Magnolia is going to be restricting their signups to only OpenID users:
Why? Because 75% of new accounts being created there lately have been created by spammers using automated tools. Spammers took over Ma.gnolia. Now, the company is using OpenID as a system of 3rd party verified identity and using the superior spam blocking skills of services like Yahoo! and AIM to clean up the Ma.gnolia ranks. Spamfighting could be the incentive that puts many other vendors over the edge to leverage OpenID.
At best this is a Club solution, meaning it’ll be effective as long as Magnolia is not a worthwhile enough target or not enough people use the technique.
Anyone advocating that a Yahoo, Google, or AOL account is going to stop spam signups, sploggers, or anything of the sort is out of touch with the dark side of the internet. The going rate for a valid Google account is about a penny each. For $100 get a text file with 10,000 valid logins and passwords, and go to town. We used to require email verification to sign up for WordPress.com, and the vast majority of splogs were coming from Gmail or Yahoo email addresses, hundreds of thousands of them. Myspace and ICQ are both good examples of completely closed identity systems with registration barriers but still overrun with spam.
Each of the big guys probably has an anti-abuse team larger than all of Magnolia fighting these spam signups, but it obviously hasn’t been effective. In theory you could blacklist OpenID providers, but who’s going to block Google and Yahoo? And even if they did, they’re just pushing the problem outward, to the point where spammers eventually run their own identity providers. If you think they won’t come from millions of unique registered domains, look at your comment spam queue.
OpenID has a ton of promise for the web — let’s not hurt it by setting people up for disappointment by telling them it’s a spam blocker when it’s not. Regardless of registration, identity verification, or CAPTCHA, you still need something working at the content level to block spam.
Mike Arrington on TechCrunch did an interesting thing a few days ago: he asked their readers if they should accept advertising from PayPerPost/Izea. Their readers made the right decision and voted that it would be disingenuous to accept advertising from a company that, in Michael’s words, pollutes the blogosphere. He also notes that TechCrunch is being held to a higher standard than most mainstream media would:
The comments that are most interesting to me are the ones that say we’re selling out if we take their advertising. I understand that we are held to a certain standard (and we hold ourselves to that standard), but it’s interesting that we’re supposed to do things that would never be asked of MSM.
While I’m sure there’s mainstream media which turn away advertisers because of social reasons, the point that we should hold flagship blogs to high standards is a good one.
On that point, I would encourage the crew at TechCrunch to re-examine their advertising and implicit endorsement of Text Link Ads, which pollutes the blogosphere in the same way PayPerPost does, by selling links with the intention of gaming Google. Just as PayPerPost “posties” were recently penalized by Google and Pagerank was one of the criteria that advertisers looked for when choosing which bloggers to give money to, Text Link Ads has been doing the same thing for years, they’ve just been more explicit about it. (And their corporate site has been penalized in Google for a long time.)
I should also note that if TechCrunch decides that the same reasons it decided to not accept advertising from Izea also apply to Text Link Ads, it’ll be operating at a higher standard than Google itself, who, even though its business is directly impacted by the search engine spamming both of these companies practice, allows both TLA and PPP to advertise via Adwords and Adsense.
One of my favorite funny graphics from the on-hiatus Creating Passionate Users was this one from the entry Be brave or go home. Because of this entry on my blog a few days ago the part of the blogosphere that makes money from ad-embedded themes has been viciously attacking me personally. Attempted assassinations are never fun, at least for the person on the receiving end, but overall I’m happy for a few reasons:
- Some of the paid links in themes are to the same URLs I see in Akismet, so I know that there is at least some overlap between the people financing these themes and attacking our blogs, and any way we can fight them is good.
- I know that this is something the majority of the WordPress community has voted for.
- I am hopeful we’ll stop seeing threads like this in the support forum. “I installed the ecologici theme found here [link to wordpress.net] I customized it, no problems. I went to add my scripts to the footer and found this code…”
- The attacks sting less when it’s from people who have significant financial interests in seeing sponsored themes continue. They’re just trying to protect their money.
- That they’re making so much noise is an indication we’re doing something meaningful.
- The attacks sting less when they’re from people with questionable personal practices. 
Still, there is a lot of hard work ahead.
For example, on one attack post from “Franky” on a blog called Wisdump (didn’t that used to be run by the awesome Paul Scrivens?), I noticed it was loading a little slow, then I saw pingomatic.com in my address bar. I looked at his source and saw he had embedded a 1×1 pixel iframe loading the ping page for Ping-O-Matic on every one of his pages. I must admit this is clever: it utilizes the distributed network of everyone who visits your site to attack Ping-O-Matic and spam the ping servers, and of course IP blocking is useless because it’s coming from the regular folks on your site. But it is also extremely skeevy. (And I believe a little bit of JS on the ping page should fix that right up.)
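Alongside script on the ping page, the server can refuse pings that arrive from an embedded frame, because frame-blocking headers only stop rendering and do not undo a ping that was already accepted. The following is an added example, not Ping-O-Matic's code: the `ping.example` origin, the function names and the sample requests are assumptions, and it covers only the browser-facing ping form.

```javascript
"use strict";
// Added example with hypothetical names; not Ping-O-Matic's code.

// Stop browsers rendering the page in a frame. This alone does not undo a
// ping the server already performed, hence the request checks below.
const NO_FRAMING_HEADERS = {
  "Content-Security-Policy": "frame-ancestors 'none'",
  "X-Frame-Options": "DENY",
};
const EMBED_DESTS = new Set(["iframe", "frame", "embed", "object"]);

function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// req: { method, headers }; ownOrigin: origin the ping form is served from.
function classifyPingRequest(req, ownOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(req.headers)) h[k.toLowerCase()] = v;
  const reasons = [];
  if (req.method !== "POST") reasons.push("ping must be a POST, got " + req.method);
  if (EMBED_DESTS.has(h["sec-fetch-dest"])) reasons.push("loaded as embedded " + h["sec-fetch-dest"]);
  if (h["sec-fetch-site"] === "cross-site") reasons.push("initiated by another site");
  // Browsers without Sec-Fetch-* support: fall back to Origin / Referer.
  if (!("sec-fetch-site" in h)) {
    const source = originOf(h["origin"] || h["referer"] || "");
    if (source && source !== ownOrigin) reasons.push("request came from " + source);
  }
  return { allow: reasons.length === 0, reasons, responseHeaders: NO_FRAMING_HEADERS };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = {
  hiddenIframe: { method: "GET", headers: {
    "Sec-Fetch-Dest": "iframe", "Sec-Fetch-Site": "cross-site",
    Referer: "https://blog.example/some-post" } },
  ownForm: { method: "POST", headers: {
    "Sec-Fetch-Dest": "document", "Sec-Fetch-Site": "same-origin",
    Origin: "https://ping.example" } },
  legacyEmbed: { method: "GET", headers: { Referer: "https://blog.example/some-post" } },
};

for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  const verdict = classifyPingRequest(req, "https://ping.example");
  console.log(name, verdict.allow ? "allow" : "reject: " + verdict.reasons.join("; "));
}
```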
Blog spammers have sunk to new lows.
Nivi, a blog I’m subscribed to, was showing dozens and dozens of entries being updated even though there was no discernible difference. However as I started looking closer, I noticed if you view the source, for example on this post, there are a ton of spam links there. You can click the screenshot to the left.
The implications of this are disturbing. His blog was hacked (which isn’t unusual and could have been for a thousand reasons like another account on his server being hacked, an old version of phpBB or other software) but instead of doing anything obvious to disturb the content of the site they invisibly modified his posts using CSS-hidden text. He has probably had hundreds of posts modified. I can’t imagine cleaning it up will be pleasant.
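One way to triage a cleanup like this is to scan every stored post body for links that sit inside elements hidden by inline CSS. The following is an added example, not code from the original post: the hiding heuristics, function names and sample markup are assumptions, and the sample post is constructed.

```javascript
"use strict";
// Added example; inline-style heuristics only, names are hypothetical.
const VOID_TAGS = new Set(["br", "hr", "img", "input", "link", "meta"]);
const HIDING_RULES = [
  /display\s*:\s*none/i,
  /visibility\s*:\s*hidden/i,
  /(?:left|top|text-indent)\s*:\s*-\d{3,}/i,     // pushed far off-screen
  /font-size\s*:\s*[01](?:px|pt)?\s*(?:;|$)/i,   // too small to read
];
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;

// Value of a quoted attribute inside a tag's attribute string, or null.
function attr(attrs, name) {
  const m = new RegExp("\\b" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)')", "i").exec(attrs);
  return m ? (m[1] !== undefined ? m[1] : m[2]) : null;
}

// Returns the href of every link inside an element hidden by inline CSS.
function findHiddenLinks(html) {
  const open = [];  // stack of { name, hidden } for currently open elements
  const hits = [];
  for (const [, closing, rawName, attrs] of html.matchAll(TAG_RE)) {
    const name = rawName.toLowerCase();
    if (closing) {
      const i = open.map((e) => e.name).lastIndexOf(name);
      if (i !== -1) open.length = i;  // pop through the matching open tag
      continue;
    }
    const inherited = open.length > 0 && open[open.length - 1].hidden;
    const hidden = inherited || HIDING_RULES.some((re) => re.test(attr(attrs, "style") || ""));
    const href = attr(attrs, "href");
    if (name === "a" && hidden && href) hits.push(href);
    if (!VOID_TAGS.has(name) && !/\/\s*$/.test(attrs)) open.push({ name, hidden });
  }
  return hits;
}

// Constructed sample post body (not the hacked blog's actual markup).
const SAMPLE_POST = [
  '<p>Notes from the <a href="https://conf.example/talks">conference</a>.</p>',
  '<div style="position:absolute; left:-9999px">',
  '  <a href="http://pills.example/buy">cheap pills</a> <a href="http://casino.example/">casino</a>',
  '</div>',
  '<span style="display: none"><b><a href="http://loans.example/">loans</a></b></span>',
  '<p style="color:#333">Visible <a href="https://friend.example/">friend</a></p>',
].join("\n");

console.log(findHiddenLinks(SAMPLE_POST));
```

Links hidden through a stylesheet class rather than an inline `style` attribute are not caught by this scan; those need a check against the rendered page.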
Sometimes I’m amazed at how much manual labor the Wikipedia uses. For example, how long can this type of spam protection go on before it becomes overwhelming?
This is an example of a MySpace spam profile, it’s very convincing—see if you can spot the ad. I think this phenomenon is under-reported. They are using data from your profile—location, age, romantic preferences—to highly target messages and “adds.” Seventeen hundred friends. It would be interesting to know if the growth of spam on social networks like MySpace is as high as email or comments. The incentives are there.
Some days don't you want to just blacklist all of .info? More spam there than anything else except maybe .com or .be, and certainly a higher percentage than any other top-level domain.
Got enough testers for now. Thanks!
I’m looking for a few people who do (or used to) get a lot of comment spam who are willing to turn off all of their other spam prevention methods and try a new plugin I’m testing out. Drop me a note on my contact page with details about your blog and how much spam you get. I’ve been dogfooding it for the past few weeks and it’s been working great.