Ideas

wel i see the list of spammers goin into zillions...and zillions comming up daily!

This kind of service exists. They're called real-time block lists. They suffer from two big problems: (1) spammers sue them out of existence, claiming being on the list is some kind of restraint of trade or something. I don't recall the details of the suits, but at least one of the big RBLs (Spamhaus?) was brought down by repeated suits from the people they were blocking. (2) they occasionally block legit people who have been hijacked or spoofed and it is very difficult to clear your name once on the list.

More info here, but Spamhaus is not the only RBL in service
http://en.wikipedia....The_Spamhaus_Project

Thanks for the link micco. I would hope that the "guilt" would be spread across many people so that legal strings can be sidestepped. A site reporting an offender would have to file some type of report (that may be automated) with the evidence of activity identified. The sites will be making the claims supported with evidence showing how their terms of use were violated. Though I still need to think some more about the legal aspects of it.

This service would not target the IP address, since scammers often have proxy servers at their disposal. Instead this would target the actual email address they use to register.

So say some one signs up for a site like Cambrian House. They enter an email address and are sent a confirmation email (to ensure that they are the owner of the account) The user then spams some members. CH then identifies the spam content of the user and their email, includes it in the incident and that email now has a point against them.

So when the user tries to sign up for another site, the site might check the email and find the user has more incidents than the site's limit (site admins can decide whether or not to let "risky" users onto their site) Spammers are not stopped, but they are hobbled. Now they have to go open a new email account. The next, which is outside of this idea, would be for the email providers to then limit access using something like the Spamhaus service you mentioned.

I think I understand better now. The RBL systems that already exist are used by mail server admins to automatically identify spam. What you're proposing is not a way to block spam email but a way to identify spammers, trolls, etc. that pollute forums.

It's both a noble and (I think) novel idea, but the logistics would seem very hard. There are already easy systems in place to create virtually unlimited email addresses fronting for a single user. A lot of people use these systems to create one-time email addresses for website registration so if they start to get spammed at an address used to register for a certain service, they know who sold their address to the spammers and they can turn it off without affecting other email addresses.

What would keep a person from using the same type of system to sidestep your service? That is, if I register at CH using the address micco@micco.com and start spamming, your service would block just that address, not all micco.com addresses. So I just use micco1@micco.com for one site, micco2@micco.com at another, and so on. Obviously it would be more trouble to do so, but spammers are nothing if not persistent.

That brings up a good point. I think to deal with serial spammers who use modifications of the same address, there would need to be some intelligence added to the incident processing. So if micco@micco.com and micco1@micco.com were submitted, the system have to have to do something like the following

1) Mark a point against micco@micco.com and micco1@micco.com because these would have documented incidents (that are backed by the content that of the incident report)
2) Flag the variant micco#@micco.com as a potential address that posts spam.
3) The more variants that have documented incidents, the higher the warning level goes for micco#@micco.com (For the above example the warning level would be 2... if micco1234@micco.com and micco345@micco.com had also been reported as incidents, then the warning level would be 4)

Sites can then decide what incident level and warning level they are willing to accept for membership to their site.

For users that have a flagged address but are well behaved, sites can report their good behavior and they can be added to an exception list. The exceptions might also be used to lower the warning level.

I also think that the stigma of having points against your address can be worked off for "good behavior" on sites that will accept you. For example, if user@abc.com gets a point for spamming a forum... well they suddenly realize folks on the net don't like spammers. They get kicked off of the site they were on and try their best to find a site that will accept someone with one point against them... they stumble on a forum called "second chances" that takes them in and they prove they can be a good net citizen and get 1/4 or 1/2 of a point taken off each month that they get a positive report. (Spammers can be reported at any time, positive reports would have to be scheduled or spread out....)

I myself have built a very large list for blocking specificially IPB forum spammers and hackers. Based on community reports of admins. We had a nice sided list of the to hundred most common hackers & spammers names, emails, ip, etc...

It actually worked quite well at quickly identifying attackers and stopping attacks. The intent was for the most part just adding a block until patches could be made and applied.

So were you preventing them at the firewall (IP based) AND at the site level (email blocking)?

I think the tools are out there to implement my idea, it is just a matter of assembling them.

One thing my service would bring is all the knowledge of the big sites (who can see more clearly patterns of spam users) into the hands of anyone running a site. Information is immensely more useful when it can be shared quickly and efficiently.

I have an open call out to the CH community for help with writing a grant request so I can try to get this funded. This idea might not stop the spammers, but hopefully it will slow them down a little.

interesting...very practical and as timely as today's headline =)

I think your plan to flag variants would lead to a lot of false positives. Given my example, it seems reasonable to flag all micco#@micco.com for any violation by any micco, but how many distinct users are bob#@gmail.com? Use of these numbered usernames is very common and typically not an attempt to bypass filters or even apply multiple addresses to one person.

