jQuery Dev Bemoans Overwhelming Spam On Google Groups

angryrice tips a blog post by John Resig, lead developer for jQuery, about the failure of Google Groups to manage spam, declaring attempts to use it as a public discussion system "completely futile." Quoting: "The final straw was placed upon my patience with the Google Groups system a few weeks ago. Spammers are now spoofing the email addresses of existing group participants to sneak their messages through. Previously you would've seen a delightful 'FREE MOVIE DOWNLOADS' spam from 'freemovies123@gmail.com' — but now you'll see it coming from existing group users — or even the group moderators themselves. This cheat completely bypasses the moderation system since the spammers are pretending to be pre-moderated users. The Google Groups system is completely fooled. The spam message comes in claiming to be from an existing group participant — and according to the Google Groups interface there is no difference. If you click the user's name you'll be taken to a full listing of that user's posts (with the spam messages delightfully interspersed)."

Time to DIY

[clang_jangle]

Looks like a good time to learn to admin a mailing list.

Re:Time to DIY

[John+Hasler]

And then have to deal with spam from Gmail accounts.

Re:Time to DIY

[commodore64_love]

So?

First off, I think the guy writing the article is exaggerating. I routinely visit rec.arts.tv on groups.google.com and there's maybe one spam message per two pages (100 messages). Not a big deal.

Second: I honestly don't know why people are so bothered by spam. Back in the day of 2 kbit/s modems, yes it was a pain because it would take a full minute to download a single message, but in today's 1000+ kbit/s world, these messages just ziiiiip right past. I mentally-filter out the spam same way I filter-out commercials on the TV, radio, or web ("Slashdot has advertising? I don't see it."). Maybe the author of the article should learn to apply his own neural network to filter out the crap he doesn't want to see.

Re:Time to DIY

[Jurily]

Back in the day of 2 kbit/s modems, yes it was a pain because it would take a full minute to download a single message, but in today's 1000+ kbit/s world, these messages just ziiiiip right past.

I use Vodafone UK, you insensitive clod!

Re:Time to DIY

[Rude+Turnip]

1. Spam is theft of service.
2. Spam is theft of service.
3. The spam in Google Groups absolutely ruins many groups because the boards are inundated with spam to the point that a real message is like a needle in a haystack. The stock discussion boards have gone to hell in the last few months.

Re:Time to DIY

Even better. The main JQuery site runs Drupal, so they can simple install and configure Organic Groups. Now they have a way to moderate and get rid of the spam a lot easier than on that messed up Google Groups.

Re:Time to DIY

[bberens]

Definitely. I used to spend a bit of time on the finance.google.com discussion boards. OMG it's just a complete mess now to the point that Google no longer displays the most recent conversations on each stock's main page. There is simply a link to the discussion. It's horrible. How Google can have one of the best e-mail spam filters out there but not be able to block this message spam is beyond me.

Re:Time to DIY

"Spam's fine just ignore it" got modded as insightful? WTF, Slashdot.

Re:Time to DIY

[kaizendojo]

1. How can you steal a service that's provided to you for free?

2. How can you steal a service that's provided to you for free?

3. As many of these groups are simple mirrors from Usenet, how do you propose Google control servers that they have no control over?

Re:Time to DIY

[ByOhTek]

When you have 10x more spam than relevant material in a topic, it's easy to miss the relevant material.

That, and some spam subjects are just painfully horrible, and nobody should be subjected to the horror of even glancing at them.

Then again, when I saw one suggesting I could own my own Bionic Turtle (I kid you not), spam did rise *a little bit* in my opinion. I still deleted it, but I loved that title.

Re:Time to DIY

[The+Ultimate+Fartkno]

1. How can you steal a service that's provided to you for free?

My internet service is not provided to me for free. I pay for it. I reserve the right to accept or reject advertising as I see fit. People who not only force advertising on me, but do it in a deceitful manner, deserve nothing more than forcible, unlubed sodomy during the half time show of the Super Bowl. Spammers are roaches and should be treated as such.

Re:Time to DIY

[vertinox]

Looks like a good time to learn to admin a mailing list.

I don't know. Google Groups was a great forum for discussing Stocks on Google's Finance page... Until the spammers took over.

It was really handy to get other's opinion about a stock from a street level perspective or just getting links to relevant sources about the stock you were researching without having to go to a forum and basically search until you found something related to the stock.

People tried self policing by changing the subject to anyone who spams to "SPAM" since it lets you do that to other people's posts, but even then it got tiring for everyone to keep fighting.

Reporting did nothing so the legitimate discussion died under the noise.

Re:Time to DIY

[nacturation]

People who not only force advertising on me, but do it in a deceitful manner, deserve nothing more than forcible, unlubed sodomy during the half time show of the Super Bowl.

So if your local library's cork board has individual citizens pinning up advertising deceitfully, will you unleash your gay sexual fantasies on the library staff since you pay for the library with your tax dollars?

Re:Time to DIY

[bpfinn]

They have the technology?

Re:Time to DIY

[The+Ultimate+Fartkno]

The day that I go to the library and every book that I check out has a flyer for the local Viagra dealer between every page, then you better be damned sure I'm going to start complaining.

And I never said that *I'd* be doing the sodomy. I'm always making nachos during the half time show anyway.

Re:Time to DIY

[commodore64_love]

>>>1. Spam is theft of service.

I don't know how you arrive at the idea. The spammer pays for his connection to send email, just the same you pay to send email. Nothing's been stolen, and your argument strikes me to be as flimsy as CW claiming I "stole" Sucky_Teen_Soap_#9 just because I happened to see it on the net.

Re:Time to DIY

[commodore64_love]

>>>I reserve the right to accept or reject advertising as I see fit.

You are right. It's the virtual equivalent of stuffing earplugs in your ears so you don't have to listen to some guy in the town square. HOWEVER in my opinion if you access a website that is advertising-supported, and you block the ads, then said website should be able to ban your IP from future access. Adblock == no shirt == no service.

And the solution of usenet is to use killfiles to block spammers, so you no longer have to see them.

Re:Time to DIY

[The+Archon+V2.0]

So?

First off, I think the guy writing the article is exaggerating. I routinely visit rec.arts.tv on groups.google.com and there's maybe one spam message per two pages (100 messages). Not a big deal.

Using the busiest nonbinary group in a feed (r.a.tv gets what, about 500-1500 messages every day?) is misleading. As a counterexample, alt.tv.(almost any show not currently on the air) is/are almost 100% spam.

Once there's a lot of noise and a weak signal, the group dies. I've seen smaller groups live fine with only one new thread a month... IF it's not spam, since most of us have things rigged to bring new posts or threads to our attention. But once spammers update their group lists, then one thread a month plus two spams (thus two spam threads) means most of the time a person is disappointed. That's when they start looking elsewhere.

Re:Time to DIY

Suggested moderation: -1, Missing the Point

Re:Time to DIY

[Red+Flayer]

And I never said that *I'd* be doing the sodomy

You don't know what you're missing!

Besides which, your fetish could be watching people do that, or listening, or just being the causative agent.

Re:Time to DIY

[jcoy42]

*sigh*

Now I know why my spam folder has so many bionic turtle subject lines..

Thanks.

Re:Time to DIY

[sbeckstead]

Ooh Ooh is spam theft the same way illegal copying of copyrighted materials is theft? I can't wait to see the argument on this one!

Re:Time to DIY

[Rude+Turnip]

In the case of Google's message boards, the users are not the customers. The advertisers are the customers and our eyeballs are the product. It just so happens in this arrangement that I want to get useful information from the message boards and it works out to be a beneficial relationship with the advertisers. The less useful the message boards become to the users, the less ad revenue Google generates from maintaining the boards.

In the case of email, I pay for the receipt and storage of email. No different than a junk fax although the results are less tangible. My company also pays a pretty penny for a spam filter service because our time is better spent working on projects than manually filtering through spam trying to find email. Spam already negatively impacts us in that way.

Re:Time to DIY

[bruce_the_loon]

Ha ha ha ha ha ha ha

You really truly honestly believe the spammers are paying for their own bandwidth? They're riding on bot-nets and open relays costing someone else their bandwidth. Most of the spam I see on the filters at work comes from residential networks.

Re:Time to DIY

Ooh Ooh is spam theft the same way illegal copying of copyrighted materials is theft?

On, theft of a finite resource (bandwidth and storage) is real, whereas copying something is not theft.

I can't wait to see the argument on this one!

Only because you're a fucking idiot.

Re:Time to DIY

[lmcgeoch]

I don't know about it being a theft of service but spam is a very rude and annoying way to make a buck. I don't know how much time is wasted on deleting spam, avoiding spam and dealing with spam filters, etc... but hey it's good to eat.

Re:Time to DIY

[Toonol]

Your internet service, sure. Google groups is a free service, and the spammers are taking advantage of it just like you are. Now, they're rude and obnoxious, and I'm sure mimicking user accounts surely breaks some terms of service, so I'm not defending them; but you don't have 'rights' on somebody else's forum.

Re:Time to DIY

Taking notes...

Re:Time to DIY

[pnot]

Then again, when I saw one suggesting I could own my own Bionic Turtle (I kid you not), spam did rise *a little bit* in my opinion. I still deleted it, but I loved that title.

My favourite spam offer ever: 75,000 live chickens, delivered to an airport of my choice. Yes, really.

Re:Time to DIY

[sbeckstead]

Coming from you a "moron" I take that as a compliment.

Re:Time to DIY

[The+Ultimate+Fartkno]

Just as long as I get my nachos...

Re:Time to DIY

[darkpixel2k]

The day that I go to the library and every book that I check out has a flyer for the local Viagra dealer between every page, then you better be damned sure I'm going to start complaining.

What did you just sa....ohcrap MODS, DESTROY THAT COMMENT, QUICKLY!!!

Damnit. Don't give the marketing droids any more ideas. You just *know* some drone is reading your comment and saying "You know...that's a pretty good idea..."

With any luck the mods will delete your comment before anyone else has a chance to read it or Google caches it.

Re:Time to DIY

[jipn4]

Don't encourage him; he's had that fantasy for a while, he is just looking for an excuse to unleash it.

Re:Time to DIY

You sodomize roaches? Yuck!

Re:Time to DIY

[commodore64_love]

If I could get my books for free, I'd be okay with Viagra ads in the cover. In fact most books already DO have advertising (in the back) so it's really not a big change.

