jQuery Dev Bemoans Overwhelming Spam On Google Groups

angryrice tips a blog post by John Resig, lead developer for jQuery, about the failure of Google Groups to manage spam, declaring attempts to use it as a public discussion system "completely futile." Quoting: "The final straw was placed upon my patience with the Google Groups system a few weeks ago. Spammers are now spoofing the email addresses of existing group participants to sneak their messages through. Previously you would've seen a delightful 'FREE MOVIE DOWNLOADS' spam from 'freemovies123@gmail.com' — but now you'll see it coming from existing group users — or even the group moderators themselves. This cheat completely bypasses the moderation system since the spammers are pretending to be pre-moderated users. The Google Groups system is completely fooled. The spam message comes in claiming to be from an existing group participant — and according to the Google Groups interface there is no difference. If you click the user's name you'll be taken to a full listing of that user's posts (with the spam messages delightfully interspersed)."

What do you expect?

You get what you pay for.

Tragedy of the Commons

[oldspewey]

I used to be an avid newsgroup participant way back in the day. The flamewars were legendary, and the amount of technical information exchanged on some of those groups was beyond description.

If there were a way to use spammers for fuel, I'd have no qualms solving our energy woes that way ...

Re:Tragedy of the Commons

[oldspewey]

I think your godwin generator needs to go in for calibration.

and Blogger too

[GameGod0]

Google's really dropped the ball on spam blocking with Blogger too. I host a couple of random blogs on there, and they've all been hit with a ridiculous amount of spam in the last year. Blogger doesn't even give you something like Akismet... :(

Time to bring back the cancelbots?

[argent]

If this is a Usenet group that Google Groups is just providing an interface to, I guess it's time to bring back the cancelbots. UDP against Google. It's come close before.

If this is one of the Google Groups that's a web forum, then they need to require that you actually log in before posting.

Finally, someone important points out the obvious!

[fsterman]

Why the hell haven't they put the same spam filters that they use for Gmail on the discussion lists?

Join the 21st Century

[Horn]

Time to move away from the antiquated system of mailing lists. Web based forums are much easier to control and a far, far better way of sharing information with users. I hate coming across an otherwise useful site and then having to go to a mailing list to see what other users are talking about.

Re:Join the 21st Century

[John+Hasler]

> Time to move away from the antiquated system of mailing lists. Web based
> forums are much easier to control and a far, far better way of sharing
> information with users.

No local control over filtering and sorting, forced to use your weird UI and editor instead of my own? "Forums" suck. And "easier to control" is not a feature.

Re:Join the 21st Century

[doconnor]

This is an issue that really bugged me. The move to web based forums from Usenet and mailing list was a giant step backwards in functionally.

Advantages of Usenet and mailing lists over web based forums:

The user can control the interface
killfiles
threading
discussion on issues where centralized in one place rather then across multiple web forums
better searching
better archiving
less bandwidth

More advanced web forums, like Slashdot, do a better job of supporting these features, but most people still use very primitive forums.

Re:Join the 21st Century

No local control over filtering and sorting, forced to use your weird UI and editor instead of my own? "Forums" suck. And "easier to control" is not a feature.

Uhm - then why are you posting on Slashdot?

Re:Join the 21st Century

[Richard+Steiner]

Killfiles and regex-controlled score files that can both sort and enhance/block messages based on reader-defined criteria. Very very powerful, something the DOS-based SOUP reader I used to use (Yarn) did back in the early 90's, and something which I've not yet seen even roughly approximated in a web-based forum.

Folks who say that USENET is "antiquated" have no idea of its potential, or how experienced users were able to utilize it in practice.

Re:Join the 21st Century

[Richard+Steiner]

USENET has always been far more than a "mailing list", and I could do things to control/filter/sort messages to my liking with Yarn and slrn that I can't even touch with the web-based forum software I've seen (and I've seen a lot of it).

I really wish web-based forum software would catch up. Even USENET in the early 90's far surpassed it in many respects. Most web forums are nice for posting pictures, but horrible in terms of threading and controlling what actually shows up in your reading list.

Google Beta

[slack_justyb]

I see a lot of Google's products needing the oh so familiar Beta label again.
Seriously, Google's offering is not without it's serious drawbacks, and I suspect that the good stuff is to be had from actual paid services. However, this kind of letting crap slip where people can spoof the name of a valid member is a serious Alpha quality flaw. What's the point of identifying anyone, if everyone can pretend to be everyone else? I mean that is the actually concept of identity, to uniquely label something as different as other things.
I think Google is trying to take on more than it can handle and it is beginning to really show now that they've removed the excuse of "Beta".

