Each participating site should have a "Remember this site" button in the upper right corner that brings up a dialog box offering sign up services, including connecting the current session transparently to OpenID.

If accepted, then the sites session cookie should be passed to the user's OpenID manager of choice, making the session, with all its implied user customisations, available from any computer. Vidoop already does this quite well for one aspect of sessions, sign-in.

In effect, OpenID providers could compete to be 'opt-in' trackers of sites, identities, and profiles, only given the user control of their data and profile -- this is a function that requires one login identity per site at present.

This would go a long way towards enabling one-click data portability. If the user wants to 'remember' the functionality a site offers, it should be possible to save their environment (cookie) and transport that session transparently to another browser type on another computer, using at most a 'pet name' or profile name connected to their open ID.

Spammers can just run their own OpenID server to authenticate them.

Also, I'd like to add that spammers had not taken over the Ma.gnolia community, they were simply using a largely disproportionate amount of our computational resources: processor time, database queries, bandwidth, and hard drive space; adding up in real costs.

I have to call you on the idea that 'spammers had taken over ma.gnolia', because it's pretty far from the full story. Spammer activity, largely run through bots and people working in click-farms, did indeed create a huge tax on Ma.gnolia's performance, but the whitelisting and Gardeners program had kept almost all of it out of sight for legitimate users. There are some really aggressive spammers who will work the social features manually to get their links in front of people, and while very annoying there was almost no payback. The bots were the big problem. To say that Ma.gnolia had been taken over by spammers misses by a mile the actual quality of experience.

@engtech & @stuart- It is true that a spammer could run their own OpenID server, and we can then block specific providers if we see spam coming in from them. As David noted, we have not a silver bullet but an extra layer of protection that will add to our existing spam control methods. We're looking to raise the bar for illegitimate use, and to hopefully not burden our legitimate members while still trying to push the edges of web development.

I think Larry is commenting, as well, so we will likely overlap. Just the same, many thanks for the interest in what we're doing. It's a problem that affects many services, and it's good to get these ideas out for feedback and hopefully to help others seeing the same trouble from unwelcome guests.

While I haven't tested the ma.gnolia login process (my openid is already registered), I find the team's policy of having a positive list of accepted sites to be quite a turn for the worse.

These kinds of lists take out a lot of the charm of OpenID, allowing anyone to run their own open id, pushing for a few centralised providers instead. The Yahoo decision of only accepting their own OpenID's for login is (I guess) based on them having relevant security concerns (you can use a YAHOO id for quite a lot of real-world interaction), but ma.gnolia is different.

Todd Sieling's post proposes a far better pattern: Spotting evil providers based on similarities in usage patterns would be relatively easy, and less mauling on the open internet landscape, in my opinion.

Using FOAF for email has been extremely helpful in both reducing spam as well as decreasing the burden on the user to maintain their own white list.

This works well on a person to person level.

@Larry hit it, though. - I would strongly caution against trusting a third party like Yahoo! or AOL. While it's great to assume that they have greater incentive to remove spammers, it's questionable how successful they are.

That said, there certainly is strength in numbers, so having a third party OpenID provider watching your back can't hurt. Just don't rely on it completely.

Cheers,
Randy Stewart
randy@boxbe.com

Without white-listing providers, the process gives you additional magnification as you can create a bunch of identities in one salvo until eventually nobody trusts you anymore.

For example if Domain Keys ever gets critical mass then spammers could begin to be blocked based on unforgeable mail identities, yet it looks like it will take years longer.

This may change the spam/bot game, but doesn't end it by any means whatsoever. This security by obscurity doesn't work....EVER.

OpenID is a problem b/c no ONE entity needs to know what sites I log into.

Anyone want to know the monetization strategy of these "pro-consumer", OpenID, "renegades"? I'll give you one guess.

As spam volumes continue to grow, the need for a spam filter that consistently achieves significantly more accurate filtering with very few and easily identifiable false positives becomes more urgent.

Is there such a solution available on the market today?

Register for a complimentary Webinar conducted by Abaca and Ferris research to know more about the best solutions to STOP spam. To register please click the link below:
http://www.surveymonkey.com/s.aspx?sm=LPFKkdkFwOYltiQZtM_2bttw_3d_3d

Anyhow, very interesting move.

Too bad you don't expose traffic through something like Quantcast - it would be interesting to see what this move does to things like:
- pageviews (going down a bit, I'd guess)
- uniques (also going down a bit)
- page views per visit (going up a bit, I'd guess)
- time spent on site (not sure about this one)

Can you comment on these few metrics?

It might well be. We're happy to welcome new members because they like what we're doing technologically as much as we welcome people who come for the community or aesthetic aspects. The increase in legitimate users is a percentage of overall.

Regarding exposure of stats, I wonder what the point would be. We're not big on stats for the sake of stats, but where there are specific questions for which stats can help provide answers, we're all ears.

Larry will be posting to the Ma.gnolia blog in the next couple days to give some details on the outcome so far from this change, and to respond to some of the questions that have come out of the change so far.

So, cutting a bunch of spammers out of the game ought to change some numbers radically, just like it changes the (ab)use of your resources radically. It would be interesting to see this change beyond the change in spammer signup numbers.

As a matter of fact, since one of the reasons for this move was to stop abuse of your resources (and increase of the service cost), it would be educational to see just how much of your, say, bandwidth these people were using and how big was the drop. Did the bandwidth drop by 10%? 50%? 75%?

Educational and curious stuff, if you ask me.