
New Feature For OpenID Users

I have created a new feature for OpenID users on this blog. Actually, I didn't "create" it, but more like adopted it. In any event, if you have an OpenID account, and use it to register as a user on this blog, you will be added to a whitelist in my database that bypasses Spam Karma, and automatically posts your comment. No captchas. No "This comment is being held for moderation". No harassment. Just write your comment, use OpenID, hit submit, and see it posted.

However, as with all technology, this could be abused. Phishers and spammers can still create OpenID accounts, and use them to bypass spam security. However, the level of work that is involved in using an OpenID account makes this unlikely. For example, not only do they need to create OpenID identities, but every time they use it to spam a blog with comment floods, they will have to verify from their OpenID provider that they want to trust that blog with their identity. So, in the meantime, it's pretty safe. Also, I know that once whitelisted, an OpenID user could still become a troll or other problem in the comment system. Those will just have to be dealt with on a case-by-case basis.

So, if you have an OpenID account, and would like to bypass my spam filters completely (I know they can be a pain sometimes), go ahead and use it here, and you'll be added to the whitelist. As of this writing, all newly created accounts with OpenID are added to the whitelist by hand. I hope to have some code released soon to automate the process. Also, I'll be publishing my whitelist for other bloggers to use in their blogs if they would like.

{ 9 } Comments

  1. Stéphan K. | July 1, 2007 at 10:17 am | Permalink

    It's even less effective than you think. The burden of creating identities and trusting a site is on the side of the server the spammer is using. He can easily run one himself, create millions of identities and skip the 'trust this site' step completely, then even automate the spamming.

    You can rely on not many spammers supporting openid for now. But in the long run, the problem is similar to what we have with e-mail now.

  2. on
    you can even get one time openids
    without login -- without anything, just a question of time before the bots know, you could check with -- which at some point will also be valuable enough to clear for bots, selling cleared openid identities might soon be a market, better than selling accounts on random blogs/websites as it is the case now.

  3. Aaron | July 1, 2007 at 10:42 am | Permalink

    Stephan- I know that there are still potential problems that the OpenID community needs to resolve, such as spammers setting up their own OpenID servers. However, luckily, as a community, we are looking at solutions to fix these security issues, and make OpenID a reliable system to trust.

  4. Jason | July 1, 2007 at 12:09 pm | Permalink

    The funny thing is that I've already seen plenty of spam accounts from , I haven't ever seen a identifier until now.

    (Though I've known about the site for months.)

  5. phoenyx | July 1, 2007 at 10:20 pm | Permalink

    "Also, I’ll be publishing my whitelist for other bloggers to sue..."

    I hope you meant to type use 🙂

  6. Dmitry Shechtman | July 2, 2007 at 1:30 am | Permalink

  7. Aaron | July 2, 2007 at 5:56 am | Permalink

    Dmitry Shechtman- I've commented on your blog. I hope you take the time to read it. Basically, in a nutshell, I mention the following:

    1) The spammer published that comment manually, rather than by automation. That means that he was physically sitting at his computer posting the comment.

    2) Cases like the one you mention can be handled on a case-by-case basis. We can take advantage of whitelists for reliable OpenID providers, making everyone else who is not whitelisted pass spam tests, and blacklists for non-reliable providers.

    3) It is safe to link to that page, as is not a spam site, but a legitimate site that the spammer has absolutely no control over. All you would be doing is giving "Google Juice", or a higher page rank, to a trusted site. This doesn't affect the comment spammer in any way.

  8. Aaron | July 2, 2007 at 5:57 am | Permalink

    phoenyx- Thanks. Fixed.

  9. Christer Edwards | July 8, 2007 at 10:07 am | Permalink

    testing (you can delete this if you like)
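
The hand-maintained identity whitelist from the post and the provider whitelist/blacklist proposed in comment 7 can be combined into one moderation decision. The sketch below is an added example, not code from this blog or any OpenID plugin; it assumes OpenID verification has already succeeded, and the function names, result strings and all hostnames are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy data (assumption); hostnames are reserved example names.
TRUSTED_PROVIDERS = {"openid.provider.example"}
BLOCKED_PROVIDERS = {"throwaway-ids.example"}
WHITELISTED_IDENTITIES = {"https://alice.openid.provider.example/"}


def normalize(identifier):
    """Canonicalise case and an empty path so those spellings compare equal."""
    parts = urlsplit(identifier.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) OpenID URL: {identifier!r}")
    port = f":{parts.port}" if parts.port else ""
    query = f"?{parts.query}" if parts.query else ""
    # urlsplit lower-cases scheme and hostname; the fragment is dropped.
    return f"{parts.scheme}://{parts.hostname}{port}{parts.path or '/'}{query}"


def moderate(claimed_id, provider_endpoint):
    """Return 'reject', 'post' or 'spam_filter' for a verified OpenID login.

    claimed_id        -- the identity URL the commenter proved control of
    provider_endpoint -- the provider server that vouched for it
    """
    identity = normalize(claimed_id)
    provider = urlsplit(normalize(provider_endpoint)).hostname
    # A blocked provider can mint unlimited identities, so it overrides
    # any per-identity whitelist entry.
    if provider in BLOCKED_PROVIDERS:
        return "reject"
    # Hand-maintained whitelist of individual identities.
    if identity in WHITELISTED_IDENTITIES:
        return "post"
    # Providers judged reliable skip the spam filter.
    if provider in TRUSTED_PROVIDERS:
        return "post"
    # Unknown providers, including self-hosted ones, get no bypass.
    return "spam_filter"


if __name__ == "__main__":
    print(moderate("HTTPS://Alice.OpenID.Provider.Example",
                   "https://openid.provider.example/server"))
    print(moderate("http://bob.selfhosted.example/",
                   "http://bob.selfhosted.example/op"))
```

Keying the bypass on the provider that vouched for the identity, rather than on the mere presence of an OpenID login, is what keeps a self-hosted provider from granting itself the bypass.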