Re:Time to DIY

[darkpixel2k]

In fact most books already DO have advertising (in the back)

Readers Digest is not a book... ;)

What do you expect?

You get what you pay for.

Re:What do you expect?

Hmmm... Either the mods just freshened up their morning dose of heroin, or they really do think that Windows and MacOS are inifinitely better than Linux...

Am i still reading slashdot?

Re:What do you expect?

[Walter+Carver]

What you just said is something I hear from people who want to imply (or directly conclude) that just because you don't pay for something it doesn't have to been of good quality.

With which I disagree.

But even if it was true, you pay Google Groups with your eyeballs. I mean the ads, the ads of Google in general.

Re:What do you expect?

[UsenetUser]

Dude, you're absolutely right. You do get what you pay for... one of the reasons I troll for good usenet offers and switch providers like crazy. marcy@usenetadvantage.net www.usenetadvantage.net

Perhaps a new mail header?

[Zarf]

Maybe if we created a mail header with the pgp signature of the message in it we could train our spam filters to filter on that. Google could silently inject the header into its mail clients... no one would need training. Email would look the same. Clients unaware what to do with the header could ignore it. Inside systems like Groups you could see "verified" or not on the email.

Re:Perhaps a new mail header?

[Eravnrekaree]

sounds like a good idea, it seems. For this to work, can the correct signature be made only by the users private key, on the text in the email message, so someone couldnt just take the public key or whatever and spoof the signature?

Re:Perhaps a new mail header?

Ummm, Google Groups is an archive and Web interface for Usenet. Email is irrelevant.

Re:Perhaps a new mail header?

[simcop2387]

that's the whole point of public key cryptography so yes it would work.

Re:Perhaps a new mail header?

[Straker+Skunk]

PGP/GPG is overkill. Just drop messages that fail an SPF check. Spoofing is part of the problem here, and SPF was tailor-made to address spoofing.

If you do use PGP/GPG, you don't need an extra header for the signature; it's usually added as a small attachment, and better mail clients already pick up on that for verification.

Re:Perhaps a new mail header?

There is only one solution to spam, and that is to make it completely unprofitable to send. The only way that'll happen is if people stop buying products advertised that way.

An amazingly common misconception. People don't actually buy things advertised by spam. But enough gullible bidnessman believe this for spammers to keep making money off of them.

Re:Perhaps a new mail header?

[andymadigan]

In this case, the problem is people faking existing "trusted" users, so yes, it would work to require the mail to be signed before the user would be "trusted".

Re:Perhaps a new mail header?

[Volante3192]

An amazingly common misconception. People don't actually buy things advertised by spam. Err, [citation needed]?

Here's mine: http://arstechnica.com/web/news/2009/07/12-of-e-mail-users-try-to-buy-stuff-from-spam-e-mail.ars

Slightly less than half (48 percent) said that they have never clicked on a spam e-mail. That's the good news, but that means the other half have clicked on or responded to spam. But why? The answers will undoubtedly horrify you. A full 12 percent said that they were interested in the product or service being offered—those erection drug and mail order bride ads do reach a certain market, it appears.

Seventeen percent said that they made a mistake when they did so—understandable—but another 13 percent said they simply had no idea why they did it; they just did. Another six percent "wanted to see what would happen."

Re:Perhaps a new mail header?

[i.r.id10t]

SPF would only work on the domain level, and has to be implemented by the ISPs, etc. Since google would have to allow many isps send mail as if it were coming from a google user, it would kinda defeat the purpose. Better would be to allow google groups to only get messages from gmail, and set gmail up to not allow alias addresses for gmail accounts that the user doesn't own.

Re:Perhaps a new mail header?

The idea is that the key identifies with that particular e-mail. Signing up for "IRn0tFagg0t@gmail.com" would get you a key proving the identity of the author. Copying this key and trying to use it as "Emmanuel.Stewart@gmail.com", wouldnt fool the system at all (because it would look like it is coming from ES, but authenticating as IR).

Re:Perhaps a new mail header?

[grumbel]

It won't help at all in this case. For instance, nothing stops a spammer from signing up for a GMail account that generates such a header, and sending out spam that your spam filter happily allows through.

Thats trivial to solve, just hold any message whose key is younger then a few days or which isn't trusted enough for moderation.

And it would be trivial for a spammer to spoof a legitimate user's signature.

Unless they hack into a users account it will be pretty much impossible to fake a signature.

The only way that'll happen is if people stop buying products advertised that way.

Good luck with that. Sending spam is virtually free and making a free thing unprofitable ain't gonna work.

The only way to solve the spam problem is to add accountability into the system and PGP signatures would be one way to do it.

Re:Perhaps a new mail header?

[_Shad0w_]

If a spammer can easily spoof a legitimate user's cryptographic signature on a given block of text I would be very surprised. The only practical way that could happen would be if the user's private key was compromised - if that's the case you just issue a revocation certificate for the compromised key.

Requiring users to sign up using their public key and then requiring all posts to be signed isn't completely ridiculous. It may be a OTT for most groups and possibly beyond the ken of a lot of users, but it could be done. You would just have to parse the all incoming mail to make sure they had a valid signature and that the signature was made using a key that matched a register group member. Although I couldn't comment on how much processing overhead that would create.

Re:Perhaps a new mail header?

[maxume]

It's that, and also a collection of mailing lists that are not mirrored to Usenet. People interact with those mailing lists using email (the group discussed in the summary is a mailing list that is not mirrored to Usenet...).

Re:Perhaps a new mail header?

[Sloppy]

For instance, nothing stops a spammer from signing up for a GMail account that generates such a header, and sending out spam that your spam filter happily allows through.

That's why, while authentication is an excellent thing to do, it's only half of a solution. The other half is to have reputations tied to identities. Sign your spam, get known as a spammer, and now people know to ignore your messages just like they ignore unsigned messages.

Re:Perhaps a new mail header?

[metamatic]

Maybe if we created a mail header with the pgp signature of the message in it we could train our spam filters to filter on that.

If Google at least supported S/MIME, that would be a start.

Re:Perhaps a new mail header?

[OakDragon]

Another six percent "wanted to see what would happen."

That explains why you shouldn't store Drano in the baby's room, but for adults? *shudder*

Re:Perhaps a new mail header?

There's a much simpler solution: start sending out "Free Penis Pills" ads, and mail everyone that buys them rat poison. Hopefully, after a couple hundred people die from being spam-buying fucktards, the rest will get the idea.

Alternatively, find the spammers (they have to have real addresses to sell stuff, right?) and shoot them in the face. This is WAY past the point of, "let's fine them" or "let's send them to prison". Time to put those expensive drones we've bought to a better use...

Re:Perhaps a new mail header?

HEAR, HEAR!

Re:Perhaps a new mail header?

Your newsletter. I wish to subscribe.

Re:Perhaps a new mail header?

[TheRaven64]

I'm not sure I understand your point. SPF guarantees that email is coming from the correct domain. If an email is from a gmail account, then it should come from a server set up with an SPF record for gmail. It's then up to Google to ensure that it's sent by the correct user, which happens when you log in to the web interface (or via authenticated SMTP if they support that). The same goes for anyone else. ISPs often use originating IP address to enforce the envelope from in emails (i.e. the mail comes from the account configured for that user), or support authenticated SMTP.

Re:Perhaps a new mail header?

[i.r.id10t]

But you can set your "from" address in your mail client, and send mail as if it were from your gmail account from your work place, your home ISP's smtp server, etc. In order for that all to work, google would have to allow smtp.yourisp.net to send mail as if it were from google in the SPF records - basically, if it were done, then nothing would have changed 'cause they'd have to allow a metric buttload of ISPs to send.

Changing to web only, or smtpauth, or similar (as we both point out) would do the job though.

Re:Perhaps a new mail header?

[jcoy42]

You Personally advocate a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won’t work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we’ll be stuck with it
(x) Users of email will not put up with it
(x) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don’t care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else’s career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
(x) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Extreme stupidity on the part of people who do business with Microsoft
( ) Extreme stupidity on the part of people who do business with Yahoo
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don’t want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don’t think it would work.
( ) This is a stupid idea, and you’re a fascist for suggesting it.
( ) Nice try, assh0le! I’m going to find out where you live and burn your house down!

Re:Perhaps a new mail header?

[dzfoo]

I propose the following, RFC #1138:
          X-Im-A-Spammer: Yes|No|Uh?
Or
          X-I-Swear-Im-Not-A-Spammer: No|Maybe|RLY!

      -dZ.

Re:Perhaps a new mail header?

Please. If you use copy-pasta, at least read through the things you check. Half of those don't actually apply.

Re:Perhaps a new mail header?

PGP/GPG is overkill. Just drop messages that fail an SPF check. Spoofing is part of the problem here, and SPF was tailor-made to address spoofing.

SPF won't help you if the senders domain doesn't have any SPF records (unless Google decide to block any mail coming from domains missing the recods). It will help for those that do but if I was a spammer I'd just modify my scanning toolkit to test for the absense of SPF records before I spoofed an address.

Re:Perhaps a new mail header?

[Antique+Geekmeister]

Google email normally gets fed through 'smtp.google.com' with your 'user@gmail.com' account name, with SMTPAUTH authentication, doesn't it? I thought the problem for Google groups was the NNTP part, which is much more tolerant of forgery, and which they've completely failed to implement even basic controls on. (Understandably: spammers and abusers can waste millions of dollars of lawyer fees screaming about censorship, and have done so in the past.)

Re:Perhaps a new mail header?

[skeeto]

There is a Usenet-like system within Freenet called FMS (Freenet Message System). The FMS software exposes an NNTP interface so users can use whatever news reader they wish just like they were on Usenet. All identities are simply public keys, with a non-unique username to go along with it, and every post must be signed with a valid signature for that id. Underneath all of this is a web of trust moderation system for moderating identities. If an identity starts spamming, the first few people to see it will rate it down, which will cause the identity's visiblity for everyone (unless they choose not to accept anyone else's moderation) to drop off as the moderation propigates around the web.

Creating an identity isn't a cheap operation and involves solving a number of captchas and a bit a patience as the identity is "announced" by joining in on the web of trust. It's not possible to know of even the existance of an identity without it being in the web of trust. That way a spammer can't keep knocking out a lot of new id's for making spam. (But, unfortunately, this gives newbies a hard time too.)

The result has been a fantastic, completely spam-free network news system. It just needs more people right now. The downside, though, has been that the moderation system has been used to mod down identites simply for unpopular speech rather than outright spam.

