Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Spam Google Technology

jQuery Dev Bemoans Overwhelming Spam On Google Groups 251

angryrice tips a blog post by John Resig, lead developer for jQuery, about the failure of Google Groups to manage spam, declaring attempts to use it as a public discussion system "completely futile." Quoting: "The final straw was placed upon my patience with the Google Groups system a few weeks ago. Spammers are now spoofing the email addresses of existing group participants to sneak their messages through. Previously you would've seen a delightful 'FREE MOVIE DOWNLOADS' spam from 'freemovies123@gmail.com' — but now you'll see it coming from existing group users — or even the group moderators themselves. This cheat completely bypasses the moderation system since the spammers are pretending to be pre-moderated users. The Google Groups system is completely fooled. The spam message comes in claiming to be from an existing group participant — and according to the Google Groups interface there is no difference. If you click the user's name you'll be taken to a full listing of that user's posts (with the spam messages delightfully interspersed)."
This discussion has been archived. No new comments can be posted.

jQuery Dev Bemoans Overwhelming Spam On Google Groups

Comments Filter:
  • Time to DIY (Score:2, Informative)

    Looks like a good time to learn to admin a mailing list.
    • by Anonymous Coward
      You get what you pay for.
    • Re: (Score:3, Funny)

      by John Hasler ( 414242 )

      And then have to deal with spam from Gmail accounts.

    • Looks like a good time to learn to admin a mailing list.

      I don't know. Google Groups was a great forum for discussing Stocks on Google's Finance page [google.com]... Until the spammers took over.

      It was really handy to get other's opinion about a stock from a street level perspective or just getting links to relevant sources about the stock you were researching without having to go to a forum and basically search until you found something related to the stock.

      People tried self policing by changing the subject to anyone wh

  • by Zarf ( 5735 )

    Maybe if we created a mail header with the pgp signature of the message in it we could train our spam filters to filter on that. Google could silently inject the header into its mail clients... no one would need training. Email would look the same. Clients unaware what to do with the header could ignore it. Inside systems like Groups you could see "verified" or not on the email.

    • Re: (Score:2, Interesting)

      sounds like a good idea, it seems. For this to work, can the correct signature be made only by the users private key, on the text in the email message, so someone couldnt just take the public key or whatever and spoof the signature?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Ummm, Google Groups [wikipedia.org] is an archive and Web interface for Usenet. [wikipedia.org] Email is irrelevant.

      • Re: (Score:3, Informative)

        by maxume ( 22995 )

        It's that, and also a collection of mailing lists that are not mirrored to Usenet. People interact with those mailing lists using email (the group discussed in the summary is a mailing list that is not mirrored to Usenet...).

    • by Straker Skunk ( 16970 ) on Wednesday October 28, 2009 @10:21AM (#29897841)

      PGP/GPG is overkill. Just drop messages that fail an SPF check. Spoofing is part of the problem here, and SPF was tailor-made to address spoofing.

      If you do use PGP/GPG, you don't need an extra header for the signature; it's usually added as a small attachment, and better mail clients already pick up on that for verification.

      • SPF would only work on the domain level, and has to be implemented by the ISPs, etc. Since google would have to allow many isps send mail as if it were coming from a google user, it would kinda defeat the purpose. Better would be to allow google groups to only get messages from gmail, and set gmail up to not allow alias addresses for gmail accounts that the user doesn't own.

        • I'm not sure I understand your point. SPF guarantees that email is coming from the correct domain. If an email is from a gmail account, then it should come from a server set up with an SPF record for gmail. It's then up to Google to ensure that it's sent by the correct user, which happens when you log in to the web interface (or via authenticated SMTP if they support that). The same goes for anyone else. ISPs often use originating IP address to enforce the envelope from in emails (i.e. the mail comes f
          • Re: (Score:3, Insightful)

            by i.r.id10t ( 595143 )

            But you can set your "from" address in your mail client, and send mail as if it were from your gmail account from your work place, your home ISP's smtp server, etc. In order for that all to work, google would have to allow smtp.yourisp.net to send mail as if it were from google in the SPF records - basically, if it were done, then nothing would have changed 'cause they'd have to allow a metric buttload of ISPs to send.

