SparkFun is taking steps to ensure that our user community is a safe space. That means we need to make a few changes.
Recently a lot of our commenters have been frustrated by one of our latest changes to SparkFun's commenting website. We are asking our user community to verify their email addresses before we let them comment. While this is an inconvenience for our customers, it is a pretty important step for SparkFun. We want to try to make SparkFun a safe place for everyone to come out and play. This includes our blog platform. We want to have a conversation with our user community, which means the community needs to have valid email addresses.
We are trying to stop spambots. While this isn't a perfect solution, it is a roadblock. We want to make it just a little harder for the bots to think we are a soft target for spamming. That being said, we don't want it to be too hard for you, our loyal readers and customers, either. This balance is what we are trying to strike.
Also, we might not stop at valid email addresses on comments. There are tools at our disposal; how we use them affects you and we are aware of that.
Moving forward, we'll probably make validating your email address one of the steps in the account creation process. We haven't implemented this yet, in an attempt to get it right: we still want customers to be able to come in and check out while creating a new account. We are working through all of these steps now. Everyone already registered is going through the process of validating their email address as they comment around our blog platform. Soon new users will most likely need to validate their email addresses to create accounts.
SparkFun had a Captcha system for a while. It was disabled when enough people complained it was hindering their shopping experience, but that was before we had a guest checkout system that allowed purchasing without registration. Implementing Captcha again is on the table and being discussed.
Running a modern E-Commerce website is a complicated collection of trade-offs. SparkFun is committed to creating an environment that is welcoming to customers of all types, but we also have to do it in a way that is responsible for our team. SparkFun is working to make the right decisions. As we slowly implement new features we want to keep our user base informed. As we implement these features please let us know what you think. Validate your email address today and speak your mind. We’re listening!
This post references the movie Sneakers (1992): http://www.imdb.com/title/tt0105435/
No, it's not available to stream on Netflix, but it's well worth tracking down a copy.
Wow... a good hacker movie! Loved it!
You get aaaaaaaaallll the fun stuff...
;)
Great movie!
I love 'Sneakers', I can still remember buying it on DVD to take to my college math club's movie night.
I saw 'Sneakers' at a very impressionable age. I think it is why I wanted to go into pen testing and red team. Basically, reverse engineering security systems has always been a passion of mine, this is probably why.
Yep, great movie!
totally!
For the record, we also already have a comment filter in place where we essentially just enter a regex for certain words/whatever. Took us forever to figure out how they got through said filters before we realized they inserted non-printing characters in the middle of URLs and stuff, leading to beautiful regexes.
I was going to paste one of them in here before I realized it would be filtered out by one of the other regexes and this comment wouldn't show up. :)
Couldn't you just normalize the comment text and remove the non-printable characters before letting the post go in anyway? If someone is posting non-printable characters, I can't think of any reason that would be a necessary feature to allow.
Sure, that's definitely one of many solutions we could use. This obviously happened after we had already implemented a filter feature, though, and truth be told, we have a looooooong list of other features that our time is better spent working on. :)
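The evasion Erik describes (non-printing characters spliced into a URL so a word-list regex never sees the whole token) and the normalization fix suggested in reply, as an added example that is not SparkFun's code or part of the original thread. The blocklist pattern, the hostname and the sample comments are all constructed for illustration; the general idea (NFKC-fold, then drop Unicode format and control characters before matching) applies to any regex-based comment filter.

```python
"""Added example, not SparkFun's code: a regex URL filter run over raw
text misses a URL padded with invisible characters; normalizing first
closes that gap. Blocklist and sample comments are constructed."""
import re
import unicodedata

# Hypothetical blocklist entry, standing in for whatever the moderators
# would configure in the comment filter.
BLOCKLIST = [re.compile(r"cheap-pills\.example", re.IGNORECASE)]

# Unicode general categories that render as nothing visible:
# Cf = format (zero-width space/joiner, soft hyphen, BOM), Cc = control,
# Co = private use, Cn = unassigned.
INVISIBLE_CATEGORIES = {"Cf", "Cc", "Co", "Cn"}


def normalize(text: str) -> str:
    """Canonicalize a comment before filtering.

    NFKC folds fullwidth and other compatibility forms to their ordinary
    equivalents; then every invisible character is dropped (newline and
    tab are kept so the comment's formatting survives)."""
    folded = unicodedata.normalize("NFKC", text)
    return "".join(
        ch for ch in folded
        if ch in "\n\t" or unicodedata.category(ch) not in INVISIBLE_CATEGORIES
    )


def naive_filter(comment: str) -> bool:
    """The original approach: apply the blocklist to the raw text."""
    return any(p.search(comment) for p in BLOCKLIST)


def hardened_filter(comment: str) -> bool:
    """Normalize first, then apply the very same blocklist."""
    return any(p.search(normalize(comment)) for p in BLOCKLIST)


# Constructed samples. ZERO_WIDTH hides two zero-width spaces (U+200B)
# and a soft hyphen (U+00AD) inside the hostname; FULLWIDTH swaps the
# leading 'c' for its fullwidth form (U+FF43). Both look identical to
# PLAIN in a browser.
PLAIN = "buy now at http://cheap-pills.example/"
ZERO_WIDTH = "buy now at http://cheap\u200b-pi\u00adlls.ex\u200bample/"
FULLWIDTH = "buy now at http://\uff43heap-pills.example/"
LEGIT = "The datasheet on page 3 lists the wrong pinout, can you check?"

if __name__ == "__main__":
    for c in (PLAIN, ZERO_WIDTH, FULLWIDTH, LEGIT):
        print(f"naive={naive_filter(c)!s:5} hardened={hardened_filter(c)!s:5} {c!r}")
```

The reason to strip by Unicode category rather than by an explicit list of code points is that the set of format characters is large and grows with each Unicode release; the category check also catches anything pasted in from a clipboard that the moderator never thought to enumerate.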
To deal with spammers and server load have you considered using the four different available lists from https://www.projecthoneypot.org/ to input into your firewall or reject at the httpd? This saves bandwidth and server load as the crawlers cannot request resources. When I used to run some webservers, this was a huge performance increase.
I'll look into this, thanks.
I have to ask - why do you need those who have placed multiple orders in the past to still verify email addresses? It would have been a touch of class to allow users who have placed orders to be "pre-verified."
We had discussions about pre-verifying a bulk of users. We decided that there was some benefit in having everyone verify their email address, even if they had just recently placed some orders. It was also much easier to implement this way.
Sparkfun's dedication to quality is admirable. Going through a quick verification process is no big deal to me; I'm sure most others feel similarly.
I particularly appreciate the time taken to write up the decision process. I think it's really interesting to see how these kinds of things are handled. Transparency is awesome!
Transparency is going to keep being our default setting. I'm glad the road block wasn't too much for you. Looking forward to more interactions about more of my decisions.
I am more than happy to verify my email address because I love this website. Now if we could just get another dumpster dive I'd be happy. :-P
It seems to me that a really easy way to detect spam would be to hash all comments, so that you could easily detect if a comment had been posted before. If the no. of instances of a comment exceeds a certain threshold, flag all instances (both past and future) as spam.
Combined with traditional approaches (and maybe some human oversight for the more borderline cases), this could be really effective.
As Erik-Sparkfun pointed out, blocking the URL was too hard because of junk characters; we'd have to leverage something that would ignore non-printable characters. It would be too easy for the bots to figure out what we were doing and just develop a system for ensuring the posts were different enough to get through. We decided to do the pre-auth regex instead.
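The hash-and-threshold scheme proposed above, together with the weakness the SparkFun reply points to, as an added example that is not SparkFun's code or part of the original thread. The threshold, the comment IDs and the sample texts are constructed; the detector hashes a lightly canonicalized form so case and whitespace changes still collide, flags every past copy once the count crosses the threshold, and then shows that a bot appending a per-post nonce defeats exact matching entirely.

```python
"""Added example, not SparkFun's code: duplicate-comment detection by
hashing, with retroactive flagging, and the evasion that breaks it.
All comment text and IDs are constructed."""
import hashlib
from collections import defaultdict


def fingerprint(text: str) -> str:
    """Hash a canonicalized form (lowercase, whitespace collapsed) so the
    most trivial variations of a repost still land in the same bucket."""
    canon = " ".join(text.lower().split())
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class DuplicateDetector:
    def __init__(self, threshold: int):
        self.threshold = threshold
        self.seen = defaultdict(list)   # fingerprint -> [comment ids]
        self.flagged = set()            # comment ids marked as spam

    def submit(self, comment_id: int, text: str) -> bool:
        """Record a comment and return True if it is now considered spam.

        Crossing the threshold flags every earlier copy too (the 'past and
        future' behaviour suggested above); later copies with the same
        fingerprint are flagged on arrival."""
        fp = fingerprint(text)
        self.seen[fp].append(comment_id)
        if len(self.seen[fp]) >= self.threshold:
            self.flagged.update(self.seen[fp])
        return comment_id in self.flagged


def run_demo():
    det = DuplicateDetector(threshold=3)
    results = {}
    # Constructed: a bot reposting the same pitch verbatim (with case and
    # spacing noise on the second copy). The third copy trips the
    # threshold and retroactively flags the first two.
    for cid, text in ((1, "Great deals at shop.example!"),
                      (2, "great deals at   SHOP.example!"),
                      (3, "Great deals at shop.example!")):
        results[cid] = det.submit(cid, text)
    # Constructed: the same bot appending a short random token to each
    # post. Every copy hashes differently, so none reaches the threshold.
    for cid, nonce in ((4, "x7"), (5, "q2"), (6, "m9")):
        results[cid] = det.submit(cid, f"Great deals at shop.example! {nonce}")
    return det, results


if __name__ == "__main__":
    det, results = run_demo()
    print("flagged:", sorted(det.flagged))
    for cid, spam in results.items():
        print(cid, "SPAM" if spam else "ok")
```

The second loop is the point of the reply above: exact (or near-exact) hashing only catches a bot that does not bother to vary its output, so it is at best one signal layered under the pre-auth regex and human moderation, not a replacement for them.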
How about an additional step of requiring an actual user name to be entered for account creation? The generic Member#xxxxxx format is really easy for spambots isn't it?
Maybe limit accounts to not be able to comment until they have entered a user name...one more hoop to jump through. Trivial for humans...
Also you could enforce a user pic as well, more cumbersome, but not super hard
Believe it or not, that barely slows them down. On the Sparkfun forums you need to solve a captcha that involves you doing a menial task like dragging "food items" into the refrigerator. This eliminates most spam but daily I still see several spammers attempting to post which means a human is involved somewhere in the loop. Since the traffic in the forums isn't as high as on the main Sparkfun site, we've chosen to moderate the first post of all new users. 99/100 times the spammer will get right to business and their first spam post is caught and we can ban the account. Once in a blue moon they play the game long enough to get normal access to the board and then start spamming. The user base is pretty diligent at finding and reporting it so it can be dealt with quickly. Overall I'm pretty happy that the normal user on the forum will see no spam in their daily surfing of the board.
Echoing Erik-Sparkfun, thanks Phalanx, you do great work on the forums.
Speaking of which, thank you for all the work you do on the forums! It's very much appreciated.
How about the account needs to have successfully bought something before being able to comment? I'd like to see Sparkfun posts from only legitimate Sparkfun customers. Or alternatively give me a way to filter the comments of the accounts that have never bought anything.
While sales obviously drive our business (please buy all the things from us!), we want our community to include those who are only just starting to learn and aren't necessarily ready to buy stuff yet (and who may never buy from us, for that matter). Then there are those who choose to purchase our parts through our distributor network to avoid expensive shipping and customs fees, and the ones who get things gifted to them.
I'd rather a person who gets gifted a part can tell there's a problem with a datasheet through the comments, than making them jump through hoops to get to the responsible engineer's attention.
Another drawback of that approach is the spammers will chew through the namespace, taking possible names away from real users (assuming that user names are not allowed to be re-used).
User names are unique, which is why I couldn't use 'Timm'; someone else had it already.
If this sort of topic is up your alley (community and spam management, harassment and abuse issues, etc), I highly recommend Sarah Jeong's recent book The Internet of Garbage. It's a very quick read, and a great summary of the state of spam and abuse management in online communities today, and thoughts on the future.
We have an unofficial book club here at SparkFun, I'll see if I can get Nate to buy a few copies. Thanks!
Amazon only, and I do not do business with Amazon.
In this time of evolution it is unfortunate that there is not one (or more) authentication service that uses crypto signatures, which all forum sites could use to cut down on spammers. That way, when a spammer gets banned at one site they are banned at all subscribing sites, and you only need to validate your ID once for all sites. That said, I'm all for cleaning up the forums here.
Problem: Spurious banning. You could wind up absolutely blacklisted because your password was guessed/discovered/cracked; you forgot to logout and someone tooled with your account; a pissy moderator just doesn't like your name/political stance/preference of Star Wars over Star Trek. I like the ease of use and accountability. I hate the potential for abuse.
I'm with you on cert-based signatures. There's not a shortage of places where you can get a cert for that very purpose at no charge. StartSSL comes to mind especially.
My Email is my Passport; Verify Me | Computer voice - "Verified"
Thank you!