And this isn't for lack of spam on Freenet. There's plenty of that where it's possible. The other threaded forum system on Freenet, Frost, doesn't have any useful spam protection and, because of this, it's currently unusable thanks to all the spam.

Re:Perhaps a new mail header?

And it would be trivial for a spammer to spoof a legitimate user's signature.

Wow, a complete misunderstanding of how PGP works. What a surprise!

Cue Spam

[shashark]

Cue Spam Comments in 3...2...1

Re:Cue Spam

Spam from TFS:

Spammers are now spoofing the email addresses of existing group participants

the spammers are pretending to be pre-moderated users

The spam message comes in claiming to be from an existing group participant

I think we got the point.

Tragedy of the Commons

[oldspewey]

I used to be an avid newsgroup participant way back in the day. The flamewars were legendary, and the amount of technical information exchanged on some of those groups was beyond description.

If there were a way to use spammers for fuel, I'd have no qualms solving our energy woes that way ...

Re:Tragedy of the Commons

[John+Hasler]

> I used to be an avid newsgroup participant way back in the day.

I still am. Competent news services such as Newsguy are able to remove enough of the spam to make it tolerable.

Re:Tragedy of the Commons

I, on the other hand, have also participated in many Usenet discussions, but always have welcomed spammers. People who are against spammers are in my opinion not better than Nazis. and while we're at it: Never forget that Hitler was a vegetarian and non-smoker! Is that really what you want to have in our society? Non-smokers, vegetarians, NAZIS?? I for one have chosen to stay on the side of the spammers.

Re:Tragedy of the Commons

[oldspewey]

I think your godwin generator needs to go in for calibration.

Re:Tragedy of the Commons

[Bigbutt]

If there were a way to use spammers for fuel, I'd have no qualms solving our energy woes that way ...

And people wonder why I refuse to hire sysadmins who used to work for well known spamming companies.

[John]

Re:Tragedy of the Commons

[Antique+Geekmeister]

I'm afraid that Google is unwilling to accept 'Cancel' messages, which most competent ISP's have accepted as a necessary price of carrying NNTP. Yes, many NNTP groups at Google have become utterly unusable due to the spam about shoes, Viagra, pirated software, and who knows what else.

Google groups was nice while it lasted, but unless they can accept that blocking spam is worth the risk of lawsuits due to people being unhappy about being blocked, it's useless.

Re:Tragedy of the Commons

There will be no end to spam until there are actual consequences. They have caught a couple of spammers, and what happened? They were given a little fine to pay and told not to do it again. Big deal. If these assholes were actually prosecuted for the all the damage they have done and all the laws they have broken they would all be spending multiple sequential life sentences in Leavenworth breaking rocks. Until that happens, there will be no end to spam.

Good opporunity for GPG / PGP?

[DoofusOfDeath]

Isn't GPG / PGP email signing perfectly suited to handle this?

All you need is a way to build a tree or chain of trusted signatures. The root of the tree could be the person who created the group.

Re:Good opporunity for GPG / PGP?

[Abcd1234]

Given it's a moderated group, you could easily create a web of trust between moderators, and then have the moderators add the keys of valid participants to their chain. From then on, anyone 'pre-moderated' (whatever that means) would only be able to send an email to the list if the mail was signed with a key a moderator had already accepted.

But, of course, you'd need people to actually use PGP/GPG, which seems like an uphill battle...

Re:Good opporunity for GPG / PGP?

[lee1]

Of course. It solves the general email spam problem as well. But can you imagine trying to get your local PTA membership to use this or even understand what it is?

Re:Good opporunity for GPG / PGP?

[Sloppy]

The root of the tree could be the person who created the group.

No, the root of the "tree" (and by that I mean, "not a tree") should be whoever is reading it.

Re:Good opporunity for GPG / PGP?

well, it's not a knitting group, they are supposed to be developers

Yahoo chats have had similar syndromes

[Eravnrekaree]

Yahoo chat as well seems to be overtaken by this spamfest. They have tried to address it with captchas, but the spammers simply go ahead and entire the captcha code and keep spamming. They could require credit card verification to make it harder to open massive numbers of accounts, i suppose. Maybe they could have some sort of scanner that would look for sequences that could identify common patterns in spam messages and flag these messages for moderation. Even moderation itself is ripe for abuse with moderators who abuse that power that they have. Perhaps another solution is a voting system on particular messages like that on slashdot, in this case, simply as to whether the message is spam or not, the messages which are voted to be spam are basically collapsed but could be opened with a click, or can be shown with a show "spam marked messages" feature. Could be useful both on chat and also on message boards.

Re:Yahoo chats have had similar syndromes

[weaponx71]

The Yahoo groups aren't all that bad. I belong to a few and over the past two weeks we got a few infected links from members that got infected. Straight spam has been like maybe one every three months or so. Now the Yahoo chat, well.. that is just unusable as I use to remember it. When I became wise and got rid of AOL, Yahoo chat was a great replacement. You could actually have conversations with real people. Then the script kiddies were flooding the rooms with their booters and such. The bots were easily spotted and ignored. Now... Take any given room, even with the captcha and you will have over 60% bots. As soon as you log into the chat room you get flooded by spam adds to your list and spam chat windows. It IS completly useless compared to what it was a bunch of years ago. Yahoo is the ONLY one to blame for this. Sure they use captcha, and sure there are admins in ever room. But they obviously do NOTHING. I now only pop into those chat rooms once a month, maybe. My wife just said she couldn't right click and it was due to Yahoo's new toolbar, even though she doesn't use the new toolbar. So all of that just spells out to me that is that only Yahoo email is worth anything. And even that hasn't been my main email for 5 some years. I figure it will very slow or maybe not even at all that Yahoo will try and make all of that better. I would go for a guess that now that Google has been called out on it, something will be tried to fix the problems very soon. But... that's just my opinion, I could be wrong.

Re:Yahoo chats have had similar syndromes

[Alioth]

Just pass all messages through SpamAssassin. Unfortunately, you lose the header checks with non-email, but the body will often fail in spammy URIs, plus match a number of other rules.

SpamAssassin is awesome. My personal email address gets around 1000 spam messages per day. All but two or three get blocked by SA.

Re:Yahoo chats have had similar syndromes

Yahoo Groups are pretty much an older-school way of swapping porn, really.

Re:Yahoo chats have had similar syndromes

[weaponx71]

This is just silly. All the groups I belong to are legitimate and have nothing to do with porn. To tell you the truth, using a Yahoo Group for porn never entered my mind. The Yahoo Chat on the other hand has nothing but that sort of thing being asked for or advertised by the bots.

Re:Yahoo chats have had similar syndromes

[weaponx71]

I think he is talking about the Groups hosted by Yahoo, sure you can get the posts emailed to you, but the SpamAssassin wouldn't do much with a spam sent directly to the group with false headers. Even the non-false header spam would pass through I think as the posting gets made after a bot creates an account in the group. I would guess every group would have to have new membership moderated before making any kind of post.

Re:Yahoo chats have had similar syndromes

[xiong.chiamiov]

tl;dr. You seem to be suffering from block-of-text syndrome.

Do more about spam

The spammers Behavior are really destructive in many ways, this is just one of them. It really should be seen as sabourtage against infrastructure and a bigger efford should be made to follow the trail of money and take down those people who makes the money.

Re:Do more about spam

[jonbryce]

The problem is that the trail of money ends at a Western Union or Moneygram branch.

Re:Do more about spam

[commodore64_love]

When I find scammers I like to have fun with them. I like to scam the scammers the way Robin Hood scammed the illegal usurper Sheriff of Nottingham

It's not entirely legal, so I'll shut up now.

Re:Do more about spam

[wampus]

Online vigilantes need to go into meatspace with a baseball bat. After two or three spammers get beaten to something resembling a fruit pie filling outside of Western Union, maybe they will get real jobs.

Re:Do more about spam

No, no... tell us your techniques so that we may do the same.

Re:Do more about spam

[cerberusss]

The problem is that the trail of money ends at a Western Union or Moneygram branch.

That's not a problem! We can safely assume that said spammer lives in a 10 KM range of said branch office. A small tactical nuke should take care of it. Sure, it'll cause some collateral damage, but we're talking about spammers here.

Re:Do more about spam

[dAzED1]

more than 2 or 3 have been killed for it. Want to re-think your plan?

Re:Do more about spam

No, it needs to be ramped up.

Re:Do more about spam

[MillionthMonkey]

Your post advocates a ( ) technical ( ) legislative ( ) market-based (x) vigilante approach to fighting spam. Your idea will not work... ...aah never mind.

Re:Do more about spam

[MollyB]

And if we assume a density greater than one spammer per 314.2 sq. km., we get more bang for the buck...

Re:Do more about spam

[LearningHard]

I say we take off and nuke the entire site from orbit. It's the only way to be sure.

Re:Do more about spam

[commodore64_love]

>>>No, no... tell us your techniques so that we may do the same.

Well okay. I bought a game from a scammer on ebay who claimed it was "like new" but of course it was all scratched up. I followed his instructions, returned the game, and he kept both my money and the game. He ignored my emails when I said, "Where's my refund?" --------- So I did some research and found hundreds of other buyers had similarly been scammed by this in-duh-vidual, so I went for the juggler. I bought about $1000 worth of "like new" games, they arrived all scratched up (naturally), and then I claimed I never received the games. My credit card returned all the money to me.

I reverse-scammed the scammer. He sent hate-filled emails, which of course made me laugh.
I then shared the games with his previous victims.

Re:Do more about spam

[clone53421]

Your ideas interest me and I wish to subscribe to your newsletter...

Also, I'm a juggler, you insensitive clod... the word you were looking for was "jugular".

Re:Do more about spam

[jonbryce]

The mule who responds to a "money processor" job ad lives near the said Western Union branch. You know who he is because you followed him there.

From there you only know which country the money went to. Russia and Nigeria are big places. Some tactical nukes in Nigeria might work, but I wouldn't risk trying it in Russia. In any case it could be WU'd to another mule who immidiately WUs it to another country.

If you knew which branch the money is picked up from, you could follow the spammer back home. I have 49 Western Union branches within a 10km radius of me, so you probably wouldn't have to follow them for anything like that sort of distance.

Re:Do more about spam

[u38cg]

When you collect from a Western Union branch, you have to bring ID and it is copied. As far as I can tell, no-one follows the money trail because the international nature of it makes life more hassle than it's worth for law enforcement: by the time you got to someone you could nail, the chances are any trial would fall apart in a nightmare of extradition laws and evidence rules. That said, though, the cash probably is laundered at some stage.

