On 11-03-16 04:35 PM, Frederick Grose wrote:
On Wed, Mar 16, 2011 at 6:50 PM, Hiram Clawson <hiram(a)soe.ucsc.edu> wrote:
What prevents the black hat Google spammers from creating OpenID accounts?
--Hiram
Frederick Grose wrote:
> Install http://www.mediawiki.org/wiki/Extension:OpenID
> and disable new account creation, instead, redirect users to the OpenID
> account page, Special:OpenIDLogin.
I suspect that that simply doesn't fit their attack plan or program.
Perhaps there are other obstacles in taking that route, such as better
filtering by the OpenID providers.
--Fred
Anyone can be an OpenID provider, there is even less filtering and
control. Spammers could create their own private OpenID provider for
their spam accounts and without any CAPTCHA or anything else in their
way. It's like e-mail.
This is just a game of whack-a-mole. The spambots have to be programmed,
naturally they can't take every single situation into account. So they
start, we find a way to stop them. They find a way to bypass that. We
find another way to stop that, they find another way to bypass that. The
spammers haven't coded the bots to handle QuestyCaptcha yet, but if
people start using it to stop them, then they will code it into the bot.
If you use OpenID to stop them, they'll code OpenID into the bots (and
in the meantime you may irritate your potential userbase a bit).
I wrote an AbuseFilter filter to deal with a pattern like this on a wiki,
made that spam pattern require an extra confirmation page. Bots stopped
since they weren't coded to use the confirmation form. Sure enough after
a bit I started seeing the same spam, naturally the bots were now using
the confirmation form. So I had to elevate it to deny. Later I had to
elevate it to autoblock of users using that spam pattern.
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]