            Changing to web only, or smtpauth, or similar (as we both point out) would do the job tho

    • Maybe if we created a mail header with the pgp signature of the message in it we could train our spam filters to filter on that.

      If Google at least supported S/MIME, that would be a start.

  • by oldspewey ( 1303305 ) on Wednesday October 28, 2009 @10:01AM (#29897539)

    I used to be an avid newsgroup participant way back in the day. The flamewars were legendary, and the amount of technical information exchanged on some of those groups was beyond description.

    If there were a way to use spammers for fuel, I'd have no qualms solving our energy woes that way ...

    • Re: (Score:3, Interesting)

      by John Hasler ( 414242 )

      > I used to be an avid newsgroup participant way back in the day.

      I still am. Competent news services such as Newsguy are able to remove enough of the spam to make it tolerable.

    • by Bigbutt ( 65939 )

      If there were a way to use spammers for fuel, I'd have no qualms solving our energy woes that way ...

      And people wonder why I refuse to hire sysadmins who used to work for well known spamming companies.

      [John]

    • by Ilgaz ( 86384 )

      Back in the day when Dejanews was a "cool web 2.0" like thing for Usenet and Usenet was still popular, they could manage the actual, pro spammer attacks with handful of people. Those were the days when CNET had "help.com" which allowed complete newbies to post questions to Usenet.

      Now Google, with impossible to imagine computing resources lets the core Usenet _and_ their own private groups gets polluted by trivial spam. Yes, trivial since even my stupid mail filters can sort that kind of spam without even to

  • Isn't GPG / PGP email signing perfectly suited to handle this?

    All you need is a way to build a tree or chain of trusted signatures. The root of the tree could be the person who created the group.

    • Given it's a moderated group, you could easily create a web of trust between moderators, and then have the moderators add the keys of valid participants to their chain. From then on, anyone 'pre-moderated' (whatever that means) would only be able to send an email to the list if the mail was signed with a key a moderator had already accepted.

      But, of course, you'd need people to actually use PGP/GPG, which seems like an uphill battle...

    • by lee1 ( 219161 )
      Of course. It solves the general email spam problem as well. But can you imagine trying to get your local PTA membership to use this or even understand what it is?
    • by Sloppy ( 14984 )

      The root of the tree could be the person who created the group.

      No, the root of the "tree" (and by that I mean, "not a tree") should be whoever is reading it.

  • by Eravnrekaree ( 467752 ) on Wednesday October 28, 2009 @10:02AM (#29897551)

    Yahoo chat as well seems to be overtaken by this spamfest. They have tried to address it with captchas, but the spammers simply go ahead and entire the captcha code and keep spamming. They could require credit card verification to make it harder to open massive numbers of accounts, i suppose. Maybe they could have some sort of scanner that would look for sequences that could identify common patterns in spam messages and flag these messages for moderation. Even moderation itself is ripe for abuse with moderators who abuse that power that they have. Perhaps another solution is a voting system on particular messages like that on slashdot, in this case, simply as to whether the message is spam or not, the messages which are voted to be spam are basically collapsed but could be opened with a click, or can be shown with a show "spam marked messages" feature. Could be useful both on chat and also on message boards.

    • Re: (Score:2, Interesting)

      by weaponx71 ( 524109 )
      The Yahoo groups aren't all that bad. I belong to a few and over the past two weeks we got a few infected links from members that got infected. Straight spam has been like maybe one every three months or so. Now the Yahoo chat, well.. that is just unusable as I use to remember it. When I became wise and got rid of AOL, Yahoo chat was a great replacement. You could actually have conversations with real people. Then the script kiddies were flooding the rooms with their booters and such. The bots were easily
    • by Alioth ( 221270 )

      Just pass all messages through SpamAssassin. Unfortunately, you lose the header checks with non-email, but the body will often fail in spammy URIs, plus match a number of other rules.

      SpamAssassin is awesome. My personal email address gets around 1000 spam messages per day. All but two or three get blocked by SA.

  • and Blogger too (Score:4, Interesting)

    by GameGod0 ( 680382 ) on Wednesday October 28, 2009 @10:06AM (#29897617)
    Google's really dropped the ball on spam blocking with Blogger too. I host a couple of random blogs on there, and they've all been hit with a ridiculous amount of spam in the last year. Blogger doesn't even give you something like Akismet... :(
    • Re: (Score:3, Interesting)

      by BitZtream ( 692029 )

      Blogs ARE spam 99 times out of 100, its hard to implement spam filtering when the content in and of itself might as well be spam.

