The Frustration Loop (herman.bearblog.dev)
482 points by zdw on Sept 22, 2023 | 142 comments



This reminds me of one of my former ESPN co-workers - Mike Davidson[1] - who founded one of the first community news sites (Newsvine[2]) back in 2006.

Newsvine had comments and upvotes and link submissions and posts - it was very reddit-esque except it was focused around the news. The team had to have a way to deal with spammers and trolls. They found the most effective way was to flag a user as a troll on the Newsvine backend. If the troll flag was set to true, Newsvine would add a random 10-60 second delay to every page load for the troll's account. IIRC it solved the problem pretty effectively.

1- http://mikeindustries.com/blog/

2- https://en.wikipedia.org/wiki/Newsvine


By that standard, I think that the new Reddit mobile UI must consider everyone a troll.


Everyone who doesn't just replace www with old


There used to be i.reddit.com for the old mobile UI but they shut it down


Actually still accessible: https://reddit.com/.i


Clicking on any post leads to the new design. :(


Appending the .i to any link works - it's clumsy, but still less so than the new design.


Just stop using Reddit instead of fighting it


Sounds like an idea for a webextension


I built a custom stylesheet which makes old reddit mobile friendly (basically to look like an app). I'll throw it up if anyone is interested, I was going to build a webview app which just uses old reddit to provide an app-like experience.


I'm interested!


How would this work for something like Twitter/X when accounting for individuals serving the US government? Someone could be flagged as a troll on the backend for unrelated reasons, but now their experience in communicating with someone in government is delayed. I understand that a delay is not the same thing as a block, but I wonder if the damage to the user’s experience is sufficiently similar for a federal judge.


Twitter has been doing things worse than that for years. They seem to even have different levels of shadow banning.

The practice is fundamentally malicious because innocent people get caught in it all the time. The two main problems both stem from the fact that they don't admit to doing it.

The first is that you're posting interesting things but nobody ever sees it because you're shadow banned, and then what you should really do is create a new account and start over, but you don't know why nobody ever sees it. "Maybe you just don't have much of a following yet." But you never will with that account. An innocent person is subjected to the penalty meant for a spammer -- and suffers longer for it because they have no reason to expect they're being punished when they haven't done anything wrong.

The second is that even if you figure it out, they still don't admit to doing it, the consequence of which is that there is no appeals process. So if you have an account with a significant following and then get shadow banned illegitimately, you're much more likely to notice this because your engagement falls off a cliff, but there is no process for undoing it other than to abandon your account and start over from scratch.


idk if some of those things are "shadowbanning" per se but more like limiting reach and promotion.

there's the confusion (unaware or intentional) between 'getting actually shadowbanned, as in, your posts actually do not appear to anyone else but you' and 'not getting free promo, free algo boost, free views from the platform, if it either doesn't choose to promote you, or chooses to not promote you' (these two are subtle but different as well). 'not getting the extra boost from a platform' - or just really 'having a piece of content fare for what it is, just by itself'. these kinds of mixups lead to kinda inane takes like 'i'm not getting as many views -> the platform has shadowbanned me', which are particularly weird to actually see, as a post, that is very much up and visible (and not "shadowbanned").

there's almost a vague sense of entitlement to getting views, getting an audience from a platform, in bulk and for free, and for whatever it may be. when a platform really just may choose to not extraneously promote something. or have a more sophisticated way by which some piece of content 'bubbles up', as it gets engagement and moves up in ranks of reach and virality. or it may downrank something, which still isn't a "shadowban". but lo and behold, "shadowbanning" now has its meaning so diluted, you'll just get talking heads throwing it around, and very visibly so - almost as if they're unencumbered by it and just saying a buzzy word.


That's what I mean by different levels of shadowbanning.

"Well, the algorithm just isn't promoting you, that's not the same thing."

The algorithm is sorting a feed containing millions of posts. There is no mathematical difference between a penalty and the removal of a bonus that similarly situated accounts get. They both cause your posts to be not seen by people who would otherwise have seen it. You can easily be blocked from 95% of your audience and still be able to find people in the last 5% who occasionally see your posts.

The thing that makes it a shadowban is that it's a hidden penalty applied to your account, regardless of what you subsequently post or how the people who do see it respond to it.


how is something that _isn't_ shadowbanning, somehow a "level" of "shadowbanning"?

no, a platform not promoting posts, and a platform hiding posts and making them not visible to anyone else at all, are not the same thing.

see, it's going as far with complaints about "shadowbanning" as to say "well maaaybe 5% might see it - But it's still a shadowban!" - that's the part that makes the complaints sound like the bullshit that they are


> how is something that _isn't_ shadowbanning, somehow a "level" of "shadowbanning"?

How is it not shadowbanning? They're not showing your posts to people they would otherwise show your posts to because of an opaque penalty tag on your account. This can obviously be done to varying degrees ranging from not putting your posts in anyone else's feed, to not showing your replies even when viewing the post it's a direct reply to, to not notifying the person you replied to that they have a new reply because it was you who posted it.

These are all forms of shadowbanning. Meanwhile a given post might still be visible via some other means even when they're being applied.

> no, a platform not promoting posts, and a platform hiding posts and making them not visible to anyone else at all, are not the same thing.

This is a kind of pedantic reasoning where if you hide a post from very nearly everyone you want to call it something else because "very nearly everyone" and "everyone" theoretically isn't the same thing even if it's practically the same thing. It's like saying well, you know, technically we didn't remove you from the search results, we just put you on page 50384.


> see, it's going as far with complaints about "shadowbanning" as to say "well maaaybe 5% might see it - But it's still a shadowban!" - that's the part that makes the complaints sound like bullshit that they are

I've no dog in this fight, but this seems deliberately obtuse. You could call "traditional" shadowbanning "100% shadowbanning" and what you've just described "95% shadowbanning". They're extremely close.


The Twitter shadowbanning that I saw was that if I was one of 10 people who replied to a tweet, someone using another account would not see my reply among them.


And of course with the way the service functions, plus the bloated UI, for the first couple hours they keep the plausible deniability of "eventual consistency".


Don't use Twitter for government comms I guess? It's a private system with its own rules. They can degrade the experience as much as they like if the system flags one as a troll, regardless of their being part of an organization.


Well, here is the thing: maybe a troll can use the idea that comments on a government official's account are a public forum and demand that the third party remove the troll flag, or demand that the troll flag be ignored for government accounts.

> U.S. District Judge Naomi Reice Buchwald in Manhattan ruled on May 23 that comments on the president's account, and those of other government officials, were public forums and that blocking Twitter Inc TWTR.N users for their views violated their right to free speech under the First Amendment of the U.S. Constitution.

https://www.reuters.com/article/usa-trump-twitter-idINKBN1KV...

In the above case, the block was executed by the account holder who was a government official. Having the service provider flag a user as a troll and degrading their experience might be acceptable for comments on non-government accounts, but if a federal judge "flags" government accounts as public forums in a US court of law, then the service provider is now creating additional friction for a user participating in a public forum.

We have had political candidates and politicians like Alexandria Ocasio-Cortez doing AMAs on Reddit, so what I am describing is not a far-fetched hypothetical: https://old.reddit.com/r/SandersForPresident/comments/6ftvhu... .


Surely the solution then is to block government officials from the platform. Bad for engagement but keeps your "no, really, this is a private forum" status.

(Rather like how lots of non-US banks block US nationals from having an account even if they're resident in the bank's country, because of the paperwork overhead)


It's really useful for fast moving emergent stuff like wildfires where there is patchy information from multiple sources (some people report smoke, some fire etc.)


You'd be probably slapped with a law banning exactly that, which I'm surprised if it doesn't already exist.

It's not the same thing as a bank in another country refusing to open an account for an average Joe because of too many hurdles involved with reporting your balance to the IRS.


Twitter/X bans people outright. Surely that's a bigger issue for communication than lag.


It isn't. When you're banned, you know you're banned. Thus, you know you can't expect to use your account for communication anymore. When you're shadow-banned, you don't know you are shadow-banned, and will continue to attempt using your account for communication, and believe it's the other people who are just ignoring you.


What type of shadow ban are you talking about? Are you talking about being unable to post (e.g. The Frustration Loop) or about other people being unable to see your posts? Then yes, I agree that's worse than being banned. But if we're talking about a 10-60s lag (as I mentioned in my comment and the previous posters were talking about), I say that's better than being banned, because communication can still take place.


Right, my mistake. I was talking about both shadow-bans and error-bans/The Frustration Loop. The common thing here is that you're being gaslighted by the service.


I loved Newsvine. It seemed so innovative and inviting.


Spam and trolling even happen in physical newspapers/radio/tv/books/magazines. It's just that you have to pay to do it.

The rich/ceremonial/leisure classes have throughout history been constantly spamming everyone with whatever shit occurs to their 3 inch brains, because they can afford to buy the largest amount of attention.

Too bad there is not enough attention for anything anymore cause production of content is happening at volumes that dwarf consumption of content.

If 99% of comments and links on HN are not read by anyone, do you think the great geniuses who run HN will tell you that? What's the use of such systems no one asks. They want to just keep it alive like some dumb engineers in the control room of Jurassic Park after the children are lost and the T Rex is loose.

The platforms, without knowing what the fuck they are building, have made it Free for everyone to Broadcast. So it's now not just the rich who are spamming and trolling. It's everyone. For free. All you get is noise. Read the UN Report on the Attention Economy.

One dimensional software engineers now have the capability to build and scale systems quickly. That's the only reason we have these dumb fucking mindless systems wasting everyone's time and energy.


What I want is a "content condensor" tool. Something OSS and mathematically pure that can just take all the signal, drop the noise, and run some NLP to "condense" the information for me to effectively wade through it. Yes, there's a lot of bullshit content now, but there's also a lot of valid content. To be proficient today, we need to be able to swim effectively through the sea.

What's screwed up right now is we are currently forced to rely on 3rd-parties to filter for us, and they do so often poorly by just dropping content that's not "popular" which results in biased sampling, or worse, they select based on some kind of profit motive. Why can't we own our own "social media algorithm" or something? Why do I have to spend so much time consuming? Give me the IV drip, and filter out the unhealthy portion, please. Ideally, I should be able to trust the filter, too.


Spam filter idea: posts with bad interpunction are likely content-free angry ramblings!


Yeah, but in the long run (or very soon), you might have to use grammar misstakes as a captcha, to seperate bots from humans.


> misstakes

> seperate

I see what you did there.

Please never implement that idea though, it would be like the opposite of https://xkcd.com/810.


I am pretty sure, it is already in use.

But of course it would be trivial to modify the llm output, to include random misstakes, if this ever would become a standard way of dealing with bots.


> Spam filter idea: posts with bad interpunction are likely content-free angry ramblings!

... or written by non-native speakers.


I worked inside Akismet for some 6+ years.

Akismet is very good at detecting comment spam. If it were any good at detecting signup spam then wordpress.com would not have so many spam blogs.

I also would track down spam blogs there. Sometimes manually through search engines and a curated list of known terms and sometimes with tools that one of the devs created for me.

I suspended thousands of genuine spam blogs. Sometimes mistakes were made but they were rare.

Then, although some automated tools were created to try and stem the tide, that hunting and suspending was deemed not to be a priority. It was important at the start that wordpress.com was seen to be clean so it could grow but once deemed big enough, it was stopped. While I know I was using a supersoaker to put out a burning car, it didn't take long and I found it satisfying.

This time of year I'd be hunting Halloween spam blogs and would start to see Christmas spam blogs too.


I came up with a simple way to eliminate spam in my email, without any third party filtering.

I have my own domain name for email. My email box accepts anything that goes to the domain. I.e. a catchall email account.

However, I give a different email address to every site and service. I.e. sitea@mydomain.com, site2@mydomain.com

This lets my email reliably get auto sorted by who it's from.

But I also use a consistent form to the names I hand out, so that random email that comes to my domain gets deleted instantly and I never see it.

I almost never get spam. But sometimes some service leaks my email somehow and I start getting some. So I change my email with that service (or cancel it) and add that email to a manual list of incoming addresses to block.

It's so dead simple, I feel like all email programs should have the option of working with a whole domain this way.


Alternatives if you don't have your own domain:

- Fastmail masked emails (https://app.fastmail.com)
- Firefox relay (https://relay.firefox.com/)
- SimpleLogin (https://simplelogin.io/)

There's many more.


Seconding Firefox Relay. Got premium to give Mozilla money to waste on CEO compensation /s. Dislike sarcasm a lot, still had to do it.


And even if you do have your own domain (I do), for one-offs these services are still useful, since they're not relatable to you, and motivated spammers can't just guess new addresses for you. For example, y'all can send me an email at 0yiulnql3@mozmail.com, but if I get lots of spam there, I'll disable it and you'll never know what other Firefox Relay masks I have.

That, and the UI for disabling masks is much easier than having to create a new filter.


Similar setup for me: separate addresses for external parties, which, BTW, helps phishing recognition too, because e.g. a "note from my bank" to an address I did set up for some shop cannot be real. And those abused addresses can be deleted from /etc/aliases to render them void.

Besides that my postfix server is configured to reject connections, where the sending site does not have a reverse DNS mapping. Worked twenty years ago, is still useful today when I check my logs.


I have a similar system. My domain is catch-all, but I give everyone a unique email address with a bit at the end of the alias to indicate what my email rules should do.

For example, if I get an email at anything_s@mydomain.com, that will go directly to spam. I use this for everything from Google to every small website I sign up on. They usually only spam anyways. And I check my spam every now and then for if there's anything important - there has never been.

I consider whatever most normal businesses send me spam as well, as I don't care for most of it. Uber Eats, for example, sends a number of emails per each order. That is just spam in my eyes. If I'll use a service I care about, I'll give it an email with a different alias suffix that will never go to spam. But I almost never do.

This has kept out the phishing spam when websites leak my email address just as well as the regular "important information about a minor interaction you did with us" spam that comes from most websites.


I have a similar system. But I "register" the addresses in a .txt file first. (sitename-random-number@mydomain) A catchall will flag every mail sent to you as successfully delivered on the spammer side. So the spammer will send again and again, wasting your resources.


I've been doing the same for some years now, except auto deleting anything.

What I noticed is that the only spam I get goes to my mail address that's published on my blog and my github address. So it seems that nobody sold my address to spammers, they only scraped publicly available addresses.


> So it seems that nobody sold my address to spammers, they only scraped Publicly available addresses.

I've been doing it for many years and have already gone through quite a few leaked addresses (at least a dozen or two, out of many hundreds). Even a small hotel, not part of any hotel chain, in Portugal in the middle of nowhere has leaked my address.

That said, I believe almost all of those leaks were due to websites or databases having been hacked, not due to them actually selling my email addresses.

When they sell my data (which has also happened before) I tend to get spam from actual businesses, often related ones. When the email gets leaked, I tend to get huge amounts of generic spam/scams (e.g. "your device was hacked!!"). You also tend to find the latter addresses on haveibeenpwned.com.


I did this but nerd-sniped myself. I hand out addresses like {name}-{hmac}@me.example. These addresses then bypass the spam filter and if they start spamming me I block them.

The problem is that I still need a general address for my website, resume, HN profile, Git author info... So I still accept mail to a handful of publicly available addresses. However it does let me play with the spam rules a bit more. Signed: auto-accept, known address: moderate spam filter, unknown address: heavy spam filter.
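The tiered scheme in the comment above (signed address: auto-accept, known address: moderate filter, unknown address: heavy filter) and the "register the address first" list from an earlier comment both fit in a few lines. The following is an added example, not code from any commenter; the secret, the 6-byte truncated HMAC-SHA256 tag, the domain me.example, the allowlist entries and the policy strings are all constructed for the demonstration.

```python
import hashlib
import hmac
import re

# Assumptions for this example (not from the thread): a per-domain secret, a
# 6-byte truncated HMAC-SHA256 tag, and the address shape {name}-{hmac}@me.example.
DOMAIN = "me.example"
SECRET = b"constructed-demo-secret-rotate-in-real-use"
TAG_BYTES = 6

# Constructed allowlist standing in for the "registered addresses" file one
# commenter keeps (sitename-random-number@mydomain).
KNOWN_ADDRESSES = {"shop-48213@me.example", "hotel-7711@me.example"}

# Spam-filter tier for each class of address.
POLICY = {
    "signed": "auto-accept",
    "known": "moderate spam filter",
    "unknown": "heavy spam filter",
}


def tag_for(name: str) -> str:
    """Bind a label to the secret; only the domain owner can mint a valid tag."""
    mac = hmac.new(SECRET, name.lower().encode(), hashlib.sha256).digest()
    return mac[:TAG_BYTES].hex()


def mint_address(name: str) -> str:
    """Address handed to one site; a leaked copy reveals nothing about siblings."""
    return f"{name.lower()}-{tag_for(name)}@{DOMAIN}"


def classify(address: str) -> str:
    """Return 'signed', 'known' or 'unknown' for an incoming recipient address."""
    addr = address.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or domain != DOMAIN:
        return "unknown"
    if addr in KNOWN_ADDRESSES:
        return "known"
    # Tag is the trailing 2*TAG_BYTES hex chars after the last '-'.
    m = re.fullmatch(r"(?P<name>[a-z0-9._-]+)-(?P<tag>[0-9a-f]{%d})" % (TAG_BYTES * 2), local)
    # Constant-time comparison so a forger cannot learn the tag byte by byte.
    if m and hmac.compare_digest(m["tag"], tag_for(m["name"])):
        return "signed"
    return "unknown"


def policy_for(address: str) -> str:
    """Map an address to the filter tier the mail pipeline should apply."""
    return POLICY[classify(address)]


if __name__ == "__main__":
    for a in (mint_address("Newsletter"), "shop-48213@me.example", "random@me.example"):
        print(a, "->", policy_for(a))
```

Blocking a leaked signed address is then a denylist entry on the exact address; the secret stays put, so addresses minted for other sites keep working.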


You can do something similar with Gmail - if your email is matt@gmail.com you can receive to Matt+1@gmail.com, matt+2 etc. Although some websites reject this format.


Spammers will definitely remove the + suffix.


While the + is part of the RFC, many websites do not accept a + sign in an email address field.


I've been "fighting" many websites in the last 20+ years, which use(d) javascript libraries which accept "only a-z, 0-9 and _" as valid characters in a local part. Some even changed their code after I complained and pointed them to the relevant parts of RFC822 (and all successors)

IMNSHO: sysadmins who do not know that the local part of an email address is not of their concern (as long as it complies to RFC 822++), are not worth their money. And web designers? Don't get me started on that topic ;-0

Edit: ok, they even allow "." and "-" in local parts.


Or worse, they'll accept it, but then some backend system trips over it, and now the product you ordered never ships to you, but customer service doesn't know how to refund it either.


Gmail does not see "." as contributing to uniqueness of the addressee name. So for instance a missing "." expected in "matt.smith@" is a reliable flag for rejection.
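The two complaints in this sub-thread (sites rejecting RFC-valid local parts such as ones containing "+", and the fact that Gmail ignores dots and "+suffix" so aliases collapse to one mailbox) suggest a signup check that accepts what the RFC allows but compares addresses in canonical form for duplicate-account detection. This is an added example, not code from the thread; it implements the RFC 5322 dot-atom form only (quoted-string local parts are left out), and the list of dot-insensitive providers is an assumption limited to gmail.com.

```python
import re

# RFC 5322 dot-atom local part: runs of atext separated by single dots.
# Quoted-string local parts ("john doe"@example.org) are valid too but omitted here.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
DOT_ATOM = re.compile(rf"^{ATEXT}(?:\.{ATEXT})*$")

# Providers whose mailboxes ignore dots and anything after '+' in the local
# part. Assumption for this example: only gmail.com; extend as you verify others.
DOT_INSENSITIVE = {"gmail.com"}


def local_part_is_valid(local: str) -> bool:
    """Accept every dot-atom local part the RFC allows, including '+'."""
    return 0 < len(local) <= 64 and DOT_ATOM.match(local) is not None


def canonical(address: str):
    """Canonical form for duplicate detection, or None if the address is malformed.

    The domain is case-insensitive and is lowercased. The local part is only
    rewritten for providers known to ignore dots and '+suffix'; elsewhere it is
    kept verbatim, because RFC 5322 leaves its interpretation to the receiving host.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not domain or not local_part_is_valid(local):
        return None
    domain = domain.lower()
    if domain in DOT_INSENSITIVE:
        local = local.split("+", 1)[0].replace(".", "").lower()
    return f"{local}@{domain}"


def is_duplicate_signup(new_address: str, existing: set) -> bool:
    """True if the new address maps to a mailbox already registered."""
    key = canonical(new_address)
    return key is not None and key in {canonical(a) for a in existing}


if __name__ == "__main__":
    # Constructed sample: three aliases of one Gmail mailbox plus one unrelated address.
    registered = {"matt.smith@gmail.com", "user@example.org"}
    for candidate in ("MattSmith+promo@Gmail.com", "m.a.t.t.smith@gmail.com", "user+shop@example.org"):
        print(candidate, "duplicate" if is_duplicate_signup(candidate, registered) else "new")
```

Rejecting "+" at the form, as the thread complains about, gains nothing here: the canonical key already folds plus-aliases for the providers where that matters, and for other domains a plus-address is simply a distinct, valid mailbox.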


I just installed rspamd and don't have to do any of that faffing around.

It's better than Gmail in filtering Spam.


Spam teams at social networks typically shadow-ban spammers. The goal of this is to make it as difficult as possible for the spammer to determine that they've been caught (which is why I think the frustration techniques, or simply account suspension aren't widely used).

The field of spam-prevention is fascinating because it's essentially an arms race between companies deploying tactics to detect spam and sophisticated spammers using increasingly complex methods to avoid detection.

So there's an advantage gained by companies if spammers believe they don't need to evolve their methods.


The problem is real humans getting snared. My TikTok account is shadowbanned (anything I post now gets zero views, and my LIVE gets zero viewers).

And my Instagram account got permabanned because they said I was impersonating myself. This was worse because I lost the entire account. They even had me send a selfie of myself and the instant I submitted the image was when they did the permaban lol.


There is a clip from The Grand Tour where James May explains what happened when he tried to create an Instagram account: He signed up, discovered that there was already an account on there impersonating him, reported the impersonator, and so Instagram took the report and shut down his real account instead.


The harsh truth is that the occasional false positive doesn't affect their bottom line even slightly. Unless a false positive is some social engineering genius that can stir up a shitstorm of bad PR, they can be silently ignored forever.

You're the sacrifice that they're willing to make to build their social media, and if you don't think it's fair... no one cares.

Even if this somehow offends people, those people will never notice that it actually happened.

Probably, this means that sane people should want the government to regulate at least those services considered essential to life to require appeals systems. Not TikTok, but I've heard of people losing access to Amazon forever. There are people for whom Amazon is essential, there are no local alternatives. And if the people wrongly permabanned from it ever overlap with those who can hardly live without it, then we have a big problem.


I don't mean to cause offense, but maybe you haven't built a following yet? I see plenty of Lives with 0 viewers.


Just out of curiosity, how would you build a following if none of your videos ever receives any views? I'm not someone who uses the tikity tok but it seems like an intractable problem.


Leave noteworthy comments on other people's videos, make noteworthy stitches of theirs. Embrace remix culture, essentially. It only seems like an intractable problem to non power users of social media.


What if those videos also receive no views? Serious question, I don't know how Tiktok works well enough to intuit.


If those videos receive no views, then it means the concept of the stitch wasn't compelling. Practically speaking -- just do it over and over again until you find something that does work.

Some people have a knack for making content that goes viral, but for most folks, it's a muscle that needs to be learned through lots of practice, with a lot of early going seemingly bearing little fruit until the inflection point is reached.


Search for "zero views" on Youtube.


Share your videos as a response to a comment on HN.


In other words: be a spammer.

Yay, incentives on social media sites are totally not perverted.


The problem is that "getting people to see your stuff" is the route to monetization, and therefore is horribly choked with spam that stacks the odds against real humans.


I think at least initially TikTok would push traffic to new accounts. My first few videos got a bunch of likes/views even though I had 0 followers. And then I noticed it started to trickle down video after video even though (subjectively) the content remained largely the same. It’s a clever mechanism to increase stickiness for new users as well as detect early on if a new content producer has that Good Shit that will do mega views.


No, on a regular account TikTok's algorithm will always send a few dozen viewers to any new video or any LIVE just to get feedback from users (e.g. playtime, likes, faves, shares etc).

I have an old account with almost 4000 followers.

TikTok just woke up one day and hated me. Hopefully it has a timeout on it.


> They even had me send a selfie of myself

So they could compare it with what, the content posted?


They want to collect name:face mappings. I've had the same issue with IG but haven't got around to posting the selfie.


DO NOT post the selfie. It is a trap.

Read my suggestions here:

https://news.ycombinator.com/item?id=37254898


I think they just wanted to see that I was a real human. They had me hold up a sign with a code written on it. The only thing I thought of was that they might compare it to my profile pic? But it makes little sense as many people have something abstract as their PFP, or a photo of their cat.


Nice try. What stops anyone from going to Madame Tussauds and posting a selfie of Frank Sinatra holding up a code? Or paying a street performer to do it. Because that would be my first thought, how to screw these sociopaths.


And the irony here is that the leading spam-detection teams work for spammers. Ads are spam, except when it's adtech that's paying your bills.


Depending on the context, account suspensions can be weaponized. By making someone you don't like /look/ like they are doing something dodgy, you can get them banned.


Like fail2ban. Nothing quite like the anxiety of almost locking yourself out of your own system because you mistyped a password one too many times. It's a delicate balance (although, for something like SSH, I wouldn't even bother, unless the traffic is measurable enough to cause issues. But then you're getting (D)DoS'd, and you probably have bigger problems).


Modern spam tools I've encountered accept a second account list to be used for verification purposes for this reason. They can automatically purge shadowbanned accounts by spot checking comments for visibility.


I wondered about that - it seems like an actual spammer would have an easy time checking from other accounts, so it adds at most a minor amount of extra work, while real users who are incorrectly flagged never even think to check.


Akismet has no working appeal mechanism. What seems like 1000 years ago I got banned by it for posting comments on my own blog. (haha!) If I comment any place using it my comments are silently filtered out.

I got banned by Disqus too! for posting many useful links in comments on blogs by people I know. They resolved the issue in 2 days and were wonderfully polite about it.

Akismet should at least clear wordpress users banned countless years ago and wp should replace it with something less well... insane.

I don't mind not being able to reply on my own wp blog. It is fairly amusing actually. I'll just use some other blog engine. It's easy for me.

but it seems bad for wp to refer to their users as uhh let's kill some spam??? I'm not impressed.


I'm an Akismet developer; the best thing to do would be to email us at support@akismet.com with your info and we can look into why your comments are getting caught.


What I usually do for situations like this is give up on the site altogether. It takes me one click to add a domain to my uBlock list and search Google for the title. No appeals process will ever be that easy or reliable.


I'm missing the part on how op determines valid users for the frustration loop.

> Enter Akismet... Blocking spam on signup worked somewhat, but was easily circumventable

> some spammers found ways to parade as legitimate blogs... which I would have to manually sniff out and flag.

> This lead me to an idea: The Frustration Loop... When spam is detected... Waste their time and make them give up.

> "Now hold up there Herman! Won't this be triggered by valid users?"... it's been running in production for the past 3 months and I've only had one user report this as an issue.

imo that would be the most interesting part of the article. It's cool that the action that's being taken is to frustrate the spammer but I wished there was more info on separating spammers from real users, figuring out false positives and false negatives and the like. I understand that giving details on detection is probably not a good idea and that the article is about The Frustration Loop, though.


They pay for Akismet and run the users signup info through it. You can see the kind of data they send to them in the GIF on the post. If Akismet says yes, this is spam, then engage the frustration loop. I thought it was clever.


Yep, but op also mentioned spammers that get through signup without being flagged and having to go and manually flag them.

My thoughts on the loop overall are:

- maybe users are false flagged but not complaining because the "bugs" are rare enough

- spammers with automation may brute force through the "bugs"

- handles manual spammers well because they will encounter the "bugs" more often and just leave; or they'll report it as an issue that you may have to look into.

To draw a comparison with my own experiences, I have to jump through hoops when I visit sites with bot detection or other related security measures. I am the normal user being flagged as a spammer being frustration looped in this case.


Does Akismet detect spammers when they sign up?

afaik its main feature is an API to detect whether a given comment is spam: https://akismet.com/developers/comment-check/


My guess? Akismet is metered, and he submits only the first few posts to lower costs. Once you have some reputation, you can post anything.

So spammers noticed being blocked on account 1, created account 2 with legitimate content, and then started spamming.

New process is detecting spammers on first post but instead of immediately sending them away (or throwing their content into the void), go to some length to pretend the website is irreparably broken in subtle ways.

The point is to waste their time before they realise they've been flagged, and have them give up.


I assumed that the two paragraphs were connected.

> Enter Akismet. This is a spam detection tool by the Wordpress people and is pretty accurate and easy to use.

> Blocking spam on signup worked somewhat, but was easily circumventable by spammers who are well versed in dealing with these kinds of barriers.

But now that I look at Akismet's description, it sounds like Akismet does a lot more than block on signup. Perhaps they use it after signups but apply the frustration loop instead of blocks because it's less accurate there.


In the gif, the user already has a login and is attempting to make a post. I imagine either the user gets flagged as a spammer or each individual post might.


In the gif I see, they’re signing up for a new site, and are asked to create a login in the 2nd step.


> I understand that giving details on detection is probably not a good idea and that the article is about The Frustration Loop, though.

That's the thing. It feels like no one wants to solve the problem; it will only hurt metrics and profits, I've already figured at this point /shrug


The best spam protection I ever had was a bunch of hidden text input fields on my mail contact form, with names like “blindcopy”, “bcc”, “cc”, “additional address”, etc.

They all had default values.

If the submitting handler detected any values in these fields that were different from the default, the submission was rejected.

I don’t think I ever got a single bogus email from that form.


Spam scripts are much less smart than that. I added a hidden field with no text in it to a contact form, and a polite warning as the hint text for accessibility. If anything was filled into that field the submission was silently dropped. I was cc-ed on any entries, and I believe there were 0 spam emails in the 8 years or so that the form was up.


I've heard this concept described as a "honeypot field" before and it works pretty well as you've said. I'm curious how password managers/autofill avoid tripping up though; are they able to detect that the field is not visible?


Password managers typically only fill specified fields - username & password - and leave others alone.


Maybe I'm thinking specifically of 1Password which can store your previously-filled out form fields as well as autofill fields like address or credit card number.


It would store the defaults, I suppose.

I got the idea from a book. Can't remember which, but it may have been in the early oughties, or even last century (and the book called it "Honeypot Fields").

The nice thing was, the user didn't have any friction at all. They had a subject and message. No CAPTCHAS, no math problems. Nothing.

The form was on a site with a fair bit of exposure and traffic. Another similar site used Contact Form 7 (or whatever the predecessor to it was), and we would get fairly regular spams. This was a plugin that I hand-crafted.


If it can detect HTML input fields and what to put in them, I'm sure it can also determine if a field is hidden (either by hidden property or styling) and avoid it?


Yeah, I guess it depends on how sophisticated the "hiddenness" of the field is. Instead of straight up using the hidden property (which is easier for a bot to detect), you could try other things, like moving the input field offscreen and using overflow: hidden, or styling it such that it's the same color as the background and is unfillable. Now, though, you'll need to worry about tabbing through fields (change tabindex to -1) and screen readers that might pick up the fields.


Doesn't even Hacker News employ something like this?

There are hidden input fields on the login page..


I did the same, worked wonders for me.
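
The two honeypot styles from this thread (fields that ship with a default value and must come back unchanged, and an empty field that must stay empty), combined in one server-side check, as an added example; this is not any commenter's code, and the field names, defaults and sample submissions are constructed for illustration. The handler answers the same "thanks" page whether or not it delivered the mail, so a bot gets no signal that it was caught.

```python
"""Added example of a honeypot-field form check. Not the commenters' code."""
from typing import Dict, List, Tuple

# Fields a bot will think are worth filling. In the page they are rendered
# off-screen with tabindex=-1 and aria-hidden, not as type=hidden, so they
# still look like ordinary inputs to a script that parses the form.
HONEYPOT_DEFAULTS: Dict[str, str] = {
    "bcc": "",                  # must stay empty
    "cc": "",                   # must stay empty
    "additional_address": "",   # must stay empty
    "website": "http://",       # ships with a default and must come back unchanged
    "form_version": "2",        # ships with a default and must come back unchanged
}

REAL_FIELDS = ("subject", "message")


def check_submission(form: Dict[str, str]) -> Tuple[bool, str]:
    """Return (accept, reason). The reason is for the server log only."""
    for name, default in HONEYPOT_DEFAULTS.items():
        # A browser submits every named input, so a missing honeypot field
        # means the client built the POST by hand (design choice: reject).
        if name not in form:
            return False, f"honeypot '{name}' missing"
        if form[name] != default:
            return False, f"honeypot '{name}' altered"
    for name in REAL_FIELDS:
        if not form.get(name, "").strip():
            return False, f"required field '{name}' empty"
    return True, "ok"


def handle_post(form: Dict[str, str], outbox: List[Dict[str, str]]) -> Dict[str, object]:
    """Simulated form handler: deliver mail only on accept, but always answer
    with the same page so a bot cannot tell its submission was dropped."""
    accept, _reason = check_submission(form)
    if accept:
        outbox.append({"subject": form["subject"], "body": form["message"]})
    return {"status": 200, "body": "Thanks, your message was sent."}


# Constructed sample submissions: a human browser echoes the defaults back
# untouched; a spam script "helpfully" fills the bcc field it found.
HUMAN_POST = {**HONEYPOT_DEFAULTS, "subject": "Hi", "message": "Question about your post"}
BOT_POST = {**HONEYPOT_DEFAULTS, "bcc": "victim@example.com", "subject": "SEO", "message": "buy links"}
```

Password managers and browser autofill are the main false-positive risk here: a field named "website" may get a stored URL written into it, which is why the field names in a real deployment should not match anything a manager recognises.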


Do you sample the content put into 'frustration' users and see if it's actually legit? Do you have a false positive / false negative rate? Have you seen your total legit signup count go down or up?

You're not the only one to do this; many pages do it whenever you use a VPN. They fail in silent and annoying ways, not displaying any errors or otherwise. Turn off the VPN and everything magically starts working. Etsy for a long time would return blank pages if you were on VPNs. Extremely irritating.


Instagram has a frustration loop. I know that, because it is triggered on my account: for every action I take, no matter how minor, it makes me log in again. Every link I click, everything I do, I get to make a detour through the login screen.

It started with "suspicious activity detected on your account", followed by "your account has been disabled", and while it won't state the actual reason for this, the only realistic reason listed in their official rules would be that I posted something that offended someone.

There is one problem with this explanation though: I never posted _anything_. I follow a few people, that's all I do on instagram. So I filled in codes, sent them photos of myself, and eventually received access to the account again - but now it makes me log in again for absolutely everything I do. I can't believe they would do this by accident, or that it would be a bug. Clearly they identified me as a miscreant, and while they couldn't get enough evidence for an execution, they can sure as hell punish me for whatever misdeeds they imagine I committed.

I suspect what caused the problem was that occasionally you come across links to pictures on instagram. Apparently following those is suspicious enough that it warrants triggering a frustration-experience. Of course, being part of Meta also means that if they decide to shut down my instagram for good, I'll also lose access to my Facebook account, which I use to communicate with a few faraway friends.

Of course the world moved on from Facebook, and everybody is now on Instagram. I suppose I would be as well - if only it let me...


Sounds like they have identified you as a crawler / scraper and don't want another Cambridge Analytica incident.


Could be, but I'm an extremely minimal user. Surely volume counts for such a thing? I check the site once or twice a week, and look at some holiday pics of friends for a few minutes, for crying out loud...


I see people claiming that spam detection is creativity warfare between spammers and spam detectors. That may be true if you're Akismet, but when you're a website that provides a place where spammers may gather that is no longer the case.

It's a race between your blog/website and other blogs/websites. If you're better protected than your neighbor, the spammers will go and haunt your neighbor instead. Especially when it comes to protecting against click farms, not against bots. As the joke goes, you don't have to outrun the bear in a forest, you have to not be the slowest in your group.


We've found that rolling our own spam model can be very effective (especially at improving precision). Many sites have their own quirks around what material counts as spam which leads to false positives or negatives wherever your site differs from the norm. No need to go to GPT4 though. We've found even low compute algorithms like random forest perform quite well at the task. You do have to create your own training set, but even a few hundreds or thousands of manually sorted examples can work pretty well.
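
A self-trained spam model of the kind the comment describes, as an added example (not the commenter's code). It uses multinomial naive Bayes rather than a random forest so it runs with no dependencies; the training set and held-out examples are constructed, and the high `threshold` default is the precision-over-recall choice the comment argues for: a post is only treated as spam when the model is quite sure.

```python
"""Added example of a site-specific spam classifier. Not the commenter's code."""
import math
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

TOKEN = re.compile(r"https?://\S+|[a-z0-9]+")


def tokenize(text: str) -> List[str]:
    return TOKEN.findall(text.lower())


class NaiveBayesSpam:
    """Multinomial naive Bayes with Laplace smoothing over two labels."""

    def __init__(self, alpha: float = 1.0) -> None:
        self.alpha = alpha
        self.counts: Dict[str, Counter] = {"spam": Counter(), "ham": Counter()}
        self.docs: Dict[str, int] = {"spam": 0, "ham": 0}
        self.vocab: set = set()

    def fit(self, examples: Iterable[Tuple[str, str]]) -> "NaiveBayesSpam":
        for text, label in examples:
            toks = tokenize(text)
            self.counts[label].update(toks)
            self.docs[label] += 1
            self.vocab.update(toks)
        return self

    def _log_prob(self, text: str, label: str) -> float:
        total = sum(self.counts[label].values())
        denom = total + self.alpha * len(self.vocab)
        lp = math.log(self.docs[label] / sum(self.docs.values()))
        for tok in tokenize(text):
            lp += math.log((self.counts[label][tok] + self.alpha) / denom)
        return lp

    def spam_probability(self, text: str) -> float:
        ls, lh = self._log_prob(text, "spam"), self._log_prob(text, "ham")
        m = max(ls, lh)  # shift before exp so long texts do not underflow
        ps, ph = math.exp(ls - m), math.exp(lh - m)
        return ps / (ps + ph)

    def predict(self, text: str, threshold: float = 0.9) -> str:
        # A high threshold trades recall for precision: fewer legitimate
        # users get flagged, at the cost of letting borderline spam through.
        return "spam" if self.spam_probability(text) >= threshold else "ham"


def precision_recall(model: NaiveBayesSpam, labelled: Iterable[Tuple[str, str]]) -> Tuple[float, float]:
    """Precision and recall for the 'spam' label on a labelled sample."""
    tp = fp = fn = 0
    for text, label in labelled:
        guess = model.predict(text)
        tp += guess == "spam" and label == "spam"
        fp += guess == "spam" and label == "ham"
        fn += guess == "ham" and label == "spam"
    precision = tp / (tp + fp) if tp + fp else 1.0
    recall = tp / (tp + fn) if tp + fn else 1.0
    return precision, recall


# Constructed training data: what "spam" means on this particular site.
TRAINING = [
    ("cheap seo backlinks guaranteed ranking buy now", "spam"),
    ("buy cheap followers and backlinks today", "spam"),
    ("casino bonus free spins click here", "spam"),
    ("best replica watches online shop discount", "spam"),
    ("notes from my weekend hike in the hills", "ham"),
    ("thoughts on rewriting my blog engine in go", "ham"),
    ("a recipe for sourdough that actually works", "ham"),
    ("why i moved my notes from notion to plain text", "ham"),
]

# Constructed held-out sample for measuring precision and recall.
HELD_OUT = [
    ("buy cheap backlinks for seo ranking", "spam"),
    ("i rewrote my sourdough notes in plain text", "ham"),
]

MODEL = NaiveBayesSpam().fit(TRAINING)
```

The useful part in practice is the labelled set, not the model: a few hundred posts sorted by hand capture the site's own idea of spam, and the held-out split is what tells you the false-positive rate before anyone gets sent into a frustration loop on the strength of it.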


> In my tests I haven't managed to trigger it without explicitly performing a dodgy action.

But that just means it doesn't flag you. What is a "dodgy action"? Other people might do things that you think are dodgy, without any malicious intent at all. A common one: if I sign up using Tor, is that dodgy?

It is very frustrating to get caught in these frustration loops.


I think the key here is when you detect that someone is in a bad category, you shouldn't alert them to the fact you know that, because then it just becomes an arms race.

Another approach might be to make it look to them like they managed to create their blog, but just quarantine the content so no one else can ever see it.


The author mentions that they were basically already doing that by no-indexing the content. Plus, that can end up costing you more money hosting the quarantined content.


There used to be a plug-in for bulletin that would do something similar to users you hellbanned; it would render the site much more slowly, would show errors frequently, and in general made the forum a frustrating experience. (In addition to hiding anything they posted from others!)


A.K.A. hellbanning.

You either die an MVP or live long enough to build content moderation: https://news.ycombinator.com/item?id=28684250

Congrats on the milestone!


Instantly reminds me of the creative piracy protection from the early days of video games. Nice video about how Atari frustrated people with purposeful memory corruption while making it look like software bugs: https://youtu.be/ewoDLDDgHkI?si=aY29WK_lrZ4jR3bt


How about disabling robot crawling on all blogs by default (and adding nofollow, as you mentioned). Then, manual moderation will allow people to earn to have their blog allowed for crawlers.

To make this clear to users, when posting content, the following is displayed: "Note: This content will not be indexed by search engines unless it has passed our manual review process."


Manual moderation is hard and takes a toll on the moderators. That's why companies like Meta outsource moderation and only moderate flagged content.

Instead have them apply and pay for a review, thus monetizing the service?


They already do that. Spammers don't read.


> somehow I don't think they read my blog

But they read Hacker News....


What's the false positive rate i.e the percentage of legit user getting stuck in the loop?


THANK you.


"Frustration Loop"

It's a loop? I thought frustration is a constant state? It is for me at least.


Just make all links nofollow? Only spammers really care about follow links. Maybe you get follow links when you upgrade to a paid plan?

This doesn’t completely solve it since people pay for any kind of link but it might reduce it.


If all blog hosts make all links nofollow, nofollow will cease to be a meaningful signal and search engines will start ignoring it.
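
The rewrite suggested a few comments up (make user-submitted links `nofollow`, lift it for trusted or paid accounts), as an added example that is not the site's or any commenter's code. It walks the submitted HTML with the standard-library parser, adds `rel="nofollow ugc"` to every anchor while keeping any `rel` tokens already present, and leaves everything else byte-for-byte as it was. The `trusted` flag standing in for "paid plan" is an assumption.

```python
"""Added example: force rel=nofollow (plus ugc) on user-submitted links."""
from html import escape
from html.parser import HTMLParser
from typing import List, Optional, Tuple

Attrs = List[Tuple[str, Optional[str]]]


class NofollowRewriter(HTMLParser):
    """Re-emits the HTML it is fed, adding rel tokens to every <a>."""

    def __init__(self, rel_values: Tuple[str, ...] = ("nofollow", "ugc")) -> None:
        # convert_charrefs=False so entities are passed through untouched.
        super().__init__(convert_charrefs=False)
        self.rel_values = rel_values
        self.out: List[str] = []

    def _render(self, tag: str, attrs: Attrs, selfclose: bool = False) -> None:
        if tag == "a":
            rel = set()
            kept: Attrs = []
            for name, value in attrs:
                if name.lower() == "rel":
                    rel.update((value or "").split())  # keep noopener etc.
                else:
                    kept.append((name, value))
            rel.update(self.rel_values)
            kept.append(("rel", " ".join(sorted(rel))))
            attrs = kept
        parts = [tag]
        for name, value in attrs:
            # The parser hands us unescaped values; escape them on the way out.
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" /" if selfclose else "") + ">")

    def handle_starttag(self, tag: str, attrs: Attrs) -> None:
        self._render(tag, attrs)

    def handle_startendtag(self, tag: str, attrs: Attrs) -> None:
        self._render(tag, attrs, selfclose=True)

    def handle_endtag(self, tag: str) -> None:
        self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        self.out.append(data)

    def handle_entityref(self, name: str) -> None:
        self.out.append(f"&{name};")

    def handle_charref(self, name: str) -> None:
        self.out.append(f"&#{name};")

    def handle_comment(self, data: str) -> None:
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl: str) -> None:
        self.out.append(f"<!{decl}>")


def add_nofollow(html: str, trusted: bool = False) -> str:
    """Return html with rel="nofollow ugc" on every link unless the author is trusted."""
    if trusted:
        return html
    parser = NofollowRewriter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

This only changes what links are worth to a spammer, not whether the post exists; it pairs with, rather than replaces, a signup or first-post check. The `ugc` token is the one search engines document for user-generated content, so it can be combined with `nofollow` rather than chosen instead of it.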


I've never understood the appeal of guestbooks and commenting on Wordpress. Static HTML is a wonderful medium for getting your message out, do we need the validation of visitors commenting?


Nobody likes talking into a void. Audience feedback is necessary for most people to bother continuing to do it.


Perhaps there are better methods for that, like email.

Another one is to require a paid subscription to comment. It’s a filter for low effort spam.


Emailing comments is possible even with a comment system, assuming the site owner discloses it. But it is invisible to others, as most blogs are not going to curate emails into a "Letter to the Editor" section of the website.

Substack is an email newsletter platform and even that has a comment system.


I think.... just like reality, some people love the attention feedback loop. They are hardwired for it.


The internet used to be a place to interact with other humans. Would you rather send your content “into the void”? Who are you publishing for?


Seems like this could be abused. A script wouldn't get frustrated, but it might have a handy way to test what content triggers Akismet. I presume I'm overlooking some mitigation strategy.


I've seen sites like discogs do this for tor exits. You quickly realize what they're doing. Same with shadowbans, I verify by accessing the post in a clean session.


If you’ve already determined the signup request to be spam, and you want the spammer to think the site is broken, just return a 500?


Amazing, this is better than a shadow ban even.


Calm down, Satan. Go back to your job writing healthcare UI/UX.


wtf?


Presumably one of the users who has personal experience with a false positive in one of these systems.


They were probably referring to the random delays, form field wiping, focus-jumping and silly back-end errors which are prevalent in "healthcare UI/UX".


Oh of course, I thought that much was implied and the confusion was why someone would have strong objections to this. The answer being that it's extremely hostile to innocent people in the event of a false positive.


Imagine being a user accidentally caught up in this hell.


Simpler than implementing heavenbanning. Well done.


I guess, yes, seems the best way if we don’t count centralized remote attestation.


A pre-existing term for this is tarpit: https://en.wikipedia.org/wiki/Tarpit_(networking)