Re:Do more about spam

Small-scale stuff. Try doing the same with the spammers we're talking about.

So I did some research and found hundreds of other buyers had similarly been scammed by this in-duh-vidual, so I went for the juggler. I bought about $1000 worth of "like new" games, they arrived all scratched up (naturally), and then I claimed I never received the games. My credit card returned all the money to me.

I reverse-scammed the scammer. He sent hate-filled emails, which of course made me laugh.

This just reeks of BS. Why would you distribute those "all scratched up" games to other scam victims? What use would they get out of them? And did you pay the shipping?

And you credit card returned the money to you? No scammer with "hundreds" of victims accepts credit cards... too many claims would get their merchant agreement revoked. Or were you seriously one of only a couple people who called their credit card company?

And if you did dispute with your credit card for nondelivery, they would have suspended the transaction while requesting POD from the scammer... and since he actually sent you the games, he'd likely have it... This is why they ship something, so they have POD in case someone like you comes along.

I'm really beginning to believe everything you write is full of shit, not just some of it.

Re:Do more about spam

[jonbryce]

Do you think they are as tight about these things in Nigeria as they are in the US or EU?

Re:Do more about spam

[u38cg]

Not for a second, but I also think it's a very, very easily solved problem. Dear Western Union: run a tight ship or all your US branches get shut down. Love, the govment. The fact that this hasn't happened says to me that these operations remaining as they are is convenient for someone at a fairly high level: draw your own conclusions.

and Blogger too

[GameGod0]

Google's really dropped the ball on spam blocking with Blogger too. I host a couple of random blogs on there, and they've all been hit with a ridiculous amount of spam in the last year. Blogger doesn't even give you something like Akismet... :(

Re:and Blogger too

[Rude+Turnip]

Are these spammers the same people that were duped into paying some fee to "learn how to make thousands of dollars" by posting ads on web sites?

Re:and Blogger too

[BitZtream]

Blogs ARE spam 99 times out of 100, its hard to implement spam filtering when the content in and of itself might as well be spam.

Time to bring back the cancelbots?

[argent]

If this is a Usenet group that Google Groups is just providing an interface to, I guess it's time to bring back the cancelbots. UDP against Google. It's come close before.

If this is one of the Google Groups that's a web forum, then they need to require that you actually log in before posting.

Re:Time to bring back the cancelbots?

Don't be silly. That logging in is easily automated, as is creating google accounts. I've long and happily used usenet and there was a huge difference between providers that ran usable feeds and others that did less well (*cough* google *cough*). Google appropriating usenet by adding lots of incompatible groups, indeed inviting the great unwashed to do it too, that can only be read through their web interface from their inferior, unfiltered, spammed and spam-generating feed, I see as a perverted sort of poetic justice.

Clueing up, learning how to use usenet properly (RFC1855 baby), and switching to an actually competent usenet provider, is the way out of this conundrum. As is hitting your friends over the head with a cluebat and taking them with you, of course. Vote with your feet, people. Walk to end september.

Put yourself at the mercy of The Cloud...

... and you can expect to get rained on.

Google Groups shouldn't act like Usenet

[MaraDNS]

The problems described in the article: Having it so it's not completely obvious a group is moderated, having a choice of either moderation of every post or no ability to control spammers, flamers, and trolls, and no protection against forged moderation sound like issues caused because Google groups tries too much to be like Usenet.

Usenet was a very good idea in the 1980s and early 1990s, before the internet became anonymous and spammers started moving in. My favorite thing about Usenet is that it's easy to read it offline (Google "Leafnode") for people who do not have a continuous connection to the internet--this was the norm in the UUCP-dominated 1980s, when just about nobody had a direct internet connection.

I recently posted a blog about the death of Usenet:

http://maradns.blogspot.com/2009/07/memories-of-usenet.html

Re:Google Groups shouldn't act like Usenet

[commodore64_love]

Usenet has always been anonymous. Back in 1988 when I first got my account I used my real name, but did not have to. I could have just as easily used the handle" I have now. Or spammed up a storm if I felt like it. (In fact some of my early posts about trading Star Trek TNG tapes were labeled "spam" by the members... I learned not to do that anymore.)

Re:Google Groups shouldn't act like Usenet

[Alioth]

Some of usenet is dead. But not all of it.

But please - keep spreading the meme that usenet is dead - thanks to that, many of the spammers have left, as well as many of those with no sense of netiquette, and the groups that are still active now have a good signal-to-noise ratio. It's almost like it was before The September that Never Ended.

It's also unfortunate that web boards have never learned the long lessons of discussion group user interface design. Even tin of 1993 has a better user interface for threading than any version of phpbb or vBulletin.

Re:Google Groups shouldn't act like Usenet

Name one active discussion group on Usenet right now.

Re:Google Groups shouldn't act like Usenet

[Red+Flayer]

Back in 1988 when I first got my account I used my real name, but did not have to. I could have just as easily used the handle" I have now. Or spammed up a storm if I felt like it. (In fact some of my early posts about trading Star Trek TNG tapes were labeled "spam" by the members... I learned not to do that anymore.)

Bullshit, bullshit, bullshit. The first time a post on usenet was referred to as spam was in 1993.

You are completely full of shit, assuming that "some of my early posts" refers to posts made within a few years of when you got your usenet account.

Stop pretending you're something you're not, and stop pretending you've done things you haven't.

Brilliant (NT)

Clever, too.

Finally, someone important points out the obvious!

[fsterman]

Why the hell haven't they put the same spam filters that they use for Gmail on the discussion lists?

Join the 21st Century

[Horn]

Time to move away from the antiquated system of mailing lists. Web based forums are much easier to control and a far, far better way of sharing information with users. I hate coming across an otherwise useful site and then having to go to a mailing list to see what other users are talking about.

Re:Join the 21st Century

Web-based forums are a decidedly 20th century invention. Don't get me wrong; they are the best way to go for online discussion, but let's not make them out to be newer than they really are. They only seem newer because they've matured along with our lovely "Web 2.0" buzzword progression, whereas mailing lists don't really have too much that they CAN improve on, so they've stagnated for the past decade.

Re:Join the 21st Century

Except forums are locked into the crappy UI of whatever forum package the admin happened to pick, whereas mailing lists let you use any email client you want.

Oh, and forums still get spam.

Re:Join the 21st Century

[John+Hasler]

> Time to move away from the antiquated system of mailing lists. Web based
> forums are much easier to control and a far, far better way of sharing
> information with users.

No local control over filtering and sorting, forced to use your weird UI and editor instead of my own? "Forums" suck. And "easier to control" is not a feature.

Re:Join the 21st Century

[doconnor]

This is an issue that really bugged me. The move to web based forums from Usenet and mailing list was a giant step backwards in functionally.

Advantages of Usenet and mailing lists over web based forums:

The user can control the interface
killfiles
threading
discussion on issues where centralized in one place rather then across multiple web forums
better searching
better archiving
less bandwidth

More advanced web forums, like Slashdot, do a better job of supporting these features, but most people still use very primitive forums.

Re:Join the 21st Century

Or time to move away from the broken Google Groups to a real mailing list that doesn't have these problems?

Don't throw out the baby with the bathwater.

Re:Join the 21st Century

This is why most mailing lists have archives you can easily read in your web browser. Mailman even automatically makes the web archives for you.

Re:Join the 21st Century

[doconnor]

Web based forums are much easier to control

One man's control is another man's tyranny.

Re:Join the 21st Century

[Xtravar]

I hate coming across an otherwise useful forum and then having to sign up and log in to view certain topics and download files from it.

Not that I use mailing lists or newsgroups...

Re:Join the 21st Century

No local control over filtering and sorting, forced to use your weird UI and editor instead of my own? "Forums" suck. And "easier to control" is not a feature.

Uhm - then why are you posting on Slashdot?

Re:Join the 21st Century

[commodore64_love]

Nope. I belong to the AVS (audio-visual science) forum for awhile, and stated matter-of-factly that digital TV has reception problems and the converter boxes from Dish are junk. I was banned.

You can't have free speech in a system where the Sysop is like a dictator - deciding what can or can not be said. Even a benevolent dictator can be bad. Usenet offers a place that is libertarian in nature - people police themselves - and nobody gets censored even if they are whackjob KKK members.

Re:Join the 21st Century

cry me a fucking river... spammer!!!!

Re:Join the 21st Century

[Dr_Barnowl]

I imagine they will ; this is Google, after all.

Re:Join the 21st Century

[SolarCanine]

Isn't a benevolent dictator, by definition, one who *isn't* bad?

Re:Join the 21st Century

[Richard+Steiner]

Killfiles and regex-controlled score files that can both sort and enhance/block messages based on reader-defined criteria. Very very powerful, something the DOS-based SOUP reader I used to use (Yarn) did back in the early 90's, and something which I've not yet seen even roughly approximated in a web-based forum.

Folks who say that USENET is "antiquated" have no idea of its potential, or how experienced users were able to utilize it in practice.

Re:Join the 21st Century

[Richard+Steiner]

USENET has always been far more than a "mailing list", and I could do things to control/filter/sort messages to my liking with Yarn and slrn that I can't even touch with the web-based forum software I've seen (and I've seen a lot of it).

I really wish web-based forum software would catch up. Even USENET in the early 90's far surpassed it in many respects. Most web forums are nice for posting pictures, but horrible in terms of threading and controlling what actually shows up in your reading list.

Re:Join the 21st Century

[Richard+Steiner]

I'm not the OP, but I use Slashdot's web UI because they haven't created an nntp gateway for me yet. :-)

Once that is done, you won't see me using this web-based interface, believe me. I'd be using Yarn here, or maybe slrn with slrnpull.

The content here is decent for the most part (STN ratio is often quite good). It's the interface that sucks.

Re:Join the 21st Century

[mordejai]

IMHO, this is one of the areas where technology like Google Wave can really shine.

Of course we're still a year away from it being usable, and another two for it being popular enough.

Re:Join the 21st Century

[ragethehotey]

Advantages of web based forums:

Any idiot can figure them out and navigate them pretty easily, whereas Usenet is more than a little intimidating to new users.

Re:Join the 21st Century

Advantages of web based forums:

Any idiot...

This is an advantage?

Re:Join the 21st Century

[EQ]

I imagine they will ; this is Google, after all.

cue Gerard Butler: THIS. IS. GOOGLE!

