OpenID is wildly convenient for users, which is good for vendors, but is that motivation enough to really spur its adoption? Cutting-edge social bookmarking service Ma.gnolia stopped issuing new user credentials last night and now requires new users to create a Ma.gnolia account using an OpenID from somewhere else.
Why? Because 75% of new accounts being created there lately have been created by spammers using automated tools. Spammers took over Ma.gnolia. Now, the company is using OpenID as a system of 3rd party verified identity and using the superior spam blocking skills of services like Yahoo! and AIM to clean up the Ma.gnolia ranks. Spamfighting could be the incentive that puts many other vendors over the edge to leverage OpenID.
As of this morning Ma.gnolia still hasn't made any official announcement about the move, but it's being discussed online by leaders in the OpenID movement and OpenID vendor Vidoop spelled out the verified identity logic in a post on their blog. ("One Incremental Step for Ma.gnolia, One Large Step for OpenID")
There are at least a few ways that people have discussed using OpenID for spam control online and this is just one of them. Others are working on ways to use OpenID and FOAF (friend of a friend) together to fight spam. OpenID has also got potential to act as an anchor point for activity data portability. There are many possible uses beyond simple single-sign-on. That's just the easiest way to explain OpenID and the clearest value proposition today. We'd love to read about other ways people are using OpenID in comments; it's something we keep our eyes peeled for in the "best of" Data Portability and Semantic Web feeds offered in the RWW Toolkit for Key Issues of 2008.
This is just one of many examples we've seen of really great ideas that need more than one layer of incentive to really take off. Semantic markup is another - there are lots of great reasons to leverage semantic web technology, but the recent announcement that Yahoo! will index semantic markup will likely be the tipping point.
Keep your eyes on Ma.gnolia to see how this strategy, and a whole lot of other steps they are taking to leverage emerging standards, play out.
Comments
Good. Now the Open ID vendors should go the extra mile and provide profile management services for the many-many relation between sites accepting OpenID and the identities they define.
Each participating site should have a "Remember this site" button in the upper right corner that brings up a dialog box offering sign up services, including connecting the current session transparently to OpenID.
If accepted, then the site's session cookie should be passed to the user's OpenID manager of choice, making the session, with all its implied user customisations, available from any computer. Vidoop already does this quite well for one aspect of sessions, sign-in.
In effect, OpenID providers could compete to be 'opt-in' trackers of sites, identities, and profiles, only given the user control of their data and profile -- this is a function that requires one login identity per site at present.
This would go a long way towards enabling one-click data portability. If the user wants to 'remember' the functionality a site offers, it should be possible to save their environment (cookie) and transport that session transparently to another browser type on another computer, using at most a 'pet name' or profile name connected to their open ID.
Posted by: John Goodwin | March 27, 2008 12:09 PM
Have a look at BotBouncer.com - it's a CAPTCHA service for OpenIDs. I've been really impressed with it.
Posted by: Tom Morris | March 27, 2008 1:24 PM
How the heck would OpenID ever work for anti-spam prevention?
Spammers can just run their own OpenID server to authenticate them.
Posted by: engtech | March 27, 2008 1:28 PM
I think part of the idea is that Ma.gnolia might be able to have additional trust in a user coming from AOL or Yahoo! as they're doing their own abuse prevention for their accounts. This isn't the silver bullet, but building on things like the Google Social Graph API also allows Ma.gnolia to get a better idea of who a user might be around the web.
Posted by: David Recordon | March 27, 2008 1:35 PM
I was just about to ask the same question as engtech just did. I don't understand how OpenID will prevent spammers from creating accounts at Magnolia. They just have to create their own OpenID server, or even use another OpenID provider like Wordpress.com - they would only need the account open, long enough to log into the site and post the spam. Perhaps I'm missing something here...
Posted by: stuart | March 27, 2008 1:43 PM
Our decision to require verified identities (We accept Facebook as a provider, too.) is part of an iterative redesign of how we handle identity within Ma.gnolia. This was a huge change; but, more tweaks will be coming, and we will blog about this process once we're a little further down the road.
Also, I'd like to add that spammers had not taken over the Ma.gnolia community, they were simply using a largely disproportionate amount of our computational resources: processor time, database queries, bandwidth, and hard drive space; adding up in real costs.
Posted by: Larry Halff | March 27, 2008 2:27 PM
Thanks for the writeup, Marshall. We're looking to OpenID and verified identities as a way of strengthening what is already done to manage spam activity.
I have to call you on the idea that 'spammers had taken over ma.gnolia', because it's pretty far from the full story. Spammer activity, largely run through bots and people working in click-farms, did indeed create a huge tax on Ma.gnolia's performance, but the whitelisting and Gardeners program had kept almost all of it out of sight for legitimate users. There are some really aggressive spammers who will work the social features manually to get their links in front of people, and while very annoying there was almost no payback. The bots were the big problem. To say that Ma.gnolia had been taken over by spammers misses by a mile the actual quality of experience.
@engtech & @stuart- It is true that a spammer could run their own OpenID server, and we can then block specific providers if we see spam coming in from them. As David noted, we have not a silver bullet but an extra layer of protection that will add to our existing spam control methods. We're looking to raise the bar for illegitimate use, and to hopefully not burden our legitimate members while still trying to push the edges of web development.
I think Larry is commenting, as well, so we will likely overlap. Just the same, many thanks for the interest in what we're doing. It's a problem that affects many services, and it's good to get these ideas out for feedback and hopefully to help others seeing the same trouble from unwelcome guests.
Posted by: Todd Sieling | March 27, 2008 2:28 PM
Spam from OpenID confirmed users is one of the problems previous commenters have mentioned that I've been wondering about as well.
While I haven't tested the ma.gnolia login process (my openid is already registered), I find the team's policy of having a positive list of accepted sites to be quite a turn for the worse.
These kinds of lists take out a lot of the charm of OpenID, allowing anyone to run their own open id, pushing for a few centralised providers instead. The Yahoo decision of only accepting their own OpenID's for login is (I guess) based on them having relevant security concerns (you can use a YAHOO id for quite a lot of real-world interaction), but ma.gnolia is different.
Todd Sieling's post proposes a far better pattern: Spotting evil providers based on similarities in usage patterns would be relatively easy, and less mauling on the open internet landscape, in my opinion.
Posted by: Johnny Castrup Jørgensen
Johnny: We do NOT white list OpenID providers. Todd was referring to our modified NIPSA (Not In Public Search Areas) policy for bookmark content.
Posted by: Larry Halff | March 27, 2008 3:41 PM
Yes, that was poorly worded on my part.
Posted by: Todd Sieling | March 27, 2008 5:26 PM
I work for a company who is using the notion of a social white list (FOAF-like) to help combat email (not blog/social media) spam. While we're not using OpenID (yet), we do use strong authentication (DKIM and SPF) to verify that messages come from where they claim to.
Using FOAF for email has been extremely helpful in both reducing spam as well as decreasing the burden on the user to maintain their own white list.
This works well on a person to person level.
@Larry hit it, though. - I would strongly caution against trusting a third party like Yahoo! or AOL. While it's great to assume that they have greater incentive to remove spammers, it's questionable how successful they are.
That said, there certainly is strength in numbers, so having a third party OpenID provider watching your back can't hurt. Just don't rely on it completely.
Posted by: Randy Stewart | March 27, 2008 5:28 PM
Cheers,
Randy Stewart
randy@boxbe.com
Good move by ma.gnolia. Need to see if it affects the number of (unique) registrations.
Posted by: Thejesh GN | March 27, 2008 11:59 PM
Doesn't this make life easier for spammers and click-farmers? Pass one Turing test and use the resulting ID at hundreds of sites, each of which has to manually black-list you.
Without white-listing providers, the process gives you additional magnification as you can create a bunch of identities in one salvo until eventually nobody trusts you anymore.
Posted by: mags | March 28, 2008 2:05 AM
I really hope OpenID can improve things, but with email the tools are all in place yet it hasn't happened.
For example if Domain Keys ever gets critical mass then spammers could begin to be blocked based on unforgeable mail identities, yet it looks like it will take years longer.
Posted by: old ecard guy | March 28, 2008 6:32 AM
Hahahaahahhaha. What a complete joke. Anyone care to disclose what proponent of OpenID is involved in consulting with Magnolia?
This may change the spam/bot game, but doesn't end it by any means whatsoever. This security by obscurity doesn't work....EVER.
OpenID is a problem b/c no ONE entity needs to know what sites I log into.
Anyone want to know the monetization strategy of these "pro-consumer", OpenID, "renegades"? I'll give you one guess.
Posted by: Tommyboy | March 29, 2008 5:36 PM
Hmmm, and to think just two days ago I was asking for rationalization to use OpenId on our site...
Posted by: Andrea Hill | March 29, 2008 10:02 PM
Spammers behind the Black Market
As spam volumes continue to grow, the need for a spam filter that consistently achieves significantly more accurate filtering with very few and easily identifiable false positives becomes more urgent.
Is there such a solution available on the market today?
Register for a complimentary Webinar conducted by Abaca and Ferris research to know more about the best solutions to STOP spam. To register please click the link below:
Posted by: Victor Louis | March 31, 2008 10:52 PM
http://www.surveymonkey.com/s.aspx?sm=LPFKkdkFwOYltiQZtM_2bttw_3d_3d
@12 It has. So far we've seen a severe drop in spam registrations, and even a slight but noticeable uptick in legitimate registrations.
Posted by: Todd Sieling | April 2, 2008 3:37 PM
@Todd:
Increase in legitimate registrations? That's quite interesting!
I assume you are referring to absolute before and after numbers, not to percentages or ratios (of legit. signups from total signups).
Are you sure it's not simply due to coverage of this move by Ma.gnolia?
Anyhow, very interesting move.
Too bad you don't expose traffic through something like Quantcast - it would be interesting to see what this move does to things like:
- pageviews (going down a bit, I'd guess)
- uniques (also going down a bit)
- page views per visit (going up a bit, I'd guess)
- time spent on site (not sure about this one)
Can you comment on these few metrics?
Posted by: Otis Gospodnetic | April 2, 2008 10:08 PM
> Are you sure it's not simply due to coverage of this move by Ma.gnolia?
It might well be. We're happy to welcome new members because they like what we're doing technologically as much as we welcome people who come for the community or aesthetic aspects. The increase in legitimate users is a percentage of overall.
Regarding exposure of stats, I wonder what the point would be. We're not big on stats for the sake of stats, but where there are specific questions for which stats can help provide answers, we're all ears.
Larry will be posting to the Ma.gnolia blog in the next couple days to give some details on the outcome so far from this change, and to respond to some of the questions that have come out of the change so far.
Posted by: Todd Sieling | April 3, 2008 12:01 AM
As Todd mentioned, I've finally blogged about our reasoning and the results in requiring OpenID for registration. If you're interested, you can check it out here: http://ma.gnolia.com/blog/2008/04/03/on-our-new-front-doors
Posted by: Larry Halff | April 3, 2008 4:59 PM
@Todd & Larry:
Regarding stats - it's really about observing the differences in behaviour between spammers and legitimate users. For example, I know for Simpy people who come to http://simpy.com via addthis.com or socialposter.com generate more page views per visit than an average user. I believe those visitors are also "regulars". I also suspect that those are not the 100% "honest" bookmarkers either. In Simpy these people would qualify as "self-promoters", not necessarily "spammers" (blurry diff).
So, cutting a bunch of spammers out of the game ought to change some numbers radically, just like it changes the (ab)use of your resources radically. It would be interesting to see this change beyond the change in spammer signup numbers.
As a matter of fact, since one of the reasons for this move was to stop abuse of your resources (and increase of the service cost), it would be educational to see just how much of your, say, bandwidth these people were using and how big was the drop. Did the bandwidth drop by 10%? 50%? 75%?
Educational and curious stuff, if you ask me.
Posted by: Otis Gospodnetic | April 4, 2008 12:51 AM
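Added example (not Ma.gnolia's code, and not from the original post or its commenters): an illustration of the provider-level blocking discussed in the comments above, showing why a relying party would tally spam by the OP endpoint that performed the authentication rather than by the claimed identifier's host, since OpenID delegation lets identifiers on many domains point at one self-run server. The sample signups, the `.example` hostnames and the thresholds are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: (claimed identifier, verified OP endpoint, flagged as spam).
SIGNUPS = (
    # Six vanity domains that all delegate to one self-hosted OpenID server.
    [(f"https://user{i}.vanity{i}.example/", "https://op.selfhosted.example/server", True)
     for i in range(6)]
    # A large provider with one bad account out of ten.
    + [(f"https://big.example/u/{i}", "https://openid.big.example/auth", i == 0)
       for i in range(10)]
    # A small provider seen only once: too little data to block outright.
    + [("https://blog.small.example/", "https://id.small.example/op", True)]
)

def host(url):
    """Lower-cased hostname of an absolute URL."""
    h = urlsplit(url).hostname
    if h is None:
        raise ValueError(f"not an absolute URL: {url!r}")
    return h.lower()

def tally(signups, field):
    """Group by host of column `field` (0 = claimed ID, 1 = OP endpoint).
    Returns {host: (total_signups, spam_signups)}."""
    total, spam = Counter(), Counter()
    for row in signups:
        key = host(row[field])
        total[key] += 1
        spam[key] += int(row[2])
    return {k: (total[k], spam[k]) for k in total}

def decide(stats, min_samples=5, block_ratio=0.8, review_ratio=0.3):
    """Block only with enough evidence; send thin or mixed evidence to review."""
    out = {}
    for key, (total, spam) in stats.items():
        ratio = spam / total
        if total >= min_samples and ratio >= block_ratio:
            out[key] = "block"
        elif ratio >= review_ratio:
            out[key] = "review"
        else:
            out[key] = "allow"
    return out

if __name__ == "__main__":
    for label, field in (("by claimed-ID host", 0), ("by OP endpoint host", 1)):
        print(label, decide(tally(SIGNUPS, field)))
```

Grouped by claimed-identifier host, every vanity domain appears once and never reaches the blocking threshold; grouped by OP endpoint, the same six signups collapse onto one provider.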