Comments on: Link Spammers

Link Spammers

brownpau — Mon, 31 Jan 2005 13:42:24 -0800

Interview with a Link Spammer. [via] Get to know one of the scummy linkpimping bottomfeeders who abuse our referrer logs and weblog comments, then take measures to protect yourself. AnnElisabeth.com has much more (just keep scrolling), and of course, check your own weblog software for rel="nofollow" updates.

By: Pretty_Generic

Pretty_Generic — Mon, 31 Jan 2005 13:44:40 -0800

Like this guy?

By: Steve_at_Linnwood

Steve_at_Linnwood — Mon, 31 Jan 2005 13:53:36 -0800

Seven-figure salary for GoogleBombing?

By: TeamBilly

TeamBilly — Mon, 31 Jan 2005 13:57:18 -0800

Part of me wants to wager with law enforcement: how many LEOs will it take to pry my thumbs off his larynx before I crush it? I say four. But another part of me has to shrug. While exploiting proxy server weaknesses is nasty, it is incumbent on sysadmins to prevent this sort of thing, isn't it? I mean, I'm not excusing the behavior at all, but it seems that it would be relatively straightforward (if not easy) to put a stop to this. Or maybe I'm wrong.

By: orthogonality

orthogonality — Mon, 31 Jan 2005 14:01:43 -0800

THESE IS A GRATE LINKS!!1!!1! Shrink yur p3n1s! With a low rate mortgage! while you work more productively!

By: John Kenneth Fisher

John Kenneth Fisher — Mon, 31 Jan 2005 14:06:27 -0800

Just because I find it interesting to know who is and is not using this, I have my browser's custom CSS set to make nofollow links bright green. This allows me to see at a glance, for example, that the "scummy" link above is protected. Or that Wikipedia's external links are nofollow'ed. Etc. To do this: a[rel~="nofollow"] { text-decoration:blink !important; color:lime ! important; }

By: walrus

walrus — Mon, 31 Jan 2005 14:10:14 -0800

"So what does put a link spammer off? It's those trusty friends, captchas - test humans are meant to be able to do but computers can't, like reading distorted images of letters." Seems like this would be the next must-have feature for open comments software.

By: Freen

Freen — Mon, 31 Jan 2005 14:17:05 -0800

Yeah, there's a plugin for moveable type that does this called Scode. It's quite easy to install, but the algorithm it uses by default to produce background noise is pretty weak (just plain crosshatch, no randomness). I used it on my blog, and presto, from 50 comment spams a day to none. I worry about when they start using people trying to find porn to solve captchas. gonna happen any day now. Maybe it you didn't allow hotlinking to the image....

By: Freen

Freen — Mon, 31 Jan 2005 14:18:02 -0800

Oh, another problem with captchas is that they can limit accessiblity, specifically to those net users who happen to be blind.

By: John Kenneth Fisher

John Kenneth Fisher — Mon, 31 Jan 2005 14:19:57 -0800

Yeah, that's pretty much the only reason I don't use them on my (incredibly unpopular) weblog. I may not have any blind readers, but then again, I MIGHT, and they should be allowed to comment just like anyone else.

By: jperkins

jperkins — Mon, 31 Jan 2005 14:21:19 -0800

Maybe it you didn't allow hotlinking to the image.... The image can be downloaded by the spammer and then they can serve it to others for solutions.

By: me & my monkey

me & my monkey — Mon, 31 Jan 2005 14:29:04 -0800

"So what does put a link spammer off? It's those trusty friends, captchas - test humans are meant to be able to do but computers can't, like reading distorted images of letters." I recently saw a lower-tech (and probably more accessible) alternative that would probably work for most cases - ask the user a question via text. The example I saw was a math question. With a wide enough variety of questions, it just might work.

By: delmoi

delmoi — Mon, 31 Jan 2005 14:29:13 -0800

The problem with showing captchas to people intrested in seeing porn is that 1) there's plenty of free porn out there, and 2) once you have the traffic you can just link to adult friend finder(nsfw) and make decent money off the traffic. Now I suppose that there are plenty of wankers who don't know about 1 (the good porn on the net) and plenty of bottom feeders who don't know about AFF. You know really, the worst thing about these idiots is that they really make it difficult to actualy find the good porn out there, if you don't already know where to start.

By: JZig

JZig — Mon, 31 Jan 2005 14:29:44 -0800

Livejournal provides two captchas: one visual and one automated audio version. I don't know what the technology they use is, but if I were going to use captchas, I would only do it using that. Especially because captchas have gotten to the point that I can't read them half the time.

By: delmoi

delmoi — Mon, 31 Jan 2005 14:31:01 -0800

I recently saw a lower-tech (and probably more accessible) alternative that would probably work for most cases - ask the user a question via text. The example I saw was a math question. With a wide enough variety of questions, it just might work. That might be better for the blind, but it also might be worse if you don't speak english. On the other hand it might be better to use these little tests rather then some huge orwellian central authentication system.

