The solution to comment spam
I think I have the solution for comment spam. You know, those annoying automated "comments" every moderately popular blog receives in bulk which advertise, well, all the usual things spam advertises.
I think most solutions today are severely lacking. Identifying number of links produces both false positives and false negatives, asking users to answer capchas is annoying, problematic for blind people, and sometimes machine readable anyways (and, when not, tends to be non-human readable either).
The solution I'm proposing isn't new, as such. It's just that I have never seen anyone apply it to comment spam, and I think it might work. It is, in a very abstract way, based on Merkel's puzzles. Here it is.
Introduce into every form that is meant for sending a comment to the blog a hidden field with a "seriousness proof number". This number will be different for each post in the blog, and will change once every few days (giving several hours of grace time for the old number to still be active). If a comment is posted with incorrect number, dump it without asking the moderator.
So far, I have not said anything really new. Spammers are already fairly adept at parsing the incoming HTML, identifying the authentication number, and making sure it appears in the spam they send. So far, we see, that this method is not very effective.
So, the next step in making this system more effective is to encrypt the authentication number. We'll send the authentication number AES encrypted, and send a small javascript program that decrypts the number and places it in the form.
Any and all of you who know anything about cryptography will twitch in pain at me calling this "encryption". After all, the thing that defines encryption is the (in)availability of the key, much more than the actual algorithm used. In order for the legitimate user to be able to post comment, the Javascript must provide the key for decryption. The spammers, after a couple of days, will simply teach their parsers to extract the key from the javascript, and use it to send their spams. We see that this twist can be effective for a single blogger protecting his own blog (security by anonymity), but not when implemented in standard platform, such as "blogger" or wordpress.
So we introduce a third modification to our plan. We now supply the authentication token encrypted, but we do not provide the key! Instead, we provide a javascript program that brute-forces the key. Of course, the encrypted text needs to contain a piece of known plain text, so that the program can tell when it successfully decrypted the key. Also, the key length must not be longer than the authentication token length, or it will be easier to brute force the token directly, rather than the key. Still, this method will surely keep the spammer out.
Wait, don't call me insane just yet. I'm not really serious. While it will keep the spammers out (who can afford to brute force 128 bit of key just to send spam?), it will also keep the legitimate commenters out (who can afford to brute force a 128 bit key just to send a comment?). However, we can now turn it into a competition over "who has more available resources in order to post a comment".
What I suggest is that we give each commenter all bits required to decrypt the authentication token BUT, say, 16. Brute forcing 216 isn't beyond the ability of any modern computer, and should not take too long either. However, for a spammer, this ups the cost of each comment sent, and thus reduces the number (and, therefor, economic interest) of spams sent.
Of course, the number "16" can be tweaked as necessary. However, I do believe that a number exists such that legitimate users will not find it onerous to post comments, while spammers will.
A few points to keep in mind:
Now, all that is missing is for someone who has the time to implement to do so....
Shachar
I think most solutions today are severely lacking. Identifying number of links produces both false positives and false negatives, asking users to answer capchas is annoying, problematic for blind people, and sometimes machine readable anyways (and, when not, tends to be non-human readable either).
The solution I'm proposing isn't new, as such. It's just that I have never seen anyone apply it to comment spam, and I think it might work. It is, in a very abstract way, based on Merkel's puzzles. Here it is.
Introduce into every form that is meant for sending a comment to the blog a hidden field with a "seriousness proof number". This number will be different for each post in the blog, and will change once every few days (giving several hours of grace time for the old number to still be active). If a comment is posted with incorrect number, dump it without asking the moderator.
So far, I have not said anything really new. Spammers are already fairly adept at parsing the incoming HTML, identifying the authentication number, and making sure it appears in the spam they send. So far, we see, that this method is not very effective.
So, the next step in making this system more effective is to encrypt the authentication number. We'll send the authentication number AES encrypted, and send a small javascript program that decrypts the number and places it in the form.