Also, I don't think the plan to provide for good behavior marks would work. Website administrators might be convinced to put something in place that checked your blacklist and added new violators to the list, but they're never going to take the time to identify blacklisted people who are behaving well and give them good marks. Most admins are simply too busy to spend time on that kind of activity that has no useful return.

I think your service is a really good idea, but it would have limited utility. As Kevin_Cox points out, it works really well in a small scale deployment, but as soon as it got popular and widely used, it would just be a matter of routine for the spammers to defeat it.

I see that you're considering funding this via grants. I don't want to be too pessimistic, but I just don't see this being too grant-worthy, at least from most of the grant organizations I know. I don't think they'd see it as really promoting social goals, etc. compared to other efforts. Given that most other ventures in this area are either commercial services or volunteer efforts, grants might be hard to come by. But if you can find an organization that really promotes online ideals, they might at least front you some hosting.

However, I don't see why you'd really need grants to get started. The technology infrastructure you'd need to build is really really simple. It's just a web-service front end on a database that provides two functions: query on an email address and return incident report, and insert new incident for an address. This is pretty much the sample code from any web services tutorial. I don't mean to trivialize the development; there are always more complications than are immediately evident, but you're not talking about a massive development effort.

Your bigger problem is marketing. Maybe you'd need grant money for that, but it's a very targeted audience. I don't see general ads doing much good and you really need to try to address (spam!) the user groups for various web forum products and similar services.

Have you considered a business model? Obviously you would get the best participation on a free service, but if you can't get grants to support hosting and admin, you may need revenue. This might work with a two-tier system where members who contributed substantially to building your list (reported a certain number of spammers or some other measure) got free service and others paid a small subscription. If the problem is as bad as you think it is and your service works as well as you think it can, most admins would easily pay a small subscription fee.

The main issue is I didn't want to have a single entry and exit point. A web service was the first thing that came to mind but a single point would be too easily defeated by a DoS attack.

So I would want it to work like a simple call to a web service, but be distributed like the DNS system.

I run websites for my paying clients right now on my servers and they expect a certain quality of service. So if I hosted this venture, it might have adverse consequences on the sites if a DoS attack was launched against the spam ID service.

I wanted to raise funds for a physically separate server and the required bandwidth.

I see your point, it may not be helping the public enough to get publicly funded. Nothing a good grant writer can't help me with :) But seriously, if it is not grant worthy, then it will have to be done on a subscription basis.

i see the value in a subscription product for webmasters, assuming that the product could be easily woven into their existing website. instead of worry about a complicated set of tools to keep their sites spamfree, they could simply visit the website, plug in the email address of those who slip through the service, and essentially crowdsource the security of their site.

Nice objective..but am concern on the viability as a business. Care to enlighten me?

Right now I am just looking to cover costs. First and foremost I am looking to solve a problem that annoys myself and many web users (spam posters). Then hopefully the revenue will come in.

Might not sound like much of a business model, but in my IMHO, too many people think about all the money they are going to make instead of thinking more about the product. So I am adopting the "Field of Dreams" business model, "If you build it they will come". That's probably going to raz some folks. Please share your thoughts.

--------------------

Micco and Kevin_Cox have raised some very valid points that I am going to incorporate into the design.

Postini's got you covered. ;]

Postini still doesn't fit the bill, unless they are expanding their services. They provide encryption services and email blocking at the email server. (If I understand their services correctly)

This idea is not about stopping the transmission of spam emails over the internet. This idea is about preventing users from registering for sites if they have been identified as users who post spam on forums etc.

WIshyou could do a beta try for CH.com!

hmmm now this really sounds interesting. I like the concept, but as I'm not a programmer I'd have no idea how to go about doing it.

It would be awesome if there were a way to prevent people who are spammers who try to register for forums.

Thanks Selise. There are a lot of parallels to other systems in life to prevent bad behavior, so no programing knowledge needed :) (Though I did add in the word web service... but I tried to make the rest for everyone)

Getting the word out about spammers and trolls helps people see the early warning signs better and take action. Spammers are like a cancer... early diagnosis is key to beating the enemy.

Something about this reminds me of the 2000 US Presidential elections. I just imagine many names being blacklisted just b/c they are similar to major offenders. Or maybe this will only be a problem in Florida ;)

JustMe: similar names are a problem on some real-world lists that use names, but email addresses are unique. There simply cannot be two people with identical email addresses at the same time unless they're sharing one account, so the types of confusion you mention aren't an issue here. However, you're exactly right about similar email addresses, which is a point I tried to make in earlier comments. If you only match on exact email address, your match is accurate but spammers can easily create an endless supply of new ones; if you match on similar addresses, you blacklist innocent bystanders.

Yes, that is the major concern black listing innocent people. The warning system I proposed above might help prevent some of it.