Archive for the ‘Spam’ Category

Akismet or Defensio?

Tuesday, November 13th, 2007

Apologies to anyone whose comment hasn’t made it onto this site in recent months. I’ve spotted a few false positives in my Akismet spam list lately, which makes me wonder how many I’ve missed in the past (because I usually just ‘delete all’). The inability to sort by “spamminess”, as TechCrunch puts it, is a glaring omission in Akismet’s functionality. It would be OK if I had 10 spam comments a day, but with hundreds of messages in the queue, I could never have time to check them all.

I used to filter e-mail with SpamAssassin. Any mail with a “spam score” of between 5 and 8 (higher probability of being spam) was held for moderation, and anything above 8 was just automatically deleted. A score of 5.01 means there’s a (relatively) good chance that the email is legit, while a score of 7.9 is almost certainly spam. Sorting by spam score meant I could quickly and easily identify false positives, and 90% of them would have a score of 5.x.
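The score-band triage described above, as an added example (not the author's own setup): it reads the score from SpamAssassin's X-Spam-Status header, applies the 5 and 8 cut-offs from the post, and sorts the held queue lowest score first so likely false positives surface at the top. The sample messages are constructed and the function names are this example's own.

```python
import re
from email import message_from_string

HOLD_AT, DELETE_ABOVE = 5.0, 8.0  # cut-offs taken from the post

# SpamAssassin 3.x writes "score=", 2.x wrote "hits=" in X-Spam-Status
SCORE_RE = re.compile(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)")

def spam_score(msg):
    """Return the score from X-Spam-Status, or None if absent or unparseable."""
    m = SCORE_RE.search(msg.get("X-Spam-Status", ""))
    return float(m.group(1)) if m else None

def triage(raw_messages):
    """Split mail into deliver / hold / delete lists of (score, message)."""
    deliver, hold, delete = [], [], []
    for raw in raw_messages:
        msg = message_from_string(raw)  # also unfolds multi-line headers
        score = spam_score(msg)
        if score is None or score < HOLD_AT:
            deliver.append((score, msg))  # unscored mail is never dropped
        elif score <= DELETE_ABOVE:
            hold.append((score, msg))     # 5 to 8: held for moderation
        else:
            delete.append((score, msg))   # above 8: discarded
    hold.sort(key=lambda item: item[0])   # likeliest false positives first
    return deliver, hold, delete

def _msg(subject, status):
    """Build a constructed sample message (not real mail)."""
    header = f"X-Spam-Status: {status}\n" if status else ""
    return f"Subject: {subject}\n{header}\nbody\n"

SAMPLE = [  # constructed inputs; the test names are real SpamAssassin rules
    _msg("pills", "Yes, score=7.9 required=5.0 tests=BAYES_99,HTML_MESSAGE"),
    _msg("newsletter", "Yes, score=5.01 required=5.0\n\ttests=MIME_HTML_ONLY"),
    _msg("lottery", "Yes, score=14.2 required=5.0 tests=BAYES_99"),
    _msg("hello", "No, score=-1.3 required=5.0 tests=BAYES_00"),
    _msg("old relay", "Yes, hits=6.4 required=5.0 tests=BAYES_80"),
    _msg("unscanned", None),
]

if __name__ == "__main__":
    _, held, dropped = triage(SAMPLE)
    for score, msg in held:
        print(f"{score:5.2f}  {msg['Subject']}")
    print(f"{len(dropped)} message(s) above {DELETE_ABOVE} discarded")
```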

Matt et al. are very secretive about the way Akismet operates behind the scenes, but if there is some fundamental reason why future releases won’t have this functionality, then I would see that as a fatal flaw. I might try out Defensio this week. If their spam filtering can get anywhere close to Akismet’s accuracy, then the ability to easily find false positives will make all the difference.

More on Shelfari’s Spamming

Thursday, November 8th, 2007

I’m seeing some referrals from this LiveJournal post by a member of the team behind LibraryThing regarding Shelfari’s unethical spamming strategy. When I wrote about Shelfari’s “confusing and deceptive” sign-up process last week, I did consider at the time that I was over-reacting, but now I see what a widespread problem Shelfari has caused. The LibraryThing Ideas Blog has gathered 51 similar blog posts on the topic. These are mostly angry/annoyed users who accidentally spammed all their business contacts, listservs and long dead relations. The writer also makes allegations of more unethical practice by the Shelfari team:

We respect our competitors with one exception: the site “Shelfari.com.” We have always spoken our mind, so here’s a piece of it: Shelfari has gained traction by engaging in unethical practices, including astroturfing (posting on blogs pretending to be users, not employees*) and putting out press releases about how they invented the idea. But the worst has been their spamming campaign.

Astroturfing is a practice I’m familiar with, although I had never heard the term before - I think it might be illegal, but it is definitely “evil” (in the Web 2.0 sense). This spamming campaign is plain stupid, regardless of how many new users it brings in. With bad press like this, Shelfari surely have no choice but to change their policy and apologise to their users.

Mass Invitation Spam Becoming the Default

Wednesday, October 31st, 2007

Who decided that it was OK to send a spammy mass-invitation to everyone in your address book by default? Allowing some web app to access my private email account is an act of trust, and it is being abused by every site that tries to dupe me into spamming my contacts. Anyone who is thinking “it’s your fault for not reading the whole page before clicking ‘continue’” has probably never worked in IT. You don’t log in to a server as root for the same reason the fabled “big red button” has a plastic cover over it. When you’re dealing with large amounts of contact data, you are required to take extra precautions to maintain privacy. When I was running a decent-sized Moodle, I had scripts that explicitly asked for confirmation more than once so that I wouldn’t accidentally email 7,000 students.

Are you sure you want to email these 498 people?
yes
Really sure? 498 users!
yes

Most of these new web 2.0 sites have only one thing in mind: increasing the number of users in their database. So you can forget about extra precautions. By “conveniently” neglecting to show even the most basic respect for the privacy of your contacts (e.g. leaving them unselected for invitation by default), they are furthering their own agenda at your expense.

I blame Facebook for making this the norm, with apps like Flixster configured to send invitations to all of your friends by default every time you access the application (e.g., to see your movie taste compatibility with Worzel Gummidge’s nephew). This is annoying for Facebook users (ask Doc) and will only get worse as the user base grows. What’s more worrying is seeing this crop up outside of Facebook’s walled garden. With so many web 2.0 apps now integrating with your Gmail/Yahoo/Hotmail, it is all too easy to miss the “skip this step” button and bombard everyone you ever knew with an invitation. Today, Bernie accidentally spammed 2961 people:

Shelfari started sending invitations to many people who are stored inside of my Yahoo! address book. These are legacy addresses, some gathered from the early 90s. One hour after I pressed the button, Shelfari invited two dead people, one prisoner (he should probably read books but his warden is reading his mail), the CNN news desk, four European editors–and potentially a boatload of others who I hope I never meet.

Automatically selecting all of your contacts for invitation is very bad practice and unethical. Facebook should force the policy that all the boxes are unticked by default, and if some particularly spammy individual wants to tell all his friends about his University Diplomas app then he can tick the “select all” button, that’s OK by me. This would set a good precedent, and then we could complain about rogues like Shelfari who have no respect for privacy. I’m keeping a “name and shame” list of all web 2.0 companies that abuse your trust by deliberately setting out to spam in your name.

I am from Cork, Ireland. A fan of the Big Lebowski, Mac OS X, Linux, Cork hurling, Munster rugby, Irish football. Interests include QuakeWorld, Python (lately Django), network security, web applications and technology in general.
