Evercookie - chaosmachine
http://en.wikipedia.org/wiki/Evercookie

======
barmstrong
I've found Evercookie to be really useful in eliminating spam.

Despite having captchas and per user send limits on my site, Nigerians were
submitting tons of forms through my site a while back trying to trick users
with the same scams that are popular on Craigslist. They know to clear their
cookies, etc. Adding Evercookie cut down on the number of spam messages
considerably just by keeping a count of the number of messages sent from a
particular computer and blocking messages after more than a certain number per
day.

Perhaps most satisfying, I implemented it so the message appeared to have been
sent successfully even when it was blocked. So there are Nigerians happily
working away all day "sending" messages on my site still thinking it is
working. I sometimes get hundreds of blocked message notifications per day.

~~~
smokinn
If you're already implementing messages like that another fun thing to do when
the person goes way past the threshold is start making the site slow/buggy.
Add in random sleeps, redirect to a random valid or error page, etc. Basically
make the site increasingly buggy. The added benefit is that it breaks any
automated scripts people might be scamming with.

That's what I did when we marked an account as obvious spam. Usually that was
when an account was created and the same or next day sent 1000+ messages to
random other users. Basically the person using the account would think the
messages got sent but really they usually hit either a keyword/bayes
moderation or a similarity throttle and the messages were put into a
moderation queue rather than delivered immediately. Once the moderator picks
"obvious spam", for that account the site gets buggier and buggier for 30 days
until the account gets completely shut down and the person can't log in with
it anymore. I did that for 30 days because I didn't want to warn them their
account had been flagged and just have them create a new one.

Basically it's a spammer tarpit.
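
One way to wire together the two schemes described in the comments above (barmstrong's per-device daily cap where blocked messages still look sent, and smokinn's tarpit that degrades the site for 30 days before locking the account out) is sketched below. This is an added example, not code from either commenter or from the Evercookie project; it assumes the application already derives a stable `device_id` per client (however it chooses to persist it) and that a moderator action calls `mark_obvious_spam`. The cap of 20, the 30-second delay ceiling and the delay/redirect formulas are assumed values; the thread gives no numbers beyond the 30 days.

```python
"""Per-device message throttle with silent blocking and a spammer tarpit.

Added example; not code from the thread. Assumes the application supplies a
stable device_id per client and calls submit() once per attempted message.
"""
import random
from collections import defaultdict
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
DAILY_LIMIT = 20        # assumed cap; the thread states no number
TARPIT_DAYS = 30        # degrade for 30 days, then lock out (smokinn's scheme)
MAX_DELAY_S = 30.0      # assumed ceiling on the artificial sleep


@dataclass(frozen=True)
class Decision:
    deliver: bool        # really hand the message to the recipient?
    show_success: bool   # what the sender's browser is told
    delay_s: float       # artificial sleep to add before responding
    redirect: bool       # bounce the client to a random valid/error page instead
    locked_out: bool     # device is finished; refuse login entirely


class DeviceThrottle:
    def __init__(self, daily_limit=DAILY_LIMIT, tarpit_days=TARPIT_DAYS, seed=None):
        self.daily_limit = daily_limit
        self.tarpit_days = tarpit_days
        self.rng = random.Random(seed)
        self._counts = defaultdict(int)   # (device_id, day) -> attempts that day
        self._flagged_day = {}            # device_id -> day a moderator flagged it
        self.blocked = []                 # (device_id, now): operator's notifications

    def mark_obvious_spam(self, device_id, now):
        """Moderator verdict: start the tarpit clock for this device."""
        self._flagged_day.setdefault(device_id, int(now // SECONDS_PER_DAY))

    def submit(self, device_id, now):
        """Decide what to do with one message attempt at unix time `now`."""
        day = int(now // SECONDS_PER_DAY)
        self._counts[(device_id, day)] += 1
        count = self._counts[(device_id, day)]

        if device_id in self._flagged_day:
            age_days = day - self._flagged_day[device_id]
            if age_days >= self.tarpit_days:
                # tarpit period over: account is shut down, login refused
                return Decision(False, False, 0.0, False, True)
            # tarpit: the longer the device has been flagged, and the further
            # past the cap it is today, the slower and flakier the site gets.
            # Nothing is delivered, but the sender still sees "sent".
            overshoot = max(count - self.daily_limit, 0)
            delay = min(1.0 + 0.5 * overshoot + 2.0 * age_days, MAX_DELAY_S)
            redirect = self.rng.random() < min(0.05 + 0.05 * age_days, 0.5)
            self.blocked.append((device_id, now))
            return Decision(False, True, delay, redirect, False)

        if count > self.daily_limit:
            # silent block: sender sees success, nothing is delivered,
            # operator gets a notification to review
            self.blocked.append((device_id, now))
            return Decision(False, True, 0.0, False, False)

        return Decision(True, True, 0.0, False, False)


if __name__ == "__main__":
    t = DeviceThrottle(daily_limit=3, tarpit_days=30, seed=1)
    for i in range(5):
        print(i + 1, t.submit("device-constructed-1", float(i)))
    t.mark_obvious_spam("device-constructed-1", 0.0)
    print("tarpit:", t.submit("device-constructed-1", 10.0))
```

The daily count resets on its own, so a legitimate user who has a busy day is only blocked until midnight, while the tarpit and lockout apply only to devices a moderator has explicitly flagged. Keeping the `blocked` list separate from the delivery path is what gives the operator the "hundreds of blocked message notifications per day" without the sender learning anything.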

------
lloeki
Barring all ethical issues aside, while most are just "use whatever other
readily available storage", I enjoyed this hack of a storage method:

 _"Storing cookies in RGB values of auto-generated, force-cached PNGs using
HTML5 Canvas tag to read pixels (cookies) back out"_

------
robinduckett
This, on Linux, is defeated by Chrome's Incognito mode. It's why I didn't use
it to track spammers on ragechat.com.

Edit: that, and it tries to use silverlight to store some silverlight based
cookies, and people would just get big "Install Silverlight!" button/adverts
coming up.

~~~
jjcm
Careful though: older versions of Flash will still store cookies even if
you're in incognito mode
(http://www.google.com/support/forum/p/Chrome/thread?tid=072def08b84998f8&hl=en).
This is especially true with many Linux installations, as oftentimes they
have older versions of Flash for compatibility purposes (64 bit Flash...
ugh...)

------
oniTony
Evercookie is the herpes of user tracking. Wear protection (don't run
JavaScript from untrusted websites).

Still, there are some interesting ideas for places to hide trackers. I wonder
which parts actually survive (as wiki suggests that something does) after
doing a full "clear browsing data" on something like Chrome (which comes with
a super helpful link to clear Flash cookies).

~~~
lloeki
Also, isn't the best way to defend against this once it's there not to try to
clear it only to have it come back later, but to shuffle its content so much
that its perpetrator can't make use of it? The core of it is its resiliency
thanks to redundancy, so let's corrupt it so that the information becomes
noise.

~~~
jamesbritt
Indeed. I would love a browser plug-in that fucked with cookies and spread
disinformation.

------
yannickmahe
Awesome, my client requested just that for his project.

I wish I was kidding.

~~~
Refringe
Evercookie isn't evil, it's just a tool; it's how you use it that matters.
Using it to keep track of users for spam or troll purposes is perfectly fine
to me.

------
mcav
Some communities seem to act like magnets for trolls and abusive behavior. I
use evercookies on one of my websites to keep the trolls out. Works
tremendously well. It has allowed the community there to really flourish,
absent petty personal attacks and troublemakers.

------
jarin
I wouldn't be surprised to find out that this is already in use by ad
networks.

~~~
gyardley
I would be, at least for ad networks based in the United States or Europe. The
rhetoric around online privacy has gotten rather heated lately, and they're
trying to avoid government regulation by being on their best behavior and
trying to self-regulate. Evercookies are the opposite of that - it'd be like
holding up a sign saying 'make me a target'.

Back when things were a little less heated (aka a couple of years ago), some
companies did use a combination of cookies and Local Shared Objects in order
to provide redundancy - information deleted from one was later restored by the
other. Those companies have almost certainly stopped.

Not that it indicates any wrongdoing, because there's a class-action lawsuit
for _everything_ remotely advertising-related, but there's been a ton of
class-action lawsuits in the Flash cookie space. I believe the ones involving
actively rewriting deleted information have largely been settled, and now it's
mostly lawyers trolling companies for the use of Flash cookies to store _any_
type of information more complicated than a volume setting.

For a recent example, search for Del Vecchio vs Amazon.

~~~
jarin
Ah very cool. Tangentially related: I've been helping a client get some
affiliate marketing set up, and the email-based affiliates require CAN-SPAM
compliance. Basically, this requires a generic unsubscribe link where people
can put in their email address to be added to a "suppression file" blacklist,
which the affiliates can then download. It's intended to act as a shared
blacklist when you're working with multiple affiliates, but I'm wondering
what's to stop someone from just harvesting suppression files?

~~~
iigs
I believe CAN-SPAM has provisions against that, but several vendors have
standardized on storing the suppression files as a list of md5s. Of course
that is not bulletproof (the source space is small, especially among the big
mail providers) but at the moment it seems to have shifted the economics
favorably.

------
trurl123
This page was nominated for deletion on 27 October 2010.

~~~
Herald_MJ
The result of the discussion was nomination withdrawn.
