I created an application to send text messages using http://www.vodafone.ie. Now this you say is no impressive task but let me continue.

Their system is setup much like an anti spam system. It checks the time it took you to input a text, the time it took you to log on, the time it took you to take a cup of tea and everything else it can.

Wanna know how I got around it? Simple… I created an application which basically mimics a user. First it opens http://www.vodafone.ie, it then waits 4 seconds and then inputs the user and password and clicks submit. It then waits a couple of seconds and clicks “SMS Messages” and then allows you to enter as many characters as you want. Their version only allows 160 so what mine does is it splits the text into 154 length chunks and adds a … to the end and beginning of each text. It waits about 5 seconds between each text to make the server think it’s an actual person typing it in. And know what? I know for a fact there is absolutely no way to tell the difference beteween it and an actual person without causing more harm than good.

I know it’s not pretty but face facts o.O

Replies to email only.

When both plugins are on, strange things seem to happen.

I have noticed a fair number of people (or robots) finding my site by searching for the SK2 “spams eaten” footer. Perhaps those are bots targetting SK2 protected sites specifically.

Sorry for the stingy donation – but we can’t have millionaire Wordpress plugin developers now, can we

How do blind users do what? some Captcha algorithms also offer to make the chars being spoken through a wave-file generation (click on the picture to hear the char-sequence).
Using a little algorithm to add random patterns of noise to the audio so the spoken char is still audible enough to be recognised by the human ear, but fooling fourier algorithms to analyse the audio and extract the character from it.

Blocking Ip’s is another thing, i know there are a lot of open proxy servers, why can’t they be blacklisted using a similar globally deployed detection protocol like being used for open relay mail-servers?

There are various sites that publish open (or anonymous) proxy servers, 2 hints:
http://tools.rosinstrument.com/proxy/
http://www.atomintersoft.com/products/alive-proxy/proxy-list/

You can make use of those sites by updating your ip-blocking list.
I know it’s not friendly to block proxy ip’s, but i call it stupid of srever- hosts to make their server wide open in the first place.

To prevent nagging from victims of a false positive, yield expressions and accusations but rather inform a user that he/she is denied submission because one of the situations is applicable like:
-User uses an IP from an open proxy server that is blacklisted
-User uses a (dynamic) IP that has been registered earlier for spam origination.
-Submitted urls are listed as spam-sites or contain unrelevant information to the contents of this site
-Too many spam-related keywords detected used in the submitted text.

It sounds formal yet will bring a lot more understanding than shouting an accusing phrase (“You are a dirty spammer!” or whatever similar a legitimate poster is being confronted with).

Regards,

Vince.

What’s still quite effective though is the ’spam quiz’ idea. A bot will have a seriously hard time answering trivial questions, especially if each blog uses a different one. It defeats all spam except for manual spam of course. If your blog happens to be in a non-english language the protection is even better because manual spammers will need to understand the language the question was written in

I must admit though, I haven’t seen much of the really smart bots yet. My own blog doesn’t have any protection enabled at all at the moment. I use a custom AJAX comment submission scheme. There’s no form action to be scraped. Instead the form submission is hidden inside the javascript. A bot which executes the javascript would be able to beat this but… so far this has never happened on my weblog. When it does I’ll need to throw in the spam quiz thing.

If you combine the spamquiz thing with a cookie to remember the answer I think it’s as unobtrusive as possible. Unlike captcha’s, blind people can use it and it can’t be beaten with any script (except for hardcore AI maybe). It’s a ridiculously lo-fi solution compared to SK2, Akismet, Hashcash or AJAX stuff but it works INCREDIBLY well.

March 23, 2006, 9:20 pm 60.56.229.13 blocked hashcash violation: (Your site is amaizing. Can I share some
March 23, 2006, 9:35 pm 200.242.249.70 blocked hashcash violation: (It looks like you really had a nice time
March 23, 2006, 10:39 pm 68.87.76.148 blocked hashcash violation: (I like your website alot…its lots of f

And it just keeps on going. Check it out though. Maybe there is something from it that you can add, or vice versa. Marco, the author, also makes WP plugins.

Fini

Indeed, I mentioned that in the comments above, but basically I am not at all surprised and can think of many ways spambots could be driving browsers… Unfortunately that means all filtering systems relying on “imperfections” of spambots (the way they would miss small details in headers and such) are gonna become irrelevant eventually. Since it was never something I relied on that much, this is not the end of it for now… But we’ll need to work on other areas to catch spambots…

Hi Dr. Dave,
Regarding your comments about spambots mimicking users, I think it’s a fair assumption that most spambots are actually remote controlled browser clients, I have made this kind app for a web-test tool and it really made things simpler for simulation purposes because of JS, CSS+IMG loading, headers etc. are all the real deal.

Peaceout

From one student to another – Spam Karma is one of the best things about Word Press. In my opinion, without Spam Karm, I wouldn’t even use Word Press. So thanks a millin for making it, keeping it up to date – and keeping it so incredibly painless!

I don’t have much money over, but I’m certainly willing to help write FAQs. Let me know!