greencards, greencards

I feel badly for Prof. DeLong, who is battling comment spam (and wrestling with Movable Type) over at his semi-daily journal. He’s currently swearing by MT-Blacklist, but I read another recent blog posting which complains that MT-Blacklist isn’t all it’s cracked up to be, and can even trade your spam problem for a server load problem.

The article goes on to suggest darkly that Google hasn’t acted against comment spam because of their financial stake in Blogger, but I think this is unlikely — I think it’s just a very hard problem. Staying ahead of a motivated attacker is nearly impossible, as countless computer security experts will attest — close one hole and a motivated attacker will just find another. I looked for a reference to this idea on Bruce Schneier’s site, but I couldn’t find one.

It’s the evil-Universe doppelgänger of Open Source software development: not only do we have “given enough eyes, all bugs are shallow,” but also “given enough spammers, all opportunities will be exploited.” It’s the same everywhere — a truly determined attacker, no matter how many holes you plug, will find a new hole.

It’s not enough to blacklist commenters, to Bayesian-sort your email, to digitally-rights-manage your music, to X-ray every bag at the airport. Motivated parties will find a new way, a new method, a new weakness to exploit. There just isn’t a long-term technical solution, as far as I can see.

I shrugged it off, back in 1994, but maybe spam is going to turn out to be a big problem.
