Abuse and Misuse of WAVE
August 19, 2008
Since it was launched in January, the server version of WAVE has processed nearly 500,000 distinct WAVE reports! We are thrilled that it has been so popular.
We spend a lot of time monitoring WAVE to make sure it is functioning properly and is not being abused/misused. Recently, there has been a great increase in the number of automate bot and spam submissions to WAVE. This has resulted in degraded performance for legitimate users. WAVE now includes some tests to guard against this type of misuse.
The newly updated WAVE code now detects most automated spam submissions. It has better checks for properly formatted URLs, ensures that uploaded code is submitted from the WAVE homepage, detects inappropriate content, and a few other things. WAVE now auto-blacklists IP addresses that are misusing WAVE. After 10 instances of abuse, the IP address is automatically blacklisted.
Identifying less blatant abuses of WAVE is very difficult. WAVE limits the number of submissions per minute and hour and day. These limitations are to ensure that all users have access to WAVE and that some users are not misusing WAVE or automating WAVE reports (something that is against our Terms of Use, though we do grant permission to do this in certain instances). Despite these limitations, we’ve had one IP address that has processed 6700 WAVE reports and 20 distinct IP address have run over 1000 WAVE reports! There are certainly some power-WAVE users out there!
Distinguishing between users that use WAVE a lot and bots is very difficult. To ensure better performance for legitimate users, we have loosened the limitations on the number of reports that can be processed in any given time period, but at the same time have implemented much harsher penalties for going over those limitations. When a user surpasses the limitations or submits automated or spam-like content to WAVE, they are given several warnings. Continued abuse will result in an automatic blacklisting of their IP address.
We know of several instances where WAVE reports have been implemented into quality assurance, content management, and site authoring systems. We are thrilled that WAVE is being used in such ways and want to ensure that such uses of WAVE do not result in a blacklisting. If you are interested in using WAVE to perform automated or site-wide reports or if you want to automatically post content directly to the WAVE result page (e.g., bypass the homepage), please contact us and describe how you are using WAVE. If appropriate, we can add your IP address to a whitelist or provide a key that bypasses many of these tests.
We hope these changes improve WAVE for everyone. We plan to continue monitoring and make further tweaks or changes in the future as necessary as we continue our efforts to make WAVE the best accessibility evaluation tool available.
I also face many challenges with automated spam robots and such submitting spam to sites that we build. I just wanted to post a quick comment about how important the WAVE project is, and how much developers such as myself appreciate. Thank you all for your hard work, and for such a useful tool that is much needed.
Keep up the great work.
Brian, thank you for your kind words. I wrote a blog entry some time ago that outlines many accessible approaches to limiting bot submissions – http://www.webaim.org/blog/spam_free_accessible_forms/
We’ve implemented a few of these approaches on WAVE. Since implementing the new code a little over 24 hours ago, we’ve already stopped 1042 bot submissions from 348 unique IP addresses!
Jared,
When it became available, I stated using the WAVE toolbar which in combination with the Web Developer Toolbar does everything I require. If enough people are doing the same, the contention should be diminished. Of course that doesn’t give you an accurate count of the number of WAVE users and uses unless the toolbar calls the server. Does it?
I have had hands-on training classes use the WAVE server version in the past. Depending upon the limits per minute and hour and the way users and uses are counted could this present a problem now?
The question recently came up whether WAVE could still be tailored to evaluate Section 508 compliance rather than WCAG. That was available in WAVE 2.x but now?
Larry Hull, Emeritus
Accessibility Engineer
Larry G. Hull said:
No. The toolbar functions entirely independent of any server interaction. It sure was tempting for us to get an idea of how much the toolbar is used, but we opted for higher independence and security instead. We do know it has been downloaded thousands of times. And that it is installed in a lot of active Firefox installations – we can tell because Firefox checks for updates occasionally.
Probably not. The time limits are pretty high – 10 reports per minute and 60 reports per hour. It is not likely that legitimate use of WAVE would go over these limits. And these limits are by IP address, so this shouldn’t affect a training setting. If it does, let us know. We want to ensure that legitimate users are not limited.
We could indiscriminately decide which rules are part of 508 and which aren’t and then provide a report that only flags these things, but because of the varying interpretations of guidelines, we would be forcing our interpretation of Section 508 onto our users. We might think that something is part of Section 508 and you might disagree. For instance, we might interpret redundant alt to be a violation when you clearly see it as something not restricted in Section 508. There are MANY cases like this.
We are working on an enterprise version of WAVE that will allow customization of rules and even user-generated rules. This would allow users to specify exactly what WAVE will do. But for now, we have chosen to flag everything we can, then leave it up to the user to decide if they want to ignore our error or warning because it is not part of a guideline they are trying to become compliant with.
I’m just glad you smart people didn’t think it was a good idea to put image verification on the submission process.
I would have giving up with web design and lost the will to live if an accessability tool required me to do that!
Well done on the 500,000 submission mark