I just got this spam on my blog - it got through Akismet, as so many spams do lately, but it’s worth posting (at least in image form so the spammer doesn’t get any juice from it):

And, yeah. I hit the “Spam” button to file this in /dev/null even if the guy was honest(ish). I’m assuming he just ripped the text out of Wikipedia or something, and used it without proper linktribution…

It’s my blog, and I get to determine what is spam and what is not. The latest round of human-generated spam is getting past the automated spamblocks because the comments look valid. They’re natural language, often on topic, and occasionally even interesting or insightful - or relevant to the post being spammed.

I’m using a few WordPress plugins to help ease the pain, but for the love of Xenu, this bullshit should not be necessary.

But, if I think a comment is spam, I reserve the right to nuke it. Or to remove the URL and leave the comment in place. It’s my blog, and I’m sick and tired of people crapping on it in order to game google. PFO.

The spam problem has been the bane of openly available “web 2.0″ sites since, well, forever. Everyone universally hates spam. Everyone, universally, wants to see it go away. Why is it still a problem?

Wait. Not everyone wants it to go away. There are two groups of people who benefit from spam.

• spammers
• google

Of course spammers won’t stop - they have a money factory running, and are locked in an arms race against the global online community in an effort to game ever larger lumps of cash from Google.

Google says they want it to stop. They came up with a wonderful solution that would have stopped spam in its tracks - the only downside was that the solution would have destroyed the network effects of the web by negating links. Baby? Meet bathwater. Meet half-assed “solution” that lets Google say “hey! we tried! Really we did!”

But, why did Google stop at a half-assed solution? Why not go fully-assed? Because they benefit from spam. Every time some moron stupidly clicks on a spam factory’s Google ads, Google gets a cut, and they happily send cash to the spammer.

The evil spam roaches inflict their spam on the various “web 2.0″ resources - anything that has an open form intended to foster dialogue and conversation - this spam gets indexed by Google, who then send the roaches a cut of all proceeds from the ads on those spam factory websites.

Anyone else see a conflict of interest here?

There is an easy solution.

Google: to stop the spam, you have to stop paying the spammers.

How to do that? Well, I’m not a multi-bajillion-dollar company stuffed to the rafters with PhDs or anything, but how about this for a start:

If someone reports a website as a spam factory, their adsense revenue goes into an escrow-like state until it can be shown to NOT be spam. They don’t lose any money if they’re legit, but they have the opportunity to lose their revenue if they are shown to be evil spam roaches. What to do with the revenue seized from verified spam factory adsense accounts? Google can’t keep it - it just maintains the conflict of interest. They should donate it all to the EFF or something similar.

Photo credits:

• Google sign
• Phat wad of cash
• Spam truck
• Web 2.0 Tag Cloud
• Roaches

My blog has been receiving spam in what looks to be a new wave of spam attacks. First, the spammers seed the whitelist by posting apparently innocuous comments with no URLs, or with a URL that doesn’t contain spam. Then, once they’re in, they wait a bit and then throw the switch. The spam starts a’comin’ and it sneaks through Spam Karma 2. Very annoying.

One thing I really like about SK2 is that it is standalone - it doesn’t rely on any network connection or other systems to flag stuff as spam. It just tracks IP addresses, user agents, and sniffs the content and URL for attempted comments.

But, that might be its weak point as well - by not harnessing the power of The Cloud, it’s more vulnerable to these kinds of guerrilla spam insurgencies. Once someone using Akismet has flagged someone as an evil spammer, everyone automattically benefits from that, without having to each individually flag the spammass as a jerkwad.

SK2 has served me well for quite some time. Here’s the current stats report:

Over 200,000 spams dealt with. But the number of moderations required is getting inconvenient - not impossible, but it’s becoming something I need to manage rather than just fire-and-forget, the way things used to be.

Now, with Akismet enabled instead, I’m at the mercy of The Cloud, but that might not be a bad thing…

I've been off-blog for a few days, and haven't had a chance to deal with this yet. I received a couple of email from folks saying they were having difficulty commenting on my blog. I thought maybe Akismet might be blocking them, so I've just switched back to a Drupal 5 development snapshot of Spam.module. Yes, it's a continuing ongoing saga of switching back and forth between Akismet and Spam.module. Hopefully this solves the comment problem without subjecting this blog to a torrential spamstorm.