Re:Join the 21st Century

[commodore64_love]

The road to hell is paved with good intentions. Like censorship of porn because "it's bad for my people"

Re:Join the 21st Century

Advantages of web based forums: Any idiot can figure them out and navigate them pretty easily, whereas Usenet is more than a little intimidating to new users.

No, I'm pretty sure that's an advantage of USENET too. I mean do you really want to be talking to any old idiot? It's fun to take trips out and observer them, but god help me I wouldn't want to actually interact with one.

Re:Join the 21st Century

[clone53421]

No, it's one who isn't *malevolent*.

Re:Join the 21st Century

[GasparGMSwordsman]

No local control over filtering and sorting, forced to use your weird UI and editor instead of my own? "Forums" suck. And "easier to control" is not a feature.

Uhm - then why are you posting on Slashdot?

Because he hates himself and wants to exact as much pain on himself as possible...

On a more serious note, I agree with the parents parent, I much prefer mailing lists to forums.

Re:Join the 21st Century

[koiransuklaa]

There is nothing that stops you from accessing mailing lists via web (see gmane et al), but please don't force the rest of us to do that.

Don't get me wrong, web forums can be ok for some things. Mailing lists are just so much more powerful in many situations that your suggestion is not even funny -- in other words, don't judge a technology because you don't know how to use it.

Re:Join the 21st Century

[Malohin]

This is not a new slogan. "Join the 21st century" seems somewhat orthogonal to "Those who cannot remember the past are condemned to repeat it." I wrote this a year ago, based on much older posts and e-mail:
Why I don't like forums

========

Tracking

1. Tracking all the user-ids and passwords for all the various forums is a pain.
2. Many folks use a separate e-mail alias for each forum, so they know when one starts spamming, adding Yet Another bit of bit of data to track.
3. Many forums require or encourage the collection and distribution of additional data: birth date, location, Instant Messaging handles, web sites, etc. Some of this may be required to authenticate when you try to recover a password or otherwise get the attention of the administrators. It's Yet Even More data to track and update, in addition to any privacy concerns.

Display

1. The layout of each forum is completely different. You have to figure out or recall Yet Another scheme before you can figure out what is going on.
2. Most forums are laid out badly. None of them offers much real customization for end-users. Were it up to me, I'd be able to make every damned one of them look exactly the same when I visited.
3. Many forums use a layout or style that is pretty much illegible:
   • Tiny type.
   • Low contrast text. I'm not sure which is worse, gray on black or lime green on black. No, the worst was deep green on burgundy.
   • Many forums give way too much emphasis to avatars, signatures, animations, etc. It can actually be hard to find the posts sometimes.
   • Rigid layouts that make it impossible to resize the screen or browser and see more of the actual posts.

Delivery, Attention

1. Posts to a mailing list sit on my machine waiting for me. I don't have to remember to visit a forum or find some way to track multiple forums.
2. Posts from e-mail lists arrive asynchronously and are already delivered, filtered, and sorted by the time I want to read them. With a forum, I have to go get each post or page of posts from each forum I might choose to visit, and they have to be loaded at that time.
3. Posts that arrive in e-mail can be filtered or organized according to my criteria. Forum posts are organized by the admins and posters into "boards," "sub-boards," and "threads" that are frequently named oddly or just make no sense.
4. Many forums use some sort of "newness" filter and try to keep track of what is "new" for you -- and do so badly. The user interface to control this feature (if the feature exists, if the user interface exists) range from bad to worse.
5. Forums show quite a bit of extraneous information. Showing the poster's handle makes sense, but each post also shows: their avatar, the date they joined, their location, title, "status," role, post count, IM handles, login status, and so on. It shows this for EVERY poster in the thread. Then there is the information for EVERY thread: number of views, number of replies, rating, activity level, various status flags, original poster, last poster, time stamp, number of pages of posts, a page list, and so on. Then the information about EVERY post: reply number, a reply-and-quote button, reply button, report button, site tools and links. At the bottom is also the actual time it took to create the page, standards compliance, etc., etc... Where was the content again?
6. Following discussions in forums requires much more attention than in e-mail.
   Let me state this again: Reading posts on forums is much, much more work than reading posts from mailing lists.

   I am on numerous high and low volume mailing lists. The incoming posts are tagged and filtered into various mailboxes as messages are delivered. At some point during the day, I'll decide to "glance over" these mailboxes. I may have already filtered and marked certain posts with tag

Re:Join the 21st Century

Uhm - then why are you posting on Slashdot?

He's using the FireFox Slashdot NewsGroup redirector. You should try it too.

Re:Join the 21st Century

Just look at any project that has both mailing lists and forums. The technical discussion will be on the mailing list while the forums only seem to exist as a honey trap for retards.

Re:Join the 21st Century

I'm not the OP, but I use Slashdot's web UI because they haven't created an nntp gateway for me yet. :-)

At least there was the possibility to read Slashdot like news:
http://www.gnu.org/software/emacs/manual/html_node/gnus/Slashdot.html

Re:Join the 21st Century

No local control over filtering and sorting, forced to use your weird UI and editor instead of my own? "Forums" suck. And "easier to control" is not a feature.

Uhm - then why are you posting on Slashdot?

Good point. As far as weird UI and editor go, Slashdot borders on a monopoly.

Re:Join the 21st Century

[martin-boundary]

Uhm - then why are you posting on Slashdot?

You're marked funny, but it's not actually necessary to use the slashdot UI for posting at all. I browse /. with a text browser (w3m), and whenever I want to enter a comment here, the browser opens an Emacs window. So I have proper editing and all the advantages from access to HTML modes, spell checking, unlimited undo and redo, etc. When I'm done editing, the browser automatically sends the contents of my message to the /. server.

Re:Join the 21st Century

[skeeto]

Obviously said by someone who hasn't had much experience with a good NNTP client. :-) Comparitively, web interfaces are so limiting and clunky, and conversation is usually non-threaded, which I really can't stand.

Upgrade the Captchas

[scorp1us]

Google has some of the weakest around. And whats more is becaue Google uses domain keys it is a desired domain because that stuff gets through the spam filters better.

I wish Google had an automated honey pot system where you could drop a google address, and any google account would instantly get shut off for sending mail to it. The idea is you plant the email address in a place where automated spambots will harvest it and poof! no more spammer.

Of course it could be used for abuse and if passed off as a legit account, so there needs to be some registration and tying of spam honey pot accounts to their owners for accountability.

Re:Upgrade the Captchas

[PaintyThePirate]

Google bought ReCAPTCHA recently. I hope its only a matter of time before they integrate it.

Re:Upgrade the Captchas

[psydeshow]

CAPTCHAs don't work. The technology implies an arms race (better obfuscation vs. better pattern recognition), but the whole thing is trivially easy to subvert through social engineering / outsourcing. You don't need to pay for better algorithms, just give a kid $20 and challenge him to create more Google accounts today than he did yesterday.

Meanwhile, they annoy the shit out of honest users.

Google knows how to detect and filter spam. Hell, any engineer could figure out that the same message cross-posted to more than 5 unrelated groups is a good candidate for automatic filtering. Others have mentioned honeypots. Others have mentioned SPF. Others have mentioned tracking known SMTP relay routes. All of those things make more sense than hoping that stronger captchas will fix anything.

Re:Upgrade the Captchas

[BitZtream]

Captchas are not a solution anymore.

Spammers are FAR better that resolving the letters in captchas than I am. It took me 3 tries to get a google captcha I could read just recently.

Ticketmaster.com is an example of extreme over kill. Not only are the they next to impossible to decipher, they require you to enter a new one for practically EVERYTHING YOU DO.

Its become easier for me to just drive to a box office than buy tickets online, and funny enough, cheaper too, even including gas involved.

If captcha's are the solution, the system is doomed.

This isn't the way to win the war. The way to win the war is to make it an economic loss to use spam. Right now there are too many older generations of people that spam still works on. Change nothing about the Internet now, and spam will die on its own in 20 years as the generations shift through and the mass of the Internet knows better than to buy from spammers.

Re:Upgrade the Captchas

[scorp1us]

Well you should just contract out to them to solve your captchas for you!

Google already has a solution in Labs

[Zocalo]

Google Mail has a feature in Labs whereby they identify social groups within your email contact so that if you exchange a lot of emails between a certain group of people and suddenly add a new recipient it will flag a possible problem. Surely it would be possible to apply a similar methodology to Google Groups only with the IP addresses messages originate from - send from a new IP assignment and the message gets moderated, no matter how many successful posts you've made from elsewhere.

Well, advertising _is_ Google's business...

[John+Hasler]

But maybe this will kill Google Groups and thus eliminate 99% of the spam on Usenet. We can hope, anyway.

Unusable indeed

[Ritz_Just_Ritz]

I've been wondering if/when Google would make some sort of effort to deal with the problem. You'd think that a company that's gone out of their way to hire brainiacs could come up with *some* sort of solution. I'm a little surprised they've let it spin this far off into the weeds.

Google Beta

[slack_justyb]

I see a lot of Google's products needing the oh so familiar Beta label again.
Seriously, Google's offering is not without it's serious drawbacks, and I suspect that the good stuff is to be had from actual paid services. However, this kind of letting crap slip where people can spoof the name of a valid member is a serious Alpha quality flaw. What's the point of identifying anyone, if everyone can pretend to be everyone else? I mean that is the actually concept of identity, to uniquely label something as different as other things.
I think Google is trying to take on more than it can handle and it is beginning to really show now that they've removed the excuse of "Beta".

Re:Google Beta

Advertising backed services are paid services.

Re:Finally, someone important points out the obvio

[Minwee]

Why the hell haven't they put the same spam filters that they use for Gmail on the discussion lists?

Maybe it's because they want to encourage you to use Gmail, which they control and can extract some income from, instead of Usenet, which they have only a passing acquaintance with and can't squeeze a penny out of.

Report spam

[nkh]

Google Groups was a good idea with a bad implementation. Last time I checked, there was no fast way to report a spammer, you have to click 3 or 4 times and be redirected to different pages before having just one message successfully reported.

Re:Report spam

[MWojcik]

Last time I checked, there was no fast way to report a spammer, you have to click 3 or 4 times and be redirected to different pages before having just one message successfully reported.

That must have been long time ago. Now you have "report spam" link right by the thread summary (you don't have to even open the thread) and at each message that doesn't result in opening new window/following the link.

