October 9, 2012

an open letter to google’s gmail team

cwage @ 2:26 pm

Dear Google,

I love gmail. It helped me regain control of my inbox at a time when I thought it was a lost cause. Labels, starring, priority inbox -- tools that helped revolutionize the way I filter information.

It's 2012 now, and I'm sad to say that I'm losing control of my inbox. The problem is spam. Every day, it fills to the brim with messages from vendors -- some of which I've used, and some of which I haven't -- who think they have a legitimate reason to be emailing me. It's not your fault -- it's theirs, and mine. It's theirs, for operating under the assumption that my doing business with them is implicitly giving them permission to e-mail me every fucking day. It's my fault for doing business with companies that operate like this, but such is the world we live in. I know you have the "Spam" button, and while perhaps those messages do wind up in some deep, dark basement of Google somewhere where they actually analyze them, most people are hip to the fact that it basically does nothing. It's a placebo. Pushing it will make you feel better for a short while, but eventually you realize that it's doing nothing. I've been trying to unsubscribe from the AFA's newsletter for around 5 years now.

Sure, I could take some time, every day, to go and "change my e-mail preferences" or "opt out" -- most of which only serves to confirm for the spammer in question that you're getting their e-mail. I could painstakingly create filters for each of these vendors/messages in the clunky filters interface.

What I want is a "spam" button that actually does something. Give me a button to push that says "you will never see mail from this company ever again". I ran a spam-filtering service for years -- I know how hard it is to filter junk from mail without false positives. What's not hard is filtering out mail based on a certain sender or keywords. The functionality is already there, but the interface is useless. I realize that attempting to manually filter out unsolicited messages one by one is a futile gesture, but at least give me a futile gesture that works. It's like being caught in a zombie apocalypse and being armed with a pistol full of blanks. Sure, I'm gonna die anyway, but at least give me the satisfaction of taking down a few zombies before I go. The "Spam" button is a joke.

Give me control of my inbox! I'm a big boy. I can handle it.

Sincerely, cwage.

PS: to anyone else reading this, if you know of a google marketplace app or chrome extension or anything, really, that makes this process easier, please let me know!

December 4, 2006

comment verification

cwage @ 5:25 pm

Some interesting discussion on NiT on the topic of comment verification, in which my wordverify plugin is mentioned -- specifically, on the annoyance of the image-based obfuscated letters as verification. I'll just post what I've got on the wordverify page again, for starters as far as what Wordverify aims to accomplish:

The idea is that a lot of commentspam is driven by automation, naturally, and the introduction of a human element in submitting an extra bit of verification can help kill a lot of this spam. SecureImage is an example of a great plugin that uses ImageMagick to display an image with random letters that the commenter must verify. WordVerify provides a simpler alternative to this method, by just requiring the entry of a single word. This provides a healthy compromise for smaller blogs that don’t necessarily need the security of a dynamic image. The chances of any comment spammer bothering to screen-scrape my blog just to comment-spam it, much less OCR an image, are pretty low. For smaller blogs, the simple addition of a codeword is probably more than enough.

Even this description is lacking, however, but I'll get to that. Mack asks:

I hate word verification. Most of the time, I have trouble distinguishing the letters, i's and l's, for example, so inevitably I get it wrong, and have to start all over. So, I started wondering, how many people just don't bother to get into the "settings" of their blogger account to turn this decidedly inconvenient feature off? Surely most bloggers don't get enough traffic to warrant having this extra security feature, do they?

No, but that's not the issue. The issue is that they're all using blogger. Or wordpress. Let me explain:

It's not really an issue of "big" or "small", so much, as it is an issue of whether or not you're a target. You're a target if spam to your blog can be automated -- if the mechanism to comment on your blog is predictable. This means you're a target if you use a popular blogging service like blogspot or you're using popular blogging software like WordPress.

You don't have to be a high-profile blogger to get comment spam. You just have to have a blog. Spamming is easy. The Save Claudia website (running wordpress) was getting comment-spam and trackback spam within a few days of going live.

The idea behind the image-based comment verification is that it introduces a human element into the process -- something that is not easily (or at least cheaply) automated. But this approach is still defeatable. The problem is not the method of verification itself -- the problem is that it's the same for every blog on blogspot, or the same for every installation of WordPress. It doesn't really matter how complicated you make the verification process -- barring implementing a Turing test, it's probably always going to be defeatable. If it's the same on every blog, it can be automated. So, we have two choices. The first is to resort to ever more complicated human-verification methods, standardized on each blogging platform, in a never-ending arms race with comment spammers. That's the decision driving the image-verification approach: it's complicated enough, and expensive (resource-wise) enough, to defeat that it works. For now.

Alternatively, we can perhaps do something smarter: we give the individual blog owner the control to mix up the verification process and make it harder to predict what's being asked, rather than making the question harder. That's the philosophy behind Wordverify, and it's a barebones simple approach to accomplishing that: it allows you to change not just the codeword you need to enter, but also the phrase that asks or demands that you enter it.

This means that the only way to defeat my implementation of wordverify requires a human element: someone has to go to my blog, see the phrase "Please enter 'confront' without the quotes." and realize that they need to send codeword=confront in the POST. This can be automated, yes, but if so, it's a simple matter for me of changing the codeword and the phrase so that it again requires a human element to tweak the automated script. This of course is unlikely to happen, since no one spammer cares that much about specifically spamming quietlife.net. I'd probably be retired on ad revenue alone if that were the case.
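The check described above, as an added Python illustration (not the plugin's own PHP code): the owner sets both the codeword and the prompt, the comment handler compares the submitted field against the codeword, and rotating the pair breaks any script tuned to the old form. Letting the owner rename the POST field as well is a hypothetical extension beyond what the post describes; all configs and submissions are constructed.

```python
import hmac
from dataclasses import dataclass, replace
from typing import Mapping, Optional


@dataclass(frozen=True)
class WordVerifyConfig:
    """One blog's settings: the owner picks the answer and the question."""
    codeword: str            # the word a commenter must type
    prompt: str              # phrase shown beside the field; {word} is substituted
    field: str = "codeword"  # POST field the answer arrives in (renaming it goes
                             # beyond what the post describes; hypothetical extension)

    def render_prompt(self) -> str:
        return self.prompt.format(word=self.codeword)


def _normalize(answer: str) -> bytes:
    # Humans add stray whitespace and capitals; tolerate those and nothing else.
    return answer.strip().lower().encode("utf-8")


def verify_comment(cfg: WordVerifyConfig, post: Mapping[str, str]) -> bool:
    """True only if the expected field carries the expected codeword."""
    submitted = post.get(cfg.field)
    if submitted is None:
        return False
    return hmac.compare_digest(_normalize(submitted), _normalize(cfg.codeword))


def rotate(cfg: WordVerifyConfig, codeword: str, prompt: Optional[str] = None,
           field: Optional[str] = None) -> WordVerifyConfig:
    """The owner's response once a script has learned the current question and answer."""
    return replace(cfg, codeword=codeword, prompt=prompt or cfg.prompt, field=field or cfg.field)


# Constructed configs and form submissions (not real traffic).
CONFIG_V1 = WordVerifyConfig("confront", "Please enter '{word}' without the quotes.")
CONFIG_V2 = rotate(CONFIG_V1, "lantern", "Type the word {word} here:", "human")

HUMAN_V1 = {"comment": "Nice post", "codeword": " Confront "}
SCRIPT_V1 = {"comment": "cheap pills", "codeword": "confront"}  # tuned to the V1 form
HUMAN_V2 = {"comment": "Still here", "human": "lantern"}
```

A script that learned the V1 form passes exactly like a human until the owner rotates, after which it fails while a human reading the new prompt still gets through.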

It's for this reason that I beg to differ with Jeffraham P who says that it's "cool, but easily defeated by spammers with skillz." It's not. It's easily defeated by spammers with more free time than me, intent on specifically spamming my blog. This is almost guaranteed to never happen. It's been almost a year since I wrote and installed Wordverify, and in that time I've gotten approximately 0 automated comment spam. I don't think MQL has even had a human spammer (the Centresource blog has, however, but that's another story).

The point is: comment-spamming happens because comment forms are all the same. Normal verification processes are circumventable, because they're all the same. Even obfuscated image-based verification processes are defeatable, because you simply add OCR into the mix, and, yep, they're all the same. Until there are more options in the mix, spammers are going to continue to target what gets the most bang for the buck.

So, do I think wordverify is the end-all/be-all solution to comment spam? No -- but I think it's more elegant and more to-the-point than the more irritating and convoluted obfuscated-letters-in-an-image techniques. Rather than making the test for a human more complicated, blogging software and services should work on making the process more variable and harder to automate.

May 18, 2006


cwage @ 1:31 am

I've noticed a large spike in botnet comment-spam. I've gotten hit both here, and at the Centresource Blog, and I've noticed an increase in spam on Nashville's Metblog as well.

I wanted to see how it compared to past levels of comment-spam attempts. I wrote a quick little script to scratch an itch in this regard to help me visualize the data.

Behold, comment spam attempts since February 2005 by day. It's a rather wide image, so that you can get a more refined feel for it. That's a lot of spam attempts.

February 15, 2006


cwage @ 1:40 am

I have written a new WordPress plugin called DNSBLCheck. As you might expect from the name, it's a plugin that allows you to .. check DNSBLs before allowing comments/trackbacks.

I haven't really had much of a problem with trackback spam since I installed this trackback validator plugin. However, as their plugin is written, even though it stops the spam, it still e-mails you about it, which is quite annoying (I gave up wading through the wordpress plugin architecture to figure out why it was still e-mailing).

Making things worse was that I was getting hit with trackback spam from a large botnet (over 100 IPs and counting), most of which were listed on cbl.abuseat.org. It wasn't getting through, but I was getting 1-2 email notifications an hour, nonetheless.

So, at Chris's prodding, I went ahead and hacked up this little plugin to check DNSBLs. I am currently checking cbl.abuseat.org and list.dsbl.org for now. If any of you experience any problems leaving comments, let me know.
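The lookup a DNSBL check performs, as an added Python example (not the DNSBLCheck plugin's own PHP): the commenter's IPv4 octets are reversed and prefixed to the zone, and an answer inside 127.0.0.0/8 means "listed". It checks the two zones named above, skips private and loopback addresses, and treats an off-range answer from a dead zone as not listed; the resolver stand-in and its single listed address are constructed so it runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional

# The two zones the post says the plugin consults.
DNSBL_ZONES = ("cbl.abuseat.org", "list.dsbl.org")

# A resolver maps a hostname to an IPv4 string and raises socket.gaierror when the
# name does not exist, which is how a DNSBL answers "not listed".
Resolver = Callable[[str], str]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Octets reversed, zone appended: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # ValueError for anything that is not IPv4
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver = socket.gethostbyname) -> bool:
    """True when the zone returns a 127.0.0.0/8 answer for the reversed address."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False  # NXDOMAIN: not on this list
    # Real listings answer inside 127.0.0.0/8. A zone that has gone dead and
    # wildcards every name elsewhere must not be read as "everything is listed".
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def blocking_zone(ip: str, zones: Iterable[str] = DNSBL_ZONES,
                  resolve: Resolver = socket.gethostbyname) -> Optional[str]:
    """First zone that lists the commenter's address, or None to let the comment through."""
    addr = ipaddress.IPv4Address(ip)
    if addr.is_private or addr.is_loopback:
        return None  # never on a public blocklist; do not leak them to a resolver
    for zone in zones:
        if is_listed(ip, zone, resolve):
            return zone
    return None


# Constructed offline stand-in for DNS: one listed address, everything else NXDOMAIN.
_FAKE_DNS = {"4.3.2.1.cbl.abuseat.org": "127.0.0.2"}


def fake_resolve(name: str) -> str:
    if name in _FAKE_DNS:
        return _FAKE_DNS[name]
    raise socket.gaierror(-2, "Name or service not known")
```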