Akismet is nice, with its distributed spam blocking algorithm (hey! I sound like the schlub on Numb3rs!) but it's essentially a black box - if something goes south, there's no way to fix it from my side of the fence. Spam.module lets me tweak as needed.

Update: It took 7 hours for the first spam to sneak through. Frakking spammers. Time to re-tweak the Spam.module custom rules…

We've been running a copy of Mantis here in the Teaching & Learning Centre to track bugs and issues in our projects for a couple of years now. And over the last few months, there have been a couple of accounts created per day in an attempt to proliferate spam. They create an account, with the URL pointing somewhere spamworthy, and then never post any content.

Does anyone know why someone would try to target spam at Mantis? I can't see how that would gain them Google juice, so I'm boggled that someone's taken the time to tweak a bot to hit Mantis. 

I'll occasionally go in and prune out these orphaned accounts, and make sure they haven't lefk any content, but so far it's been a strange but harmless(?) exercise. 

I got an email from Alan last night mentioning that his blog was actually knocked offline by the overzealous actions of spammers. They were hammering his site so hard that his host had to kill the site. He had been running the CogDogBlog on some graciously donated webspace, so it’s understandable that they weren’t thrilled about the load that spammers can add to a server.

Unfortunately, Alan’s got a Day Job™ which is currently in conference management mode (i.e., traveling and busy) so he’ll be trying to get things back up and running in the few spare milliseconds he can eke out in the next little while.

Yet another reason why Google needs to step up and show some serious corporate responsibility in helping to actually solve the spam problem created by Adsense. Come ON, Google, what’s it going to take? How many billions of spamments need to be inflicted on blogs, wikis, and other open web spaces before you’ll act?

I’ve outlined some potential ways to solve the problem, but curiously never heard from Larry or Sergey.

Dear Apkakkallli spammer,

P. F. O.

You are not going to win. I will not let you vandalize my blog. Get a clue. Your 24,712 (and counting) attempts recently have all failed. Every. Single. One. Move along. Or, better yet, get a job (or a life). All you’re succeeding in doing is wasting my time, and the resources of my server. And in pissing me off, which guarantees that you will not succeed here.

You may as well point your spambot zombie farm somewhere else - or better yet, decommission it, rather than inflicting your inane Google-powered vandalism on other people. I count over 800,000 references to Apkakkalli in Google right now, including a handful of old spamments that temporarily snuck through onto my blog. And that’s with duplicates removed, so the total count of your spamments is likely in the millions. That’s a LOT of spam you’ve foisted on the blogosphere. I really hope that Karma comes back to you. Really soon.

If you’re ever in Calgary, give me a shout. I’d love to, er, buy you a coffee or something. Yeah. That’s it. A coffee…

Spam is the scourge of the internets. It clogs Internet Tubes all over the globe, overloading the trucks that take internets around the world.

And it is directly caused by Google’s PageRank and Adsense systems. They (as well as others, but primarily Google - take a look at any spam farm, and you’ll see prominent Adsense ad blocks) created this mess by enabling individuals to cash in on hijacking innocent websites that have enabled anonymous commenting.

A spammer can sit in his basement, run some scripts to find juicy targets, send out some probes, then unleash hell in the hopes that they will improve the PageRank of their (or their client’s) websites, in an attempt to increase Adsense revenue on those sites.

So, here’s the easy solution. If a website is shown to be associated with spammish activities, the Adsense account is suspended. And their PageRank is reset to 0. Take away the financial incentive, and the rules of the came change.

It’s time for Google to step up and show some corporate responsibility. The whole rel="nofollow" solution is a non-starter, since it only works if we all agree to break the nature of the web in the first place by devaluing all links contributed to a website. It’s not worth throwing the baby out with the bathwater.

Now, how to define “spammish activities” - and, who gets to determine if a spam producer is guilty of that? There could be juries. There could be committees. Heck, it could become a social software tagging exercise, where the intelligence of the hive is harnessed to determine if something is spam or not. spamornot.com? Have an appeals process, to prevent abuse. Have a responsible governance system to ensure effectiveness.