  • If this is a Usenet group that Google Groups is just providing an interface to, I guess it's time to bring back the cancelbots. UDP against Google. It's come close before.

    If this is one of the Google Groups that's a web forum, then they need to require that you actually log in before posting.

    • then they need to require that you actually log in before posting.

      That is really up to the group administrator [google.com].

      To control who can post in your group, please follow these steps: 1. Click on the "Group settings" link on your group's homepage. 2. Select the "Access" tab. 3. Choose an option under "Who can post messages?" and click "Save Changes." If you choose "Managers only," owners and managers will be the only ones able to post messages to the whole group. If you choose "Members only," your members will be able to post, but non-members will not. The "Anyone can post" option allows all Google Groups users to post in your group.

      Also, you may want to consider the option "All posts are held for moderation" if you wish to review messages before they're posted to your group. This option is located toward the bottom of the page, in the "Message moderation" section.

      For the safety of your group, only members have the options of uploading files, and creating and editing pages. It's up to you whether you'd like to also restrict these actions to moderators only.

      Not sure if that helps for the spoof aspect of the declared problem. May be. Maybe not. I've never ran a Google group.

  • by fsterman ( 519061 ) on Wednesday October 28, 2009 @10:11AM (#29897685) Homepage
    Why the hell haven't they put the same spam filters that they use for Gmail on the discussion lists?
    • by Minwee ( 522556 ) <dcr@neverwhen.org> on Wednesday October 28, 2009 @10:26AM (#29897937) Homepage

      Why the hell haven't they put the same spam filters that they use for Gmail on the discussion lists?

      Maybe it's because they want to encourage you to use Gmail, which they control and can extract some income from, instead of Usenet, which they have only a passing acquaintance with and can't squeeze a penny out of.

      • by baxissimo ( 135512 ) on Wednesday October 28, 2009 @10:58AM (#29898389)
        Google Groups serves as a face to Usenet, yes, but it also advertises itself as a place to create new groups [google.com] which are hosted by Google, as an alternative to setting up your own mailing list. I suspect the jQuery folks are using a Google hosted group. The spam situation is indeed ridiculous, and Google could indeed do something about it. They even have "report spam" buttons on all the messages, but so far as I can tell clicking on those buttons has no effect. At the very least it should hide the messages from me that I mark as spam. But no, it doesn't even remember which messages I've marked as spam from login to login. They've just dropped the ball for some reason.
        • by DerekLyons ( 302214 ) <fairwater.gmail@com> on Wednesday October 28, 2009 @11:27AM (#29898759) Homepage

          At the very least it should hide the messages from me that I mark as spam. But no, it doesn't even remember which messages I've marked as spam from login to login. They've just dropped the ball for some reason.

          The reason, at least to me, seems abundantly clear: Google has the attention span of a three year old. They fixate heavily on something for a while... then their attention drifts and they are off to the next shiny thing. They've got a lot of products, but no clear vision or effective management.

          • Re: (Score:3, Interesting)

            by psydeshow ( 154300 )

            Bingo. They need a moratorium on new products for 3 years while they chain the engineers to big, burly product managers and get all of their offerings on the same page.

            Of course, that's (more or less) what happened at Yahoo!, and Google took the opportunity to fly right past them.

    • Maybe they pool their resources in Google Wave and ditch Google Groups as soon as Wave is ready.

  • by Horn ( 517263 ) on Wednesday October 28, 2009 @10:11AM (#29897689)
    Time to move away from the antiquated system of mailing lists. Web based forums are much easier to control and a far, far better way of sharing information with users. I hate coming across an otherwise useful site and then having to go to a mailing list to see what other users are talking about.
    • by John Hasler ( 414242 ) on Wednesday October 28, 2009 @10:23AM (#29897879) Homepage

      > Time to move away from the antiquated system of mailing lists. Web based
      > forums are much easier to control and a far, far better way of sharing
      > information with users.

      No local control over filtering and sorting, forced to use your weird UI and editor instead of my own? "Forums" suck. And "easier to control" is not a feature.

