Comments on: Abusing OpenID to Increase Server Traffic

By: Rich

Rich — Wed, 26 Aug 2009 11:55:04 +0000

Seems to have fixed it. A syslog grep from the last 24 hours shows no outbound connections to “.cn” sites.

By: Rich

Rich — Tue, 25 Aug 2009 07:04:00 +0000

Thanks Will – barring an attack of sausage fingers during entry, that should be running now. I’ll let you know how it fares.

By: willnorris

willnorris — Mon, 24 Aug 2009 20:51:54 +0000

So it looks like the plugin definitely was NOT integrating with akismet properly. That has been fixed in trunk. I would not actually recommend running the trunk version of OpenID (it's a bit unstable right now), but you can apply the changes shown in this changeset. Watch your log files for a day or so and see how that changes things.

By: Rich

Rich — Mon, 24 Aug 2009 18:34:29 +0000

Hi Will, yep, I have Akismet, so if you’d like to test anything on this server I’m happy to do so (I can SVN stuff from a branch or trunk as necessary). I’m not convinced captchas will cut the mustard, for all the normal reasons – they’re a pain for users until the day they get cracked, and then they’re no good at all.

By: willnorris

willnorris — Mon, 24 Aug 2009 16:40:28 +0000

I would agree with Chris, that this sounds like something that could be caught and some kind of message displayed, or a CAPTCHA required. I do currently send the comment through Akismet first, and only attempt OpenID discovery if it passes the spam check. The way I’m doing that is a little less clean that I’d like, but it *should* be working. If it turns out it is not, then that’s something I’ll see about fixing. It does of course require that you have akismet installed and activated with an API key. Are there any public spam-checking APIs I can check the URL against before doing OpenID discovery? I know Google has a service for phishing sites, but I’m not sure if that would catch the URLs you’ve listed that you’re seeing.

By: Rich

Rich — Fri, 21 Aug 2009 16:44:10 +0000

Thanks Chris. The web amazes me yet again, almost exactly 18 years since my first http request. Ask the right questions or make relevant observations and answers (or at least the beginnings of answers) turn up out of thin air.

By: FactoryJoe

FactoryJoe — Fri, 21 Aug 2009 15:16:06 +0000

Thanks for bringing this up. That’s certainly an interesting point — and not one that hasn’t been brought up in the OpenID developer community.

That said, it would seem that preventing automated or repeated OpenID authentication requests — the same way you might prevent automated comment spam with a CAPTCHA — might prevent this kind of abuse.

For example, after 3-4 unsuccessful authentication requests from the same IP, throw a CAPTCHA. After failing the captcha, or after unsuccessfully attempting subsequent OpenID requests, replace the form with an email prompt like, “Looks like you’re having trouble signing in. Drop me an email and I’ll help you.” Or something like that (being nice in case someone, say, forgot their OpenID).

By: The Musings of Chris Samuel » Blog Archive » Abusing OpenID for Phun and Profit

The Musings of Chris Samuel » Blog Archive » Abusing OpenID for Phun and Profit — Fri, 21 Aug 2009 08:16:18 +0000

[...] friend Rich has noticed some odd behaviour in his Apache logs that turned out to be people abusing his OpenID server to make page requests to remote sites, presumably as a way of increasing clicks. He raises an [...]

By: Chris Samuel

Chris Samuel — Fri, 21 Aug 2009 08:06:54 +0000

There is a commercial tool called Splunk http://www.splunk.com/ (free-as-in-beer up to a certain amount of logs per day) which does log aggregation from many sources and searching/correlation – I don’t know how semantic it is though..

Nice spot!