Re:Report spam

[maskedbishounen]

If we can define "long" as "couple months" if that. I gave up on the one Google Groups list I had been following due to all the spam it suddenly started receiving.

Ebarassing for group admins

[Morris+Thorpe]

I created and admin a Google group for my son's high school team. We have coaches about 120 parents in the group.

Even though it's a pain in the ass, I chose to moderate messages for new members. Still, spam gets through. As the group's admin, it's embarrassing to see graphic messages and know that all the parent's on my kid's team are seeing it. Also, moderation means that some messages may not get through in a timely manner.

I'm looking to migrate the group to an alternative now.

Re:Ebarassing for group admins

[harmonise]

Even though it's a pain in the ass, I chose to moderate messages for new members. Still, spam gets through.

How is spam getting through if you are moderating? Are you approving spam messages?

Re:Ebarassing for group admins

facebook group?

Re:Ebarassing for group admins

[twoshortplanks]

If you RTFA, or hell, read the summary, you'll note that spammers are posting using the addresses of existing members, meaning that new-user moderation is bypassed.

Re:Ebarassing for group admins

[BitZtream]

They are on the Internet, they've seen the stinger picture before unless they just got online for the first time this morning, in which case, they'll see it before the end of the day I'm sure.

You may be embarrassed, but they are probably viewing far worse out of choice. Do you get embarrassed when you see a car accident? Getting embarrassed because spam got through on the Internet is about the same as getting embarrassed when you see a car accident. Theres no reason for it.

Re:Ebarassing for group admins

[u38cg]

I've been on several mailing lists hosted on Yahoo Groups over the years, of various sizes, and they all work extremely well. You get the occasional spam invasion, but that's going to be true of any large mail list provider.

Re:Ebarassing for group admins

[harmonise]

If you RTFA, or hell, read the summary, you'll note that spammers are posting using the addresses of existing members, meaning that new-user moderation is bypassed.

Moderation is where every message must be approved before it's posted. So, again, if this person is moderating the mailing list, then I don't see how messages are getting through unless he is explicitly approving them. If someone can post to your list and the message doesn't need to be approved, you do not have a moderated list.

No shit !! WELCOME TO THE BRAVE NEW WORLD !!

Welcome to my nightmare
I think you're gonna like it
I think you're gonna feel... you belong
A nocturnal vacation
Unnecessary sedation
You want to feel at home 'cause you belong

Welcome to my nightmare
Welcome to my breakdown
I hope I didn't scare you
That's just the way we are when we come down
We sweat and laugh and scream here
'cuz life is just a dream here
You know inside you feel right at home here

Welcome to my breakdown
Whoa
You're welcome to my nightmare
Yeah

Welcome to my nightmare
I think you're gonna like it
I think you're gonna feel... you belong
We sweat laugh and scream here
'cuz life is just a dream here
You know inside you feel right at home here
Welcome to my nightmare
Welcome to my breakdown
Yeah

Well,

[pdxp]

As a concerned legitimate user of /. I must offer these words...

FREE V1AGRA!!
FREE MOVIE DOWNLOADS!
UNLIMITED P0RN FREE!!



(pdxp is no longer with you. the spambots are now infesting his brain, and you are all next)

No Tragedy

Usenet continues to be a wonderful source of binaries and technical info.

It is still the source for most of the releases I see on p2p networks.

It is no worse than the political pap and S/N ratio say on a site like Slashdot.

Usenet simply requires a thick skin and the willingness to self-manage your experience. Those unwilling to do so have been complaining of "tragedy" since the 2nd week of Usenet's existence.

And sadly they are bringing their puckered asses and regulatory sensibilities to the rest of the Internet, turning it into a suburban picket-fenced nowhere.

 

Spammers are spoofing Google Groups

[farnsaw]

I manage a moderated google group and I have received spam "from the group" from someone who is not a member. This makes me think that they sent it directly to me and just spoofed the headers to make it appear to come from google to get past my local spam filter. I wonder if this is what is really happening?

Re:Spammers are spoofing Google Groups

[Mike+Van+Pelt]

You should be able to tell by looking at the Received: headers whether it really came from Google Groups or not.

Re:Finally, someone important points out the obvio

[ChienAndalu]

Maybe they pool their resources in Google Wave and ditch Google Groups as soon as Wave is ready.

Re:Finally, someone important points out the obvio

[baxissimo]

Google Groups serves as a face to Usenet, yes, but it also advertises itself as a place to create new groups which are hosted by Google, as an alternative to setting up your own mailing list. I suspect the jQuery folks are using a Google hosted group. The spam situation is indeed ridiculous, and Google could indeed do something about it. They even have "report spam" buttons on all the messages, but so far as I can tell clicking on those buttons has no effect. At the very least it should hide the messages from me that I mark as spam. But no, it doesn't even remember which messages I've marked as spam from login to login. They've just dropped the ball for some reason.

my settings

[Deanalator]

We were having some problems with this on the wimax hacking google group.

About a month ago I set all posting options to members only (read is still public, the group is listed in the directory, and there is no moderation). I then set it so people need to request an invite to join. The signup page says "Sorry, about the inconvenience, but spam was starting to ramp up, so now users have to request membership manually. Anyone who is human is welcome, and encouraged to join."

There has been zero spam since the change.

It would be nice if there was an option to just let people solve a captcha to join the group, but until then this solution is working fine.

Re:my settings

[sl149q]

I admin a bunch of Google Groups as well. I do the same. Mail only from group members, you need to make a membership request to join, you have to answer a simple group related question before we allow the membership.

Any requests without an answer just get ignored. The occasional spammer who gets in we just ban after the first spam. I also use the appropriate buttons to report the spam and profile etc. Not sure if GoogleGroups actually does anything.

I get no spam on my lists. And only have to deal with membership requests.

It pretty much doesn't matter where you run your mailing list. You'll need to do pretty much the same or you'll get spam.

And even doing it properly on the mailing list side won't prevent spam from virus infected systems sending spam to peoples contact list :-)

Block posts to Usenet via Google

[Animats]

Maybe the answer is to block posts to USENET that come in via Google. That seems to be the source of the trouble.

Looking at the newsgroup "comp.lang.python", all the spam seems to be coming in via "posting.google.com" with GMail return addresses. Bulk-created phony gmail accounts are such a source of spam that they should be blocked until Google gets their act together. At this point, we have to view GMail like Hotmail, another free email account system made useless by spammers.

Hotmail is widely blocked. Next, Gmail?

Re:Block posts to Usenet via Google

[rudy_wayne]

At this point, we have to view GMail like Hotmail, another free email account system made useless by spammers.

Hotmail is widely blocked. Next, Gmail?

I have 2 Gmail accounts but access them via POP3. Gmail's spam filters work perfectly. I get zero spam. Although there are hundreds of spam messages in the spam folder none of them get through to me. Why can't they do the same thing to newsgroups?

Re:Block posts to Usenet via Google

[bipbop]

I blocked gmail a couple years ago for this reason. It's annoying though, because there are a lot of legitimate gmail users who I'm blocking, but I'm willing to miss their messages in exchange for blocking a much larger number of spam messages. It sucks, but it's the least effort solution as a reader.

Also, this isn't a new problem, and it's pretty unlikely that it'll go away AFAICT. Google Groups has always been a group that Google's least competent employees work in (again AFAICT; I have no personal knowledge of them, it's just consistently been their worst product) and I'd be pretty surprised if things turned around now.

Re:Block posts to Usenet via Google

[John+Hasler]

> Maybe the answer is to block posts to USENET that come in via Google.

I'm getting close to doing that. Unfortunately, there are many interesting and legitimate articles posted via Google Groups on many of the newsgroups I read, and many users cannot be convinced to use a real news server (in fact, many cannot be convinced that Usenet and Google Groups are not one and the same).

Re:Block posts to Usenet via Google

[clone53421]

No, the least-effort solution would be to create a Gmail account, set your existing account to forward there, and let Gmail's own spam filters take care of the problem.

I have two Gmail accounts (one plane jane Gmail, and another Google Labs hosted account) and neither one of them has a problem with spam.

Re:Block posts to Usenet via Google

[bipbop]

That's certainly least effort, but hardly a solution. I'm not talking about email spam, obviously, but Usenet spam, which Google contributes to rather than solves. Did you miss the topic of the discussion?

Re:Block posts to Usenet via Google

[clone53421]

I'm not sure where Usenet ever got into the discussion, actually. Neither TFS nor TFA ever mentions it. Maybe Animats thought of the solution to the wrong problem.

Re:Block posts to Usenet via Google

[bipbop]

Ah, perhaps I should apologize then, but I was considering the context of my reply to be the parent, and considering the context of your reply to be my post; I usually think that way, rather than thinking in an inherited context, so I didn't even realize it had diverged until you pointed it out.

Re:Block posts to Usenet via Google

[clone53421]

No, I'm the one who didn't notice it had diverged... I don't use Usenet, and didn't really think much of Animats' comment because I sort of assumed it was on-topic to TFS, which perhaps it wasn't if Usenet is something entirely different from Google Groups / e-mail. (Which I'd have known, if I stopped and thought about it, but didn't quite notice from within the inherited context.)

Re:Block posts to Usenet via Google

[Animats]

I'm not sure where Usenet ever got into the discussion, actually. Neither TFS nor TFA ever mentions it.

The original article was "Query Dev Bemoans Overwhelming Spam On Google Groups". Google Groups are mostly just a front-end to USENET. The Jquery group, though, isn't exported to USENET, having been created from the Google Groups side.

Re:Block posts to Usenet via Google

[clone53421]

I don't know if I'd say mostly... Google Groups allows Usenet access, yes, but it also has regular e-mail groups.

Digital Signature

Why don't they set up an option for the admin to require all posts to be validated by a digital signature?

guess he subscribes to the wrong groups...

[Nyder]

I use google groups, and maybe i'm lucky, but I don't get spam hardly ever in my groups.

I get more spam in my mail then I do in groups, and I probably get less emails then I do new group posts a day.

(i get maybe 10 new emails a day, and 100+ new messages in my fav groups)

All well and good, but I have to wonder

[vegiVamp]

...how exactly do the spammers know which users are pre-moderated on which groups ?

Just blasting all addresses, regardless of validity may be a good tactic for standard mailboxen, but it seems to me that the ratio of pre-moderated to not-even-subscribed on any given group would be pretty prohibitive. Coupled with the presumably already reasonably low positive feedback on spam (which is not to say that the roi is bad, mind you), and you *should* get only fragments of percents of successfully inserted mails - UNLESS you have prior knowledge of which addresses will work on which groups.