It seems to me that it would be in Google’s best interest to protect the value of PageRank and Adsense. By allowing spam farms to co-opt both systems, they devalue both. By ensuring spammers are removed from the system, we’re left with a more realistic representation of the online advertising ecosystem, with (hopefully) better representation of the actual contributors and participants.

But, this has to stop. Now. It’s only getting worse, and is threatening to smother any semblance of openness left on the web (1.0, 2.0 or beyond).

After switching from BadBehavior+Spam.module back to Akismet, I assumed I’d be in for a bit of an onslaught of spam. I was braced for impact. I can’t believe the sheer volume of sustained attempted spam comments that are constantly being flung against this blog, 24/7 now. It’s peaked at several attempts per second, which was adding a bit of a load to the server as it struggled to thwart the forces of evil.

Shortly after switching to Akismet, and enabling the experimental spam detection, I was seeing this:

Now, that might not look like much, but it suggests that Akismet was having to reject attempts several times per minute. Fast forward 24 hours, and I see this:

Again, not looking like much, but the interval between Akismet interventions is getting longer. Either the spammers are slowly starting to give up, or this is just a natural lull. I mean, there can be several minutes now without an attempted spamment posting. Entire minutes!

Now, the downside of Akismet is that I can’t use it on any of my campus projects. The cost of licensing Akismet for the number of sites we have would be prohibitive, given our budget asymptotically approaching zero dollars (CDN).

OK. Even I am getting sick of the incessant "spam blocking update" posts, but I figure if it helps even one other person put the brakes on the attempts of the evil spamroaches, it's worth it.

So, here's the latest. I got frustrated with the number of spamments that snuck through the combo of Bad Behavior and Spam.module, so I disabled both. I've reverted to using only Akismet.module, with the experimental spambot detection/prevention enabled.

And, so far, it's doing a better job at blocking the roaches. I've got no idea if it's also blocking legitimate hu-mans, though.

One nice thing about Akismet.module vs. spam.module - with Akismet's experimental spambot prevention, it's closer to acting like Spam Karma 2, where if you smell like a roach, you don't even get close enough to pop the lid off your can of spray paint.

I'll have to look into updating Akismet.module for Drupal 5. There's really no sense in actually moving to D5 without spam blocking. That'd be kind of silly.

As an aside, I was looking through some of the logs, and found an interesting user agent, which led me to the product website for one of the evil spam roach comment bot factory applications. They have disclaimers on the site saying they don't condone using their product without the permission of the blog owners. What? Permission? What a frakking load of ass-covering crap that is. Yeah. You're going to give someone permission to aim a program titled "Blog Post Uzi" - because, you know, Uzis are all warm and fuzzy, and the kind of thing that friends give permission to other friends to point at each other. Yeah. Permission to spray the output of a concealable assault gun. Whatever. Karma's going to catch up to you in spades, my friends at Promo Arsenal (dot com).

During this latest sustained spam attack, this blog has been a little less responsive than I’d like. I’m thinking it’s related to Akismet’s need to talk to the mothership to verify each comment. As an experiment, I’ve switched back to Spam.module, disabling Bad Behavior and Akismet. It’s a bit of a risk, switching spam blocking strategies in mid-attack, but whatever. That’s what backups and phpMyAdmin are for.

Already, the site feels slightly less unresponsive. I’ve never been really happy relying on an active network connection to the Akismet Mothership to check each and every comment, and Spam.module is a completely self contained solution. It’s closer to Spam Karma 2 - the best spam blocking plugin for WordPress. Bayesian voodoo checking the content. Link counting, IP checking, etc…

So far, only a few snuck through in the short time between disabling Bad Behavior and Akismet, and enabling and configuring Spam.module.

In poking through the spam log, it looks like one particularly persistant roach just won’t get a clue. None of his crap has gotten through, but he just keeps coming back. Googling a portion of his automatically generated names turns up a list of 818,000 comments this person (or group) have flung onto the blogosphere. Almost a million spam comments. There’s a brand new inner circle of hell opening up for this clown.

Of course, I’m setting myself up here. If Spam.module falls over, I’m wide open to potentially thousands of automated spam comments. This should be interesting. I’m debating requiring comment previews before submission, so Spam.module can kill spammers before anything touches the database, but I’ve never liked making anyone jump through any more hoops than absolutely necessary (no CAPTCHA, no confirmation words, etc…).