Re:Perhaps a new mail header?

[Straker+Skunk]

PGP/GPG is overkill. Just drop messages that fail an SPF check. Spoofing is part of the problem here, and SPF was tailor-made to address spoofing.

If you do use PGP/GPG, you don't need an extra header for the signature; it's usually added as a small attachment, and better mail clients already pick up on that for verification.

Re:Finally, someone important points out the obvio

[Minwee]

Why the hell haven't they put the same spam filters that they use for Gmail on the discussion lists?

Maybe it's because they want to encourage you to use Gmail, which they control and can extract some income from, instead of Usenet, which they have only a passing acquaintance with and can't squeeze a penny out of.

Ebarassing for group admins

[Morris+Thorpe]

I created and admin a Google group for my son's high school team. We have coaches about 120 parents in the group.

Even though it's a pain in the ass, I chose to moderate messages for new members. Still, spam gets through. As the group's admin, it's embarrassing to see graphic messages and know that all the parent's on my kid's team are seeing it. Also, moderation means that some messages may not get through in a timely manner.

I'm looking to migrate the group to an alternative now.

Re:Perhaps a new mail header?

[Volante3192]

An amazingly common misconception. People don't actually buy things advertised by spam. Err, [citation needed]?

Here's mine: http://arstechnica.com/web/news/2009/07/12-of-e-mail-users-try-to-buy-stuff-from-spam-e-mail.ars

Slightly less than half (48 percent) said that they have never clicked on a spam e-mail. That's the good news, but that means the other half have clicked on or responded to spam. But why? The answers will undoubtedly horrify you. A full 12 percent said that they were interested in the product or service being offered—those erection drug and mail order bride ads do reach a certain market, it appears.

Seventeen percent said that they made a mistake when they did so—understandable—but another 13 percent said they simply had no idea why they did it; they just did. Another six percent "wanted to see what would happen."

Re:Time to DIY

[Jurily]

Back in the day of 2 kbit/s modems, yes it was a pain because it would take a full minute to download a single message, but in today's 1000+ kbit/s world, these messages just ziiiiip right past.

I use Vodafone UK, you insensitive clod!

Re:Perhaps a new mail header?

[_Shad0w_]

If a spammer can easily spoof a legitimate user's cryptographic signature on a given block of text I would be very surprised. The only practical way that could happen would be if the user's private key was compromised - if that's the case you just issue a revocation certificate for the compromised key.

Requiring users to sign up using their public key and then requiring all posts to be signed isn't completely ridiculous. It may be a OTT for most groups and possibly beyond the ken of a lot of users, but it could be done. You would just have to parse the all incoming mail to make sure they had a valid signature and that the signature was made using a key that matched a register group member. Although I couldn't comment on how much processing overhead that would create.

Re:Perhaps a new mail header?

[maxume]

It's that, and also a collection of mailing lists that are not mirrored to Usenet. People interact with those mailing lists using email (the group discussed in the summary is a mailing list that is not mirrored to Usenet...).

Re:Time to DIY

[Rude+Turnip]

1. Spam is theft of service.
2. Spam is theft of service.
3. The spam in Google Groups absolutely ruins many groups because the boards are inundated with spam to the point that a real message is like a needle in a haystack. The stock discussion boards have gone to hell in the last few months.

Re:Finally, someone important points out the obvio

[baxissimo]

Google Groups serves as a face to Usenet, yes, but it also advertises itself as a place to create new groups which are hosted by Google, as an alternative to setting up your own mailing list. I suspect the jQuery folks are using a Google hosted group. The spam situation is indeed ridiculous, and Google could indeed do something about it. They even have "report spam" buttons on all the messages, but so far as I can tell clicking on those buttons has no effect. At the very least it should hide the messages from me that I mark as spam. But no, it doesn't even remember which messages I've marked as spam from login to login. They've just dropped the ball for some reason.

my settings

[Deanalator]

We were having some problems with this on the wimax hacking google group.

About a month ago I set all posting options to members only (read is still public, the group is listed in the directory, and there is no moderation). I then set it so people need to request an invite to join. The signup page says "Sorry, about the inconvenience, but spam was starting to ramp up, so now users have to request membership manually. Anyone who is human is welcome, and encouraged to join."

There has been zero spam since the change.

