But if you concluded sincerely that, due to this persons obvious ignorance of Internet ethics that thier web server must also be badly tuned, it would be an act of charity to carry out careful and scientific stress testing. Once that was completed, it would be perfectly appropriate to communicate the results by email, phone or both, as often as necessary to make sure the message gets through.

All in a spirit of helpfulness, of course.

(He walks off muttering, "I'll go to confesssion . . . afterwards . . .")

1. The perpetrator is immured face-upward at the threshhold of the demons' break-room, so that every time one of the staff goes for a Twinkie and a double latte with cheap bourbon, he steps thereupon.

2. The perpetrator is placed at the bottom of a slope down which tumble an unending sheet of [insert nasty object, and be creative]. For defense he is given a very small fireplace shovel and a whiskbroom.

3. The perpetrator is constantly subjected to a constant flow of -- oh, come now, you can be meaner than that -- which can be paused for a few seconds by locating a particular line in a large message base and entering it (manually -- cutting and pasting are two circles upstairs). Naturally, there is, shall we say, other traffic on the system.

I know, not very imaginative, but this is only my part-time job.

For example...http://weblog.burningbird.net/fires/000638.htm.

(I've seen other methods too. There are a variety of ways to fool the bots.)

As far as I can tell, methods like this should work far better than the blacklists until the bots get considerably more sophisticated.

I haven't tried it on my blog yet, but then the need on my end has not been nearly so dire.

I've been advocating a visual authentication feature for comments, like the one used by PayPal for example. What do others think of this idea?

On a technical note, and this is not to temp anyone, what they are doing is similar to someone in the Windows world installing wGet ( http://www.gnu.org/software/wget/wget.html ) ... or even the GNU Utilities for Win32 ( http://unxutils.sourceforge.net/ ) which includes wGet ... then writing a simple MS-DOS/Batch routine that would run something like ...

top:
wget -r -nd --cache=on/off --cookies=off --proxy=on/off --delete-after --user-agent=SPAMNOMORE http://
goto top

And then everyone running multiple instances of this on the same day at the same time. Which has the sum effect of being a distributed denial of service attack ... something that is illegal, which is why I am tempted, but would never do this.

I think we're fighting a rear-guard action. I think we're going to lose.

It's been nice seeing you all.

... and I also noticed a coupla syntax errors in my example:

wget -r -nd --cache=off --cookies=off --proxy=off --delete-after --user-agent=BYTEME http://<SPAMURL>

As for me ... I'm resisting this tempation, and am instead implementing a solution based upon that suggested in an earlier comment at ... http://weblog.burningbird.net/fires/000638.htm

I'm adding a few tags and hacked my .../mt/lib/MT/Apps/comments.pm to keep a simple list of domains posting ... more than "x" amount in "n" minutes will block the post ... and I'm debating the automagic update of my .htaccess file.

All stuff I'll probably toss in favor of Jay Allen's eventual approach.

Though expect me to post an article on my own blog next week on the simple use of regular expressions to block blog posts that include 'certain words and key phrases.'

I think it's possible that a sufficiently-sophisticated bot could succeed in working almost any anonymous locking scheme we can come up with. But I think we can make 'sufficiently-sophisticated' a very high, almost-AI bar without too much difficulty. (Consider a comment form that requires the answer to a trivia question: "What is the title of Teresa's essay collection?" This could easily be different for every blog. It doesn't have to change per page load -- it only has to be different for different blogs.) And we can write better admin tools that allows one-click mass-delete-and-ban actions easily enough, too. The question then become one of motivation: how much is it really worth to a spammer to abuse MT comments? There are other ways to bomb google.

If it's still really worth it, we shift to comment systems that strip out any URLs and/or label the content "this is an anonymous comment" so google can ignore it. Or we go to non-anonymous comments.

Make that, "What is the title of Teresa's essay collection? The answer is on the main page."

Nice start. Remind me to be a much better boy if you get hired to create punishments full time . . .

James:

Don't give up yet. This kind of behavior largely killed off the USENET culture, which seems to have moved in part to blogs. But it did not kill of maillists, and has not killed email, though a lot of damage is being caused. The culture that built USENET (and I remember it well) did not choose to build safeguards into the technology for a variety of reasons -- most of them very good reasons. Safeguards that reduce the profitability of such activities are quite possible, if there is the will to create them, and the proper parties are willing to do something this time.

