In recent times, many blacklist entries have been added while bending the rules. We should adapt the rules if they are not consistent with our actual practice.
One common such pattern is for spam from a single account during a short time period, all below auto.
My proposal would be to add this to qualify for 3/3 blacklisting in addition to the "part of a campaign" criterion (which should probably be clarified as well, actually; or maybe we want to call this a special case of campaign?)
Please leave thums up or thumbs down on this proposal:
I'm leaning towards a single account being a reason not to blacklist, because 1) we get "Blacklisted user" tracking, and 2) it could be a one-off, misguided attempt at self-promotion rather than a strong spam campaign.
That being said, I feel like I've been much more strict than everyone else lately -- it's possible either the room's culture or my attitude shifted while I was away.
I'm leaning towards a single account being a reason _not_ to blacklist, because 1) we get "Blacklisted user" tracking, and 2) it could be a one-off, misguided attempt at self-promotion rather than a strong spam campaign.
@NobodyNada frequently, it isn't actually a single account, but rather an individual creating a bunch of new accounts.
@WELZ-gh If it’s an individual creating a bunch of new accounts, that is a much more clear demonstration of malicious intent than if the spam came from just one account.
I don’t mind lowering the blacklist criteria in some circumstances, but I’m not convinced “spam from a single account during a short time period” is the correct criteria.
@NobodyNada yes, but there have been instances which happened like I said, though I'm not sure if that's exactly what @tripleee is referring to.
I don’t mind lowering the blacklist criteria in some circumstances, but I’m not convinced “spam from a single account during a short time period” is the correct criteria.
I agree, if it comes from the same exact user it may not always be necessary. (Though, this frequently happened during less active hours and BLU and Potentially Bad Keyword just isn't enough to trigger autoflags.)
Thanks for the remarks. So can we have an updated proposal for the wording, "similar or identical but distinct user accounts"?
I would like to first see some data. How often has a watched website become fp on the 4-5th instance? I am not an SQL guru - therefore I'm not sure how difficult it would be to gather such data. If the answer is _never_ then there may be a strong case for this to be implemented. I personally don't feel that it's _necessary_ to make any changes - waiting for 2 more tp's is not really a big deal.
I also think since 'gamification' has been brought up recently - people who are constantly adding items to the blacklist prematurely probably should fall into that category as well. If we think that people being the first to feedback a post is gamification to see their name popup, then perhaps being the first to make the decision of a keyword/website/phone number is blacklist-worthy can also be considered this.
I am leaning more towards "let's just leave this alone", but I am okay with either decision. 3 tp's to me just doesn't necessarily warrant a blacklist imo, unless the domain is completely obvious, i.e. _freemalwarez.tk_.
Edit: I should also add the type of watch can also make a difference as well. Obviously an offensive keyword could probably be blacklisted on the first hit, as well as special cases (unique usernames, obvious spam phrases, etc). _My response above was aimed primarily towards websites._
I don't inherently have a problem with putting things on the blacklist more aggressively. However, I think it's a bad idea at this time, given our current practices.
The criteria we have for the blacklists are intended to be good predictors of the pattern's long-term %TP rate. Currently, people are very eager to put things on the blacklist, but almost nobody checks on when things should be removed from the blacklist. If we were as diligent about removing patterns from the blacklist when they get FP that drop them below the %TP target for the blacklists, then it might be reasonable to set a lower initial criteria for putting patterns on the list.
Basically, with the criteria that we have of 5 TP and 0 FP, patterns should be removed from the blacklist if it gets any FP in the next 20, or so, detections (assuming we're wanting to keep the blacklist %TP at about where it currently is). The problem is that nobody is in the habit of checking for FP generated by blacklist terms and removing them when they don't meet the %TP which the blacklist is intended to maintain (that criteria is unclear, but I've assumed the goal is to maintain about what we already have).
A couple of examples:
10\W?cloud was placed on the blacklist at 3 TP and over the next year got 5 FP and no additional TP, but was not removed from the blacklist until today.cloudways\.com was placed on the blacklist with 3 TP then got 7 FP and 1 NAA prior to picking up another 1 TP; after which, it got an additional 3 FP and 1 NAA, for a total of 1 TP , 10 FP, and 2 NAA in the 3 months it was on the blacklist.So, my opinion is that we should improve our ongoing maintenance of the blacklist by removing patterns that drop below the %TP we intend to target, prior to loosening up the criteria for things to be placed on the blacklist. When it has become habit for people to check on the bad keyword pattern that got an FP and downgrade the pattern to a watch, if it's fallen below the blacklist target %TP, only then should we be considering loosening the criteria for putting things on the blacklists.
Obviously, there are going to be exceptions to the criteria, but the exceptions shouldn't be rampant.
Most helpful comment
I would like to first see some data. How often has a watched website become fp on the 4-5th instance? I am not an SQL guru - therefore I'm not sure how difficult it would be to gather such data. If the answer is _never_ then there may be a strong case for this to be implemented. I personally don't feel that it's _necessary_ to make any changes - waiting for 2 more tp's is not really a big deal.
I also think since 'gamification' has been brought up recently - people who are constantly adding items to the blacklist prematurely probably should fall into that category as well. If we think that people being the first to feedback a post is gamification to see their name popup, then perhaps being the first to make the decision of a keyword/website/phone number is blacklist-worthy can also be considered this.
I am leaning more towards "let's just leave this alone", but I am okay with either decision. 3 tp's to me just doesn't necessarily warrant a blacklist imo, unless the domain is completely obvious, i.e. _freemalwarez.tk_.
Edit: I should also add the type of watch can also make a difference as well. Obviously an offensive keyword could probably be blacklisted on the first hit, as well as special cases (unique usernames, obvious spam phrases, etc). _My response above was aimed primarily towards websites._