Tuesday, September 26, 2006

Forum and comment spammers

A week or so ago, while working on a project for the SlothMUD III website, I came across some comments to a few of the news items on our site that were undoubtedly spam. I went through a moderately laborious effort of deleting all of the comments and then deleting the user accounts under which they were posted. This isn't a big deal to me, but I wanted to find a little bit more secure way of managing the comments, so I went digging on the PostNuke (our CMS) site.

The comment spam always started with something like "Great site love what you've done here." followed by about 50-100 links to random websites. I don't believe this spammer's intent was to ever have anyone purposefully click on these links as they are obviously crap to anyone with enough of a brain to turn on a computer. I do believe that the intent was to bring up those sites in Google Page Rank so that they might be returned in search results. I could be wrong, since I didn't actually click on any of the links to see what was actually on the page. The URLs had long random strings attached to the end of them, so I believe they could be used to track the originating site (even though a web browser usually will tell you that anyway).

He signed up to our site with a Gmail account, and tempting as it is to post it here so he can get spammed himself, it probably isn't worth the effort.

As it turns out the same spammer has hit and posted on an enormous amount of PostNuke-based sites. At the time I checked, there wasn't a feature in the PostNuke core that could be used to prevent machines from easily posting spam, so I disabled posting of comments. I believe that the reason that this is that there is an implied level of trust between hosters of this type of site and their readers.

Since this guy did most of the work to figure out how to post comment spam on PostNuke, I'm sure he's not too far away from doing the same thing on PHPBB-based Forums. My expectation is that the PHPBB guys will do what the PostNuke comments addon modules do in that they require people to type those distorted characters in to supposedly prove you are human (so-called CAPTCHA). This will likely be cracked with a year or so an included in scripts like the one this spammer has used. Despite my statement about how stupid someone would have to be to click on a link in this comment spam, there are spam companies that make a living off of this and they work to defeat spam detection algorithms constantly out of necessity.

Human moderation is, of course, one way to eliminate comment spam as well as keep people on topic and stop flamers. However, it doesn't really work well for a site like ours where we don't want to have nor are able to have people dedicated to this. Perhaps we'll find some non-game administrators when it comes to this to help out. But it also leads to arguments about trust when posts are deleted which aren't spam.

I believe that really the only way to go is to have a community of trust built up that let's people post freely within that environment. It's also a "chicken and egg" in that if you are new it's really hard to join the community since nobody trusts you.

Fortunately, we might have a relatively spam proof way to do this (basically, it wouldn't be worth a spammers effort) if it ever comes to it. We could make people sign up for an account in the game with their player and then have that propogate to the website. It's one extra step for someone who plays the game, which isn't a big deal, but a clearly not worth it for someone who is interested in scaling their spam. It's a long way off (I hope) until we have to do this, but at least we are prepared with an answer within this context anyway.

Feel free to post your comment spam on this blog; I think they use CAPTCHA for now. I haven't been a victim here and had to disable it, but have a feeling I eventually will.

Monday, September 25, 2006

Not Exactly a Tom Petty Song

Tom Petty sings "The Waiting is the hardest part"; for me "The Finishing The Project" is the hardest part. It often is significanltly more difficult than it should be. Typically, the "figuring out" of things that I enjoy and spend my time on during projects. After that part is done, it is a lot harder for me to stay focused on the result. This is especially true if the project I'm working is spread out over time and interrupted frequently by other projects.

Fortunately, I have finally finished a website project that was started at least six months ago. It's not live (as of this moment), but will be within a week or so. There were many breaks in the project along the way and many unanticipated hurdles overcome or avoided. I have to provide thanks to Splork for his nagging and encouragement and for initially going out and getting the artwork. It is very much like him to take a few comments out of context like "Man I wish we had some good artwork for our website. I can make the rest of it fit if we only had that." and go out and get some really exceptional artwork.

It took me a good three weeks (not continuously studying this, but with interruptions of course) just to figure out how I could do it. This "figuring out" was a lot of fun and also necessary, since I ran my mouth off that I could do it. Three weeks isn't so bad for a project, but the next 5 months are not something I want to repeat for a long time. I'd prefer to keep the "figuring out/grunt work" ratio quite a bit higher than it was with this one.

There are still a few little things that people will look at when they see the website and say "this needs to be done" or "why didn't they do this?". To that, my answer will be "Wait for it, Tom Petty-style."

Tuesday, September 12, 2006

IE versus Firefox

As a relatively novice web developer, it is hard to convey my complete and utter frustration at the differences between browser rendering engines. Minute details within CSS and HTML cause relatively dramatic differences in the overall presentation of a page.

I asked myself "how did we get here?" How can relatively intelligent and definite experts in their fields cause so much time to be wasted by web developers toward the relatively simple goal of getting people to see what they mean? I believe it is the innappropriate use of an elegant design at the very inception of web technologies.

HTML (I'll remind you that stands for Hyper Text Markup Language), I believe was intended to allow authors to take their text and make it do more things than simple text. Authors were still expected to focus on the quality of their text and add references to other related content which would further enlighten the reader. The default presentations were stark, but didn't distract a user from the main purpose of technology.

