This reminds me of one of my former ESPN co-workers - Mike Davidson[1] - who founded one of the first community news sites (Newsvine[2]) back in 2006.
Newsvine had comments and upvotes and link submissions and posts - it was very reddit-esque except it was focused around the news. The team had to have a way to deal with spammers and trolls. They found the most effective way was to flag a user as a troll on the Newsvine backend. If the troll flag was set to true, Newsvine would add a random 10-60 second delay to every page load for the troll's account. IIRC it solved the problem pretty effectively.
How would this work for something like Twitter/X when accounting for individuals serving the US government? Someone could be flagged as a troll on the backend for unrelated reasons, but now their experience in communicating with someone in government is delayed. I understand that a delay is not the same thing as a block, but I wonder if the damage to the user’s experience is sufficiently similar for a federal judge.
Twitter has been doing things worse than that for years. They seem to even have different levels of shadow banning.
The practice is fundamentally malicious because innocent people get caught in it all the time. The two main problems both stem from the fact that they don't admit to doing it.
The first is that you're posting interesting things but nobody ever sees it because you're shadow banned, and then what you should really do is create a new account and start over, but you don't know why nobody ever sees it. "Maybe you just don't have much of a following yet." But you never will with that account. An innocent person is subjected to the penalty meant for a spammer -- and suffers longer for it because they have no reason to expect they're being punished when they haven't done anything wrong.
The second is that even if you figure it out, they still don't admit to doing it, the consequence of which is that there is no appeals process. So if you have an account with a significant following and then get shadow banned illegitimately, you're much more likely to notice this because your engagement falls off a cliff, but there is no process for undoing it other than to abandon your account and start over from scratch.
Don't use Twitter for government comms I guess? It's a private system with its own rules. They can degrade the experience as much as they like if the system flags one as a troll, regardless of their being part of an organization.
Spam and trolling even happen in physical newspapers/radio/TV/books/magazines. It's just that you have to pay to do it.
The rich/ceremonial/leisure classes have throughout history been constantly spamming everyone with whatever shit occurs to their 3-inch brains, because they can afford to buy the largest amount of attention.
Too bad there is not enough attention for anything anymore, because production of content is happening at volumes that dwarf consumption of content.
If 99% of comments and links on HN are not read by anyone, do you think the great geniuses who run HN will tell you that? What's the use of such systems, no one asks. They want to just keep it alive like some dumb engineers in the control room of Jurassic Park after the children are lost and the T. rex is loose.
The platforms, without knowing what the fuck they are building, have made it free for everyone to broadcast. So it's now not just the rich who are spamming and trolling. It's everyone. For free. All you get is noise. Read the UN report on the attention economy.
One-dimensional software engineers now have the capability to build and scale systems quickly. That's the only reason we have these dumb fucking mindless systems wasting everyone's time and energy.
What I want is a "content condenser" tool. Something OSS and mathematically pure that can just take all the signal, drop the noise, and run some NLP to "condense" the information for me to effectively wade through it. Yes, there's a lot of bullshit content now, but there's also a lot of valid content. To be proficient today, we need to be able to swim effectively through the sea.
What's screwed up right now is we are currently forced to rely on 3rd-parties to filter for us, and they do so often poorly by just dropping content that's not "popular" which results in biased sampling, or worse, they select based on some kind of profit motive. Why can't we own our own "social media algorithm" or something? Why do I have to spend so much time consuming? Give me the IV drip, and filter out the unhealthy portion, please. Ideally, I should be able to trust the filter, too.
Akismet is very good at detecting comment spam. If it were any good at detecting signup spam then wordpress.com would not have so many spam blogs.
I also would track down spam blogs there. Sometimes manually through search engines and a curated list of known terms and sometimes with tools that one of the devs created for me.
I suspended thousands of genuine spam blogs. Sometimes mistakes were made but they were rare.
Then, although some automated tools were created to try and stem the tide, that hunting and suspending was deemed not to be a priority. It was important at the start that wordpress.com was seen to be clean so it could grow, but once deemed big enough, it was stopped. While I know I was using a Super Soaker to put out a burning car, it didn't take long and I found it satisfying.
This time of year I'd be hunting Halloween spam blogs and would start to see Christmas spam blogs too.
I came up with a simple way to eliminate spam in my email, without any third party filtering.
I have my own domain name for email. My email box accepts anything that goes to the domain, i.e., a catch-all email account.
However, I give a different email address to every site and service, e.g., sitea@mydomain.com, site2@mydomain.com.
This lets my email reliably get auto-sorted by who it's from.
But I also use a consistent form to the names I hand out, so that random email that comes to my domain gets deleted instantly and I never see it.
I almost never get spam. But sometimes some service leaks my email somehow and I start getting some. So I change my email with that service (or cancel it) and add that email to a manual list of incoming addresses to block.
It's so dead simple, I feel like all email programs should have the option of working with a whole domain this way.
And even if you do have your own domain (I do), for one-offs these services are still useful, since they're not relatable to you, and motivated spammers can't just guess new addresses for you. For example, y'all can send me an email at 0yiulnql3@mozmail.com, but if I get lots of spam there, I'll disable it and you'll never know what other Firefox Relay masks I have.
That, and the UI for disabling masks is much easier than having to create a new filter.
Similar setup for me: separate addresses for external parties, which BTW, helps phishing recognition too, because e.g. a "note from my bank" to an address I did set up for some shop cannot be real. And those abused addresses can be deleted from /etc/aliases to render them void.
Besides that my postfix server is configured to reject connections, where the sending site does not have a reverse DNS mapping. Worked twenty years ago, is still useful today when I check my logs.
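The reverse-DNS rejection the comment describes, written out as a Postfix `main.cf` fragment. This is an added example, not the commenter's actual configuration; the directive names are Postfix's own, the ordering and the staged rollout are my assumptions.

```ini
# /etc/postfix/main.cf fragment (added example, not the commenter's config)
# Reject SMTP clients whose IP address has no PTR (reverse DNS) record.
# Trusted networks and authenticated users are permitted first so that
# your own senders are never caught by the check.
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_reverse_client_hostname

# Staged rollout: prefix the restriction with warn_if_reject to log what
# WOULD have been rejected without actually refusing the connection, then
# review the "reject_warning" lines in the mail log before enforcing:
#    warn_if_reject reject_unknown_reverse_client_hostname

# Stricter alternative: reject_unknown_client_hostname additionally requires
# the PTR name to resolve back to the connecting IP (forward-confirmed rDNS).
# It catches more, but also rejects more badly-configured legitimate senders.
```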
I have a similar system. My domain is catch-all, but I give everyone a unique email address with a bit at the end of the alias to indicate what my email rules should do.
For example, if I get an email at anything_s@mydomain.com, that will go directly to spam. I use this for everything from Google to every small website I sign up on. They usually only spam anyways. And I check my spam every now and then for if there's anything important - there has never been.
I consider whatever most normal businesses send me spam as well, as I don't care for most of it. Uber Eats, for example, sends a number of emails per each order. That is just spam in my eyes. If I'll use a service I care about, I'll give it an email with a different alias suffix that will never go to spam. But I almost never do.
This has kept out the phishing spam when websites leak my email address just as well as the regular "important information about a minor interaction you did with us" spam that comes from most websites.
I have a similar system. But I "register" the addresses in a .txt file first. (sitename-random-number@mydomain) A catch-all will flag every mail sent to you as successfully delivered on the spammer's side. So the spammer will send again and again, wasting your resources.
I've been doing the same for some years now, except auto deleting anything.
What I noticed is that the only spam I get goes to my mail address that's published on my blog and my GitHub address. So it seems that nobody sold my address to spammers, they only scraped publicly available addresses.
> So it seems that nobody sold my address to spammers, they only scraped Publicly available addresses.
I've been doing it for many years and have already gone through quite a few leaked addresses (at least a dozen or two, out of many hundreds). Even a small hotel, not part of any hotel chain, in Portugal in the middle of nowhere has leaked my address.
That said, I believe almost all of those leaks were due to websites or databases having been hacked, not due to them actually selling my email addresses.
When they sell my data (which has also happened before) I tend to get spam from actual businesses, often related ones. When the email gets leaked, I tend to get huge amounts of generic spam/scams (e.g. "your device was hacked!!"). You also tend to find the latter addresses on haveibeenpwned.com.
I did this but nerd-sniped myself. I hand out addresses like {name}-{hmac}@me.example. These addresses then bypass the spam filter and if they start spamming me I block them.
The problem is that I still need a general address for my website, resume, HN profile, Git author info... So I still accept mail to a handful of publicly available addresses. However it does let me play with the spam rules a bit more. Signed: auto-accept, known address: moderate spam filter, unknown address: heavy spam filter.
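The `{name}-{hmac}@domain` scheme and the three filter tiers from the two paragraphs above, as an added example (not the commenter's code). The secret, domain, tag length, the set of published addresses and the tier names are all constructed for the example.

```python
import hmac
import hashlib
import re

# Constructed example values; the real secret belongs in the mail server's config.
SECRET = b"demo-only-secret-rotate-me"
DOMAIN = "me.example"
TAG_LEN = 12  # hex characters of the truncated HMAC-SHA256 kept in the address

# Addresses that are published anyway (website, resume, Git author info).
# Constructed for this example.
KNOWN_PUBLIC = {"hello", "git"}

# Filter tier per address class, as the comment above describes it.
POLICY = {
    "signed": "auto-accept",
    "known": "moderate spam filter",
    "unknown": "heavy spam filter",
    "foreign": "reject (not our domain)",
}


def _tag(name: str) -> str:
    return hmac.new(SECRET, name.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def issue_address(name: str) -> str:
    """Mint a per-service address of the form {name}-{hmac}@DOMAIN.

    Names are restricted to [a-z0-9.] so the '-' before the tag is unambiguous.
    Because the tag is keyed, learning one leaked address does not let a
    spammer forge a valid address for another name.
    """
    name = name.lower()
    if not re.fullmatch(r"[a-z0-9.]+", name):
        raise ValueError("name must be lowercase letters, digits or dots")
    return f"{name}-{_tag(name)}@{DOMAIN}"


def classify_recipient(address: str) -> str:
    """Return 'signed', 'known', 'unknown' or 'foreign' for a recipient address."""
    local, _, domain = address.lower().rpartition("@")
    if domain != DOMAIN:
        return "foreign"
    name, sep, tag = local.rpartition("-")
    if sep and re.fullmatch(r"[a-z0-9.]+", name) and len(tag) == TAG_LEN:
        # Constant-time compare so a probing sender learns nothing from timing.
        if hmac.compare_digest(_tag(name), tag):
            return "signed"
    if local in KNOWN_PUBLIC:
        return "known"
    return "unknown"


def spam_policy(address: str) -> str:
    """Map a recipient address to the filter tier it should be routed through."""
    return POLICY[classify_recipient(address)]
```

Blocking a leaked address is then a matter of adding it to a deny list checked before `classify_recipient`; everything else minted for other services keeps verifying.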
You can do something similar with Gmail - if your email is matt@gmail.com you can receive to Matt+1@gmail.com, matt+2 etc.
Although some websites reject this format.
Gmail does not see "." as contributing to uniqueness of the addressee name. So for instance a missing "." expected in "matt.smith@" is a reliable flag for rejection.
Spam teams at social networks typically shadow-ban spammers. The goal of this is to make it as difficult as possible for the spammer to determine that they've been caught (which is why I think the frustration techniques, or simply account suspension aren't widely used).
The field of spam-prevention is fascinating because it's essentially an arms race between companies deploying tactics to detect spam and sophisticated spammers using increasingly complex methods to avoid detection.
So there's an advantage gained by companies if spammers believe they don't need to evolve their methods.
The problem is real humans getting snared. My TikTok account is shadowbanned (anything I post now gets zero views, and my LIVE gets zero viewers).
And my Instagram account got permabanned because they said I was impersonating myself. This was worse because I lost the entire account. They even had me send a selfie of myself and the instant I submitted the image was when they did the permaban lol.
There is a clip from The Grand Tour where James May explains what happened when he tried to create an Instagram account: He signed up, discovered that there was already an account on there impersonating him, reported the impersonator, and so Instagram took the report and shut down his real account instead.
The harsh truth is that the occasional false positive doesn't affect their bottom line even slightly. Unless a false positive is some social engineering genius that can stir up a shitstorm of bad PR, they can be silently ignored forever.
You're the sacrifice that they're willing to make to build their social media, and if you don't think it's fair... no one cares.
Even if this somehow offends people, those people will never notice that it actually happened.
Probably, this means that sane people should want the government to regulate at least those services considered essential to life to require appeals systems. Not TikTok, but I've heard of people losing access to Amazon forever. There are people for whom Amazon is essential, there are no local alternatives. And if the people wrongly permabanned from it ever overlap with those who can hardly live without it, then we have a big problem.
Depending on the context, account suspensions can be weaponized. By making someone you don't like /look/ like they are doing something dodgy, you can get them banned.
Like fail2ban. Nothing quite like the anxiety of almost locking yourself out of your own system because you mistyped a password one too many times. It's a delicate balance (although, for something like SSH, I wouldn't even bother, unless the traffic is measurable enough to cause issues. But then you're getting (D)DoS'd, and you probably have bigger problems).
Modern spam tools I've encountered accept a second account list to be used for verification purposes for this reason. They can automatically purge shadowbanned accounts by spot checking comments for visibility.
I wondered about that - it seems like an actual spammer would have an easy time checking from other accounts, so it adds at most a minor amount of extra work, while real users who are incorrectly flagged never even think to check.
Akismet has no working appeal mechanism. What seems like 1000 years ago I got banned by it for posting comments on my own blog. (haha!) If I comment any place using it my comments are silently filtered out.
I got banned by Disqus too! For posting many useful links in comments on blogs by people I know. They resolved the issue in 2 days and were wonderfully polite about it.
Akismet should at least clear WordPress users banned countless years ago and WP should replace it with something less, well... insane.
I don't mind not being able to reply on my own WP blog. It is fairly amusing actually. I'll just use some other blog engine. It's easy for me.
But it seems bad for WP to refer to their users as, uhh, "let's kill some spam"??? I'm not impressed.
I'm an Akismet developer; the best thing to do would be to email us at support@akismet.com with your info and we can look into why your comments are getting caught.
What I usually do for situations like this is give up on the site altogether. It takes me one click to add a domain to my uBlock list and search Google for the title. No appeals process will ever be that easy or reliable.
I'm missing the part on how OP determines valid users for the frustration loop.
> Enter Akismet... Blocking spam on signup worked somewhat, but was easily circumventable
> some spammers found ways to parade as legitimate blogs... which I would have to manually sniff out and flag.
> This lead me to an idea: The Frustration Loop... When spam is detected... Waste their time and make them give up.
> "Now hold up there Herman! Won't this be triggered by valid users?"... it's been running in production for the past 3 months and I've only had one user report this as an issue.
imo that would be the most interesting part of the article. It's cool that the action that's being taken is to frustrate the spammer, but I wish there was more info on separating spammers from real users, figuring out false positives and false negatives and the like. I understand that giving details on detection is probably not a good idea and that the article is about The Frustration Loop, though.
They pay for Akismet and run the users signup info through it. You can see the kind of data they send to them in the GIF on the post. If Akismet says yes, this is spam, then engage the frustration loop. I thought it was clever.
Yep, but OP also mentioned spammers that get through signup without being flagged and having to go and manually flag them.
My thoughts on the loop overall are:
- maybe users are false flagged but not complaining because the "bugs" are rare enough
- spammers with automation may brute force through the "bugs"
- handles manual spammers well because they will encounter the "bugs" more often and just leave; or they'll report it as an issue that you may have to look into.
To draw a comparison with my own experiences, I have to jump through hoops when I visit sites with bot detection or other related security measures. I am the normal user being flagged as a spammer being frustration looped in this case.
My guess? Akismet is metered, and he submits only the first few posts to lower costs. Once you have some reputation, you can post anything.
So spammers noticed being blocked on account 1, created account 2 with legitimate content, and then started spamming.
New process is detecting spammers on first post but instead of immediately sending them away (or throwing their content into the void), go to some length to pretend the website is irreparably broken in subtle ways.
The point is to waste their time before they realise they've been flagged, and have them give up.
> Enter Akismet. This is a spam detection tool by the Wordpress people and is pretty accurate and easy to use.
> Blocking spam on signup worked somewhat, but was easily circumventable by spammers who are well versed in dealing with these kinds of barriers.
But now that I look at Akismet's description, it sounds like Akismet does a lot more than block on signup. Perhaps they use it after signups but apply the frustration loop instead of blocks because it's less accurate there.
In the gif, the user already has a login and is attempting to make a post. I imagine either the user gets flagged as a spammer or each individual post might.
The best spam protection I ever had, was a bunch of hidden text input fields on my mail contact form, with names like “blindcopy”, “bcc”, “cc”, “additional address”, etc.
They all had default values.
If the submitting handler detected any values in these fields that were different from the default, the submission was rejected.
I don’t think I ever got a single bogus email from that form.
Spam scripts are much less smart than that. I added a hidden field with no text in it to a contact form, and a polite warning as the hint text for accessibility. If anything was filled into that field the submission was silently dropped. I was cc-ed on any entries, and I believe there were 0 spam emails in the 8 years or so that the form was up.
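Both honeypot variants from the two comments above (bait fields with a default value that must not change, and an empty field that must stay empty) in one form handler. This is an added example, not either commenter's code; the field names, default values and the "missing field counts as tripped" rule are assumptions made for the example.

```python
import html

# Honeypot fields: name -> value a real browser submits untouched.
# Address-like names (as in the first comment above) bait scripts that try to
# inject extra recipients; the empty "website" field (as in the second comment)
# baits generic form fillers. Names and defaults are constructed for this example.
HONEYPOTS = {
    "bcc": "",
    "cc": "",
    "additional_address": "nobody@forms.example",
    "website": "",
}


def render_honeypot_fields() -> str:
    """Emit the bait inputs as ordinary text fields moved off-screen with CSS.

    type="hidden" is avoided because many scripts skip hidden inputs; aria-hidden,
    tabindex=-1 and a polite label keep assistive tech and keyboard users out of
    them, and autocomplete="off" discourages browser autofill from touching them.
    """
    parts = []
    for name, default in HONEYPOTS.items():
        parts.append(
            '<div style="position:absolute;left:-9999px" aria-hidden="true">'
            f'<label for="hp-{name}">Leave this field unchanged</label>'
            f'<input type="text" id="hp-{name}" name="{name}" '
            f'value="{html.escape(default)}" tabindex="-1" autocomplete="off">'
            "</div>"
        )
    return "\n".join(parts)


def honeypot_tripped(form: dict) -> bool:
    """True when any bait field was altered (or filled in where it should be empty).

    A missing bait field also counts as tripped (a choice made for this example):
    a client that posts only the fields it cares about never rendered the real form.
    """
    for name, default in HONEYPOTS.items():
        if name not in form or form[name].strip() != default:
            return True
    return False


def handle_submission(form: dict) -> tuple:
    """Return (accepted, http_status, body).

    Tripped submissions are dropped silently with exactly the same response as a
    success, so the submitter gets no signal that its message was discarded.
    """
    accepted = not honeypot_tripped(form)
    return accepted, 200, "Thanks, your message has been sent."
```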
I've heard this concept described as a "honeypot field" before and it works pretty well as you've said. I'm curious how password managers/autofill avoid tripping up though; are they able to detect that the field is not visible?
Do you sample the content put into 'frustration' users and see if it's actually legit? Do you have a false positive / false negative rate? Have you seen your total legit signup count go down or up?
You're not the only one to do this; many pages do it whenever you use a VPN. They fail in silent and annoying ways, not displaying any errors or otherwise. Turn off the VPN and everything magically starts working. Etsy for a long time would return blank pages if you were on VPNs. Extremely irritating.
[1] http://mikeindustries.com/blog/
[2] https://en.wikipedia.org/wiki/Newsvine
- Fastmail masked emails (https://app.fastmail.com)
- Firefox Relay (https://relay.firefox.com/)
- SimpleLogin (https://simplelogin.io/)
There's many more.
It's better than Gmail in filtering Spam.
So they could compare it with what, the content posted?
afaik its main feature is an API to detect whether a given comment is spam: https://akismet.com/developers/comment-check/
That's the thing. It feels like no one wants to solve the problem; it will only hurt metrics and profits, I've already figured at this point /shrug
There are hidden input fields on the login page..