Chad Perrin: SOB

26 April 2006

a bit about the blog spam situation

Filed under: Metalog — apotheon @ 06:59

I started getting a lot of blog spam a little while ago. I started using the automatic post moderation feature that sends posts into moderation if they contain too many links. This worked for a little while, though I still had to delete the posts from the moderation queue myself. Better that than getting false positives and never knowing it, I reasoned.

I started getting hit by blog spammers who included only one link in the body of the comment, or no links at all, and only used the ability to use a URL to make a link of the poster’s name to create links to whatever they were spamming. I of course was somewhat troubled by this, and after a while of deleting several a day I decided to change things.

I instituted a policy here at SOB where anyone that wanted to post a comment needed to register. Thus far, I haven’t gotten any blog spam at all, and the amount of discussion that my posts generate doesn’t seem particularly reduced by this. Of course, a problem here is that potential legitimate discussion that doesn’t happen is never noticed: I don’t know if someone refuses to comment due to the mandatory registration. I’m considering removing the necessity of an email address when someone registers, because I know that might be a barrier to casual commenting even when it isn’t spam, but I’m also hesitant to open the door even that much to spammers.

It was suggested by a reader known here as Alex that I should use Akismet and the WordPress Spam Image plugin, in his comments to my entry about requiring registration. I’ve looked at Akismet, and it appears to be a heuristic spam filter based on spam example blacklists, which if well-executed would be an excellent approach to the matter. I’ve chosen to eschew it for now, however, for reasons not easily articulated. Perhaps I’ll revisit this later. The Spam Image plugin looks easy to use and probably reasonably effective, though as long as I require registration I’m not sure it’s actually necessary. I’ll have to think about it.

Speaking of the Spam Image plugin, there’s something similar being used over at Chip’s Quips, another weblog I make an effort to follow. He always has interesting stuff to say, and has said quite a bit about blog spam. In particular, he seems disappointed with the performance of WordPress in blocking spam based on my own reports in comments to his weblog, but he probably shouldn’t be: I’ve done almost nothing about stemming the tide until I started requiring user registration to post comments, and I’ve done nothing since. I haven’t actually used any of the more advanced anti-spam technologies available to WordPress users, and thus really don’t have anything to say about them, positive or negative, except as a visitor who compares what he sees on others’ weblogs. What I see is this:

The image plugin being used to keep spammers out of Chip’s Quips is awful. Half the time, the characters you have to enter aren’t even legible to the visitor, let alone to a spambot. I tried to comment on this a couple times, and couldn’t get through the spam filtering to post the commentary, so I gave up. Sorry, Sterling: I’d rather have told you in a less public way than this, but I can’t get through. It’s like those child-proof caps that some manufacturers use that are so effective they even keep the adults out. This is the flip side of the “false positives” coin, and something I really would like to avoid: I don’t want to make it difficult for people to post legitimate commentary. I’m going to try to alert him to this post with a comment to one of his, but I don’t know if it will get through. I recommend checking out his posts on the matter of blog spam, in any case, which are basically all linked-to through this entry about ham, and jam, and spam.

13 Comments

  1. note: I got the comment through, but it took three tries.

    Comment by apotheon — 26 April 2006 @ 07:04

  2. His anti-spam image is much harsher than mine or others I’ve seen. Since everything in WP is done in PHP perhaps one could improve upon the methods used to make the image.

    BTW, will you let me know if my images are too illegible? I’m always logged in to my journal so I never see that stuff.

    Comment by Alex — 26 April 2006 @ 09:31

  3. On the contrary . . . if anything, I’m just wondering how long it’ll be before a spambot that can circumvent your anti-spam images happens by. It’s very legible. I’m not sure if anyone’s really trying to come up with spambots that can read images, though, so you might be safe for years to come. There are plenty of weblogs that don’t use that sort of protection at all, after all.

    edit: Low-hanging fruit, y’know. Go after the guy whose security sucks.

    Comment by apotheon — 26 April 2006 @ 09:43

  4. Ouch! OK, ignore my question to your comment. I think I’ll have to turn off CAPTCHA and just wade through the spam again. I’d rather have that than turn back the discussion.

    My CAPTCHA came as an option with the blog script I use, which is Marko’s muBlog. I haven’t examined the PHP it uses for that.

    OK, I’m back to thinking it’s time to move to WordPress.

    Thanks for the input.

    Comment by SterlingCamden — 27 April 2006 @ 07:54

  5. oops — not well formed HTML in that last comment. Sorry. Brain fritz again.

    Comment by SterlingCamden — 27 April 2006 @ 07:55

  6. Done.

    Comment by SterlingCamden — 27 April 2006 @ 11:45

  7. I removed the extraneous anchor tags for ya.

    I need to find a comment preview plugin for WordPress. Seriously.

    Oh, yeah, and keep posting relevant links here. I always appreciate your commentary (along with everyone else’s so far, blam spomments notwithstanding) and links, particularly when those links lead to things that link back to me.

    Comment by apotheon — 27 April 2006 @ 01:54

  8. Even if they did manage to circumvent the image, they’d have to get past Akismet. I have both employed at the same time. No spam at all anymore.

    Comment by Alex — 27 April 2006 @ 09:15

  9. […] Apparently, blogger spam is still a big issue. It was for me as well until I employed two methods to not just stem the tide of visible spam (the first method employed I still had to delete the crap after it was posted), but preventing it completely. I use a legible anti-spam image verification system for Ameliorations; I also keep Akismet active, just in case. Any of you other bloggers having problems with spam and use WordPress, let me know and I’ll point you toward both anti-spam measures that I use. […]

    Pingback by Ameliorations » Boys and Girls in Toyland — 28 April 2006 @ 10:57

  10. Do the images have to be unintelligible? Samizdata’s images always appear quite readable.

    Comment by h3st — 28 April 2006 @ 01:33

  11. Well, no, they don’t have to be unintelligible. That’s sorta the point. While I’m sure they’re very good at blocking spambots, the images previously employed at Chip’s Quips (he has now apparently fixed that issue) were also good at blocking users: by contrast, the images used at Ameliorations are quite legible, and still probably do a reasonably good job of blocking spam. It all depends on what you use to generate the images.

    By the way, I hope everyone likes the new post preview functionality.

    Comment by apotheon — 28 April 2006 @ 01:53

  12. […] BTW, apotheon posted today on this whole blam spomment plague. My mistake earlier, apparently he hasn’t employed Akismet yet. Methinks converting to WordPress might be a good plan for me after all. For a lot of reasons. Support for pings and trackbacks are two more. Not to mention having a field for the commenter’s URL. I could add all of that to the PHP script I’m using, but who has the time? Yep, think I’ll jump ship — when I have the time for the conversion. […]

    Pingback by Waffling on spomment prevention -- Chip’s Quips — 27 May 2006 @ 10:07

  13. […] Back in April, I wrote about how I addressed the problem of blog spam at the time. We might consider, in this case, comments to be analogous to people and blog spam comments to terrorists, all of which are trying to get into the “country” of SOB: […]

    Pingback by SOB: Scion Of Backronymics » the importance of false positives — 15 October 2006 @ 02:40

All original content Copyright Chad Perrin: Distributed under the terms of the Open Works License