Fastfoward 10 or 15 years an now web authors (it's hard to be a plain author anymore) aren't as interested in the content as they are the presentation of the content. People aren't trying to make sure their content has good references, they are trying to make sure that they have a nice background it is eye catching enough to entice someone to read part of it. The advent of CSS really helped cement this transition.

HTML/CSS has grown from a set of markup tags to a gigantic laundry list of presentation related checkmarks. It's now possible to do the same presentation markup in many ways which is to me first indication that a language or platform is creeping over the proverbial hill. With the scope of this it is no wonder to me that browser engines have issues trying to render what is meant by the web author. Since they all do it slightly differently, it takes a long time to get them all to present a page in exactly the way a web author intends. The time is spent iteratively modifying presentation, checking it in a browser, fixing it, then going back and ensuring the change didn't break something in another browser.

The ratio of time spent on authoring content verus marking it up for presentation has shifted to a near unreasonable balance. I believe it is time to abandon the HTML/CSS standards and adopt something more along the lines of PDF. With PDF you simply render it the way you want it one time and a user will see it that way. I'm not proposing that PDF itself be the standard, but something analogous to it that allows the rich interactions of the web. While we are at it, let's get rid of HTTP (yes that is Hyper Text Transfer Protocol) and move to a protocol for the twenty-first century.

Granted there could be issues with scroll bars and different monitor dimensions, but to that I say a big "so what?!?!" If people are able to maximize a much larger portion of their time on authoring content versus wasting it on presentation, the content quality should increase and a user would be more involved in reading and less annoyed with the size of their monitor.

Perhaps I'm wrong. Perhaps the original contributors and founders of HTML are on the same mission I'm on and it is just taking a long time to get the tools in place to free up authors and web authors alike to maximize their creativity. Perhaps the original contributors and founders are no longer involved and we are in a free-for-all where we still may be headed in the right direction. In the mean time, it is frustrating and a huge time waste.

In any case, I've worked through most of the issues with the presentation I've been working on and will release it shortly. After that I hope to not have to return to this space for quite some time.

Monday, September 11, 2006

An unsavory day in the life of an administrator

Over the past few weeks I have dealt with a few game situations that were unpleasant for everyone involved. These included rule violations by players and I had to deal with it as fairly as possible, while maintaining my personal stance on administration in general. I believe that the Sloth MUD should not require continuous involvement from administration to mediate disputes between players.

Of course, the reality is, that sometimes it does and the first situation that comes to mind is one where two (or more) long term players got rather annoyed at each other and one took it beyond the rules of engagement by "player killing" the other one. This is against the rules of the game, but can be accomplished in fairly easy ways by players with enough power or experience in the game.

The first question that may come to the mind of an outsider would be to make something against the rules impossible to do. Unfortunately this would be extremely tricky to do and probably would affect the normal game play. Undoubtedly someone would find a way around this in the gaming environment and we would end up back in the same situation, although likely less often.

What normally happens in this situation is that one player accuses the other of "starting it" and as the dispute mediator; I have to go back and look through the logs to see who did what. This time, fortunately, both parties told the same story of the facts (though motivations were clearly distorted by both sides) so this was not necessary. It was clear who acted beyond the rules first and how they got there. At this point, both players acknowledged that the offending player did the best he could to repair the situation, as death is a tricky thing in games. The net result was nobody lost anything but their temper, though technically rules were violated.

In this particular case, I chose to exercise what is analogous to discretionary law enforcement. Typically this is a serious rule to violate, but the circumstances led me to simply put the offending player in the same situation as his victim. He took the same small risk of bigger repercussions that he imposed on his victim and got lucky as well. I took this approach for a few reasons:
  • The players involved were all experienced.
  • The players involved stopped further involvement with each other.
  • The players involved didn't lie to me.
  • I warned everyone that further issues would result in very severe punishments and believed they would act accordingly.
  • There wasn't any actual loss to any player other than perhaps pride.
  • I told both parties to avoid each other.

This didn't make the victim happen, and this party accused me of many unsavory things including cronism. This is the most amusing to me as I had barely heard of either party involved prior to this incident. At this time, at least a few weeks have passed and I haven't heard any complaints from either player.

In a similar situation a couple weeks later, an experienced player also semi-intentionally "player killed" an inexperienced player. I did put a more severe punishment in place in this case (loss of some character powers) because:

  • There was disparity in experience of the players.
  • I had made the warning previously stated.
  • I wanted to make sure I didn't have to continue to deal with more of these and hoped word would spread.

The result of this was actually much more pleasant than the previous situation as the punished player took it very well and the victim did not complain further. Dealing with this case was still not a pleasant experience for me.

In any case, I think you can see that player administration requires some arbitrary decisions that perhaps don't seem fair to all parties involved at the time. But, my goal isn't always exact fairness in each situation; it is that fairness is the steady state with as little involvement from administration as there can be. This is probably an idealistic vision, but we don't get paid for this and don't enjoy dealing with disputes of this nature. To me, it's best to try to minimize their occurrences by enacting stiff penalties when appropriate and avoid heavy-handed actions when not necessary.