Decentralization

I’ve been thinking about the evils of spam of late.

So much about Weblogs is open to attack: comments are a simple Web form, easy to script into oblivion; PingBack and TrackBack are open protocols that, in essence, put stuff on your page without your consent [assuming your logware allows that, of course]; referral logs can be spammed by spoofed HTTP requests, no matter what measures you take to lock down your referral logs.

I think I know the answer to this issue: a decentralized, permission-based system rolled out on a site-by-site basis.

You want to leave a comment on my site? You fill out a form that sends you an email with an authorization to link to my site, giving you an account from which you can comment. It’s a pain, and it’s a multi-step process, and yes, it raises the bar … but we have spam because there is no significant barrier to entry.

You want to PingBack or TrackBack my site? I agree with the WP people that TB/PB is, essentially, a comment and should be treated as such. If you want to TB/PB, you should have to fill out the same form.

Referral logs … not much to do there, other than maybe setting up a script that checks each referring page for an actual link before recording it to the log. Apache certainly shouldn’t do this, and this would be prone to DDoS [and also would make you far more prone to Slashdotting], but it would be a nice-to-have, I guess.
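The referral check described above, as an added example that is not part of the original post: a referrer is recorded only if the referring page contains an actual anchor pointing at this site, with results cached and a per-host fetch budget to limit the DoS exposure mentioned in the paragraph. `MY_HOST`, `MAX_FETCHES_PER_HOST`, the function names and the sample data are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

MY_HOST = "example.org"       # assumption: the weblog's own hostname
MAX_FETCHES_PER_HOST = 2      # assumption: outbound checks allowed per referring host

class LinkFinder(HTMLParser):
    """Collects href values of <a> tags only, so a bare mention in text does not count."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def host_of(url, base=""):
    try:
        return urlsplit(urljoin(base, url)).hostname
    except ValueError:        # Referer and page content are attacker-controlled text
        return None

def links_to_me(html, page_url):
    finder = LinkFinder()
    finder.feed(html)
    return any(host_of(h, page_url) == MY_HOST for h in finder.hrefs)

def verified_referrers(referrers, fetch):
    """Return referrers whose page links here. fetch(url) returns HTML or None."""
    cache, fetches, kept = {}, {}, []
    for ref in referrers:
        host = host_of(ref)
        if not host or host == MY_HOST or not ref.lower().startswith(("http://", "https://")):
            continue
        if ref not in cache:
            if fetches.get(host, 0) >= MAX_FETCHES_PER_HOST:
                continue      # budget spent: drop the entry instead of fetching again
            fetches[host] = fetches.get(host, 0) + 1
            cache[ref] = links_to_me(fetch(ref) or "", ref)
        if cache[ref]:
            kept.append(ref)
    return kept

# Constructed sample data: one page that links here, one that only mentions the name.
SAMPLE_PAGES = {"http://friend.example/post": '<a href="http://example.org/decentralization">post</a>',
                "http://spam.example/pills": "<p>cheap pills, see example.org</p>"}
SAMPLE_REFERRERS = ["http://friend.example/post", "http://spam.example/pills", "-"]
```

The `fetch` callable is where a real deployment would put timeouts, a response size limit and a refusal to fetch internal addresses, since every URL it sees was chosen by whoever sent the request.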

I thought about suggesting a centralized commenting service that would work on trust … but that’s too easy to socially engineer.

I think this is where it’s gotta go. If you put up a different barrier at each site that must be overcome, you’ve made it harder for each spammer to nail you.

[I will be updating this post with relevant linkage later on, but right now, I'm trying to get work done around the office, and I just wanted to strike while the iron was hot.]

Posted January 23rd, 2004 in Musing, Web Wonk by Geof F. Morris.
