Since 1996

Textual kudzu

By Dave Menendez
Saturday, November 15, 2003, at 8:30 PM

Summary: Spammers are starting to attack weblog commenting systems, and some are preparing to fight back. Do they know what they’re in for? Have they learned from the past? Is there anything we can do in a larger sense?

We’re starting to see spammers taking advantage of weblog commenting systems, which leads naturally into attempts to fight that spam. Mark Pilgrim paints a grim picture of what lies ahead for such spam-fighters:

If you want to be an anti-spam advocate, if you want to write software or maintain a list or provide a service that identifies spam or blocks spam or targets spam in any way, you will be attacked. You will be attacked by professionals who have more money than you, more resources than you, better programmers than you, and no scruples at all. They want to make money, this is how they have decided to make money, they really can make a lot of money, and you’re getting in their way.

To be quite honest, I’m astounded that people are seriously proposing to fight spammers of any sort with domain- or IP-address–based blacklists; there are simply too many ways for that sort of thing to go awry. Bayesian content filtering would probably be more successful (my e-mail filter has been 99% accurate over the past 14 days), but they require time and effort to train.

In the end, any system that allows third parties to store information on your computer, whether by posting a comment or sending an e-mail, is vulnerable to spammers. The easier we make it for people to contact us, the easier it becomes for spammers to abuse. It’s a lot harder to spam a message board that requires membership to post, but how many legitimate readers will simply decide not to leave a message if they have to register first?

One of the goals for TDL was to make it easier for people to make comments between weblogs. That is, if I wrote a post and you had a response, you would make it on your own weblog rather than a comment section at mine. Naturally, this only works if you have a weblog or somewhere else to post comments, but it does take care of the spam problem—somewhat.

The difficulty lies in the ability to link my original post to your comment. If my system is set up to automatically detect that your post responds to mine, then all the spammers have to do is fool it into thinking their pitch is a legitimate response. Setting it up so that human intervention is required is simply impractical, because of the boredom.

I don’t think it’s a hopeless situation, but neither do I think it’s a simple one. Especially, though, it’s a situation where it pays to learn from the past.