Any and all of you who know anything about cryptography will twitch in pain at me calling this "encryption". After all, the thing that defines encryption is the (in)availability of the key, much more than the actual algorithm used. In order for the legitimate user to be able to post comment, the Javascript must provide the key for decryption. The spammers, after a couple of days, will simply teach their parsers to extract the key from the javascript, and use it to send their spams. We see that this twist can be effective for a single blogger protecting his own blog (security by anonymity), but not when implemented in standard platform, such as "blogger" or wordpress.
So we introduce a third modification to our plan. We now supply the authentication token encrypted, but we do not provide the key! Instead, we provide a javascript program that brute-forces the key. Of course, the encrypted text needs to contain a piece of known plain text, so that the program can tell when it successfully decrypted the key. Also, the key length must not be longer than the authentication token length, or it will be easier to brute force the token directly, rather than the key. Still, this method will surely keep the spammer out.
Wait, don't call me insane just yet. I'm not really serious. While it will keep the spammers out (who can afford to brute force 128 bit of key just to send spam?), it will also keep the legitimate commenters out (who can afford to brute force a 128 bit key just to send a comment?). However, we can now turn it into a competition over "who has more available resources in order to post a comment".
What I suggest is that we give each commenter all bits required to decrypt the authentication token BUT, say, 16. Brute forcing 216 isn't beyond the ability of any modern computer, and should not take too long either. However, for a spammer, this ups the cost of each comment sent, and thus reduces the number (and, therefor, economic interest) of spams sent.
Of course, the number "16" can be tweaked as necessary. However, I do believe that a number exists such that legitimate users will not find it onerous to post comments, while spammers will.
A few points to keep in mind:
- This solution does not require user registration in order to comment.
- There is no need for the actual user to do anything. Everything is done, automatically, by the computer.
- In particular, this solution doesn't have any problems with blind terminals and other handicaps.
Now, all that is missing is for someone who has the time to implement to do so....
Shachar
posted by Shachar Shemesh at 4:49 AM
50 Comments:
Interesting Idea. I'll see if I can implement it as a textpattern plugin/hack. Oh, and prepare to be dugg.
too bad this STILL won't keep anyone from using an automated firefox build for spamming.
Therefore, nice try, but forget it.
There's one thing you forget. Bruteforcing with javascript is much slower than bruteforcing with C program.
Schizoduckie,
I think I didn't make my intention clear enough. Assuming this becomes widespread enough, spammers will not bother with executing javascript. They will re-implement this in C, so that things will be faster (read anonymous after you).
Anonymous,
I forget no such thing. A regular user uses a slower language (javascript), but for one comment only. A spammer uses a more efficient C, but for thousands of comments. The difference more than adds up.
Shachar
Your ideas seems great.
Find time to read a post in my blog regarding FS.
http://roadlessthoughts.blogspot.com/
Thanks
RX Pharmacy Online. Order Generic Medication In own Pharmacy. Buy Pills Central.
[url=http://buypillscentral.com/buy-generic-brand-levitra-online.html]Order Best Viagra, Cialis, Levitra, Tamiflu[/url]. prescription generic pills. Cheapest drugs pharmacy
But placid, there are manifestly known companies which be worthy of good words and created an distinguished get Cialis now reputation.
any updates coming ?