      • by Anonymous Coward on Wednesday October 28, 2009 @10:40AM (#29898135)

        No local control over filtering and sorting, forced to use your weird UI and editor instead of my own? "Forums" suck. And "easier to control" is not a feature.

        Uhm - then why are you posting on Slashdot?

        • Re: (Score:3, Interesting)

          I'm not the OP, but I use Slashdot's web UI because they haven't created an nntp gateway for me yet. :-)

          Once that is done, you won't see me using this web-based interface, believe me. I'd be using Yarn here, or maybe slrn with slrnpull.

          The content here is decent for the most part (STN ratio is often quite good). It's the interface that sucks.

      • Re: (Score:3, Interesting)

        Nope. I belong to the AVS (audio-visual science) forum for awhile, and stated matter-of-factly that digital TV has reception problems and the converter boxes from Dish are junk. I was banned.

        You can't have free speech in a system where the Sysop is like a dictator - deciding what can or can not be said. Even a benevolent dictator can be bad. Usenet offers a place that is libertarian in nature - people police themselves - and nobody gets censored even if they are whackjob KKK members.

    • by doconnor ( 134648 ) on Wednesday October 28, 2009 @10:25AM (#29897903) Homepage

      This is an issue that really bugged me. The move to web based forums from Usenet and mailing list was a giant step backwards in functionally.

      Advantages of Usenet and mailing lists over web based forums:

      The user can control the interface
      killfiles
      threading
      discussion on issues where centralized in one place rather then across multiple web forums
      better searching
      better archiving
      less bandwidth

      More advanced web forums, like Slashdot, do a better job of supporting these features, but most people still use very primitive forums.

      • by Richard Steiner ( 1585 ) <rsteiner@visi.com> on Wednesday October 28, 2009 @11:18AM (#29898643) Homepage Journal

        Killfiles and regex-controlled score files that can both sort and enhance/block messages based on reader-defined criteria. Very very powerful, something the DOS-based SOUP reader I used to use (Yarn) did back in the early 90's, and something which I've not yet seen even roughly approximated in a web-based forum.

        Folks who say that USENET is "antiquated" have no idea of its potential, or how experienced users were able to utilize it in practice.

      • Advantages of web based forums:

        Any idiot can figure them out and navigate them pretty easily, whereas Usenet is more than a little intimidating to new users.
    • Web based forums are much easier to control

      One man's control is another man's tyranny.

    • by Xtravar ( 725372 )

      I hate coming across an otherwise useful forum and then having to sign up and log in to view certain topics and download files from it.

      Not that I use mailing lists or newsgroups...

    • I imagine they will ; this is Google [google.com], after all.

      • by EQ ( 28372 )

        I imagine they will ; this is Google [google.com], after all.

        cue Gerard Butler: THIS. IS. GOOGLE!

    • by Richard Steiner ( 1585 ) <rsteiner@visi.com> on Wednesday October 28, 2009 @11:24AM (#29898711) Homepage Journal

      USENET has always been far more than a "mailing list", and I could do things to control/filter/sort messages to my liking with Yarn and slrn that I can't even touch with the web-based forum software I've seen (and I've seen a lot of it).

      I really wish web-based forum software would catch up. Even USENET in the early 90's far surpassed it in many respects. Most web forums are nice for posting pictures, but horrible in terms of threading and controlling what actually shows up in your reading list.

  • by scorp1us ( 235526 ) on Wednesday October 28, 2009 @10:12AM (#29897707) Journal

    Google has some of the weakest around. And whats more is becaue Google uses domain keys it is a desired domain because that stuff gets through the spam filters better.

    I wish Google had an automated honey pot system where you could drop a google address, and any google account would instantly get shut off for sending mail to it. The idea is you plant the email address in a place where automated spambots will harvest it and poof! no more spammer.

    Of course it could be used for abuse and if passed off as a legit account, so there needs to be some registration and tying of spam honey pot accounts to their owners for accountability.

  • by Zocalo ( 252965 ) on Wednesday October 28, 2009 @10:14AM (#29897729) Homepage
    Google Mail has a feature in Labs whereby they identify social groups within your email contact so that if you exchange a lot of emails between a certain group of people and suddenly add a new recipient it will flag a possible problem. Surely it would be possible to apply a similar methodology to Google Groups only with the IP addresses messages originate from - send from a new IP assignment and the message gets moderated, no matter how many successful posts you've made from elsewhere.
  • Unusable indeed (Score:2, Interesting)

    I've been wondering if/when Google would make some sort of effort to deal with the problem. You'd think that a company that's gone out of their way to hire brainiacs could come up with *some* sort of solution. I'm a little surprised they've let it spin this far off into the weeds.