Re:All well and good, but I have to wonder

[maxume]

Presumably they just subscribe to the group and send spam using every address that successfully sends a message to the group. Some of them will be pre-moderated.

(I can easily see 20,000 subscribers being enough of an incentive to do this)

So the problem is spam, then?

So, let me get this straight. The purpose of this article is to complain that there's a popular public service for communication, and ohnoes it gets spam!!1!1!!! HALP HALP HALP And what's more, *gasp* a developer of at least a semi-popular library of sorts doesn't like spam! This changes EVERYTHING! My entire perception of the internet itself has changed FOREVAR!

Re:Finally, someone important points out the obvio

[DerekLyons]

At the very least it should hide the messages from me that I mark as spam. But no, it doesn't even remember which messages I've marked as spam from login to login. They've just dropped the ball for some reason.

The reason, at least to me, seems abundantly clear: Google has the attention span of a three year old. They fixate heavily on something for a while... then their attention drifts and they are off to the next shiny thing. They've got a lot of products, but no clear vision or effective management.

access controls

[jDeepbeep]

then they need to require that you actually log in before posting.

That is really up to the group administrator.

To control who can post in your group, please follow these steps: 1. Click on the "Group settings" link on your group's homepage. 2. Select the "Access" tab. 3. Choose an option under "Who can post messages?" and click "Save Changes." If you choose "Managers only," owners and managers will be the only ones able to post messages to the whole group. If you choose "Members only," your members will be able to post, but non-members will not. The "Anyone can post" option allows all Google Groups users to post in your group.

Also, you may want to consider the option "All posts are held for moderation" if you wish to review messages before they're posted to your group. This option is located toward the bottom of the page, in the "Message moderation" section.

For the safety of your group, only members have the options of uploading files, and creating and editing pages. It's up to you whether you'd like to also restrict these actions to moderators only.

Not sure if that helps for the spoof aspect of the declared problem. May be. Maybe not. I've never ran a Google group.

Re:access controls

[argent]

Whether a group administrator selects that only members can post, or any google groups user can post, is completely unrelated to this situation. Whether I am a member of the "trainspotting" group or not, I shouldn't be able to post to "trainspotting" (or any other group) without logging in to Google Groups. If you have to log in to Google Groups before I can post, then I can't post as someone else who is a member of Google Groups.

The only way people would be able to post under someone else's address would be if you were able to post without logging in to Google Groups at all.

And if you can do that, access control is moot.

Re:access controls

[jDeepbeep]

And if you can do that, access control is moot.

Arg. I see. Thanks for clearing that up.

Re:Finally, someone important points out the obvio

When they spent money to buy Dejanews, there must have been some plan to make money. Oh wait, this was during the dotcom bubble, when having a plan to make money was seen as crusty old world thinking.

Trolling and flamewars are worse

I beg to differ, after having borne the brunt of sustained malicious trolling.

In the long run, you can fight spam but not trolling. Trolling is a deeper problem, which obviously cannot be fixed by technical means. Flamewars are a close second.

Already put all of Google in killfile

[Skapare]

Spam levels were above 96% in some groups I accessed. And more than 90% of the spam came from Google Groups. I guess they put it on autopilot without any spam checks and walked away. So I just blocked all of Google Groups in my killfile. At least for now, any legitimate posts from there I will see if someone from outside Google Groups posts a followup and includes it. But some of the groups are just dead, now. In a couple cases it's definitely due to the spam.

Is there a reason to keep archives private?

[tetranz]

This is more to do with Yahoo Groups than Google Groups but they seem similar. Recently I've joined several Yahoo Groups about specialized ham radio topics. Nearly all of them keep their archives private. I have apply to join (basically push a button and say who I am) and then wait for approval from the admin. Once approved I can read the archives and also post. Posting from members is usually unmoderated. It's painless enough but still very frustrating when I'm just searching around for information and a quick look at the archives is probably all I want.

I don't mind having to join if I want to post but do they achieve anything by keeping the archives private? Yahoo obscure the email addresses so spammers' 'bots are not going to get much from them. I've asked several admins "why do you keep the archives private?" and have not received a convincing answer. It usually goes something like "I understand your frustration but we have a lot of trouble with spam" and sometimes goes on to imply what a silly question I asked. Well ... I still don't see how keeping the archives private helps to reduce spam. I haven't been a group admin so maybe I'm missing something.

I can understand keeping archives private or non-existent for a group on a personal or private subject but that doesn't apply to these groups.

My guess is that this is Yahoo's default setting when a group is created and few admins really think about it. Of course Yahoo want as many people as possible to join.

Re:Is there a reason to keep archives private?

[sleeping+wolf]

It at least used to be that Yahoo Groups wouldn't automatically munge email addresses, meaning that non-private archives would reveal email address information to everyone that happened along.

Re:Is there a reason to keep archives private?

[rally2xs]

I have several yahoogroup lists, all archives are open, I have no spam problems. My yahoogroups are set to moderate all new users. If someone joins and then spams, I'm the only one that sees it. I delete the spam, then the new user. Simple.

Re:Is there a reason to keep archives private?

They want you to join. They want more members. If you join, you're more likely to participate.
It's to tempt to in.

Re:Is there a reason to keep archives private?

[tetranz]

That's probably a reason for many groups but I don't think that these admins are doing it for that reason. They'll say things like "even with the archives private I still have to deal with a lot of spam". They honestly think they're fighting spam by keeping the archives private.

I think they get lots of attempted posts from non-members and that is because the posting address is in plain text on the group's home page. I don't know if they have an option to remove that.

Re:Finally, someone important points out the obvio

[psydeshow]

Bingo. They need a moratorium on new products for 3 years while they chain the engineers to big, burly product managers and get all of their offerings on the same page.

Of course, that's (more or less) what happened at Yahoo!, and Google took the opportunity to fly right past them.

What's the problem again?

[Lord+Bitman]

You're a group of technologically literate people. Why don't you just sign your messages and verify based on signature, rather than something completely meaningless like email-address?

And once again: Why the hell does google not sign all messages which pass through gmail as "really did come from this address"?

Re:What's the problem again?

[clone53421]

Why don't you just sign your messages and verify based on signature, rather than something completely meaningless like email-address?

And once again: Why the hell does google not sign all messages which pass through gmail as "really did come from this address"?

(x) technical ( ) legislative ( ) market-based ( ) vigilante
(x) Requires immediate total cooperation from everybody at once
(x) Lack of centrally controlling authority for email
(x) Why should we have to trust you and your servers? (I'm using the short-form.)

What I mean to say is, you don't have to have a Gmail account to be a member of a Google Group. Your approach might keep people from spoofing Gmail addresses and be completely painless for Gmail users, but non-Gmail users would have to manually configure their mail clients to digitally sign their messages and some (web-based) e-mail clients might not even support this.

Re:What's the problem again?

[John+Hasler]

> And once again: Why the hell does google not sign all messages which pass
> through gmail as "really did come from this address"?

A large fraction of the spam I receive comes from valid Gmail accounts. The spammers have no difficulty getting them. Besides, you don't need any kind of account at all to post to Usenet via Google Groups.

Re:What's the problem again?

[Lord+Bitman]

Hi! You ignored the majority of my post, drew wild and random conclusions about what I was implying, and responded with a lame copy&paste! Perhaps I can highlight a few key points:

  - These are technical people. All of them should be able to configure their mail clients to send signed e-mails.
  - The example from TFS highlights an important fact: Google Itself doesn't check against gmail address spoofing
  - Google _is_ a central authority over google groups. It would be completely painless for all subscribers of google groups, not just gmail users, since google groups could easily reject all unsigned emails which claim to be from google.
  - I never mentioned that this would solve all spam problems for all people everywhere, but wouldn't it be oh-so-useful if a huge and supposedly-tech-savvy company started automatically signing all its mail? This wouldn't do anything to end spam, but it would end spoofing of gmail accounts among gmail services (with absolutely no pain on the part of the users themselves). As a bonus, it would end spoofing of gmail accounts among literate e-mail users.

So, point-by-point:
I propose a technical solution to some spam. It requires no cooperation from anyone involved, , though the people in question who would want side-benefits are all literate enough that cooperation would not be a problem, it involves a real-life central authority on the email addresses involved for the services involved, and you should trust google's servers to identify google's users because they are google's servers and google's users- I really wouldn't trust anyone else (note that I'm not saying it establishes identity, only that it establishes "yes, this e-mail went through google") furthermore, if you have a question of "why should I trust server X?" I would suggest you shouldn't be using server X for your group management (ie: you already _DO_ trust the server, no further trust is necessary. In fact, you already trust the server more than you should, because it /doesn't/ already sign its own messages)

Re:What's the problem again?

[Lord+Bitman]

The example in the summary was of a group of people which tried only allowing known users, but that didn't work because of spoofing. Whitelisting doesn't work because google doesn't sign its own messages.

No, you don't _need_ a gmail account to post, yes you can easily get a gmail account, but the example was of a spoofed gmail account. Google should be smart enough to detect such things on its own servers, and nice enough to provide an easy way for others to detect it. (the simple addition of signing emails to validate their origin would at least somewhat legitimize a presently completely-broken system)

Re:What's the problem again?

[clone53421]

- These are technical people. All of them should be able to configure their mail clients to send signed e-mails.

Solves the problem for them; what about everyone else?

- The example from TFS highlights an important fact: Google Itself doesn't check against gmail address spoofing

Due to the way SMTP works, the only way to verify that the messages really came from Gmail would be to check the IP of the SMTP server which connected to deliver the message. They could whitelist Gmail's SMTP server, but as I said, non-Gmail users can still participate in a Google Group. Their e-mail addresses could still be spoofed by a spammer. Even if you did a reverse-DNS lookup, you have no guarantee that their e-mail service wouldn't allow someone else to register an account and then spoof their username. Gmail won't, but they can't control other e-mail service providers.

- Google _is_ a central authority over google groups. It would be completely painless for all subscribers of google groups, not just gmail users, since google groups could easily reject all unsigned emails which claim to be from google.

And what about unsigned e-mails which claim to be from non-Gmail users who are members of the group?

I'm not saying your solution wouldn't help, but it wouldn't solve the problem. It seems that spammers could trivially shift gears and bypass your security as long as there were non-Gmail users in the Google Group.

Re:What's the problem again?