Geben Sie wir werden zu diesem Thema reden. viagra kaufen ohne rezept levitra kaufen [url=http//t7-isis.org]cialis generika[/url]
[url=http://sopriventontes.net/][img]http://sopriventontes.net/img-add/euro2.jpg[/img][/url]
[b]Pro 11 Mac StuffIt, [url=http://tonoviergates.net/]shop adobe photoshop cs4[/url]
[url=http://tonoviergates.net/]microsoft software management[/url] sales and service software windows vista business
download nero 9 ultra edition [url=http://tonoviergates.net/]winzip 12 serial number[/url] free adobe photoshop cs3 serial number
[url=http://tonoviergates.net/]free adobe photoshop cs3[/url] office enterprise 2007 win32 english
[url=http://tonoviergates.net/]adobe creative suite 4 design premium upgrade[/url] autocad viewer
Office 2004 Mac [url=http://tonoviergates.net/]coreldraw cd cover template[/url][/b]
implications undervalued buying disclosed luciano indistries calibrib extracts environment hurts charity
lolikneri havaqatsu
eMJjAkCGx Auto Insurance Quotes 08Bf52xve Personal Insurance WmS1NUcj5 Cheap California Auto Insurance bYMvPaNi3Q Health Insurance Companies X2Six6o3lK Insurance Policies w4DbFBetr best health insurance eQJdpKTUiw insurance wiki KwYypOWXi1 cobra insurance
Bravo, seems remarkable idea to me is
You could easily be making money online in the underground world of [URL=http://www.www.blackhatmoneymaker.com]blackhat download[/URL], It's not a big surprise if you haven’t heard of it before. Blackhat marketing uses alternative or little-understood methods to generate an income online.
[url=http://www.officialflo.com/profiles/blogs/headache-back-of-head]Headache back of head[/url]
woman has headache knife in head head on headache treatment headache medicine head on
http://www.officialflo.com/profiles/blogs/headache-back-of-head
[url=http://community.gazzetta.gr/profiles/blogs/consolidate-credit-cards ]unsecured loan to consolidate credit cards [/url]gas cards consolidate credit card debt credit cards to consolidate other debt consolidate higher interest rate credit cards
[url=http://www.officialflo.com/profiles/blogs/consolidate-credit-cards ]credit cards consolidate loan [/url]consolidate your credit cards law consolidate credit cards consolidate credit cards and student loans
[url=http://community.bonniehunt.com/profiles/blogs/consolidate-credit-cards ]consolidate credit cards [/url]non profit consolidate credit cards consolidate credit cards and personal loans consolidate my credit cards debt
buy tramadol buy tramadol india - buy tramadol from canada
clomid nolva | how to order clomid online - buy clomid online without prescription, when do you ovulate on clomid 3 7
Вкусненькое онлайн [url=http://aftertube.net.ua/tags/Pickup/]Pickup[/url] Русское порно про то как [url=http://aftertube.net.ua/tags/%F3%EC%ED%FB%E9/]умный[/url]
Слабонервным не смотреть!
With no weight or size restrictions and customs clearance services we excel to transport logistics services worldwide for global freight management and assured transportation of goods within the specified time limits. Beneficiaries inheriting annuities, which have not begun distribution, can choose a lump sum payment., cheapest on the net. The managers may be canceling and postponing the performance appraisal. vpn service provider for mac
This comes from a variety of factors ranging from the short time that they are used for and the costs that a typical dentist would have to deal with., vpn windows 7 home premium 64 bit. With poor earthing there is little or no powder accumulation around the hanging point of the object being coated. This can be capitalized by organizational management because it motivates members of the team to increase their output. vpn software mac os x. Following a unique color scheme will also help. setting up vpn on window server
The results might take some time to show, though. You help your friend to deal with something beyond your capacity. vpn passthrough nat traversal. Sytropin poses none of these or other side effects, allowing you to use it with ease. Show your users and customers that you are working on the problems and that you are aiming to make the web site even better for them to use., vpn app osx. Or only you can have the satisfaction of knowing you’re the best you can be at that skill. windows vpn manager
Even if you have limited financial resources, you should be able to find a number of exercise equipment pieces that are within your budget. setup a vpn windows 7. Quality facial moisturizer to protect skin from environmental damage to provide nutrients for the skin and prevents dehydration, which slows the aging process. movianvpn com
You will be added in the directory which is beneficial without any doubt. Motor nerves control the muscular actions like walking and talking. mvpnc com. So those are the different strategies and layers of distribution that you can try out for your fundraising calendars. If you want marketing training, join carbon copy pro., vpn ip address password. Make sure that once you have made an agreement with them that you abide by this agreement and pay duly on the terms agreed on. funciona vpn