The Balkanization of the Net will continue.

Before long friendly strangers will no longer be welcome at our campfires.

It never was. When the net was young, it wasn't an ungoverned anarchist paradise. It was ruled by oligarchs.

The rule was simple. Screw around, get caught, get banned. It worked when the net was young, because all the oligarchs -- the sysadmins and site admins -- knew each other. You pulled something like this on my site, I called your sysadmin, and you were off the net before I finshed the call.

It was that simple. It was the commericalization of the net -- and the consequent dilution of the near autocratic authority that the BOFHs had, that led to this. It worked when there were a hundred or so sysadmins, now that there are millions, it doesn't. The net eventually became an open commons -- and just like every other commons, it was trashed.

The early net seemed anarchistic -- but there were very clearly defined rules, and the punishment was swift and sure. Now, there may be rules, but there's no punishment for violating them.

And the litter only gets deeper, and the waters more dank. It will get worse. I doubt it'll get better afterwards.

It amuses me to imagine that they're given dim vision but acute hearing, and are isolated and tormented by a constant cacophony of meaningless noise poured into their ears.

On the other hand, there's Mike Ford's idea of having them immured face-up on the threshold of the demons' break room, so that all the back-and-forth traffic treads on their faces. I like that one.

Michael Heraghty, I like visual authentication, but aside from the focal-length problems of middle age, I have very good vision. I don't know how burdensome it is for people who don't have good vision. I know it's going to nail people who use text-based browsers.

Any authentication system's going to be hard on someone.

Wink, thanks for the suggestion. I've posted it up front.

Mean Dean, please don't apologize. This has been a spell of bad weather for everyone, especially for all the webloggers who aren't technically sophisticated, and patches, fixes, and suggestions are much appreciated.

Jim, I know we're fighting a rearguard action, but we're not dead yet, and they haven't won yet. This weekend has raised my appreciation of people like you, Erik, Jade, and all the other Rangers who help maintain the peaceful life of the Shire.

And I have to disagree with your perception that "Before long friendly strangers will no longer be welcome at our campfires." I have no trouble with friendly strangers. I know them by ear before I know them by name. It's not that they'll be unwelcome; it's that they'll be unable to get past the barriers we erect to keep out malfeasants.

Colin, there are people out there who feel a strong commitment to maintaining anonymous comments, as a mechanism for letting things get said without fear of retribution. They're a bit more idealistic about that than I am. I don't see microweenie freepers having any trouble getting themselves Hotmail or Yahoo nonce-accounts when they want to misbehave anonymously.

Mac Thomason, this morning I didn't have any new Lolita or Preteen or Underage spams. Neither did Patrick. Looks like our IP banning held this time. What address did they use to hit you with the Underage spams?

Jim: Original sin. Spam and viruses. Check.

Some years back I got to hear a Tappan King theory about how human fallibility (or whatever phrase he used in place of "original sin") can be seen whenever someone in an office brings in their own carton of milk for their coffee, and leaves it in the fridge. The milk goes away. People who might feel guilty about taking the whole carton of milk don't feel nearly as guilty about taking some of the milk for their coffee.

Erik, I wasn't on usenet back in the really strict days, but when I did get on there were still some remnants of the old order, and it was easy to infer how the earlier system had worked.

I doubt Jim ever thought it was an ungoverned open common. He may not be a BOFH, but he's been a sysop for a long time, and has seen this and that bit of the world.

I am as you know me, and I'd never believe in an ungoverned open common. If everyone on the planet miraculously decided to never again use force against their fellow beings, we'd all have a lovely week. The real trouble would start on the following Monday, when surveyors and a bulldozer showed up in a popular picnic area in your city park, and started building a large private home with walled and gated grounds.

Common sense, nonviolent resistance, and encouraging good community values are all very good things, but as everyday regulatory mechanisms they leave a lot to be desired. What I want are more powerful and discriminating tools for blocking out the bad guys, and faster and easier ways to delete their spam.