[Lord+Bitman]

- These are technical people. All of them should be able to configure their mail clients to send signed e-mails.

Solves the problem for them; what about everyone else?

Who cares about everyone else? It solves the problem for them. That is who matters to them.

- The example from TFS highlights an important fact: Google Itself doesn't check against gmail address spoofing

Due to the way SMTP works, the only way to verify that the messages really came from Gmail would be to check the IP of the SMTP server which connected to deliver the message. They could whitelist Gmail's SMTP server, but as I said, non-Gmail users can still participate in a Google Group. Their e-mail addresses could still be spoofed by a spammer. Even if you did a reverse-DNS lookup, you have no guarantee that their e-mail service wouldn't allow someone else to register an account and then spoof their username. Gmail won't, but they can't control other e-mail service providers.

completely false. If google signed their own messages, they could very well verify that they came from their own servers. Though, technically, they could just determine when a mail was being sent from a google server to a google server, and work out any number of secure message transfer mechanisms, rejecting anything from "outside" which claims to be a gmail message. You are just completely and utterly wrong here.

- Google _is_ a central authority over google groups. It would be completely painless for all subscribers of google groups, not just gmail users, since google groups could easily reject all unsigned emails which claim to be from google.

And what about unsigned e-mails which claim to be from non-Gmail users who are members of the group?

I'm not saying your solution wouldn't help, but it wouldn't solve the problem. It seems that spammers could trivially shift gears and bypass your security as long as there were non-Gmail users in the Google Group.

If they are members of the group in question, they are technical people, so they should be able to configure their e-mail client to behave properly.

The real problem is we're talking about two different things:
  1) A group of technical people should all be able to sign their e-mails, so why don't they do that instead of complaining about spam?

  2) Google should sign all emails which originate from its servers, since SMTP by itself has no way of verifying that "account foo" really sent "message from account foo". This wouldn't verify identity itself, but it would sure-as-hell verify "this particular google account sent this message", which among other things, solves the specific problem mentioned in the summary.

Re:What's the problem again?

[clone53421]

they could just determine when a mail was being sent from a google server to a google server, and work out any number of secure message transfer mechanisms, rejecting anything from "outside" which claims to be a gmail message. You are just completely and utterly wrong here.

Look, I know all that. My point is that a non-Gmail user can join a Google Group. Groups has no way of making sure that the e-mails from that user are actually from that user, because Google has no control over the external mail server that this user is using.

Re:What's the problem again?

[Lord+Bitman]

The example in the article would not have happened.
Various other things would be much better.
It completely, 100%, solves the problem for this situation.
Even if a group of technically-minded people couldn't be bothered to configure their mail clients to sign their own messages, I bet they could be convinced to send google-groups messages through google.

And finally, there are many, many side-benefits.

Gmail fails

[Sparr0]

Google's web apps are notorious for poorly handling email headers.

Case in point:

sparr@domain.com is subscribed to the group@googlegroups.com
sparr@gmail.com checks sparr@domain.com via POP, and can send as sparr@domain.com
using the gmail interface to send email From:sparr@domain.com To:group@googlegroups.com (Sender:sparr@gmail.com) fails, resulting in a bounceback message *TO SPARR@GMAIL.COM* stating that sparr@gmail.com is not a member of the group.

I could understand some concern over spoofing and authentication if this was coming from a third party, but I am sending from a google application to a google application. Gmail has already verified that I have permission to send From:sparr@domain.com, why doesn't ggroups trust that?

Re:Gmail fails

[clone53421]

That's not a failure of Gmail, it's a failure of Groups.

Groups sees the e-mail "From" domain.com but actually coming from gmail.com. Since they don't match, it rejects it. Probably the reason it sends it to sparr@gmail.com instead of sparr@domain.com is because you have the reply-to set to be sparr@gmail.com regardless of which From: address you use (it's in the Gmail settings, look for it and see if I'm right).

Because, of course, if you're u@a.com and can send messages that appear to be from u@b.com, Groups should not generally assume that you are, in fact, u@b.com.

Of course, Gmail doesn't let you send messages that appear to be from a different address until you've verified that you own it, so they could integrate the two better by having Groups assume that the From address on messages from Gmail's server is legit, but apparently they didn't think of that. (Not to mention, it would be a whitelist solution: other webmail providers would still not be trusted to send mail with legitimate From addresses which differed from the actual sender's address.)

Re:Gmail fails

[Sparr0]

The point of the article here is that Groups DOES trust random strangers on the internet who claim to be u@b.com. What I'm saying is that it then doesn't trust gmail's mail servers when they claim the same thing.

I am not setting a reply-to. The only instance of sparr@gmail.com in the email I sent is the Sender: header.

Re:Gmail fails

[clone53421]

What I'm saying is that it then doesn't trust gmail's mail servers when they claim the same thing.

Gmail's mail servers don't. The headers indicate who really sent it, and that's why Groups rejects it. The sender and From addresses don't match up.

I am not setting a reply-to. The only instance of sparr@gmail.com in the email I sent is the Sender: header.

I take it you checked the headers, then? Apparently Groups is validating the sender in addition to the from (or maybe instead of it).

All in all, a SMTP server that will send a message with a spoofed sender header will be able to trick Groups.

Re:Finally, someone important points out the obvio

[DerekLyons]

Google flew right past them in what sense? Google is bigger by some measures, and rakes in a ton of revenue from serving advertising across the web, but... Other than search, where Google and Yahoo! compete head to head - Google's offering is almost always second best.

Re:Finally, someone important points out the obvio

[Threni]

are you getting all this, google? priceless business advice from slashdot comments. it's not too late to change now and save your business.

MOD PARENT DOWN

[BenEnglishAtHome]

Why do people want to move away from that which is "antiquated"? Many technologies are antiquated but they're still the best way to do things for most people. In vitro fertilization may be easier to control but I kinda like the old way of doing things. The CZ75 is a fine pistol but the 1911 is still at least as good. And while web forums have their uses, mailing lists and usenet groups are still the best way to simply move information without visual decoration. They also have many wonderful advanced features noted by other respondents.

Re:Finally, someone important points out the obvio

[dickens]

That was the obvious question to me too. A buck a user a month for Postini has been without a doubt the biggest bang for a buck that I've spent at my current job. And you get the MX servers in the bargain.

Usenet flaws

[Improv]

If this is essentially the same thing as Usenet, it's no wonder. NNTP was designed in the days when we were generally able to trust people not to be malign - it's a very trusting, open protocol, and when people or servers broke the rules, sensible people would stop peering with them. Sophisticated, malign groups of people are a problem in any system, but particularly for systems where there's a lot of built-in trust.

Re:Usenet flaws

[John+Hasler]

Yet Newsguy is able to filter most of the non-Google spam.

Re:Finally, someone important points out the obvio

[Jay+L]

In general, Google wants to solve every problem with an algorithm - and if it can't be solved with an algorithm, then by definition, it can't be a problem.

Spam can't be solved with an algorithm.

Just Google Groups?

[insane_coder]

This isn't just Google Groups, Blogger is collapsing under spam too.
I myself just wrote about this the other day.

Google Wave is the future Google Groups

[sharonlives]

Google doesn't work backwards. If you've been on Wave yet, you can tell that this is the way they want to go with group discussions.

Re:Google Wave is the future Google Groups

[John+Hasler]

I couldn't care less which way Google wants to go with Group discussions. I just want them to stop trashing Usenet. Killing Google Groups would be fine with me.

Google messed it up

[Ilgaz]

Back in the day when Dejanews was a "cool web 2.0" like thing for Usenet and Usenet was still popular, they could manage the actual, pro spammer attacks with handful of people. Those were the days when CNET had "help.com" which allowed complete newbies to post questions to Usenet.

Now Google, with impossible to imagine computing resources lets the core Usenet _and_ their own private groups gets polluted by trivial spam. Yes, trivial since even my stupid mail filters can sort that kind of spam without even touching bayesian etc. filters.

It is almost like pyramid scheme. Spammer uses Google groups infrasacture to post pirate software download forums which are solely gathering income from Google adwords. That happens on a big5 one, not some alt.conspiracy low traffic thing.

In first days, I thought Google didn't care on purpose of promoting their own, closed, moderated fake groups but it was a total tinfoil hat theory. They simply didn't/doesn't have competency to carry that kind of job which 2-3 experienced admins did while Usenet was 10x-20x more popular.

Question to JQuery developer, why use it?

[Ilgaz]

Why on earth such an advanced developer, especially in that area would require "Google Groups"? Why not run a private NNTP/web Hybrid which is also perfectly available to index/use?

I bet there are solutions using JQuery itself, not my area so I just shut up at this point.

Re:Question to JQuery developer, why use it?

[laffer1]

I can answer this one, time. The more time developers spend administering yet another system, the less they get actually working on their open source project.

They don't care even for abuse@ report

[Ilgaz]

Ask any experienced Admin, Google News would be "delinked" long time ago if it wasn't carrying "Google" name.

I have seen amazing things and they weren't some "123movies" spam, they were coming from real World criminals, UN wide accepted terrorist organizations and some real huge pyramid scheme running guys.

When you confuse it with a real "managed" server and you spend your time reporting it with headers taking your own time to Google, they send back a freaking template saying they are using your report for statistics etc. I wonder if any law organizations spare their time to watch public messages instead of wondering after teenagers downloading some movies.

moderate new members seems to work for me

I've not seen the spoofing from existing members, but I've enabled "moderate new members" and spam to my group has dropped to zero. I've moderated a few legit new members but I've also caught 100% of the spammers (who need to be manually identified and deleted). Albeit this has risen to almost 1-2/wk fairly consistently.

did it occur to you...

[toby]

That 90% of the problem is that alternative jobs don't exist? (On that note - only have to wait, First World lifestyle is inexorably converging on the average Nigerian's.)

Usenet is alive and well

[toby]

Perhaps you haven't visited lately. Although many groups are harmed by spam, there are thousands of active (non-spam) newsgroups.

Re:Usenet is alive and well

I didn't ask for vague assertions of there being thousands of there being "thousands" of active Usenet newsgroups. I asked for one active Usenet newsgroup to be named. So, cut the bullshit. Name at least one Usenet newsgroup.

Slashdot posters can be real bullshit artists at times.

Alternative filter?

[Itkovian]

Maybe they could use a decent spam filter, such as mollom (http://mollom.com), which is pretty adept at classifying content.

Do it

They should block the entire IP address block of the village / town it came from. Then let vigilante justice take its natural course.