Ulalas always have a priority to satisfy their customers. vpn pfs
Benefits of call centers can vary from company to company. cnwarez esx server v252 vmware. The online booking form is available on the main page of the website and you need to define the destination city and your source city along with your travel dates. access microsoft msys
One of the support systems involves installing information technology. fedora core 4 dhcp
Now, why would some try to improvise his smile? incorrecto test udp no. Once all these aspects in the woman's life are checked and the cause of the infertility is identified, women infertility treatment can finally begin. linksys file server
Online users posting is another unnoticed means which ties back into the user created content model above. It will help you succeed in the long run., remote control circuit design. No restrictions as to the maximum number of partners365companies is one of that provides you with the features like:1. caribbean private
The impact kaolinite crusher employs selfweigh security device in its back frame. counter strike 1 5 server. There are lots of researches’ conclusions that biking (or cycling) is most suitable for improving health of the population. ati could not load file
The best way to cure your acne is not any type of medication, cream, or any of that stuff, but is a completely natural method. network components wiki. Another excellent approach to build links is to maximize the usefulness of social bookmarking sites. windows file access denied
He is extremely active in researching investment trends and integrating them so they can work for you. video camera remote. This 'handson' high retention approach utilizes streaming audio, video, and interactive activities to stimulate students in ways a simple lecture can't. modem usb ethernet adsl
They work to prevent hair loss in your head and can be used as many times as you want. Do these masquerade ideas sound too dark? load displacment. This helps promote the client’s website identity and presence in relation to that of the competition. The offence must be such as the members of the unlawful assembly knew it to be likely to be committed in prosecution of the common object., server vs sql. The wonderful thing is that you need no watering, pruning or maintenance. high speed ethernet
top [url=http://www.xgambling.org/]free casino games[/url] check the latest [url=http://www.realcazinoz.com/]online casinos[/url] unshackled no deposit hand-out at the best [url=http://www.baywatchcasino.com/]baywatchcasino.com
[/url].
clomid 150 mg success stories | clomid no prescription - clomid price walmart, clomid ovulation
clomid and hcg | [url=http://ordergenericclomid.webs.com/#75845]clomid prescription[/url] - buy clomid online no prescription usa, hioi how effective is clomid for pregnancy
Usually, the best time to expect free time on Xbox Live is when there is a gaming
event taking place (such as the launching of a new game).
This isn't anything new to the "Silver" accounts, though. This method is a one time registration to our General Gaming Forum.
Here is my webpage free microsoft points
my website :: free xbox live
HGH supplements have been shown
to help increase ones metabolism, therefore decreasing one.
When we are free from pressure and anxiety, our blood pressure normalizes, thus reducing
common health problems related to stress. If
enough people recommend the product you can be fairly sure that
it is worthwhile and safe to use.
[url=http://www.formspring.me/HeikkiBarry]buy claritine online[/url] [url=http://www.formspring.me/SuomalTyler]buy telfast 180 mg in uk[/url] [url=http://www.formspring.me/PontusRojas]buy clarinase singapore[/url] [url=http://www.formspring.me/TiihonenBallard]buy cetirizine hydrochloride uk[/url] [url=http://www.formspring.me/TimonenDoyle]buy tavegil[/url] [url=http://www.formspring.me/VeliHarrell]can you buy zyrtec in canada[/url] [url=http://www.formspring.me/TenoiWoodward]purchase anafranil online[/url] [url=http://www.formspring.me/ViiniRasmussen]order amitriptyline online no prescription[/url] [url=http://www.formspring.me/ViljakainDavid]can i buy prozac in thailand[/url] [url=http://www.formspring.me/SulanderMercer]buy zoloft generic[/url]
vusyaltesty xaikalitag TheovaTah [url=http://uillumaror.com]iziananatt[/url] Cigneebug http://gusannghor.com Melioppoltase
Take a look at my webpage ... web page
Some offers by hotels include packages that are a combination of admission tickets to the park as well as hotel accommodations and perhaps breakfast
Visit my weblog - visit website
Twitter, in this way lets you to brand your product and service, design amazing business offers and also work on the comments that posted on
it with regard to your business and service. But, at the same time, there are drawbacks as well.
