Comments on: Spam score: Spammers 1, Akisment 68

By: Rob

Rob — Sun, 29 Jan 2006 03:11:41 +0000

Here’s a dilemma that applies broadly to security concerns, not just to spam: how do you balance the transparency required for trust with the need to conceal information from potential abusers?

Akismet’s FAQ asks, “What stops the system from being gamed?” and answers,

Well without giving too much of the secret sauce away, we can safely say that it would be pretty difficult to poison Akismet. We use dozens of factors to determine the spamminess of a submission, and we also have an identity attached to everyone using and contributing to the system, which allows us to do some interesting things with weighting and clustering activity.

The proof will have to be in the pudding (to swap food metaphors); you won’t get to read the recipe or assess the ingredients for yourself. That said, you get to see comments before they’re deleted, and have the chance to flag them as “not spam”. The worst that can happen, at least in theory, is that some spam will slip through — in which case human comment moderation comes into play.

Then again, with millions of dollars on the line, spammers are highly motivated to find a way around it (or, as you mention, to poison the well).

Either way, I wish Akismet could find a way to deliver a powerful electrical shock to whoever’s sending me the “Children love Floam!” e-mail. Spam is one area where some dark part of me wants the phrase “killer app” to take on a lethally literal meaning.

By: Ian King

Ian King — Sun, 29 Jan 2006 01:31:31 +0000

This is actually one of those applications where relying on the so-called wisdom of crowds is not a bad idea. The question “is this comment spam?” is one where there’s a widely-agreed upon and widely-understood answer, and one where legitimate users are almost certainly going to answer honestly as they do not appreciate spam.

This contrasts with some naive ideas, like asking people who they think will be elected in riding X, a question that most respondents will not be able to answer in an informed way, and where the likelihood that the question will not be answered honestly is rather high. (People will give bogus answers for malicious reasons, either to play up their party or muck with the system.) Yes, I thought that the election mashup was a poorly-conceived idea; the energy expended therein would be better spent helping Election Prediction Project, whose track record is far better thanks to the use of human-powered bullshit detection, to improve its appearace and add some features.

The big quesiton is whether Akismet itself has some defences against spam houses flooding its database with false negatives or other sorts of attacks and abuse. If they haven’t sufficiently prepared, and the spammers do poison their data (and past history suggests that they will), then Akismet will become far less useful. If it’s not bogus data, it’s DoS attacks; if it’s not that, it’s something else. Mark Pilgrim’s warnings from 2003 are still apropos.