By: Freen

Freen — Mon, 31 Jan 2005 14:34:42 -0800

My blog is very specific and community oriented. We use it to plan our burningman camp, and so I know just about everyone who posts and comments on it. I tried to get freephilter to work, but alack no love. Maybe I'll keep trying in case we get a blind camp member or something.... On preview: If i start getting comment spam again, i'll switch so something more like metafilter, or do something like randomly change where the image lives, or have a real-time captcha. Post a link and the captcha pops up with a limited time window for completion.

By: mrgrimm

mrgrimm — Mon, 31 Jan 2005 14:34:53 -0800

Sam explain the important thing to remember is it's nothing personal.

By: walrus

walrus — Mon, 31 Jan 2005 14:36:23 -0800

It's a difficult problem technically to provide a solution which doesn't limit access. Perhaps there isn't one in the longer term, but it would be a pity to think that. On the subject of audio "captchas", speech recognition is way ahead of image recognition, so the current rarity of this solution is probably its only advantage. There are also ready algorithmical solutions for maths tests ... the question then becomes one of recognising the question.

By: walrus

walrus — Mon, 31 Jan 2005 14:37:41 -0800

"have a real-time captcha. Post a link and the captcha pops up with a limited time window for completion." Problem being, if you have an algorithmical solution then computers are faster than people ...

By: Freen

Freen — Mon, 31 Jan 2005 14:40:25 -0800

Captchas aren't algorithmic. They require human interation usually. So a potential spammer would have to take my image, serve it so a meatspace person elsewhere and have them solve it and bring the solution back in time. they probably could, but it might be enough to foil them for another round.

By: walrus

walrus — Mon, 31 Jan 2005 14:44:44 -0800

"Captchas aren't algorithmic." Sorry, I'm thinking ahead too much. I can think of a few heuristics, specifically in the AI sector, which could do a reasonable job if they can get a significant sample to work with.

By: me & my monkey

me & my monkey — Mon, 31 Jan 2005 14:44:59 -0800

That might be better for the blind, but it also might be worse if you don't speak english. Well, that's pretty simple - use whatever language is used by the rest of the page/site!

By: walrus

walrus — Mon, 31 Jan 2005 14:46:55 -0800

(I'm presuming in my last comment that you have a limited set of images to serve)

By: JZig

JZig — Mon, 31 Jan 2005 14:47:24 -0800

Also, does the name Captcha bother anyone else as much as it bothers me?

By: Firas

Firas — Mon, 31 Jan 2005 14:48:44 -0800

WP-Gatekeeper does that math puzzle-type thing. The questions can also be like, "what is the weblog author's first name?" etc. I don't think the language barrier is a real problem--why would you comment if you don't understand the language the weblog is written in? It would just be gibberish... if I 'kinda' understand a post, I can 'kinda' understand a simple challenge question too. On the other hand, mental disabilities/other lack of certain skills *are* an issue.

By: JZig

JZig — Mon, 31 Jan 2005 14:49:55 -0800

walrus, it should be fairly easy to take any open source captcha generator program and wire it up to be part of a genetic algorithm until it manages to produce the exact same image that the same open source captcha software used on the actual website, and use that knowledge to answer it. It would be harder without source, but no harder reverse engineering than cracking your average game program.

By: seanyboy

seanyboy — Mon, 31 Jan 2005 14:50:33 -0800

I despise comment spam more than I despise spam. Before I hacked a spam comment blocker into wordpress I was getting literally 100's of comment spams advertising the usual. They got put into the moderation queue, but I'd still be deleting comments for 15 minutes every day. Now, thank god, I'm only getting 10 or 15 spammed links every week.

By: Freen

Freen — Mon, 31 Jan 2005 14:50:55 -0800

Yes but then it becomes computationally expensive for comment spammers. Perhaps not enough to make it unprofitable, but at least more expensive.

By: Freen

Freen — Mon, 31 Jan 2005 14:52:45 -0800

By: Freen

Freen — Mon, 31 Jan 2005 14:53:10 -0800

err. troubles.

By: walrus

walrus — Mon, 31 Jan 2005 14:57:20 -0800

But computation isn't very expensive any more. If there are a limited number of images, over the entire set of "captchas" (I hate that term too), then it becomes even cheaper once you've nailed them. Genetic algorithms are probably more expensive than heuristics (which sacrifice a certain amount of accuracy for speed). Addressing the point of random noise, there are also workable heuristics to extract it ...

By: Freen

Freen — Mon, 31 Jan 2005 14:57:23 -0800

If you want to check it out in action, walrus, the blog is linked in my userpage.

By: hattifattener

hattifattener — Mon, 31 Jan 2005 14:57:45 -0800

I worry about when they start using people trying to find porn to solve captchas. gonna happen any day now.