This is reminding me of the graffiti discussion. I'll applaud when someone comes in and creates lively, original, appealing art in a formerly dull space -- say, the truly weird series of reviews of a "Family Circle" collection that got posted to Amazon some years back. But these guys that're mindlessly scrawling tags all over everything have got to go.

Ascii art visual authentication. You render an image to ascii art using aalib, with a slight random offset.

When friendly strangers from IP addresses 209.210.176.64-255 come by, they won't be able to post.

This is because we shoot at noises in the dark beyond the campfire on the grounds that the noises could be a dumptruck backing up to slide thirty cubic yards of turds onto us. We do this because the last ninty-nine times it _was_ a dumptruck.

The walls go up, we huddle closer.

I think you're serious about this, and I think you're right.

What REALLY makes me angry about spam in general, and blog-comments spam in particular, is that it's so PETTY.

I mean, I accept I live in a world where genocide and famine exist, where our leaders are corruptible, where we have to lock our doors and women and children can't walk the streets at night safely. I hate it, but I accept it.

But spam is a new low. I mean, can't we even be allowed to set up a web page and post our thoughts to it, and have a few of our friends respond? Does EVERYTHING have to turn to piss?

A year or two ago, I thought it would be neat to distribute my individual weblog entries by e-mail. There wasn't much interest in it, and it was more work than I cared to invest, so I stopped the mailings -- but I kept the list live, and kept the three or four subscribers signed up, in case I thought of some way to make it work. (Yes, three or four subscribers - I told you there wasn't much interest.)

But I couldn't keep the list alive for long; the spammers started sending spam out to this harmless little list, so I eventually just shut it down.

May their testicles be covered with boils.

I'm not sure whether the point I was trying to make got across or not. In case it wasn't clear, I also think anonymous comments are a valuable thing that it would be unfortunate to lose. But if it came to a trade-off, there is big anti-spam artillery available when we start talking about poster authentication. It could go a lot farther than the mere "prove you have a working email address" authentication most commercial sites are satisfied with. The site admin can personally approve registrations, if he or she wants, or systems like LiveJournal can be set up where an existing member would have to vouch for a new one. There are many options -- the point is, we have much much more control over the rules of how and when we accept comment submissions than a mail transport agent has for e-mail.

Though the real solution may be in fact to enlist the aid of Google to take away the comment-spammer's incentive. It would be trivial to add anonymous-comment markers to a blog template, which Google could easily parse and make use of. And hey, if commment-spamming won't change your Google rank, why bother?

"Lolita's" website is down. A dozen noxious toadstools have erupted, I'm sure, in the time it took to type this up--but at least this particular toadstool was ground into an icky paste.

I was thinking about this a few weeks back, idly knocking around story ideas for office meetings in Minos's Hall of Judgment, considering an argument the administrators of the various circles could have over who gets spammers.

I figured they might be grafters (Cirlce 8, Bolgia 5), or thieves for stealing bandwidth (Cir. 8, Bol. 7), or counterfeiters for forging headers (Cir. 8, Bol. 10), or they could wind up among the prodigal in Circle 4.

Does anyone know anyone who works there? I suppose I can volunteer.

After seeing the site before it went down, the verdict was "they look legal to me." I'm waiting to hear where the line between "annoying but legal" and "should be investigated" is for public advertising.

http://www.gungeralv.org/notes/archives/000561.php

If anybody knows anybody at Google, please feel free to pass the letter along and/or let me know, so I can.

That's two hundred out of six billion, many of whom have sufficient knowledge to be spammers and more of whom are broke. It's a very bad thing that we even have two hundred such, but it's not a reflection on people generally.

The Internet is an escaped networking experiment/testbed. TCP/IP was an interesting experiment, those protocols were never designed for "robust" "endurant" "secure" etc. etc. etc. infrastructure communications. And everything built ontop of that structure, inherits the shortcomings of its underpinnings. I worked with networks what -were- designed to provide secure messaging with checking for message validity and error deterction and correction and security built in from the lowest level of the protocol stack. But that's not what spawned the Internet, it's rather like amoeboid scunge, and sometimes it turns into slime molds.... it wasn't designed with any provisions for -commercial- applications or dealing with capitalist greed, fraud, spoofing, and intentional malice.