Web of distrust

I moderate a reasonable number of forums, both as the "owner" and generally as a service to others (still working on getting paid for those services). Mostly I work for free or for myself, which means I'm one of those overworked moderators.

Now, there are the various social dramas as a forum gets larger, but most of my work is dealing with spammers. And, since spamming comes in waves, it gets *very* annoying because I'll be handling dozens an hour. Right now, I have automated accounts signing up for my blog, which just screams I'm going to be hit by spammers, but I really don't want to remove an account that might be accidentally good. I know that sales@mortgageloanscheap.com is a spammer, but others... I'm not entirely sure.

There are a number of sites out there that try to protect from spam, but I haven't found the magic combination that works because as soon as it works, three months later, they start getting through again.

Most of the communities I work with are relatively small (<20k people or <100k niche) and anonymous. Things like Google+ and Facebook, with their intolerant views of handles/pseudonyms, are useless for that, plus *I don't trust them*. Email, on the other hand, is pretty much universal in this day and age. It allows handles (dmoonfire in my case) and you can make it private or public as you want.

There are already services that are based on emails, such as Gravatar and other avatar services, so this isn't entirely bad. Though, a simple REST-based API for spammers based on email... that would be pretty interesting.

Another idea I have is SSH keys. When I was getting into Debian development, I had to get an SSH key for my email address. And then, go find another Debian developer so they could meet me in person. It ended up being a great conversation and dinner and I joined the Debian developer "web of trust" as he signed my key that said "I actually met Dylan and he's real and who he claims to be."

Now, for an anonymous community, you don't need the physical verification. If the trust network is based only on online presence, then I would treat it as an online trust network but it would still be a web of trust. If I trust three handles and all three of those handles trust the fourth, then there is a good chance I'm going to trust them.

I think SSH can do that. You can build an SSH web of trust among the community and use that to help fight against spammers. I'd put fewer restrictions on someone trusted by someone else on the forum and more on the unknowns of the community.

If an email does get compromised, SSH has a revocation system plus you can distrust a link and have it remove all of the associated links beyond that if they are all based on a single user. Those with multiple trust connections can survive a revocation because they are "known" by other people.
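The trust rule and the revocation behaviour described above can be sketched independently of the key format. This is an added example, not code from the original post; the function name, the handles, the vouch list and the threshold of two vouchers are all assumptions made for illustration.

```python
from collections import defaultdict

def trusted_handles(roots, vouches, threshold=2, revoked=frozenset()):
    """Return every handle backed by enough trusted vouchers.

    roots     -- handles the moderator trusts directly
    vouches   -- iterable of (voucher, vouchee) pairs, i.e. key signatures
    threshold -- distinct trusted vouchers a non-root handle needs
    revoked   -- handles whose keys are revoked; they and their vouches are ignored
    """
    vouchers_of = defaultdict(set)
    for voucher, vouchee in vouches:
        # Self-signatures and signatures made by revoked keys never count.
        if voucher != vouchee and voucher not in revoked:
            vouchers_of[vouchee].add(voucher)

    trusted = set(roots) - set(revoked)
    changed = True
    while changed:  # grow outward from the roots until nothing new qualifies
        changed = False
        for handle, vouchers in vouchers_of.items():
            if handle in trusted or handle in revoked:
                continue
            if len(vouchers & trusted) >= threshold:
                trusted.add(handle)
                changed = True
    return trusted

# Constructed sample data: three handles the moderator trusts, plus their vouches.
ROOTS = {"alice", "bob", "carol"}
VOUCHES = [
    ("alice", "dave"), ("bob", "dave"), ("carol", "dave"),
    ("alice", "erin"), ("bob", "erin"),
    ("dave", "frank"), ("erin", "frank"),
    # Unknown accounts vouching for each other gain nothing without a trusted voucher.
    ("mallory", "spam1"), ("spam1", "mallory"),
]

if __name__ == "__main__":
    print("trusted:", sorted(trusted_handles(ROOTS, VOUCHES)))
    # Revoking bob: dave keeps two vouchers and survives; erin drops to one
    # voucher and falls out, which in turn takes frank with her.
    print("after revoking bob:", sorted(trusted_handles(ROOTS, VOUCHES, revoked={"bob"})))
```

Because trust is recomputed from the roots each time, a revocation cascades automatically and a ring of accounts that only vouch for each other never becomes trusted.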

There are a lot of hard parts to this idea. One, getting people in a niche community to actually set up SSH keys and sign each other. Two, getting forum software to actually use SSH keys as a part of the 'trust' network and then allow that to be used for filtering or permission sets. And finally, getting enough critical mass that it works.

I'd love to see it happen.