David A. Wheeler
FYI, we have implemented some simple spam countering mechanisms on the best practices badge application.
Most trivially, whenever someone tries to create a project badge entry, they now see this:
Please tell us about your free/libre/open source software (FLOSS) project. This MUST be a FLOSS project; nothing else is permitted. Do NOT add an unrelated site to try to improve a site's search engine optimization (SEO). This spamming is forbidden because it harms users, and it will not help SEO anyway (all hyperlinks are marked with ugc and nofollow).We've also made some changes because we've noticed that so far all spam attempts so far use "local" accounts:
* After creating a local account, we intentionally delay activation emails by 5 minutes. We have our mailer do this, so we don't have to worry about maintaining a job service just to do this.
* After activating a local account, we intentionally delay any login to the account for 1 hour, and explain that it's an anti-spam measure.
For local users these changes are mildly annoying, sorry about that, but it should be acceptable while discouraging some spammers. Our understanding is that many spammers are trying to add their junk to as many sites as possible, so little roadblocks should make the badge site less enticing. Obviously it's possible to work around this, the goal is to make it not worth it. We'll continue to remove spam, too.
--- David A. Wheeler