
jQuery Dev Bemoans Overwhelming Spam On Google Groups 251

angryrice tips a blog post by John Resig, lead developer for jQuery, about the failure of Google Groups to manage spam, declaring attempts to use it as a public discussion system "completely futile." Quoting: "The final straw was placed upon my patience with the Google Groups system a few weeks ago. Spammers are now spoofing the email addresses of existing group participants to sneak their messages through. Previously you would've seen a delightful 'FREE MOVIE DOWNLOADS' spam from 'freemovies123@gmail.com' — but now you'll see it coming from existing group users — or even the group moderators themselves. This cheat completely bypasses the moderation system since the spammers are pretending to be pre-moderated users. The Google Groups system is completely fooled. The spam message comes in claiming to be from an existing group participant — and according to the Google Groups interface there is no difference. If you click the user's name you'll be taken to a full listing of that user's posts (with the spam messages delightfully interspersed)."
  • by Anonymous Coward on Wednesday October 28, 2009 @10:58AM (#29897503)
    You get what you pay for.
  • Do more about spam (Score:1, Insightful)

    by Anonymous Coward on Wednesday October 28, 2009 @11:04AM (#29897579)

    The spammers' behavior is really destructive in many ways; this is just one of them. It really should be seen as sabotage against infrastructure, and a bigger effort should be made to follow the trail of money and take down those people who make the money.

  • by fsterman ( 519061 ) on Wednesday October 28, 2009 @11:11AM (#29897685) Homepage
    Why the hell haven't they put the same spam filters that they use for Gmail on the discussion lists?
  • by Horn ( 517263 ) on Wednesday October 28, 2009 @11:11AM (#29897689)
    Time to move away from the antiquated system of mailing lists. Web based forums are much easier to control and a far, far better way of sharing information with users. I hate coming across an otherwise useful site and then having to go to a mailing list to see what other users are talking about.
  • by Anonymous Coward on Wednesday October 28, 2009 @11:11AM (#29897691)

    Ummm, Google Groups [wikipedia.org] is an archive and Web interface for Usenet. [wikipedia.org] Email is irrelevant.

  • by scorp1us ( 235526 ) on Wednesday October 28, 2009 @11:12AM (#29897707) Journal

    Google has some of the weakest around. And what's more is because Google uses domain keys it is a desired domain because that stuff gets through the spam filters better.

    I wish Google had an automated honey pot system where you could drop a google address, and any google account would instantly get shut off for sending mail to it. The idea is you plant the email address in a place where automated spambots will harvest it and poof! no more spammer.

    Of course it could be used for abuse and if passed off as a legit account, so there needs to be some registration and tying of spam honey pot accounts to their owners for accountability.

  • Google Beta (Score:5, Insightful)

    by slack_justyb ( 862874 ) on Wednesday October 28, 2009 @11:20AM (#29897833)
    I see a lot of Google's products needing the oh so familiar Beta label again.
    Seriously, Google's offering is not without its serious drawbacks, and I suspect that the good stuff is to be had from actual paid services. However, this kind of letting crap slip where people can spoof the name of a valid member is a serious Alpha quality flaw. What's the point of identifying anyone, if everyone can pretend to be everyone else? I mean that is the actual concept of identity, to uniquely label something as different as other things.
    I think Google is trying to take on more than it can handle and it is beginning to really show now that they've removed the excuse of "Beta".
  • by Straker Skunk ( 16970 ) on Wednesday October 28, 2009 @11:21AM (#29897841)

    PGP/GPG is overkill. Just drop messages that fail an SPF check. Spoofing is part of the problem here, and SPF was tailor-made to address spoofing.

    If you do use PGP/GPG, you don't need an extra header for the signature; it's usually added as a small attachment, and better mail clients already pick up on that for verification.

  • by John Hasler ( 414242 ) on Wednesday October 28, 2009 @11:23AM (#29897879) Homepage

    > Time to move away from the antiquated system of mailing lists. Web based
    > forums are much easier to control and a far, far better way of sharing
    > information with users.

    No local control over filtering and sorting, forced to use your weird UI and editor instead of my own? "Forums" suck. And "easier to control" is not a feature.

  • by doconnor ( 134648 ) on Wednesday October 28, 2009 @11:25AM (#29897903) Homepage

    This is an issue that really bugged me. The move to web based forums from Usenet and mailing lists was a giant step backwards in functionality.

    Advantages of Usenet and mailing lists over web based forums:

    The user can control the interface
    killfiles
    threading
    discussion on issues were centralized in one place rather than across multiple web forums
    better searching
    better archiving
    less bandwidth

    More advanced web forums, like Slashdot, do a better job of supporting these features, but most people still use very primitive forums.

  • by jonbryce ( 703250 ) on Wednesday October 28, 2009 @11:30AM (#29897995) Homepage

    The problem is that the trail of money ends at a Western Union or Moneygram branch.

  • by grumbel ( 592662 ) <grumbel+slashdot@gmail.com> on Wednesday October 28, 2009 @11:46AM (#29898215) Homepage

    > It won't help at all in this case. For instance, nothing stops a spammer from signing up for a GMail account that generates such a header, and sending out spam that your spam filter happily allows through.

    That's trivial to solve, just hold any message whose key is younger than a few days or which isn't trusted enough for moderation.

    > And it would be trivial for a spammer to spoof a legitimate user's signature.

    Unless they hack into a user's account it will be pretty much impossible to fake a signature.

    > The only way that'll happen is if people stop buying products advertised that way.

    Good luck with that. Sending spam is virtually free and making a free thing unprofitable ain't gonna work.

    The only way to solve the spam problem is to add accountability into the system and PGP signatures would be one way to do it.

  • Re:Time to DIY (Score:3, Insightful)

    by Rude Turnip ( 49495 ) <valuation.gmail@com> on Wednesday October 28, 2009 @11:58AM (#29898385)

    1. Spam is theft of service.
    2. Spam is theft of service.
    3. The spam in Google Groups absolutely ruins many groups because the boards are inundated with spam to the point that a real message is like a needle in a haystack. The stock discussion boards have gone to hell in the last few months.

  • by Sloppy ( 14984 ) on Wednesday October 28, 2009 @12:02PM (#29898439) Homepage Journal

    > For instance, nothing stops a spammer from signing up for a GMail account that generates such a header, and sending out spam that your spam filter happily allows through.

    That's why, while authentication is an excellent thing to do, it's only half of a solution. The other half is to have reputations tied to identities. Sign your spam, get known as a spammer, and now people know to ignore your messages just like they ignore unsigned messages.

  • Re:Time to DIY (Score:2, Insightful)

    by kaizendojo ( 956951 ) on Wednesday October 28, 2009 @12:16PM (#29898613)

    1. How can you steal a service that's provided to you for free?

    2. How can you steal a service that's provided to you for free?

    3. As many of these groups are simple mirrors from Usenet, how do you propose Google control servers that they have no control over?

  • by Anonymous Coward on Wednesday October 28, 2009 @12:19PM (#29898647)

    There's a much simpler solution: start sending out "Free Penis Pills" ads, and mail everyone that buys them rat poison. Hopefully, after a couple hundred people die from being spam-buying fucktards, the rest will get the idea.

    Alternatively, find the spammers (they have to have real addresses to sell stuff, right?) and shoot them in the face. This is WAY past the point of, "let's fine them" or "let's send them to prison". Time to put those expensive drones we've bought to a better use...

  • by Richard Steiner ( 1585 ) <rsteiner@visi.com> on Wednesday October 28, 2009 @12:24PM (#29898711) Homepage Journal

    USENET has always been far more than a "mailing list", and I could do things to control/filter/sort messages to my liking with Yarn and slrn that I can't even touch with the web-based forum software I've seen (and I've seen a lot of it).

    I really wish web-based forum software would catch up. Even USENET in the early 90's far surpassed it in many respects. Most web forums are nice for posting pictures, but horrible in terms of threading and controlling what actually shows up in your reading list.

  • At the very least it should hide the messages from me that I mark as spam. But no, it doesn't even remember which messages I've marked as spam from login to login. They've just dropped the ball for some reason.

    The reason, at least to me, seems abundantly clear: Google has the attention span of a three year old. They fixate heavily on something for a while... then their attention drifts and they are off to the next shiny thing. They've got a lot of products, but no clear vision or effective management.

  • by MillionthMonkey ( 240664 ) on Wednesday October 28, 2009 @12:50PM (#29899085)
    Your post advocates a ( ) technical ( ) legislative ( ) market-based (x) vigilante approach to fighting spam. Your idea will not work... ...aah never mind.
  • by i.r.id10t ( 595143 ) on Wednesday October 28, 2009 @01:27PM (#29899629)

    But you can set your "from" address in your mail client, and send mail as if it were from your gmail account from your work place, your home ISP's smtp server, etc. In order for that all to work, google would have to allow smtp.yourisp.net to send mail as if it were from google in the SPF records - basically, if it were done, then nothing would have changed 'cause they'd have to allow a metric buttload of ISPs to send.

    Changing to web only, or smtpauth, or similar (as we both point out) would do the job though.
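
An added example, not part of any comment in this thread and not Google Groups code: a list-side gate that combines the SPF/signature suggestions above with the objection that the From: header is chosen freely by the sending client. It assumes the list's own MTA writes the Authentication-Results header and strips inbound copies bearing its id; the authserv-id `mx.list.example`, the member list and both sample messages are constructed, and domain matching is exact for simplicity.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.list.example"   # assumption: authserv-id of the list's own MTA
PREMODERATED = {"alice@example.org"}   # constructed list of pre-moderated members

GENUINE = (  # constructed: SPF passed for the same domain that appears in From:
    "Authentication-Results: mx.list.example; spf=pass smtp.mailfrom=alice@example.org\n"
    "From: Alice <alice@example.org>\nSubject: plugin question\n\nhi\n")
SPOOFED = (  # constructed: SPF passed, but only for the sender's own envelope domain
    "Authentication-Results: mx.list.example; spf=pass smtp.mailfrom=bounce@bulk.invalid\n"
    "From: Alice <alice@example.org>\nSubject: FREE MOVIE DOWNLOADS\n\n...\n")

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def _aligned_auth(msg, from_domain):
    """True if our MTA recorded an SPF or DKIM pass for the From: domain itself."""
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        if not parts[0] or parts[0].split()[0].lower() != TRUSTED_AUTHSERV:
            continue  # not written by our MTA, so the sender could have forged it
        for res in parts[1:]:
            m = re.match(r"(spf|dkim)=pass\b", res, re.I)
            if not m:
                continue
            prop = "smtp.mailfrom" if m.group(1).lower() == "spf" else "header.d"
            ident = re.search(re.escape(prop) + r"=(\S+)", res)
            if ident and _domain(ident.group(1)) == from_domain:
                return True
    return False

def gate(raw):
    """Return 'post', 'hold' or 'moderate' for one raw inbound message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in PREMODERATED:
        return "moderate"   # unknown poster: normal moderation queue
    if _aligned_auth(msg, _domain(sender)):
        return "post"       # member address backed by SPF/DKIM for that domain
    return "hold"           # member address claimed, nothing vouches for it
```

A member who really does send through an unrelated ISP relay lands in `hold` rather than being dropped, so a moderator can still approve the message.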

  • by clone53421 ( 1310749 ) on Wednesday October 28, 2009 @01:42PM (#29899871) Journal

    > Why don't you just sign your messages and verify based on signature, rather than something completely meaningless like email-address?

    > And once again: Why the hell does google not sign all messages which pass through gmail as "really did come from this address"?

    (x) technical ( ) legislative ( ) market-based ( ) vigilante
    (x) Requires immediate total cooperation from everybody at once
    (x) Lack of centrally controlling authority for email
    (x) Why should we have to trust you and your servers?
    (I'm using the short-form.)

    What I mean to say is, you don't have to have a Gmail account to be a member of a Google Group. Your approach might keep people from spoofing Gmail addresses and be completely painless for Gmail users, but non-Gmail users would have to manually configure their mail clients to digitally sign their messages and some (web-based) e-mail clients might not even support this.

  • Re:Time to DIY (Score:4, Insightful)

    by sbeckstead ( 555647 ) on Wednesday October 28, 2009 @02:29PM (#29900607) Homepage Journal
    Ooh Ooh is spam theft the same way illegal copying of copyrighted materials is theft? I can't wait to see the argument on this one!
  • by Ilgaz ( 86384 ) on Wednesday October 28, 2009 @06:11PM (#29903383) Homepage

    Back in the day when Dejanews was a "cool web 2.0" like thing for Usenet and Usenet was still popular, they could manage the actual, pro spammer attacks with a handful of people. Those were the days when CNET had "help.com" which allowed complete newbies to post questions to Usenet.

    Now Google, with impossible to imagine computing resources, lets the core Usenet _and_ their own private groups get polluted by trivial spam. Yes, trivial since even my stupid mail filters can sort that kind of spam without even touching bayesian etc. filters.

    It is almost like a pyramid scheme. Spammer uses Google groups infrastructure to post pirate software download forums which are solely gathering income from Google adwords. That happens on a big5 one, not some alt.conspiracy low traffic thing.

    In the first days, I thought Google didn't care on purpose of promoting their own, closed, moderated fake groups but it was a total tinfoil hat theory. They simply didn't/don't have the competency to carry that kind of job which 2-3 experienced admins did while Usenet was 10x-20x more popular.
