Surprisingly, it didn’t require any verification beyond an Apple ID to join or post. Not surprisingly, it immediately began to ooze spam.

Apple has managed to clean the Ping system of this unwanted content, likely by identifying the offending accounts, then removing them and their spam.

The notion behind using only an Apple ID as verification may stem from the idea that most Apple product owners have used their Apple ID to purchase content and it therefore represents a real person with a real credit card. It then follows that Apple IDs have value to these users who wouldn’t want to risk them by posting spam.

The problem is that Apple IDs have no inherent security value. To create an account you fill out a form (name, email address, and password). No verification is done, making it incredibly easy for a script to generate Apple IDs that can then be used to post spam.

How do you protect users from these accounts? The most effective way is to use a strong Captcha. Using Captchas strategically can significantly reduce the amount of spam while minimizing the impact on legitimate users. A simple strategy is to require Captcha completion on the first number of comment posts. The longer a user is around without posting spam, the less likely it is they would see a Captcha. Another strategy is to show Captchas to users who have not made a purchase associated with their Apple ID, which would leverage the value of the ID.

As the battle between Ping and the spammers continues it will be interesting to see how Apple’s approach evolves. Will they continue with costly manual filtering? Or will they move to strategic deployment of Captchas?