Wednesday, September 30, 2009

Spam and Google Wave

After a bunch of Googling around I can find very, very little information on how Google Wave intends to handle the spam problem. A search for 'spam' on the Wave Protocol site yields no results at all. Searching the Google Wave API group for spam yields six unhelpful results. A search of the Wave Protocol group yields a single discussion with eight posts.

In a discussion reported on TechCrunch there was a mention of using whitelisting for spam control in Google Wave:

Q: This seems like this will replace email – but can it really replace all we love about email?

Lars: We think of email as an incredibly successful protocol. Google Wave is our suggestion for how this could work better. You can certainly store your own copy by way of the APIs and with the extensions. The model for ownership — it’s a shared object, so how do you delete the object? Even though it’s a shared object, no one can take it away from you without your consent. There will eventually be reversion to sync up with the cloud or your own servers. We’re not planning on having spam in wave (laughs). Early on in email, spam wasn’t really taken into account, so we benefit from that learning experience. We’re planning on a feature so that you can’t add me to your Wave without being on a white list.

Well, whitelisting doesn't work because people need to receive unsolicited messages from people they don't know. For example, I get lots of messages about my book, or my open source software. I can't whitelist those people before they contact me.

And it's not just me, but businesses need to receive unsolicited mail from potential customers (or even their own customers). Whitelisting simply doesn't work.

Having dealt with spam for a long time, they are going to have to come up with a better answer than that. Otherwise a botnet master is going to run a wave server on every bot and start posting spam waves (or worse, waves that appear legitimate and turn into spam waves) to everyone.

I suspect the answer is that it turns out to be the same mix of technologies used for email spam: message hashing, content analysis, sender reputation, IP blacklisting, ...


shaunxcode said...

Perhaps a large influx of spam on google wave could be referred to as a tsunami?

Massa said...

Spam is an undecidable problem.

David Rusenko said...

Just a thought, but could the Wave protocol be built around a partial white list system? If you're on the white list, you get straight through.

If you're not, two things could happen:
- If you're a human, the receiving wave server sends back some kind of CAPTCHA challenge right after you hit the send button that shows up in your client. You must solve this challenge before the message is delivered.
- To allow for marketing messages, any marketer would have to request permission from the user to add their sending address to the white list. This could be accomplished with OAuth or a similar mechanism to which Facebook applications must request permission.

This would still make certain functionality more difficult (such as a human that wants to mass-email their friends), but it may be a fair trade.

aphex said...

I have to differ with Mr. Graham-Cumming (and with TechCrunch). I don't think Google Wave will encounter spam problems, also it will not replace e-mail, for the exact reason he mentioned "because people need to receive unsolicited messages from people they don't know". Therefore the whitelisting solution should be perfectly capable of dealing with the spam issue.
Google Wave will be a very good communication tool for people who know each other, but it can't -- by its nature -- replace e-mail.

John Graham-Cumming said...

@David Rusenko

What you are proposing is a challenge/response system for unsolicited messages.

These have been largely unacceptable in email systems because senders get annoyed at having to prove who they are before sending. This has been widely tried and hasn't taken off.

Of course, it might do in the context of Google Wave if that becomes the accepted way of operating from the start.

jafl said...

Wave spam will be exactly like blog comment spam.

As long as waves are "by invitation only", then spam will only get in via implementation bugs. I had to physically remove code from older versions of WordPress to stop comments from being added.

If waves are open to everybody, they will crash on the rocks of spam.