In the past couple of weeks, the blog tools community has been abuzz about a rash of mass comment spamming and how to cope with it. The Movable Type community I am quite active in was hard hit because of its popularity and a couple of existing of bugs that launched resource intensive rebuilds even though they had been blocked or put into moderation. (A fix was just released.)
I've watched the discussion by many well meaning people as to how to stop this attack on open communication this past week or so with a certain sadness.
Initially that sadness was from the realization that many talented, well-meaning and intelligent people were putting a lot of thought and effort into handling this issue instead of doing what they do best. As I've read many of the view points and ideas to combating spam floods of their personal online property, it has shifted to the realization that freedom in open spontaneous communication means being
enslaved to the constant clean-up and defense of spam and the side effects of those measures.
Open communication through comments/forums and effective sustained protection from this type of abuse are in direct conflict with each other making an ideal solution unobtainable.
A lot of ideas have been floated to confuse and trick spambot from finding their targets or making automated posts through various HTML trickery. They will all fail eventually.
The truth of the matter is whatever your browser can read, and thereby you and your readers, so can a spambot. It's all a matter of them programming in the logic to interpret what is there. Some of these measures may work for a short period of time, but eventually they will be thwarted once the spambot developer catches on, another flare up and then a new trick(s) will be needed – back to the beginning.
It's also worth noting that a spammer does not mind making mistakes. If they guess wrong what you may have done to trick their bots, they get to try again until they do. Once they figure out the latest tricks in vogue they can set their bots off to make thousands upon thousands of bogus posts while the community figures out what to do next. These unscrupulous folks are a desperate lot after all.
The most difficult road block for them to work around are ones that require human intervention and intelligence to make a post. The side effect of this being that it also requires legitimate commenters to be inconvienced stepping through this same process.
In a sense repeating the content of a skewed graphic (CAPCHAs) or answering a question like
what is my last name? is along the lines of human intervention and intelligence, but not to the extent that these can't be worked around eventually since they don't match to a specific identity. Spammers have already identified a way around these test through free porn as Boing Boing reported nearly a year ago.
I thought Six Apart's attempt on marginalizing the issue of comment spam earlier this year with their TypeKey authentication service and API was laudable because it put a few of those hard to program steps in place without requiring separate accounts on each weblog or installation of additional software. It also struck a balance between distributed and localized control. Sadly it was panned by many before launch and the community at-large hasn't entirely warmed to the idea. I have to wonder if that is about to change somewhat.
I've seen the comments against implementing any authentication and login systems that say it inhibits the conversation and turns some away. I can understand that point. However I have to wonder what effect all of these automated measures in addition to new and more aggressive strains of attack are having on inhibiting those same conversations. Are these varied alternatives really any better? I think not, but admittedly I choose long ago not to enable comments on my weblog for personal reasons more then spamming concerns.
This whole matter reminds me of something Clay Shirky said during his 2003 ETech keynote
A Group Is Its Own Worst Enemy that is highly relevant to the circumstances the weblog community is currently facing. (Transcribed and lightly edited here. A long, but worthwhile read if you have yet to do so.) Under the heading of things to design for he stated:
…you need barriers to participation. This is one of the things that killed Usenet. You have to have some cost to either join or participate, if not at the lowest level, then at higher levels. There needs to be some kind of segmentation of capabilities.
It has to be hard to do at least some things on the system for some users, or the core group will not have the tools that they need to defend themselves.
Now, this pulls against the cardinal virtue of ease of use. But ease of use is wrong. Ease of use is the wrong way to look at the situation, because you've got the Necker cube flipped in the wrong direction. The user of social software is the group, not the individual.
I think we've all been to meetings where everyone had a really good time, we're all talking to one another and telling jokes and laughing, and it was a great meeting, except we got nothing done. Everyone was amusing themselves so much that the group's goal was defeated by the individual interventions.
The user of social software is the group, and ease of use should be for the group. If the ease of use is only calculated from the user's point of view, it will be difficult to defend the group from thegroup is its own worst enemystyle attacks from within.
So, the weblog community is reaching a cross-roads. Gone are the days of open spontaneous communication through comments. It can now take measures to better defend itself from itself or watch history repeat as its cherished comments wither away under the weight of a past ideal.