This article continues down the same path as Teaching Akismet Part 1: I am good, with a look at how Akismet could be used for nefarious purposes. In the first post we learned that user input determines what Akismet thinks is spam. In this article, that idea is expanded in order to teach Akismet to be bad. Listed below are three potential applications of the idea that Akismet can be taught things.

Applications

Application One: The Comment Spammer (theoretical):
Suppose you really are a comment spammer and would like your message heard. What’s to prevent you from setting up a network of fake blogs that are protected by Akismet? Then maybe, say, creating some very clever non-threatening comment spams (perhaps with only one link to the payoff) and posting them to blogs in your network, making sure that Akismet ‘learns’ that your comments aren’t spam. Then, releasing the comments out into the wild… ?

Application Two: The Hate on (theoretical):
Suppose your best MySpace buddy with a blog just insults you, or maybe you just really hate [insert name of right / left wing blogger here] and you feel like getting even (I’m thinking the ‘Falling Down’ blogging kind of even). If you have the proper credentials, you could pretend to be the victim. All you need is their regular ‘Name’, email, and the ‘website’ that the unsuspecting user fills in when making a comment. Post several comments using his or her credentials, then label them spam via Akismet. Rinse and repeat. Since we know Akismet uses the IP of the commenter, you could either use Tor to become anonymous or edit the WordPress DB, switching your IP for the victim’s. Continue to make comments and tell Akismet they are spam (or just keep mentioning C1alis or P0ker). Rinse, repeat. Sooner or later Akismet will learn.

Application Three: The Group Silencing (theoretical):
This is really a combo of the above two approaches. Suppose a bunch of people get together and decide they don’t like somebody (the victim). All they would need to do is mass mark all the victim’s posts as spam in Akismet. If enough people marked previously made posts, the victim would lose their identity. Alternatively, if the credentials are known, they could just spoof comments made by the victim and label them as spam.

Since there is no Akismet judge or jury… the victim is doomed and must create a new online identity or somehow convince one of the higher-ups at Akismet HQ that they are a victim (this could be hard given that there is only one method of contacting Akismet for help, and everyone else with a problem is emailing too).
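
A defender's view of the feedback-poisoning scenarios above, as an added example that is not part of the original post and not Akismet's code (the page does not describe Akismet's internals): a hypothetical feedback aggregator that counts each reporter once per target, weights reports by an assumed reporter reputation, and sends a burst of low-weight reports to manual review instead of auto-flagging. All names, thresholds and sample data are constructed for illustration.

```python
from collections import defaultdict

# All names, thresholds and sample data are assumptions made for this example.
DEFAULT_REPUTATION = 0.1  # unknown or newly created reporters carry little weight
FLAG_THRESHOLD = 3.0      # summed reporter weight needed to auto-flag an identity
BURST_REPORTERS = 5       # distinct reporters inside one window looks coordinated
BURST_WINDOW = 3600       # seconds

def evaluate_feedback(reports, reputation):
    """reports: (timestamp, reporter, target_identity, is_spam) tuples.
    Returns {target_identity: "ok" | "review" | "flag"}."""
    latest = {}
    for ts, reporter, target, is_spam in sorted(reports):
        # One vote per reporter per target: "rinse and repeat" adds nothing.
        latest[(reporter, target)] = (ts, is_spam)

    votes = defaultdict(list)
    for (reporter, target), (ts, is_spam) in latest.items():
        weight = reputation.get(reporter, DEFAULT_REPUTATION)
        votes[target].append((ts, weight if is_spam else -weight))

    verdicts = {}
    for target, cast in votes.items():
        score = sum(w for _, w in cast)
        spam_ts = sorted(ts for ts, w in cast if w > 0)
        burst = any(spam_ts[i + BURST_REPORTERS - 1] - spam_ts[i] <= BURST_WINDOW
                    for i in range(len(spam_ts) - BURST_REPORTERS + 1))
        if score >= FLAG_THRESHOLD:
            verdicts[target] = "flag"
        elif burst:
            verdicts[target] = "review"  # many low-weight reports: a human decides
        else:
            verdicts[target] = "ok"
    return verdicts

# Constructed sample: a group of fresh accounts, one repeat reporter, and
# four established reporters flagging a real spammer over two days.
SAMPLE_REPUTATION = {"alice": 0.9, "bob": 0.9, "carol": 0.9, "dave": 0.9}
SAMPLE_REPORTS = (
    [(1000 + 60 * i, f"new{i}", "victim@example.org", True) for i in range(8)]
    + [(5000 + i, "grudge", "rival@example.org", True) for i in range(20)]
    + [(t, r, "pills@example.net", True) for t, r in
       [(100, "alice"), (40000, "bob"), (90000, "carol"), (170000, "dave")]]
)

if __name__ == "__main__":
    print(evaluate_feedback(SAMPLE_REPORTS, SAMPLE_REPUTATION))
```
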

This post has 8 comments.

  1. Matt
    25 Apr 06
    4:51 pm

    Each of these relies on the fact that the only input Akismet uses is its feedback mechanism, which is really just one of thousands of variables.

  2. deepthought
    26 Apr 06
    4:20 pm

    Thanks for your comment, indeed Akismet does use a whole host of variables to determine spam / not spam. But I continue to think that, if I can get myself de-listed as a comment spammer then I can also get someone listed as a comment spammer.

    I think most people just ’set and forget’ their Akismet installation. They don’t check what the filter is catching very often. I don’t want to sound like a typical internet crank, I love the ideals of Akismet, heck even the implementation is great. But I worry that there is no appeal process for those caught in the net.

    Keep fighting the good fight!

  3. Matt
    26 Apr 06
    4:23 pm

    Well, as a non-spammer you got yourself delisted. A better test would be to spam 1000 blogs, and then try to delist yourself. :) The thresholds are very different for different types of actions which may trigger the spam flag. There is also a small percentage of things in Akismet that get flagged for manual review.

  4. Ja
    26 Apr 06
    4:42 pm

    I haven’t put in for an Akismet API key so I haven’t used the service yet… how much information do they require? In other words, is it amazingly easy to get the keys or can people be banned from the service (realistically)?

    Also, do users get rankings based on anything that changes the weighting of their markings? For example, the most accurate email spam protection I’ve ever seen is Safetybar by Cloudmark. It uses ai+community in a similar manner. On the community side (keeping it real simple) if a user gets spam in their inbox they mark it as spam (or fraud) and their reputation ranking is taken into account as one of the variables. Marking stuff inaccurately lowers your reputation ranking while marking stuff accurately over time builds up your reputation level. Each account is tied to a paying individual though.

    It’s a bit trickier than that in the blogosphere and I really don’t know much about how Akismet works so I can’t comment on how relative the system is or how plausible the scenarios are (any system is exploitable).

    What might be nice for an additional plugin would be something that applies specifically on a site-wide level first giving your commenters the ability to build up reputation over time with useful (non spam) comments and promoting their rights at a specified reputation level to allow them to mark other comments on your site as spam to send it into moderation to help you out. If you disagree with them over something grey-area that they likely had good intentions with it lowers their reputation or if they do something obviously wrong you can just ban them so even if they did start a different identity they’d have to build up reputation all over again. There would obviously be ai setup to cut off enabled spam taggers automatically if they went bonkers one day and just started marking everything as spam or get into a spam tagging fight with another high reputation individual. I know this would be particularly helpful for mid-level blogs that have some regular commenters but not a huge community of them. I know personally that sometimes when I visit a blog and I see spam in the comments I’d love to get rid of them myself, lol. I haven’t thought it out, but I guess this could also eventually contribute to an overall system like Akismet by giving your blog reputation over time and having that help in weighting and in fingerprinting spam correctly.

    Ultimately, for a widespread community system though the best method is having credentials associated with a real individual either through a small subscription fee (which almost always wards off the troublemakers from joining in the first place) or other validation methods I’ve seen that are effective in verifying individuals are in fact themselves. As much as I’ve always believed in privacy rights and being able to be anonymous on the net, these days there are times and places for both. At some point you have to be responsible for the things you do and in certain blogging circles this would be appropriate. This is also putting privacy worries aside because most online privacy issues imo are caused by stupidity in implementation. There are much bigger risks in every day life as well as other types of online services. So I’m not really up for discussing that aspect.

    In any case, interesting read, I’ll have to revisit your thoughts after I’ve started using Akismet and have learned more about it. We really do need to clean things up on the net one step at a time and part of that process is spotting areas where improvements could possibly be made or flaws may be present.

    As an aside, since you brought it up in one of your examples, all Myspace users should automatically be marked as bad. ;)

    I hope you’ll follow up with Teaching Microsoft: “Stop being so bad!!”

    Ja

  5. deepthought
    27 Apr 06
    6:15 pm

    Ja,

    It’s easy to get an Akismet key, just sign up for a blog at wordpress.com. Your key comes in the mail and you don’t ever have to touch the blog you just signed up for. I’m not sure why they make you sign up, but whatever. It’s a hoop.

    No, rankings (if they exist) are not publicly available (as far as I know). Rankings would be interesting at any rate. I’d love to know what other people think of your comments… ;) Imagine if you get a comment on your site and think, “what the heck is this guy thinking?” You click on his name to reveal that the blogosphere thinks he is a crank. Of course in the dystopian future that I sometimes envision, all this is brought to you by Survivor or Coca Cola. Anyways…

  6. Ja
    28 Apr 06
    6:36 am

    Ha! Love that last comment.

    I didn’t mean publicly available rankings, I just meant ones the system kept track of to take into account as one of their many variables. Publicly available ones would likely be a disaster but would be pretty funny at the same time. It’s useful on things like eBay, but here it’s a little more to it in other places. Even on this forum I used to check regularly, they had some type of points system and it was terrible… leading to a hierarchy of people that could instantly discredit you if they didn’t like your personal opinion or you didn’t fully agree with them on something.

    In the future that I envision there is no blogosphere (well, not in this form anyway) and sometimes the net doesn’t even exist… guess it’s time to finally start that BBS, hahaha. Wow, that was totally a joke, but there may be some merit to that…okay, maybe not BBSs but starting an initiative to have a government implemented backup infrastructure of some sort on a town-by-town basis that will kick in when problems with larger surrounding internet connections arise. It would also allow for local private community networking while in its dormant state. Though I guess if it worked it might put a damper on the party I’ve reserved for the day the whole net goes down. ;)

  7. deepthought
    28 Apr 06
    8:41 am

    Cool. Sounds like ‘waterworld’ except instead of water there is ‘internet’. If it’s ok with you, I’d play the Dennis Hopper character and shake my fist a lot / crack lame jokes that everyone is forced to laugh at. That there is a quality bad guy. Jokes…

  8. [...] Introduction: Part 1 of a 2 part series focused on how Akismet can / could be taught good or evil. Part 1 below explains the situation I found myself in, and the steps that I took to remove myself from Akismet’s list of comment spammers. Part 2 introduces some theoretical concepts for the creation of spamming networks. [...]