  • Google Beta (Score:5, Insightful)

    by slack_justyb ( 862874 ) on Wednesday October 28, 2009 @10:20AM (#29897833)
    I see a lot of Google's products needing the oh so familiar Beta label again.
    Seriously, Google's offering is not without it's serious drawbacks, and I suspect that the good stuff is to be had from actual paid services. However, this kind of letting crap slip where people can spoof the name of a valid member is a serious Alpha quality flaw. What's the point of identifying anyone, if everyone can pretend to be everyone else? I mean that is the actually concept of identity, to uniquely label something as different as other things.
    I think Google is trying to take on more than it can handle and it is beginning to really show now that they've removed the excuse of "Beta".
  • Report spam (Score:3, Informative)

    by nkh ( 750837 ) on Wednesday October 28, 2009 @10:28AM (#29897965) Journal
    Google Groups was a good idea with a bad implementation. Last time I checked, there was no fast way to report a spammer, you have to click 3 or 4 times and be redirected to different pages before having just one message successfully reported.
    • Re: (Score:2, Informative)

      by MWojcik ( 859959 )

      Last time I checked, there was no fast way to report a spammer, you have to click 3 or 4 times and be redirected to different pages before having just one message successfully reported.

      That must have been long time ago. Now you have "report spam" link right by the thread summary (you don't have to even open the thread) and at each message that doesn't result in opening new window/following the link.

  • by Morris Thorpe ( 762715 ) on Wednesday October 28, 2009 @10:29AM (#29897967)

    I created and admin a Google group for my son's high school team. We have coaches about 120 parents in the group.

    Even though it's a pain in the ass, I chose to moderate messages for new members. Still, spam gets through. As the group's admin, it's embarrassing to see graphic messages and know that all the parent's on my kid's team are seeing it. Also, moderation means that some messages may not get through in a timely manner.

    I'm looking to migrate the group to an alternative now.

    • Even though it's a pain in the ass, I chose to moderate messages for new members. Still, spam gets through.

      How is spam getting through if you are moderating? Are you approving spam messages?

      • Re: (Score:3, Informative)

        If you RTFA, or hell, read the summary, you'll note that spammers are posting using the addresses of existing members, meaning that new-user moderation is bypassed.
  • by farnsaw ( 252018 ) on Wednesday October 28, 2009 @10:45AM (#29898205) Homepage
    I manage a moderated google group and I have received spam "from the group" from someone who is not a member. This makes me think that they sent it directly to me and just spoofed the headers to make it appear to come from google to get past my local spam filter. I wonder if this is what is really happening?
    • You should be able to tell by looking at the Received: headers whether it really came from Google Groups or not.
  • my settings (Score:5, Informative)

    by Deanalator ( 806515 ) <pierce403@gmail.com> on Wednesday October 28, 2009 @11:04AM (#29898467) Homepage

    We were having some problems with this on the wimax hacking google group.

    About a month ago I set all posting options to members only (read is still public, the group is listed in the directory, and there is no moderation). I then set it so people need to request an invite to join. The signup page says "Sorry, about the inconvenience, but spam was starting to ramp up, so now users have to request membership manually. Anyone who is human is welcome, and encouraged to join."

    There has been zero spam since the change.

    It would be nice if there was an option to just let people solve a captcha to join the group, but until then this solution is working fine.

  • by Animats ( 122034 ) on Wednesday October 28, 2009 @11:09AM (#29898543) Homepage

    Maybe the answer is to block posts to USENET that come in via Google. That seems to be the source of the trouble.

    Looking at the newsgroup "comp.lang.python", all the spam seems to be coming in via "posting.google.com" with GMail return addresses. Bulk-created phony gmail accounts [gmailaccountcreator.com] are such a source of spam that they should be blocked until Google gets their act together. At this point, we have to view GMail like Hotmail, another free email account system made useless by spammers.

    Hotmail is widely blocked. Next, Gmail?

