A couple of weeks ago there was an extremely interesting short discussion over at the OnFac mailing list. It dealt with techniques to avoid external spamming, especially in online bulletin board systems (forums). Nancy White attempted to capture it, but as yet it’s not been done.
Besides sharing experiences on the effectiveness of email verification (to make sure the person registering at least has a working email and checks it) and CAPTCHA (a non-computer-readable image with a piece of text that must be copied in a form, and thus prevents automated bots from sending messages), the co-listers also talked about the merits of first-message filtering (the first message of any new member goes to a special category, and until approved, the user does not get full rights). I also mentioned the efficacy of message lag (a minimum period between posting messages) in limiting the flooding effect of such bots once inside.
Those techniques are all very well, and indeed heartily recommended to ward off automated, mass spammers. But they can’t keep human spammers out, nor avoid bots once a human opens the door. The only policy that works, I insisted, is diligent moderator and administrator work to identify and cut off the spam, and to ban the spammers and their servers: active moderation, active use of the software’s pulls and levers.
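As an added sketch (not code from the mailing-list discussion or from any particular forum software), this is how the levers described above can combine in a single posting gate: email verification, first-message filtering, message lag, and account and IP bans. The class and field names and the 60-second lag are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

MIN_LAG_SECONDS = 60  # assumed value; the post names no specific lag


@dataclass
class Member:
    name: str
    ip: str
    email_verified: bool = False
    approved: bool = False  # set by a moderator after reviewing the first message
    last_post_at: Optional[float] = None


@dataclass
class PostingGate:
    banned_users: set = field(default_factory=set)
    banned_ips: set = field(default_factory=set)

    def ban(self, member, ban_ip=False):
        """Moderator lever: ban the account and, optionally, its IP address."""
        self.banned_users.add(member.name)
        if ban_ip:
            self.banned_ips.add(member.ip)

    def can_register(self, ip):
        """A banned IP cannot be used to register a new account."""
        return ip not in self.banned_ips

    def submit(self, member, now):
        """Decide where a message goes: rejected, held for review, or published."""
        if member.name in self.banned_users or member.ip in self.banned_ips:
            return "rejected: banned"
        if not member.email_verified:
            return "rejected: email not verified"
        # Message lag: enforce a minimum gap between accepted messages.
        if (member.last_post_at is not None
                and now - member.last_post_at < MIN_LAG_SECONDS):
            return "rejected: message lag"
        member.last_post_at = now
        # First-message filtering: unapproved members land in a review queue.
        if not member.approved:
            return "held: first-message queue"
        return "published"
```

The gate only limits how much a new or flooding account can publish; deciding to approve a member or call `ban` remains a moderator's action.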
Well, nothing is perfect all the time (goes a Spanish saying), but today I saw an example of just that, which happened on May 6th while I was looking the other way. At the Macuarium CoP system, of course.
7.05 PM. A spammer starts flooding several forums in a bulletin board system with get-rich-quick messages.
7.08 PM. A moderator from a particular forum in the system sees them, tracks them, puts up a warning at a coordination forum (together with links).
7.13 PM. The spamming user is suspended as a precaution by a senior moderator (who can edit any forum), and all messages are moved to the “evidence” forum (pruned from the innocent threads where needed). This is reported in the same coordination thread by him and other mods.
9.32 PM. An administrator bans the user (this procedure keeps the email and IP addresses for security reasons but disables the user profile in every respect). And reports it. Starts investigating the spammer. Finds that he’s been using a fixed IP address for his registration and messages.
9.35 PM. The administrator bans the user’s IP. And reports it. This procedure prevents the spammer from ever registering again from the same connection (if it was his home, or his company’s network, it can eliminate the danger of small-fry spammers).
Peace thereafter. And very little work time in total to avoid users having to wade through that trash. Which in turn makes sure trash is so rare that users themselves report it almost as fast as it appears, so reinforcing the vigilance system.
The key is not just a number of clear procedures and effective tools, but a great team of motivated, agile people acting on the spot. This is scant defense against massive systematic attacks, but it can do away with the main scourge of lists and forums (among other venues): the host of small-time spammers.
No amount of gadgetry can substitute for that, nor guard a community on the web against spammers in the long term. It’s plain (and hopefully smart) housework.