The Frustration Loop
I've been engaged in an ongoing war with spammers. Because Bear is free-to-use it's naturally the target of backlink farmers, credit card phishers, illegal drug sellers, online casino advertisers, and crypto shillers.
I won't go into too much detail on the causes. I've written about them twice before. In brief: the barrier to entry is low (easy signup to a free service) which leads to bad actors trying to exploit the platform (usually for backlinks).
For context, this isn't bot traffic. It's instead the kinds of spam farms you can purchase 100 backlinks from on Fiverr. They have a team of a few hundred low paid workers submitting content to every corner of the web in the hopes it will boost SEO ranking (it won't).
To combat this, I have a few mechanisms in place. If a piece of spam is posted on Bear, it is by default not visible to the wider internet until reviewed. All unreviewed blogs have "no-index" and "no-follow" tags and do not show up on the sitemap or discovery feed. This is easily resolved by opting into a review. However, I'd still prefer the spam content weren't on the platform at all, regardless of its discoverability.
Enter Akismet. This is a spam detection tool by the Wordpress people and is pretty accurate and easy to use. At one point I tried to spin up my own spam detection system using GPT4, but it was less accurate and more expensive than Akismet so I took out a subscription and never looked back.
Blocking spam on signup worked somewhat, but was easily circumventable by spammers who are well versed in dealing with these kinds of barriers. When a spammer is blocked this action provides them with information about how certain kinds of content are regulated, and hints at how to sidestep those regulations.
So despite having robust spam detection on creating a blog, some spammers found ways to parade as legitimate blogs, then post spam in less regulated areas, which I would have to manually sniff out and flag.
This combined with spammers using commercial VPN services like Nord meant that simply blocking posts from certain IP addresses could result in valid users being blocked. Nord VPN alone has several hundred servers all over the world so spammers are rarely hindered by IP bans.
This lead me to an idea: The Frustration Loop
The premise is simple. When spam is detected, instead of blocking the blog, fake system error or failure in the most frustrating way possible. Waste their time and make them give up.
I got the idea from The Password Game which I highly recommend checking out. Here's how it works:
- When spam is detected, clear the form (so all the info needs to re-typed) and throw an error, eg: "Our servers are bearly managing. Try again later."
- Disable pasting in all text areas. We can't make it too easy.
- Every 5 to 10 seconds the element focus switches to a different input so while they're typing in one area, they may accidentally start typing in another in a mildly annoying way.
- And finally to top it off, if/when they finally manage to submit the form again, throw a different error, eg: "Ensure content contains necessary parameters."
- Repeat.
And so they get stuck in my never ending web of frustration and after a while deem the software to be malfunctioning and give up.
"Now hold up there Herman! Won't this be triggered by valid users?" you say.
Perhaps, but it's fairly unlikely. In my tests I haven't managed to trigger it without explicitly performing a dodgy action. On top of that, it's been running in production for the past 3 months and I've only had one user report this as an issue. He was advertising online casinos.
Did it stop the spammers?
Yes! Since implementing The Frustration Loop the amount of spam has dropped from about 30% of new blogs, to less than 5% (nothing is perfect). There are a few improvements to be made, and some holes to patch, but it's working well.
I was hesitant about writing this post, since by describing The Frustration Loop potential spammers could potentially circumvent it. But somehow I don't think they read my blog.