from Amazon telling me that USPS couldn’t deliver a package because the recipient had moved, and it came from an email address I had never gotten email from. How do people using these services get stuff like that?

[Update: I talked to Earthlink support.

‘Steven T.’ says: Thank you for contacting EarthLink LiveChat, how may I help you today?
me: I’m trying to send email to a user who has spam blocking turned on. I fill out the form and it says that the form failed and the email won’t send
me: https://webmail.pas.earthlink.net/wam/addme?a=xxxxxxxxx@earthlink.com&id=xxxxxxxxxxxx is the link I’m going to.
Steven T.: Please note that it depends upon the user accepting your request.
Steven T.: Please try to send it again and again.
me: The error message I get is “Challenge Failed. Please try your submission again.”
Steven T.: Okay, try to send it in off peak hours.
me: When are those?
Steven T.: I mean early in the morning or late night.
me: OK, I will try to schedule my email around your spam blocker.

Apparently Earthlink customers can only receive pre-approved email during the day. I’m glad I don’t rely on them for my email.]

nofollow

"nofollow" seems to be the name people are giving to the new anti-PageRank tool. It’s been pretty well received, but there has been some criticism.
nofollow is not a panacea. Large-scale social problems don’t have easy answers, like stopping the spread of STDs (which I’ve heard comment spammers have plenty of). One person implementing it on their own doesn’t remove enough incentive to stop a comment spammer. Everyone using it removes the incentive for comment spammers. I’m hoping that enough people use nofollow that comment spammers will see a negligible PageRank boost (I use PageRank only because I don’t know the name for Yahoo! juice or MSN juice) and stop spending their time spamming and their money on spambots. E pluribus unum and all that.
On the plus side, the blogs with the highest PageRank are the best cared for and most likely to use nofollow. I assume software that allows comments will start shipping with nofollow in the default template, so the new blogs (and wikis, and guestbooks, and…) are taken care of. Hosted services like TypePad, LiveJournal, MSN Spaces and Blogger are deploying nofollow site-wide, which takes care of a lot of bloggers.
That leaves the abandoned blogs and the legacy blogs run by people who don’t keep up with this sort of thing. For the people who are unaware, get in touch with them and let them know how to help protect against comment spam. Reach out and touch someone and smack them upside the head until they fix their site.
Abandoned blogs are a tougher problem. Comment spammers already gravitate towards the abandoned blogs; how do we deal with a site that isn’t maintained anymore? I suspect that abandoned blogs that are self-hosted are in the minority due to the fact that it usually requires regular cash infusions to keep running, so it’s possible that we don’t need to reach those people.
One criticism I’m hearing is that removing PageRank from comments will lower the PageRank for commenting users. Guess what – if I want to support your site by linking to it from my own I’ll do it in a post. If you leave a comment on my site, that doesn’t mean your site is any good, it just means you left a comment. PageRank for comments artificially inflates a site’s worth and I think that losing that will make Google more useful. You can still earn PageRank the old fashioned way — post something interesting that people link to.
nofollow does have a fatal flaw though. When 90% Crud gets comment spam, the comments on the post are closed, and Google ads show up on posts with closed comments. It was a nice coping strategy, I could take comfort in the fact that comment spam was encouraging me to earn money on this site. If nofollow does succeed and comment spammers move on to greener pastures, I won’t be encouraged to make my 7 cents per day. Luckily it’ll take a while for the benefits of nofollow to appear, so I’ll have plenty of time to buy my yacht.
[Update: In the area of security there is a mantra: “Deny by default.” That means that the default action should be to deny access, and then if they meet the conditions, allow. nofollow is a deny-by-default approach to PageRank in comments. If you’re responsible enough to delete comment spam with whatever tool your blogging system provides, you’re already preventing comment spammers from getting PageRank (unless Google indexes your site before you get a chance to delete them…). For people who forget about or abandon their blogs, the comment spam can pile up. If no action is taken, nofollow will default to deny comment spammers PageRank.
This won’t stop comment spam overnight, but once weblog tools ship with this as the standard configuration, and once those tools are widely deployed, then comment spammers will not receive PageRank by default; it will be the exception, not the rule. At a certain point, the time spent developing and configuring spambot software would be better used doing some other sort of Google spam and we’ll see the number of comment spammers stop increasing. Then, as existing comment spammers stop and their cron jobs get broken, we’ll see a gradual decline of comment spam. In order to stop an epidemic, you need to inoculate everyone.]
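
The deny-by-default behaviour described in the update above, as an added example that is not part of the original post or any blogging tool's own code: a comment renderer that puts rel="nofollow" on every link unless its host is on an explicit allowlist. The class name, function name and `trusted_hosts` parameter are assumptions made for illustration; the code rewrites link attributes only and is not an HTML sanitizer.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit


class NofollowRewriter(HTMLParser):
    """Re-emit comment HTML so every link is nofollow unless its host is vetted."""

    def __init__(self, trusted_hosts=()):
        super().__init__(convert_charrefs=True)
        self.trusted = {h.lower() for h in trusted_hosts}
        self.out = []

    def _trusted(self, href):
        try:
            host = urlsplit(href).hostname  # lowercased; None for relative URLs
        except ValueError:                  # malformed URL: stay with the default
            return False
        return host is not None and host in self.trusted  # exact match only

    def handle_starttag(self, tag, attrs):
        attrs = [(k, v or "") for k, v in attrs]
        if tag == "a":
            d = dict(attrs)
            rel = d.get("rel", "").lower().split()
            # Deny by default: only a vetted host escapes the nofollow token.
            if not self._trusted(d.get("href", "")) and "nofollow" not in rel:
                rel.append("nofollow")
            attrs = [(k, v) for k, v in attrs if k != "rel"]
            if rel:
                attrs.append(("rel", " ".join(rel)))
        rendered = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in attrs)
        self.out.append(f"<{tag}{rendered}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)    # e.g. <br/>: emit once, no end tag

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def render_comment(comment_html, trusted_hosts=()):
    """Return comment_html with rel="nofollow" applied to untrusted links."""
    parser = NofollowRewriter(trusted_hosts)
    parser.feed(comment_html)
    parser.close()
    return "".join(parser.out)
```

With an empty allowlist, which is the default, no commenter-supplied link passes PageRank, matching the abandoned-blog case where nobody is around to delete spam.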