It would be nice if there was an option to just let people solve a captcha to join the group, but until then this solution is working fine.

Block posts to Usenet via Google

[Animats]

Maybe the answer is to block posts to USENET that come in via Google. That seems to be the source of the trouble.

Looking at the newsgroup "comp.lang.python", all the spam seems to be coming in via "posting.google.com" with GMail return addresses. Bulk-created phony gmail accounts are such a source of spam that they should be blocked until Google gets their act together. At this point, we have to view GMail like Hotmail, another free email account system made useless by spammers.

Hotmail is widely blocked. Next, Gmail?

Re:Do more about spam

[cerberusss]

The problem is that the trail of money ends at a Western Union or Moneygram branch.

That's not a problem! We can safely assume that said spammer lives in a 10 KM range of said branch office. A small tactical nuke should take care of it. Sure, it'll cause some collateral damage, but we're talking about spammers here.

Re:Finally, someone important points out the obvio

[DerekLyons]

At the very least it should hide the messages from me that I mark as spam. But no, it doesn't even remember which messages I've marked as spam from login to login. They've just dropped the ball for some reason.

The reason, at least to me, seems abundantly clear: Google has the attention span of a three year old. They fixate heavily on something for a while... then their attention drifts and they are off to the next shiny thing. They've got a lot of products, but no clear vision or effective management.

Re:Time to DIY

[ByOhTek]

When you have 10x more spam than relevant material in a topic, it's easy to miss the relevant material.

That, and some spam subjects are just painfully horrible, and nobody should be subjected to the horror of even glancing at them.

Then again, when I saw one suggesting I could own my own Bionic Turtle (I kid you not), spam did rise *a little bit* in my opinion. I still deleted it, but I loved that title.

Re:Time to DIY

[nacturation]

People who not only force advertising on me, but do it in a deceitful manner, deserve nothing more than forcible, unlubed sodomy during the half time show of the Super Bowl.

So if your local library's cork board has individual citizens pinning up advertising deceitfully, will you unleash your gay sexual fantasies on the library staff since you pay for the library with your tax dollars?

Is there a reason to keep archives private?

[tetranz]

This is more to do with Yahoo Groups than Google Groups but they seem similar. Recently I've joined several Yahoo Groups about specialized ham radio topics. Nearly all of them keep their archives private. I have apply to join (basically push a button and say who I am) and then wait for approval from the admin. Once approved I can read the archives and also post. Posting from members is usually unmoderated. It's painless enough but still very frustrating when I'm just searching around for information and a quick look at the archives is probably all I want.

I don't mind having to join if I want to post but do they achieve anything by keeping the archives private? Yahoo obscure the email addresses so spammers' 'bots are not going to get much from them. I've asked several admins "why do you keep the archives private?" and have not received a convincing answer. It usually goes something like "I understand your frustration but we have a lot of trouble with spam" and sometimes goes on to imply what a silly question I asked. Well ... I still don't see how keeping the archives private helps to reduce spam. I haven't been a group admin so maybe I'm missing something.

I can understand keeping archives private or non-existent for a group on a personal or private subject but that doesn't apply to these groups.

My guess is that this is Yahoo's default setting when a group is created and few admins really think about it. Of course Yahoo want as many people as possible to join.

Re:What's the problem again?

[clone53421]

Why don't you just sign your messages and verify based on signature, rather than something completely meaningless like email-address?

And once again: Why the hell does google not sign all messages which pass through gmail as "really did come from this address"?

(x) technical ( ) legislative ( ) market-based ( ) vigilante
(x) Requires immediate total cooperation from everybody at once
(x) Lack of centrally controlling authority for email
(x) Why should we have to trust you and your servers? (I'm using the short-form.)

What I mean to say is, you don't have to have a Gmail account to be a member of a Google Group. Your approach might keep people from spoofing Gmail addresses and be completely painless for Gmail users, but non-Gmail users would have to manually configure their mail clients to digitally sign their messages and some (web-based) e-mail clients might not even support this.

Re:Time to DIY

[sbeckstead]

Ooh Ooh is spam theft the same way illegal copying of copyrighted materials is theft? I can't wait to see the argument on this one!

Re:Time to DIY

[bruce_the_loon]

Ha ha ha ha ha ha ha

You really truly honestly believe the spammers are paying for their own bandwidth? They're riding on bot-nets and open relays costing someone else their bandwidth. Most of the spam I see on the filters at work comes from residential networks.