Supposedly it's been happening for a year or so already.

By: Freen

Freen — Mon, 31 Jan 2005 15:01:42 -0800

yeah. I need something better to generate the backgrounds and maybe add more characters.... but basically, i'm just not the low hanging fruit anymore. This isn't a permanent solution. This is more security through diversity.

By: exhilaration

exhilaration — Mon, 31 Jan 2005 15:03:02 -0800

I'm using browser-side hashes to defeat spam comments. This requires your browser to perform a small Javascript computation in order to post a comment. It's invisible to users of IE, Mozilla, or Opera, but blocks spam bots because they (currently) don't support Javascript. Wordpress users should install Hashcash. I'm sure there's an MT equivalent. I'm also using the wp-nofollow plugin. This feature will be built into the next version of WordPress.

By: walrus

walrus — Mon, 31 Jan 2005 15:04:35 -0800

"This is more security through diversity." That's why I spoke about it being a short-term solution. No doubt in the longer term there will be other measures for keeping ahead of the curve. It's the old evolution story, and there will always be winners and losers. Think I might try using what you're using myself for now though.

By: Freen

Freen — Mon, 31 Jan 2005 15:10:06 -0800

Right on. Well best of luck. Email me if you have any questions, and i'll try to help you out.

By: JZig

JZig — Mon, 31 Jan 2005 15:15:59 -0800

Security through diversity can work well here, especially if you do a custom solution. If someone WERE to attack the creation software instead of trying OCR, writing a system from scratch would totally protect you, at least until it became popular. Anything unusual is better than nothing.

By: login

>> does the name Captcha bother anyone else as much as it bothers me? I've always called them turing tests...

By: Hildago

Hildago — Mon, 31 Jan 2005 15:56:17 -0800

Nah, the only way to beat brute-force computer counter-security is by using things that only a human being would know. I'm gonna develop a captcha type system that asks users questions like "what does it feel like to fall in love?" or "describe friendship." No computer could ever answer that.

By: neustile

neustile — Mon, 31 Jan 2005 16:11:54 -0800

Yeah, you could say: "Describe in single words, only the good things that come in to your mind about your mother."

By: odinsdream

odinsdream — Mon, 31 Jan 2005 16:12:53 -0800

Some more thoughts on Turing tests and reasons for their failure or success. (from my webhost's forums, they're good people)

By: walrus

walrus — Mon, 31 Jan 2005 16:19:29 -0800

Nice bladerunner reference.

By: freebird

freebird — Mon, 31 Jan 2005 17:43:13 -0800

I don't think calling them Turing tests is quite accurate - my understanding is that the Turing Test is about fooling a human into thinking it's talking to a human. Fooling a computer is different. Yes, I'm being a bit pedantic, but if the two were equivalent we wouldn't have this problem. Or maybe it'd be worse, whatever...

By: odinsdream

odinsdream — Mon, 31 Jan 2005 18:10:12 -0800

ok, reverse-turing-test. RTT.

By: dhartung

dhartung — Mon, 31 Jan 2005 18:19:48 -0800

>> does the name Captcha bother anyone else as much as it bothers me? I've always called them turing tests... The word is an acronym for completely automated public Turing test to tell computers and humans apart. (Yes, technically it is a reverse Turing test; see the article.) It is, in fact, a trademark.

By: DyRE

DyRE — Mon, 31 Jan 2005 21:09:26 -0800

"Let me tell you about my mother." Interesting article, though I'm disappointing there wasn't more relating to the spammer's justification, although I guess if the Reg pressed the issue, the interviewee could have just said "well if you want to be all high and mighty about it, goodbye." Then again, maybe there really isn't much more to it.

By: DyRE

DyRE — Mon, 31 Jan 2005 21:09:59 -0800

Ack! "disappointed" not "disappointing"

By: delmoi

delmoi — Mon, 31 Jan 2005 21:19:13 -0800

No, images are created on the spot by a random number generator, and with random noise in the background. Enough noise so that a person with fairly good eyesight can read it, but a computer doing OCR might have some torubles. *might* is the operative word there. And by the way a feed-forward multilayer neural network would probably do a much better job then a genetic algorithm.

By: hattifattener

hattifattener — Mon, 31 Jan 2005 22:53:06 -0800

IIRC, (well-written) captchas are designed to insert exactly the kind of noise that experience has shown real-world OCR software to have trouble with.

By: i_am_joe's_spleen

i_am_joe's_spleen — Mon, 31 Jan 2005 23:49:32 -0800

Re accessibility problems with captchas, my bank is now offering an alternative "click here to have this read out to you". It's not going to work well with Lynx but least it's an option for the blind. TeamBilly, open proxies may be a sysadmin's problem, but they're everyone else's as well. Also, many proxies are actually trojanned windows boxes - no sysadmin in charge there.