Update: Well, it hasn’t been 100% bulletproof, but I only woke up to find 3 comment spams that needed removal. The sustained attack continues, though, so hundreds of other attempts were successfully blocked. Not bad. I may turn Bad Behavior back on to try the combo of BB+Spam.module…

Update 2: The spammers are getting frustrated. It looks like 2 separate attackers. One is using a single IP address, which was easily blocked via .htaccess. The other apparently commands a zombie network with an unknown number of computers from various networks. Hard to block via a simple htaccess deny access directive. But spam.module cleaned it out pretty quickly.

Now, they’ve resorted to simply salting the earth. If their links can’t get onto this blog, they’ll settle for just polluting it with as many garbage nonsense random ascii comment filler as possible. It’s either to vandalize for vengeance, or to confuse the Bayesian magic that filters incoming comments. Either way, I had to spend half an hour manually nuking the garbage that got past the filters. What a waste of time.
The spam.module log database table currently has over 25,000 entries. And it’s only been turned on for just over 24 hours.

This blog has been under a pretty heavy sustained spam attack for the last couple of days. In the last 12 hours, over 500 attempts got past Bad Behavior (gods know how many were blocked in that period by BB) - but not a single one got past Akismet, which handles anything that isn't obvious spam. I was trying to figure out why the sudden attack, and then it struck me - the Google Pagerank of the site must have changed, making it a juicier target.

For some reason, the Google Pagerank is now up to 7. For a mundane, narcissistic, banal collection of stuff.

Google Pagerank for D'Arcy Norman dot net

For perspective, I checked what the PR of the City of Calgary website is. 6. Weighted higher than a website for an entire city of a million people. Granted, the city website sucks twelve ways from sunday, but still…

The University of Calgary? 8. This blog is weighted almost as highly as an entire research university's website. w. t. f. ?

That's just bizarre. Hopefully just a glitch in the PR algorithm. But it does explain the sudden surge in spam attacks. They must be using Google's own APIs to determine juicy targets to hit. Nice. Thanks for that.

Another factor that might make this blog a juicy target for spammers is that I don't use the rel="nofollow" attribute on comment links. If a comment isn't spam, it deserves to be counted as a link. That's what the internet is based on, not discounting an entire set of links just because they may or may not be spam - especially when the comments have already been marked as non-spam. Spam comments don't get posted (or if they do, they don't live long) here.

I was just clearing out the last of the comment spam - I'd let it stew in the database (unpublished) but thought I'd take a quick peek to see if there were any false positives. I thought I'd found one - a comment marked as spam, but with content portraying sympathy with my plight against these spammers - that they must be stopped.

A Spammer Responds (screenshot): This spam roach was trying to get whitelisted by commiserating on the evils of spammers… It didn't work - Akismet sniffed it a mile away.

So, without thinking, I clicked "submit ham" - to tell Akismet that it was a bona fide comment. Then, I checked the URL to see which friendly blogger was commenting.

And got a spam site.

The spammer was trying to get through the filters by reading my recent post and trying to get whitelisted by posting something not spamish at first glance. But, Akismet had stopped him in his tracks - until I clumsily intervened. It's now re-flagged as Spam, and banished to that special inner circle of hell reserved for these roaches.

The spammers started trailing off not long after I wrote the previous post - before hitting their target of 20,000 spam attempts in 24 hours. They punked out at about 18,000 - then I closed the door with the Bad Behavior module.

It was kind of interesting leaving the spammers swarming around my blog as a honeypot, but the load was just getting annoying. Since enabling Bad Behavior, Akismet has had to deal with less than a dozen spammers getting through in about 24 hours - and I haven’t had to deal with (or even be aware of) any of them. That’s a wee bit of a change…

Bad Behavior makes me a bit nervous though, because it is rather unforgiving by design. If it thinks you’re a spammer, or if your IP has been used by a spammer, you’re locked out. No second chances. That’s good, but it’s also a bit authoritarian. There’s also no admin interface for it, so if I want to unblock someone, I have to dig around in the database to nuke the appropriate records.

I’ll keep an eye on things, but it’s pretty cool knowing that this blog could handle a pretty intense load without breaking a sweat, that spammers will not be getting in, and that it takes basically no effort on my part to maintain things. Very cool.