jQuery Dev Bemoans Overwhelming Spam On Google Groups
angryrice tips a blog post by John Resig, lead developer for jQuery, about the failure of Google Groups to manage spam, declaring attempts to use it as a public discussion system "completely futile." Quoting:
"The final straw was placed upon my patience with the Google Groups system a few weeks ago. Spammers are now spoofing the email addresses of existing group participants to sneak their messages through. Previously you would've seen a delightful 'FREE MOVIE DOWNLOADS' spam from 'freemovies123@gmail.com' — but now you'll see it coming from existing group users — or even the group moderators themselves. This cheat completely bypasses the moderation system since the spammers are pretending to be pre-moderated users. The Google Groups system is completely fooled. The spam message comes in claiming to be from an existing group participant — and according to the Google Groups interface there is no difference. If you click the user's name you'll be taken to a full listing of that user's posts (with the spam messages delightfully interspersed)."
You get what you pay for.
The spammers' behavior is really destructive in many ways; this is just one of them. It really should be seen as sabotage against infrastructure, and a bigger effort should be made to follow the trail of money and take down those people who make the money.
Why the hell haven't they put the same spam filters that they use for Gmail on the discussion lists?
Is there anything better than clicking through Microsoft ads on Slashdot?
Time to move away from the antiquated system of mailing lists. Web based forums are much easier to control and a far, far better way of sharing information with users. I hate coming across an otherwise useful site and then having to go to a mailing list to see what other users are talking about.
Ummm, Google Groups is an archive and Web interface for Usenet. Email is irrelevant.
Google has some of the weakest around. And what's more, because Google uses domain keys, it is a desired domain because that stuff gets through the spam filters better.
I wish Google had an automated honey pot system where you could drop a google address, and any google account would instantly get shut off for sending mail to it. The idea is you plant the email address in a place where automated spambots will harvest it and poof! no more spammer.
Of course it could be used for abuse if passed off as a legit account, so there needs to be some registration and tying of spam honey pot accounts to their owners for accountability.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
I see a lot of Google's products needing the oh so familiar Beta label again.
Seriously, Google's offering is not without its serious drawbacks, and I suspect that the good stuff is to be had from actual paid services. However, this kind of letting crap slip where people can spoof the name of a valid member is a serious Alpha quality flaw. What's the point of identifying anyone, if everyone can pretend to be everyone else? I mean that is the actual concept of identity, to uniquely label something as different from other things.
I think Google is trying to take on more than it can handle and it is beginning to really show now that they've removed the excuse of "Beta".
PGP/GPG is overkill. Just drop messages that fail an SPF check. Spoofing is part of the problem here, and SPF was tailor-made to address spoofing.
If you do use PGP/GPG, you don't need an extra header for the signature; it's usually added as a small attachment, and better mail clients already pick up on that for verification.
iSKUNK!
It won't help at all in this case. For instance, nothing stops a spammer from signing up for a GMail account that generates such a header, and sending out spam that your spam filter happily allows through.
That's trivial to solve, just hold any message whose key is younger than a few days or which isn't trusted enough for moderation.
And it would be trivial for a spammer to spoof a legitimate user's signature.
Unless they hack into a user's account it will be pretty much impossible to fake a signature.
The only way that'll happen is if people stop buying products advertised that way.
Good luck with that. Sending spam is virtually free and making a free thing unprofitable ain't gonna work.
The only way to solve the spam problem is to add accountability into the system and PGP signatures would be one way to do it.
1. Spam is theft of service.
2. Spam is theft of service.
3. The spam in Google Groups absolutely ruins many groups because the boards are inundated with spam to the point that a real message is like a needle in a haystack. The stock discussion boards have gone to hell in the last few months.
Bill Clinton: Pimp we can believe in. - The Shirt!!!
That's why, while authentication is an excellent thing to do, it's only half of a solution. The other half is to have reputations tied to identities. Sign your spam, get known as a spammer, and now people know to ignore your messages just like they ignore unsigned messages.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
1. How can you steal a service that's provided to you for free?
2. How can you steal a service that's provided to you for free?
3. As many of these groups are simple mirrors from Usenet, how do you propose Google control servers that they have no control over?
There's a much simpler solution: start sending out "Free Penis Pills" ads, and mail everyone that buys them rat poison. Hopefully, after a couple hundred people die from being spam-buying fucktards, the rest will get the idea.
Alternatively, find the spammers (they have to have real addresses to sell stuff, right?) and shoot them in the face. This is WAY past the point of, "let's fine them" or "let's send them to prison". Time to put those expensive drones we've bought to a better use...
The reason, at least to me, seems abundantly clear: Google has the attention span of a three year old. They fixate heavily on something for a while... then their attention drifts and they are off to the next shiny thing. They've got a lot of products, but no clear vision or effective management.
But you can set your "from" address in your mail client, and send mail as if it were from your gmail account from your work place, your home ISP's smtp server, etc. In order for that all to work, google would have to allow smtp.yourisp.net to send mail as if it were from google in the SPF records - basically, if it were done, then nothing would have changed 'cause they'd have to allow a metric buttload of ISPs to send.
Changing to web only, or smtpauth, or similar (as we both point out) would do the job though.
Don't blame me, I voted for Kodos
Why don't you just sign your messages and verify based on signature, rather than something completely meaningless like email-address?
And once again: Why the hell does google not sign all messages which pass through gmail as "really did come from this address"?
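The gap between trusting the From: address and trusting a verified signature, which the quoted blog post and this thread both turn on, as an added example (not code from Google Groups, the blog post or any commenter). The member list, the MTA name `mx.example.net` and all three messages are constructed, and the sketch assumes the list's own MTA records DKIM results in an Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED = {"alice@example.org"}   # constructed pre-moderated member list
AUTHSERV_ID = "mx.example.net"    # hypothetical name of the list's own MTA

def sender(msg):
    return parseaddr(msg.get("From", ""))[1].lower()

def naive_gate(raw):
    """Weak: skip moderation whenever From: names a trusted member."""
    return "post" if sender(message_from_string(raw)) in TRUSTED else "moderate"

def authenticated_gate(raw):
    """Hardened: also require a DKIM pass, recorded by our own MTA,
    for the same domain that appears in From:."""
    msg = message_from_string(raw)
    addr = sender(msg)
    if addr not in TRUSTED:
        return "moderate"
    domain = re.escape(addr.rpartition("@")[2])
    for hdr in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in hdr.split(";")]
        if parts[0].lower().split()[:1] != [AUTHSERV_ID]:
            continue  # written by someone else; senders can add such headers
        for res in parts[1:]:
            if (re.match(r"dkim\s*=\s*pass\b", res, re.I)
                    and re.search(r"header\.d=" + domain + r"(\s|$)", res, re.I)):
                return "post"
    return "moderate"

def make(auth_results, subject):  # builds a constructed sample message
    return ("From: Alice <alice@example.org>\n"
            f"Authentication-Results: {auth_results}\n"
            f"Subject: {subject}\n\nbody\n")

GENUINE = make("mx.example.net; dkim=pass header.d=example.org", "Re: selectors")
# SPF passes here, but for the envelope domain, not the From: domain.
SPOOFED = make("mx.example.net; dkim=none; spf=pass smtp.mailfrom=bulk.example.com",
               "FREE MOVIE DOWNLOADS")
# A pass claimed by a header our MTA did not write.
FORGED = make("mail.bulk.example.com; dkim=pass header.d=example.org", "FREE")

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("spoofed", SPOOFED), ("forged", FORGED)]:
        print(name, naive_gate(raw), authenticated_gate(raw))
```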
(x) technical ( ) legislative ( ) market-based ( ) vigilante
(x) Requires immediate total cooperation from everybody at once
(x) Lack of centrally controlling authority for email
(x) Why should we have to trust you and your servers? (I'm using the short-form.)
What I mean to say is, you don't have to have a Gmail account to be a member of a Google Group. Your approach might keep people from spoofing Gmail addresses and be completely painless for Gmail users, but non-Gmail users would have to manually configure their mail clients to digitally sign their messages and some (web-based) e-mail clients might not even support this.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Ooh Ooh is spam theft the same way illegal copying of copyrighted materials is theft? I can't wait to see the argument on this one!
Why bother
Back in the day when Dejanews was a "cool web 2.0" like thing for Usenet and Usenet was still popular, they could manage the actual, pro spammer attacks with a handful of people. Those were the days when CNET had "help.com" which allowed complete newbies to post questions to Usenet.
Now Google, with impossible to imagine computing resources, lets the core Usenet _and_ their own private groups get polluted by trivial spam. Yes, trivial since even my stupid mail filters can sort that kind of spam without even touching bayesian etc. filters.
It is almost like a pyramid scheme. Spammer uses Google groups infrastructure to post pirate software download forums which are solely gathering income from Google adwords. That happens on a big5 one, not some alt.conspiracy low traffic thing.
In the first days, I thought Google didn't care on purpose of promoting their own, closed, moderated fake groups but it was a total tinfoil hat theory. They simply didn't/doesn't have the competency to carry that kind of job which 2-3 experienced admins did while Usenet was 10x-20x more popular.