Or just block the sources of abuse while everyone else enjoys and can act on the content. Or just block comments from anonymous nets so they can at least read. Comment sections that are Wild West hurt branding too much for it to be an option.
It seems like we know how to solve this. Put a CAPTCHA on account creation, then allow users to flag posts and auto-ban fresh accounts with high flag rates.
I'm honestly kind of surprised that there isn't more spam from attackers who compromise something close enough to a backbone provider that they can spoof arbitrary IP addresses and still see the return traffic.
Those are possibilities. As is Disqus-style moderation. Nonetheless, it's a lot of extra work with nothing to show for it and possibly dangerous to site experience. That's the problem Tor poses.
The problem isn't unique to Tor. It's anything that allows a spammer to use the same IP address as innocent people, including things that aren't exactly legal, like compromised PCs and routers. Which means blocking Tor blocks the people who follow the law but not the people who break the law.
And the problem is going to get worse as a result of IPv4 address exhaustion because some ISPs are going to have to start using carrier grade NAT (and some already are). The answer to that is IPv6 as ever, but that has the opposite problem. IPv6 addresses are too cheap to meter and using a thing for proof of stake requires the thing to be scarce.
So the thing to show for it is that you can field test your solution prior to the day of Spam Armageddon when a spammer realizes they have a botnet with access to a million billion IPv6 addresses.
"The problem isn't unique to Tor. It's anything that allows a spammer to use the same IP address as innocent people, including things that aren't exactly legal, like compromised PCs and routers. "
That's sort of true. It's technically true that any I.P. address might be the source of malice. Yet, Tor's I.P. addresses will steadily be the source of a ton of malice with no resolution of that problem. Quite different than what happens when someone's ISP tells them there's malware on their machine. There's also economics involved where people have to pay for those machines and are therefore more likely to use them for other, profitable activities. Probably why we see less spam from those accounts.
What remains are WiFi hotspots, libraries, etc. Apparently, they're not drowning services in hatemail and spam because they're still allowed. They could but few are complaining about them.
"And the problem is going to get worse as a result of IPv4 address exhaustion because some ISPs are going to have to start using carrier grade NAT (and some already are). "
Good call. I saw this coming. There were already talks by Ross Anderson IIRC about how critical it was for forensics to get the port number and time-stamp since CG-NAT would make I.P.'s useless. Already is in some areas.
"So the thing to show for it is that you can field test your solution prior to the day of Spam Armageddon when a spammer realizes they have a botnet with access to a million billion IPv6 addresses."
Haha. Interesting way of looking at it. I'm more worried about the routing tables, though, if IPv6 got massive surge of traffic. Never looked to see if they fixed early concerns about how well Tier 1-3 HW would handle it vs IPv4.
If you're a business, you can't. There's a decision to make:
1. Focus on benefiting anonymous people who either don't contribute shit back to the business or barely do. Freeloaders.
2. Focus on benefiting the founders, customers, and employees (in that order). If you loose some freeloaders, then so be it. If it's their design decision, then so be it time 10. They can always set up an unrestricted forum for people like them to discuss the article and deal with security headaches they bring in.
Wait, No 2 seems to work as most readers and the company are benefiting except for the few that choose not to.
If you can't prevent the spam by other means than IP blocking then maybe you should make your website read-only.