    • Re: (Score:3, Interesting)

      by rudy_wayne ( 414635 )

      At this point, we have to view GMail like Hotmail, another free email account system made useless by spammers.

      Hotmail is widely blocked. Next, Gmail?

      I have 2 Gmail accounts but access them via POP3. Gmail's spam filters work perfectly. I get zero spam. Although there are hundreds of spam messages in the spam folder none of them get through to me. Why can't they do the same thing to newsgroups?

    • Re: (Score:3, Informative)

      by bipbop ( 1144919 )

      I blocked gmail a couple years ago for this reason. It's annoying though, because there are a lot of legitimate gmail users who I'm blocking, but I'm willing to miss their messages in exchange for blocking a much larger number of spam messages. It sucks, but it's the least effort solution as a reader.

      Also, this isn't a new problem, and it's pretty unlikely that it'll go away AFAICT. Google Groups has always been a group that Google's least competent employees work in (again AFAICT; I have no personal kno

  • ...how exactly do the spammers know which users are pre-moderated on which groups ?

    Just blasting all addresses, regardless of validity may be a good tactic for standard mailboxen, but it seems to me that the ratio of pre-moderated to not-even-subscribed on any given group would be pretty prohibitive. Coupled with the presumably already reasonably low positive feedback on spam (which is not to say that the roi is bad, mind you), and you *should* get only fragments of percents of successfully inserted mails -
  • Spam levels were above 96% in some groups I accessed. And more than 90% of the spam came from Google Groups. I guess they put it on autopilot without any spam checks and walked away. So I just blocked all of Google Groups in my killfile. At least for now, any legitimate posts from there I will see if someone from outside Google Groups posts a followup and includes it. But some of the groups are just dead, now. In a couple cases it's definitely due to the spam.

  • by tetranz ( 446973 ) on Wednesday October 28, 2009 @12:07PM (#29899299)

    This is more to do with Yahoo Groups than Google Groups but they seem similar. Recently I've joined several Yahoo Groups about specialized ham radio topics. Nearly all of them keep their archives private. I have apply to join (basically push a button and say who I am) and then wait for approval from the admin. Once approved I can read the archives and also post. Posting from members is usually unmoderated. It's painless enough but still very frustrating when I'm just searching around for information and a quick look at the archives is probably all I want.

    I don't mind having to join if I want to post but do they achieve anything by keeping the archives private? Yahoo obscure the email addresses so spammers' 'bots are not going to get much from them. I've asked several admins "why do you keep the archives private?" and have not received a convincing answer. It usually goes something like "I understand your frustration but we have a lot of trouble with spam" and sometimes goes on to imply what a silly question I asked. Well ... I still don't see how keeping the archives private helps to reduce spam. I haven't been a group admin so maybe I'm missing something.

    I can understand keeping archives private or non-existent for a group on a personal or private subject but that doesn't apply to these groups.

    My guess is that this is Yahoo's default setting when a group is created and few admins really think about it. Of course Yahoo want as many people as possible to join.

    • It at least used to be that Yahoo Groups wouldn't automatically munge email addresses, meaning that non-private archives would reveal email address information to everyone that happened along.

  • You're a group of technologically literate people. Why don't you just sign your messages and verify based on signature, rather than something completely meaningless like email-address?

    And once again: Why the hell does google not sign all messages which pass through gmail as "really did come from this address"?

    • by clone53421 ( 1310749 ) on Wednesday October 28, 2009 @12:42PM (#29899871) Journal

      Why don't you just sign your messages and verify based on signature, rather than something completely meaningless like email-address?

      And once again: Why the hell does google not sign all messages which pass through gmail as "really did come from this address"?

      (x) technical ( ) legislative ( ) market-based ( ) vigilante
      (x) Requires immediate total cooperation from everybody at once
      (x) Lack of centrally controlling authority for email
      (x) Why should we have to trust you and your servers?
      (I'm using the short-form.)

      What I mean to say is, you don't have to have a Gmail account to be a member of a Google Group. Your approach might keep people from spoofing Gmail addresses and be completely painless for Gmail users, but non-Gmail users would have to manually configure their mail clients to digitally sign their messages and some (web-based) e-mail clients might not even support this.

We are Microsoft. Unix is irrelevant. Openness is futile. Prepare to be assimilated.

Working...