OpenID, A Spam Heaven?

I say, Yes!

Dmitry Shechtman quickly and rightly realized that my Anonymous OpenID server is a heaven for spam.

First, why did I create the server if I knew/realized this as well? Well, to generate awareness the hard way ;)


What about spam?
Again, this is not a trust system.

The above statement reflects total ignorance about it. C’mon guys, we cannot be ignorant about it. I am sure all “normal” people hate spam. I think we must implement a solution for it in the protocol itself. We don’t have to be 100% accurate, but we must be able to deter a major chunk of spammers.

See, all that I did to create my Anonymous OpenID server was to modify a few lines of code in phpMyID and the spammer friendly OpenID server was up and running. (And, no, I am not going to release the changes I made.)

We know that spammers have a lot of domains, and I am sure all of their servers are capable enough to have one or another OpenID IdP running. This means they are also capable of generating an unlimited number of OpenIDs, like I did.

I don’t think using only blacklists is a good idea, given that all it takes for a spammer is to buy a domain, modify and set up phpMyID, and voila! He’s back in business (maybe only for some time, but still).

Here is what I propose:
When we initiate the process, the client/consumer sends a dynamically generated image to the IdP. The IdP shows the normal login form, along with the captcha image and an input field.

When the user submits the form, the IdP server communicates with the client/consumer and gives it the text the user entered for the captcha image to be verified. The client checks whether the text is correct and sends the reply back to the server.

If the captcha text the user entered was not correct, we request another image from the client. We do this at most 3 times for a given IP.

If the captcha text the user entered is found to be correct, we proceed with the existing authentication process.

Is the proposed solution foolproof? Of course not, but it will deter a lot of spammers.

I am sure there will be folks who will not like the above captcha idea, given that some people may have problems reading them, etc. I do understand that. I think with some constructive discussion around it, we can do it in a way that suits everyone and still makes things difficult for spammers.

I hope I will be successful in my attempt to get the protocol changed slightly and make things difficult for spammers.

What will I do with this Anonymous OpenID server? Well, it will stay online for now, until I manage to get the protocol changed. If the spammers use it too often or I have any bandwidth issues, I might take it down earlier.

On a side note, Dmitry also thinks that the Anonymous OpenID server is a perfect anti-phishing solution since no authentication happens ;)

But, that won’t stop the anti-phishing debate though :)

4 Responses to “OpenID, A Spam Heaven?”

  1. The Undevelopment Blog » Blog Archive » Talking to an Angel Says:

    [...] Jayant Gandhi comments on Spam Heaven? I say, Yes! [...]

  2. Totof Says:

    I had exactly the same thought !

  3. monkinetic | Blog Archive » Is This OpenID? Says:

    [...] So, I know that OpenID does not claim to be an end to SPAM in and of itself (thanks to singpolyma for the reminder), but this just seems completely wrong to me. There was a recent spat over the anonymous OpenID server, and the community consensus seems to be that we’re going to have to resort to server blacklists eventually (though the author of the anonymous server makes a decent case that blacklists are not going to do it either). [...]

  4. ppnw Says:

    You are right, I like your demonstration with the anonymous server. I changed the phpMyID code myself and managed to do the same. So spammers will be all over this and in the end nothing is gained. As you can see ( it works with Google’s Blogger now too!
