
There ought to be a law...


Published Mon, May 21 2007 9:03 AM
Technorati Tags: Blogging, Annoyances

Trackback, pingback, and comment spam on web logs is not only annoying, it should be criminal. I say in the headline that "there ought to be a law", but I'm not serious. I don't really think that bigger government is even close to the solution to this problem.

CAN-SPAM Act of 2003

The CAN-SPAM Act of 2003 clearly doesn't work. For one thing, it only covers e-mail. For another, I still receive more SPAM e-mail than regular e-mail on several of my accounts.

Here's a rundown of the law's main provisions:

  • It bans false or misleading header information. Your email's "From," "To," and routing information – including the originating domain name and email address – must be accurate and identify the person who initiated the email.

For some reason I still receive SPAM email with spoofed headers. This law hasn't really stopped that at all.

  • It prohibits deceptive subject lines. The subject line cannot mislead the recipient about the contents or subject matter of the message.

How about this subject line? "Delivery Status Notification (Failure)"

That subject line implies that I sent an email message to someone, and that delivery failed. On examination of this particular piece of email, the content looks like this...

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

perri-goldmankperrigoldman@prurush.com

First of all, I don't know anyone with that e-mail address. The tipoff comes, though, when I examine the attachments. Mailer daemons that send "real" delivery status notifications just about always include the original e-mail as an attachment.

The attachment actually turns out to be the SPAM. The subject line on the attachment is "Daily News 1869325833". Opening it (with antivirus software on) shows that the sender is... "Investor Rhoda [perri-goldmankperrigoldman@prurush.com]" and the recipient is "perri-goldmankperrigoldman@prurush.com". The entire content of the email is a downloadable image.

I'd say that this particular piece of SPAM violates the "misleading subject line" clause of the CAN-SPAM act, wouldn't you?

  • It requires that your email give recipients an opt-out method. You must provide a return email address or another Internet-based response mechanism that allows a recipient to ask you not to send future email messages to that email address, and you must honor the requests. You may create a "menu" of choices to allow a recipient to opt out of certain types of messages, but you must include the option to end any commercial messages from the sender.

    Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your commercial email. When you receive an opt-out request, the law gives you 10 business days to stop sending email to the requestor's email address. You cannot help another entity send email to that address, or have another entity send email on your behalf to that address. Finally, it's illegal for you to sell or transfer the email addresses of people who choose not to receive your email, even in the form of a mailing list, unless you transfer the addresses so another entity can comply with the law.

The previously described e-mail didn't provide an opt-out mechanism. Even if it did, how many of you really believe that it would have actually "opted-out" of future SPAMs, especially considering that the rest of the email violated the CAN-SPAM act?

In fact, it's usually recommended that if you receive unsolicited email that contains an opt-out option, you don't respond to it at all. Why? In a lot of cases it's simply a way to validate that the sender has a good e-mail address. Responding lets them know that their message found a target. People that are going to violate the CAN-SPAM act aren't going to honor this provision either.

  • It requires that commercial email be identified as an advertisement and include the sender's valid physical postal address. Your message must contain clear and conspicuous notice that the message is an advertisement or solicitation and that the recipient can opt out of receiving more commercial email from you. It also must include your valid physical postal address.

Most of the SPAM that I see doesn't bother to comply with this one either. In fact, even some otherwise legitimate commercial e-mail doesn't comply with this requirement.

The CAN-SPAM act didn't do much of anything to reduce the amount of SPAM that comes to my inbox every day. In fact, I receive more SPAM e-mail now than ever before.

If the government can't even stop the SPAM from coming to my inbox with a law, why should I expect yet another law to help with Trackback, Pingback, and Comment SPAM? Oh, I know there are some teeth in the law, but not many. I've also heard of a few sensational, and successful, prosecutions of spammers.

The SPAM continues in e-mail.

SPAM Blockers for Trackback and Comment SPAM

So what about Trackback and Comment SPAM? No law is going to eliminate that either. For one thing, most of it seems to be coming from China and Southeast Asia these days anyway; at least, that's what the statistics I have gathered by doing I.P. address lookups suggest. Citizens of those countries aren't subject to our laws, so another law isn't going to stop them.

As a side note, the Great Firewall of China reports that my site is blocked in China, yet somehow their SPAMMERS can get to my site. What's up with that? Anyway, back to our post...

About this point you might be bored enough to say "What's the problem with trackback SPAM anyway? Just use a blocker like AKismet and be done with it."

If you did, I suppose you might have a point, but just as with e-mail SPAM, AKismet and other SPAM blockers occasionally reject false positives. Every now and then I have to go through my junk e-mail folders to rescue legitimate messages that got trapped. SPAM blockers also miss the occasional bit of junk.

When the SPAM blockers miss a SPAM, it's usually not too much of a problem in e-mail. You can simply delete it and move on. When AKismet misses a SPAM ping or comment, it ends up on the blog. I know that my readers (at least most of them) aren't interested in gay pornography, tramadol, phentermine, viagra, or even heroin mixed with hydrocodone.

Having a link to that sort of garbage on my website isn't a good thing. Fortunately, I, and most bloggers, have a mechanism that allows us to review and delete offensive trackbacks and comments. Even so, it gives the SPAMMERS yet another set of eyes viewing their garbage.

Simply deleting the offensive trackbacks and comments doesn't make AKismet any smarter either. Somehow AKismet has to be notified that it missed one or it will keep making mistakes in the future. You know the SPAMMERs are always working on ways to get their junk past the filters. It behooves us to work to improve the filters.

So what about the trapped pings and comments? AKismet does a pretty good job of trapping SPAM, but as I noted earlier, it occasionally traps legitimate pings and comments. What can we do about that?

One thing we can do is to simply ignore them. That's hardly fair to the legitimate commenters and bloggers that are pinging legitimately. After a while, they'll start ignoring our site. I don't know about you, but I hope that people read what I write. Ignoring their comments isn't going to facilitate that much.

Another thing we can do is to rescue them. Just as we can tell AKismet when it's missed a SPAM ping or comment, we can tell it when it's falsely trapped a legitimate one, and we can restore it. The problem there is, we have to identify the false-positives in a sea of trash.

That means that to be fair to our readers, we have to review every single piece of SPAM that comes our way. That's a lot of SPAM and it takes a lot of time. I've talked to a few other bloggers about this, and it seems like I'm lucky. I only receive about 500 SPAM pings and comments a day. Some bloggers are receiving a few thousand an hour!

About one in a hundred trapped messages (on my site) turn out to be legitimate. Sadly, to find them I have to read the other 99 messages. That's ONE of the reasons I hate SPAM so much.

Bandwidth and SPAM

Another reason I hate SPAM has to do with bandwidth. Besides being a waste of my time, SPAM also consumes some of the bandwidth that I am paying for with my web hosting package. I find that particularly irritating.

Most of us don't get as much traffic as we'd like in the first place, so we're nowhere near the point of having our blogging host start throttling back our traffic. Even so, as our blogs become more popular eventually this can become an issue. Having SPAMMERs suck up our bandwidth is definitely an issue.

For bloggers on "free" platforms (like blogger.com, for instance) this may not seem like that big of an issue. Google isn't throttling bandwidth on sites yet, but they do reserve the right to introduce limits on the service in the future. From their terms of service:

4. General Practices Regarding Use and Storage. You agree that Google has no responsibility or liability for the deletion of, or the failure to store or to transmit, any Content and other communications maintained by the Service. Google retains the right to create limits on use and storage at our sole discretion at any time with or without notice.

So for Blogger users at least it's not an issue now, but it could be in the future.

For people like me that pay for our web hosting though, it's an issue. My site isn't wildly popular. I have a few dedicated readers, and a lot of inbound links, but I know I'm not a major force in the blogosphere. I receive an average of about 75 unique visits a day. That amounts to about 160 page loads a day, at least according to SiteMeter and SiteTracker.

My web host keeps statistics too. Yesterday was a slow day according to the statistics kept by SiteMeter, with just under 100 page views. Brinkster recorded 3926 page views for the same time period. All of the pages that you can view on my site include a tracker. The only pages that don't are the API pages that are used with trackback pings, and pages that are not normally displayed to visitors.

That means that I am receiving nearly 40 times more traffic from SPAMMERS than I am from legitimate users of the site. I know that I said that I receive about 500 or so SPAM pings and comments a day. That's only the count of SPAM pings and comments trapped by AKismet.

Hack attempts

The rest are trapped by error handlers. There are an unbelievable number of protocol violations in the pings and SPAM comments that I receive. With comments alone, the malformed posts outnumber the well-formed posts something like four to one.

The most common error is an "invalid viewstate" error that crops up when someone tries to post a comment to a page without actually having retrieved that page, something you'd expect a BOT to do. Invariably someone with a little bit of an idea of what's going on tries to send a base-64 string in as viewstate, but they get the length of the string wrong, or they use invalid base-64 characters.

ASP.NET throws exceptions every time they try that. When they do try it, it's obvious that they aren't interested in the content of the post at all, just in getting their trash through.

Another thing I see from time to time is obvious hack attempts. I've stopped counting the number of times someone has attempted a SQL injection attack on my login page. I guess for these clowns my site is practice.

There ought to be a law

SPAMMERS are taking up an increasing amount of my time, effort, and bandwidth on this site. I know that they're doing the same to other bloggers.

There ought to be a law against all of this. Sadly, the CAN-SPAM Act of 2003 only applies to e-mail, and as far as its effect on SPAM goes, it's a joke. Besides, government regulation of web site communications isn't something I want to even open the door on.

I have one final defense against all of this garbage pounding on my website. It won't deal with the bandwidth issues, but it will probably cut down on the time I spend dealing with SPAM. I'll implement that solution this evening.

What is it? Other bloggers already have a similar solution in place. It's my turn.

I'm going to start closing comments and trackbacks on posts that are over a week old. That'll be the first line of defense against SPAM on the site. If the post is over a week old, and I haven't marked it as being "open" to comments, trackbacks will fail with a notice saying the post is closed, the comment UI won't even be presented, and "hack" attempts to post comments will be ignored.
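The two defenses described above (rejecting comment posts whose viewstate is missing or is not well-formed base-64, and closing posts older than a week unless they are flagged open) can be written as a single triage step. This is an added illustration, not code from this site or from ASP.NET; the submission and post records, the `open` flag and the seven-day window are assumptions, and the sample data is constructed.

```python
import base64
import binascii
import re
from datetime import datetime, timedelta

COMMENT_WINDOW = timedelta(days=7)          # assumed: posts close after a week
B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def viewstate_error(vs):
    """Return why vs is not a well-formed base-64 viewstate, or None if it is.
    Covers the failure modes the post describes: no viewstate at all (the page
    was never fetched), bad characters, and a length that is not a multiple of 4."""
    if not vs:
        return "missing viewstate (page never retrieved)"
    if not B64_RE.match(vs):
        return "invalid base-64 characters"
    if len(vs) % 4 != 0:
        return "base-64 length not a multiple of 4"
    try:
        base64.b64decode(vs, validate=True)
    except binascii.Error as exc:
        return "base-64 decode failed: %s" % exc
    return None


def triage(sub, posts, now):
    """Classify one comment submission before it ever reaches the spam filter."""
    post = posts.get(sub["postid"])
    if post is None:
        return "reject:unknown-post"
    if now - post["published"] > COMMENT_WINDOW and not post.get("open", False):
        return "reject:post-closed"          # no comment UI, trackbacks told "closed"
    err = viewstate_error(sub.get("viewstate"))
    if err:
        return "reject:" + err               # what the error handlers catch today
    return "accept:send-to-spam-filter"      # only now does Akismet see it


# Constructed sample data: a fresh post, a month-old post, and an old post marked open.
NOW = datetime(2007, 5, 21, 9, 3)
POSTS = {716: {"published": NOW - timedelta(days=2)},
         700: {"published": NOW - timedelta(days=30)},
         650: {"published": NOW - timedelta(days=90), "open": True}}
SUBMISSIONS = [{"postid": 716, "viewstate": "QUJDRA=="},   # well-formed
               {"postid": 716, "viewstate": None},         # bot never fetched the page
               {"postid": 716, "viewstate": "QUJDR"},      # length wrong
               {"postid": 716, "viewstate": "QUJD!RA=="},  # invalid character
               {"postid": 700, "viewstate": "QUJDRA=="},   # post closed after a week
               {"postid": 650, "viewstate": "QUJDRA=="}]   # old but explicitly open


def triage_all():
    return [triage(s, POSTS, NOW) for s in SUBMISSIONS]
```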

I HATE SPAM! I DO NOT LIKE IT SAM I AM!


Trackposted to Blog @ MoreWhat.com, Committees of Correspondence, Mark My Words, DeMediacratic Nation, DragonLady's World, The Bullwinkle Blog, The Amboy Times, Conservative Cat, Pursuing Holiness, third world county, Pirate's Cove, Blue Star Chronicles, The Pink Flamingo, Dumb Ox Daily News, High Desert Wanderer, Right Voices, and The Yankee Sailor, thanks to Linkfest Haven Deluxe.


Trackback URI for this post: http://perrinelson.com/track.aspx?postid=716
Permalink URI for this post: http://perrinelson.com/2007/5/21/716.aspx



bernie responded with:

I sometimes come upon an old article that still has a timely pertinence and find that comments are closed and it leaves me disappointed that I cannot add my pithy quote to the post. Additionally when I look for articles to reference for a post I am writing I usually avoid those which I cannot ping or at least leave a notice that I referenced that article if I can find a substitute article that I can ping. Just FYI.

Perri Nelson responded with:

I'll have to consider that then. I certainly wouldn't want to drive you to a substitute for my site :-). I've never considered your comments or pings to be SPAM.



SPAM is so annoying though. Maybe when I start getting thousands of them a day I'll just stop rescuing the occasional false positive.


