openid used for spamming

Evan Martin evan.martin at gmail.com
Wed Jul 6 08:48:45 PDT 2005


Our little baby's all grown up!  Brings a tear to my eye:
http://www.livejournal.com/users/rynfitz/63055.html?thread=162639#t162639

But in seriousness, I want to emphasize that this is *not* a flaw with OpenID.
That LJ allowed anonymous comments, so they didn't need an OpenID to
do the spamming.

It helps that GJ doesn't have any CAPTCHA for creating accounts,
though it looks like that one was made manually.

This is why OpenIDs should be considered equivalent to anonymous in
terms of spam.  It might even be worth preserving as an example for
all of the people requesting allowing OpenIDs while disallowing anons
on LJ.

However, there is a valid use case for allowing OpenIDs and
disallowing anons:  if I want to deal with spam on my own, or if I can
deal with spam in a different layer, and simply want every comment to
be attached to a name (URL).


More information about the yadis mailing list