Strategic Website Usability

My anti-spam experiment

Long before my legitimate traffic started to pick up on the debabblog, the blog spammers arrived. Since I programmed my blog from scratch, I experimented with a number of ways to deal with that spam, and a recent conversation over at The Hot Iron made me realize that what I learned during that experiment might be useful to other bloggers. Of course, this information might also be useful to spammers, but I think the benefits outweigh the risks.

For starters, I should mention that I wanted to avoid two things: active moderation and captchas (those distorted word-images that users have to type in for verification). Moderation, besides being time-consuming, takes away the immediacy of commenting, which I think is important, and captchas are notoriously bad from a usability standpoint. So, here are some of the tricks I did try:

(1) Form submission timer
I originally assumed that most of the spam was automated, so I surmised that it would hit the submission page directly and with almost no delay (no one had to compose the message). I put a timestamp in the form and compared that on submission. This had almost no effect, as most of my blog spam seemed to be human-entered.

(2) Hidden button trap-door
Also under the automation assumption, I switched my standard form submit to an image-based button and then added a 1x1 pixel image button in front of (in the code) the real submission button. That hidden button was meant to be a trap-door for automated form submissions, whereas human users wouldn't even see it. The tactic worked, but, again, I found that the vast majority of my spammers were people, not programs.

(3) Information requirements
I eventually disallowed anonymous posts and required a name and email address. Yes, these can be easily faked, but even a small amount of accountability did discourage some of the human spammers.

(4) Link/URL threshold
Finally, and this was easily the most effective technique (which I still use), I started counting the links in the comments. Specifically, I counted instances of "http" and "url=". Virtually all spam comments contain links, and very few human comments do; I fairly easily found an appropriate threshold that, in a month of testing, blocked no legitimate users and over 95% of spam. Of course, spammers could circumvent this filter by not linking out in their comments, but that would also completely negate the point of the spam.
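The four checks above, combined into one server-side filter, as an added example that is not the code behind this blog. The timestamp is HMAC-signed here so a client cannot backdate it, which goes beyond what the post describes; the secret, the time limits, the link threshold and the `send0` trap-button name are all assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: per-site secret, kept server-side
MIN_SECONDS = 5                    # assumption: fastest plausible human comment
MAX_SECONDS = 24 * 3600            # assumption: form tokens expire after a day
MAX_LINKS = 2                      # assumption: the post does not give its threshold
TRAP = "send0"                     # hypothetical name of the hidden 1x1 image button


def issue_token(now=None):
    """Timestamp embedded in the form, signed so the client cannot alter it."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def count_links(text):
    """Count the two markers the post names: "http" and "url=" (forum-style tags)."""
    lowered = text.lower()
    return lowered.count("http") + lowered.count("url=")


def check_comment(form, now=None):
    """Return (accepted, reason) for a dict of submitted form fields."""
    now = time.time() if now is None else now
    # (1) Timer: verify the signature first, then the age of the form.
    ts, _, mac = form.get("token", "").partition(".")
    good = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not ts.isdigit() or not hmac.compare_digest(mac.encode(), good.encode()):
        return False, "bad-token"
    age = now - int(ts)
    if age < MIN_SECONDS or age > MAX_SECONDS:
        return False, "timer"
    # (2) Trap: an <input type="image"> submits NAME.x / NAME.y click coordinates.
    if TRAP in form or f"{TRAP}.x" in form or f"{TRAP}.y" in form:
        return False, "trap-button"
    # (3) Name and email required; email needs text on both sides of an "@".
    name, email = form.get("name", "").strip(), form.get("email", "").strip()
    if not name or "@" not in email.strip("@"):
        return False, "missing-identity"
    # (4) Link threshold.
    if count_links(form.get("comment", "")) > MAX_LINKS:
        return False, "too-many-links"
    return True, "ok"
```

Returning a reason code per rejection makes it possible to log which check fired and tune the threshold against real comments, as the month of testing described above did.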

Unfortunately, I'm sure spam is here to stay with us for quite a while, but my experiment was surprisingly successful. I admit that, as a coder, I find the cat-and-mouse game almost fun, but as a blog administrator, I hate wasting my time with opportunistic morons. I'd love to hear from others about successes they've had in combating blog spam.

Sean

 · Tuesday, April 3
I just implemented a captcha on my blog. My spam was interesting in that it was targeting just one post. When I turned commenting off on that post, I was still getting comments to it which must mean that it was being generated off-site and pushed to my site.

I hate captchas, but at the moment I'm stymied as to an effective countermeasure. Active moderation isn't too big of a deal, because with WordPress once I allow someone's comment to go through, all future comments are automatically allowed.

Dr. Pete

 · Tuesday, April 3
That's a handy feature. I may have to consider going to a packaged platform or using third-party anti-spam solutions at some point. I find the same thing on my spam targets; two main posts got picked up by somebody and must have been passed around, and those posts get the vast majority of my spam comments. Oddly, they're old posts that weren't even very popular.

Mike Maddaloni

 · Wednesday, April 4
Same here with the spam on the old posts. And I have opted to not have captcha and leave moderation on.

Maybe you should be selling your blog app, as it seems you have as many features as most of the packages out there!

mp/m

tom sherman

 · Friday, April 6
Akismet is nice and has an API, although it still lets through a couple per day to my blog.

Dr. Pete

 · Friday, April 6
I've heard good things about Akismet but didn't realize they had an API I could code around. If my spam problems increase, I may check that out.
©2008 User Effect, Inc.