Posted Jul 29, 2010 5:36 UTC (Thu) by jmorris42 (subscriber, #2203)
Parent article: On comment spam
First, one must know the enemy.
The spammer is a volume guy and is cheap. He wants to spew as many copies of his ad as possible at the lowest possible cost.
So first off, any post by a subscriber can be assumed good. After all, if the spammer is willing to pay to put his ad here he could just write email@example.com and if he isn't pitching something totally bogus/illegal he could just buy a real ad. This means that while in theory a spammer could post spam with paid accounts or use paid accounts to approve posts in a moderation scenario, etc., in reality it isn't likely to happen unless the spam scene drastically changes in the future.
While they really like automated tools, some do pay third world labor to manually post because humans can still get past filters better than current bots. They can grind out accounts and posts and a captcha just slows them down a little bit. So what are their weaknesses? How about leveraging the fact that this site caters to a very specific demo? Instead of a typical captcha, use a small set of multiple choice questions that anyone who should be posting here could answer but spammers would have to go google. Or display five distro mascots/logos and require matching them to their names. That would waste a lot more of their time than a typical captcha, thus encouraging them to go somewhere they can get more bang for their buck.
And again, after one or two successful on-topic posts it can be assumed that the user is legit. Again, this is a specialty site and a lowest possible labor rate third worlder (who can't graduate to outsourced call center work or something more legit) probably isn't likely to be able to make a couple of cogent posts in a place like this just to get to spew comment spam for a few hours until the account gets closed and every post they made gets rubbed out. The return on the labor is bad.
Don't try to stop the spammers. Realize you can't. What you can do is make it too expensive for most to bother. You will always get a few who try it as they figure this out.
Now know thyself (and the users). You are short on labor but have a highly technical and generally spam-hostile readership. Only new accounts need to be suspected, so put a spam mallet icon beside those users' posts and let the readers bang on it. Three strikes and it is out. Two posts go out and the account goes dead and after a quick moderation double check by a staffer all posts from that account go away with a single click. Add one final feature to limit how many posts a new account can make in a day and the spam problem should be under control.
Only one problem remains... the spammers who creep in and post in old threads might survive the probationary period. So just don't allow a newly created account to post in a thread over an age threshold, perhaps a month?
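The probation scheme proposed in the comment above, sketched as an added example (not part of the comment and not LWN's code). The class and function names are hypothetical, and two values are assumptions the comment does not give: the daily post limit of 5, and the rule that only trusted readers' mallet clicks count.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

STRIKES_TO_HIDE = 3                    # "three strikes and it is out"
HIDDEN_TO_SUSPEND = 2                  # "two posts go out and the account goes dead"
MAX_THREAD_AGE = timedelta(days=30)    # "perhaps a month"
TRUSTED_AFTER = 2                      # "one or two successful on-topic posts"
DAILY_LIMIT = 5                        # assumed; the comment gives no number

@dataclass
class Account:
    name: str
    subscriber: bool = False
    good_posts: int = 0                # set by whatever judges a post on-topic (assumed external)
    hidden_posts: int = 0
    suspended: bool = False            # awaits the staffer's double check and one-click purge
    post_times: list = field(default_factory=list)

    @property
    def probationary(self):
        return not self.subscriber and self.good_posts < TRUSTED_AFTER

@dataclass
class Post:
    author: Account
    reporters: set = field(default_factory=set)
    hidden: bool = False

def try_post(acct, thread_created, now):
    """Return (Post or None, reason) after applying the probation rules."""
    if acct.suspended:
        return None, "suspended"
    if acct.probationary:
        if now - thread_created > MAX_THREAD_AGE:
            return None, "thread too old for new account"
        if sum(now - t < timedelta(days=1) for t in acct.post_times) >= DAILY_LIMIT:
            return None, "daily limit reached"
    acct.post_times.append(now)
    return Post(acct), "ok"

def report_spam(post, reporter):
    """One spam-mallet click; returns True if this click hid the post."""
    # Assumption: only trusted readers' clicks count, so probationary
    # accounts cannot bury each other or legitimate newcomers.
    if post.hidden or not post.author.probationary or reporter.probationary:
        return False
    post.reporters.add(reporter.name)  # a set, so repeat clicks count once
    if len(post.reporters) < STRIKES_TO_HIDE:
        return False
    post.hidden = True
    post.author.hidden_posts += 1
    if post.author.hidden_posts >= HIDDEN_TO_SUSPEND:
        post.author.suspended = True
    return True
```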