You can normally obtain a 125 X 125, a 728 X 90, or 300 X 250 spot from $20 +.
my web page ... purchase facebook likes
This paste will be applied directly to the skin tag 3 times
a day until the skin tag falls off. Once your mole is dry,
cut a piece of duct tape three times the size of the mole.
Those with sensitive skin should not use it as it can irritate.
Also visit my website ... How to get rid of skin tags
This site truly has all the info I wanted concerning this subject and didn't know who to ask.
Also visit my page ... Biotechnology News
An impressive share! I have just forwarded this onto a colleague who has been conducting a
little research on this. And he actually bought me dinner simply because I found
it for him... lol. So let me reword this.
... Thanks for the meal!! But yeah, thanks for spending some time to discuss this subject
here on your web site.
Also visit my website :: latest celebrity news and pictures
New China daily: Who forces " Zhang Jike people " take part in the match
14 days of countrywide ping-pong tounament that ring down the curtain in Home Zhang harbor attracted many eyeball, the CCTV also undertakes direct seeding 5 sets, because the Zhang Jike, Wang Hao, Ma Long, well-known player such as Marlene attends,this basically is. Giving what the person expects is, enter male single, female odd final do not have main force of group of a nation unexpectedly.
Have reporter gouge therein cause: Although expensive for countrywide tounament, but to big shop sign, without pressure, also do not have index, more do not concern national group qualification, so " Zhang Jike people " value level very low; Conversely, to young general people will tell a meaning to differ, match opportunity this not much, on behalf of home Gao Shuiping's match is hit well only, just enter likely 8 strong, can enter national group covey directly thereby, because of this young general people go all out particularly fiercely.
Consider sth as it stands also not strange, be worth us thoughtful is, since star of big shop sign was not,get the better of cannot competitive desire and passion, be who is forcing " Zhang Jike people " risking the body gets hurt and " fame " does the risk of damage attend this kind of match chickening ribs?
Be national group coach forces famous generals to appear? They know the motion curve of the ping-pong most, know to force " Zhang Jike people " it is harmful and profitless to play domestic game, and the arrangement that they also have no right to interfere local team game; Does the trainer of each place set out from local interest? Also unlike, because this result is right group of each province city is not quite main, otherwise skill of meeting exert whole body comes to the trainer of local team the enthusiasm that arouses famous generals; Is that " Zhang Jike people " is him awareness very tall? Not be for certain, otherwise, they won't quit the race ahead of schedule with a variety of reason.
Be what creates afore-mentioned results after all? Probably the reason is not a kind, national group trainer is met with " match of first whole nation after the Olympic Games, if you do not attend,can let the outside produce misunderstanding " for ask they note an effect; Local team also is met with " the education that Olympic Games champion did not forget local team " for hope they take part in the match; Sponsor Fang Gengxi to hope big shop sign can help booking office and viewing rate. In a few invisible hands drive below, "Zhang Jike people " must attend, but carry really do not have interest, "Have on there is the way to deal with a situation below policy " , "Zhang Jike people " find out all sorts of reason to hit a your home ahead of [url=http://www.palmexpo.in/jordansforsale.aspx]jordans shoes for sale[/url] schedule only.
Olympic Games champion is in the awkward current situation on countrywide tounament, whether to also remind concerned branch, when setting the competition, whether more scientific and a bit more effective?
Related news
Hі i am kavіn, its my first tіme to сommentіng anyωheгe, ωhen i гeаd this post і thοught
i сould also create comment ԁue to thіs ѕеnѕible рiece of wгiting.
Here іs my wеb page; Lloyd Irvin
Look into my web page; webpage
Marνelous, what а web site іt іs!
This web ѕіte provides useful facts tο us,
keep іt up.
Αlѕo vіsіt my homepage
reputation management
Post a Comment
<< Home