Blog Usability: Avoid Spam Comments

Since yesterday, the volume of spam comments has gone up even more. Now we get 150 spam comments every 12 hours. (Yesterday it was 21 hours.) I promised to describe the countermeasures we have taken against spam comments.

What has that to do with usability? Well, in my opinion, irrelevant comments remove focus from the relevant content on the page and make your article less useful.

In the last 8 months we had 348 real comments out of 6,517 (the other 6,169 being spam comments we removed). Imagine what this blog would be like with 95% spam comments: each relevant comment buried in 20 spam comments.

In my opinion, spam comments in that amount make all comments unusable. Currently we’re only using two countermeasures to avoid spam:

What we have done

1. Use Akismet for WordPress

Akismet is a plugin for the blog software justaddwater.dk runs on. The plugin checks all comments and trackbacks collaboratively on a lot of blogs. If the comment is already known as spam, it’s never published. Here’s what other people are saying about it:

Before Akismet I was spending more time deleting spam than creating content. Now I can focus on actually blogging!

Sarah King

I think Akismet is the best automated spam killer that actually gets better as it learns from the whole community marking new spam comments as spam. It just WORKS.

Vinny Carpenter

As I mentioned yesterday, an occasional spam comment slips through the Akismet filter. We then mark it as spam, and this way Akismet learns from us so that other users can benefit.

2. Make a spam filter against BBCode like “[/url]”

We noticed recently that almost all of the comments that slipped through Akismet contained oddly formed codes like:

[url=spam.domain.com]Spam comment[/url]

This has been noted by many other bloggers including Sam Ruby (via Jeremy Voorhis) and Mike Haugland. To avoid this we’ve added another filter that holds a comment for moderation if it contains [/url]. We put that into the “comment moderation” field in the WordPress settings:

[Screenshot: WordPress spam settings]

These are the two things we’ve done, and they have caught all our spam comments the last days.

What we might do

We feel more is not necessary at the moment, but at some point these two measures will obviously not be enough. So we might do the following:

Remove standard URLs for posting comments

Recently, Thomas and I met with François Nonnenmacher, a French Capgemini employee blogging at padawan.info. He told us that he had been very successful by renaming the files that receive comments (in our case wp-comments-post.php). From his webserver log he saw that many spam comments still hit the standard comment file names.
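
The same check can be run against your own access log after a rename. This is an added example, not code from the original post: it counts POST requests that still target the standard wp-comments-post.php, assuming Apache's combined log format. The log lines and the renamed handler name are constructed.

```javascript
// Added example: find POSTs that still target the retired comment endpoint.
// The log lines are constructed sample data; the renamed handler is hypothetical.
const RETIRED_ENDPOINT = '/wp-comments-post.php';

const SAMPLE_LOG = [
  '192.0.2.10 - - [12/Jun/2006:10:01:02 +0200] "POST /wp-comments-post.php HTTP/1.1" 404 210 "-" "-"',
  '192.0.2.10 - - [12/Jun/2006:10:01:09 +0200] "POST /wp-comments-post.php HTTP/1.1" 404 210 "-" "-"',
  '198.51.100.7 - - [12/Jun/2006:10:02:30 +0200] "POST /wp-comments-post.php?x=1 HTTP/1.0" 404 210 "-" "Mozilla/4.0"',
  '203.0.113.5 - - [12/Jun/2006:10:03:00 +0200] "POST /comment-handler-renamed.php HTTP/1.1" 302 0 "http://blog.example/post" "Mozilla/5.0"',
  '203.0.113.5 - - [12/Jun/2006:10:03:05 +0200] "GET /wp-comments-post.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
  'truncated line without a request field',
].join('\n');

// Combined Log Format: host ident user [time] "METHOD target PROTO" status bytes ...
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) \S+/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  // Drop the query string so "?x=1" variants count against the same endpoint.
  return { ip: m[1], time: m[2], method: m[3], path: m[4].split('?')[0], status: Number(m[5]) };
}

function retiredEndpointHits(logText) {
  const perClient = new Map();
  let malformed = 0;
  for (const line of logText.split('\n')) {
    if (line.trim() === '') continue;
    const entry = parseLine(line);
    if (!entry) { malformed += 1; continue; } // count unparsable lines, do not hide them
    if (entry.method !== 'POST' || entry.path !== RETIRED_ENDPOINT) continue;
    perClient.set(entry.ip, (perClient.get(entry.ip) || 0) + 1);
  }
  // Busiest clients first, as candidates for blocking at the web server.
  const clients = [...perClient.entries()].sort((a, b) => b[1] - a[1]);
  const total = clients.reduce((sum, [, count]) => sum + count, 0);
  return { total, clients, malformed };
}

console.log(retiredEndpointHits(SAMPLE_LOG));
```

Since the real form no longer points at the old file name, every POST counted here came from a client that never loaded the current form.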

Encode forms with JavaScript

Thomas Baekdal recommended this trick in a comment yesterday: Remove the comment form in the HTML source code and replace it with JavaScript that generates the same HTML. This can be done with online tools like http://automaticlabs.com/products/enkoderform.

A variation of this would be to use DOM scripting to change the URL the form posts to via JavaScript. Example:

<form id="postform" method="post" action="illegal.url">

And then via DOM scripting change form.action to the proper URL (wp-comments-post.php).

// Look up the comment form and point it at the real comment handler
var obj = document.getElementById('postform');
if (obj) {
  obj.action = "wp-comments-post.php";
}

Moderate all comments before publishing

It’s also likely that we might toggle that setting in WordPress, to moderate all comments before they’re published. It’s of course a disadvantage to our readers that they can’t read what other people are saying until we approve it. But we might toggle this setting if it’s necessary and comment spam gets out of our hands.

What we won’t do

Captcha

A non-machine-readable image or similar. We probably won’t use that, because most implementations have accessibility issues for disabled users. See our earlier “Captcha usability revisited: Google inaccessible to blind people”.

15 Responses to “Blog Usability: Avoid Spam Comments”

  1. Jesper Rønn-Jensen Says:

    Unbelievable, but this comment actually slipped through just a few moments ago:
    spam comment

  2. padawan Says:

    Actually I’m using a combination of both renaming the comment script and the same javascript trick that you also mention. Not a single automated comment spam in two years and that without any anti-spam plugin! (Though I can’t say the same about TrackBacks unfortunately, which will remain disabled until I switch to either MT 3.3 or DotClear 2 which have anti-spam filters for TBs).

    (and thks for the mention ;-))

  3. Pål Heick Says:

    I’ve been using spam karma in combination with Akismet for the past few weeks. Result: 2400 spam comments and trackbacks stopped.
    Spam Karma runs a lot of different filters on posted comments and can be tweaked and tuned to be super aggressive or mellow and friendly towards new comments – and it also catches trackback spam :-)

  4. Jesper Rønn-Jensen Says:

    Pål,
    I know Spam Karma from Webword, where one of my comments got caught in the spamfilter. So I really don’t want to use it when comments like my own are marked as spam.

    The workaround for me was to email John at Webword. He did some detective work and found the comment. Then he re-posted it in his own name but was only able to post a text-only version of my comment: The links I initially posted were gone.

    I have no problem that comments are held for moderation, but when they’re automatically (and wrongly) marked as spam, it’s a problem.

    So I’d prefer to avoid Spam Karma (because it’s too aggressive).

  5. Olle Jonsson Says:

    Another thing about CAPTCHA: manually entered spam can get through.

    There might be a reality behind the weak defense speech in wiki-spammers’ CSS-hidden comments: “We are delicate, we don’t destroy your content. Hungry children to feed.” And, that reality might put our content at spam-risk.

    That annoyance couldn’t happen with Akismet, or other pattern-matching solutions.

    Wikipedia’s meta-wikipedia pages on antispam are instructive in this regard. That’s where I got the notion of manually entered spam. http://meta.wikimedia.org/wiki/Spam

  6. justaddwater.dk | Blog usability: Avoid spam comments (part 2) Says:

    […] In our previous article Blog usability: Avoid spam comments we discussed the two ways we currently were fighting spam comments on our blog: […]

  7. Emil Virkki Says:

    Isn’t encoding forms with JS a usability problem for users of mobile browsers and people who have disabled JavaScript?

  8. Jesper Rønn-Jensen Says:

    Emil,
    I agree with you that JavaScript encoding is a big accessibility problem. The reason why it’s listed under “what we might do” is because we might do it if we can’t stop spam comments in other ways.

    But for now, spam comments seem to have stopped, as we introduced a new trick Thomas wrote about recently: “Avoid Spam Comments part 2“.

    One more thing, I think that the JavaScript trick could be done in a way that makes comments accessible and unobtrusive:

    Imagine that the form-tag action contains the “usual” URL: wp-post-comment.php (URL must not be illegal). Then, via JavaScript we rewrite URL to some other URL. This URL can receive comments with no further ado.

    BUT if on the other hand, JavaScript is turned off, the original URL is posted to. I would then suggest a <noscript> element with a hidden field. The field should behave as a non-image CAPTCHA with a label like: “add two and three and write result here:”

    The comment-receiving script on the original URL is then programmed so that comments are rejected without the text-based CAPTCHA (or held for moderation).

    The method with the hidden field has similarities with Sam Ruby’s original example, where he uses JavaScript to fill out a hidden field.

    You should decide for yourself which methods are necessary in your blog. For us, (so far), CAPTCHA and JavaScript have not been necessary.
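
The server-side half of the scheme described in the comment above, as an added example that is not part of the comment or the original post. The script-rewritten path, the hidden field name and the sample requests are assumptions made for illustration.

```javascript
// Added example: server-side decision for the two-URL scheme in the comment above.
// Paths and field names are hypothetical placeholders, not WordPress settings.
const SCRIPTED_PATH = '/comment-target-set-by-js.php'; // URL JavaScript writes into form.action
const FALLBACK_PATH = '/wp-comments-post.php';         // "usual" URL left in the HTML source
const CHALLENGE_FIELD = 'sum_answer';                  // <noscript> field: "add two and three"
const CHALLENGE_ANSWER = 5;

function classifyCommentPost(method, path, body) {
  if (method !== 'POST') return { action: 'reject', reason: 'not a POST' };
  const fields = new URLSearchParams(body); // application/x-www-form-urlencoded
  if ((fields.get('comment') || '').trim() === '') {
    return { action: 'reject', reason: 'empty comment' };
  }
  if (path === SCRIPTED_PATH) {
    // The form only points here after the page's script has run.
    return { action: 'accept', reason: 'posted to script-rewritten URL' };
  }
  if (path === FALLBACK_PATH) {
    // No-JavaScript visitors land here and must answer the text question.
    const raw = (fields.get(CHALLENGE_FIELD) || '').trim();
    if (/^\d+$/.test(raw) && Number(raw) === CHALLENGE_ANSWER) {
      return { action: 'accept', reason: 'text challenge answered' };
    }
    // The comment allows rejecting or moderating; this sketch moderates so a
    // real visitor who mistyped the answer is not lost.
    return { action: 'moderate', reason: 'challenge missing or wrong' };
  }
  return { action: 'reject', reason: 'unknown endpoint' };
}

const SAMPLE_POSTS = [ // constructed requests
  ['POST', SCRIPTED_PATH, 'author=Ann&comment=Nice+post'],
  ['POST', FALLBACK_PATH, 'author=Bo&comment=No+JS+here&sum_answer=5'],
  ['POST', FALLBACK_PATH, 'author=x&comment=%5Burl%3Dspam.domain.com%5Dhi%5B%2Furl%5D'],
];
for (const [m, p, b] of SAMPLE_POSTS) console.log(p, classifyCommentPost(m, p, b).action);
```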

  9. Jesper Rønn-Jensen Says:

    HashCash plugin for wordpress may also be able to help:

    HashCash wordpress plugin by Elliott Back

    Every four hours, your blog picks a random large number (close to 32 bits). Whenever a visitor visits your permalink pages, an ajax call is made which retrieves some javascript. This javascript first decrypts itself, then executes itself again to retrieve the secret value, which it sets in the form. If a comment does not have this value, it is rejected. If a comment is rejected more than four times, the user is blocked for a specified period of time.

  10. justaddwater.dk | CAPTCHA usability: Humane alternative to CAPTCHA Says:

    […] Blog usability: Avoid spam comments […]

  11. Elena Says:

    Most popular CAPTCHA types are already recognized by spammers. I hate spammers. Every day I get 50-120 letters by e-mail and over 100 comments on the blog. It’s crazy! Spam filters are not the best way…

  12. justaddwater.dk | 100,000 Blog Spam Comments Says:

    […] We have for example been blocking certain keywords that we found were common in spam that slipped through Akismet, or we have been changing the standard WordPress URL for posting comments. Finally we have incorporated a little htaccess hack that validates the poster’s referral URL. This should of course be our own domain justaddwater.dk, but many spammers actually put some garbage into this header field – and we can then easily block it directly in the Apache web server before it even reaches WordPress. […]

  13. justaddwater.dk | Spam Blog Posted 182 Articles in One Day Says:

    […] we have written about our spam comment countermeasures in “how to avoid spam comments” (part 1, part 2), and the last 2 months since we passed 100,000 spam comments, we have had another 57,000 […]

  14. Christy Says:

    Spam Filtering may reduce the number of spam for a short while but you can’t say that it is an ultimate solution to Spamming. The reason is that the Spammers are aware of these filtering techniques whether it is Filtering with CAPTCHA or some other. There are many websites available that are providing the information on Anti-Spamming Solutions but most of this information is either irrelevant or not useful. I have recently visited a website
    http://www.anti-spam-info.com
    and I found it very reliable for anti-spamming.

  15. Redstar aka John Says:

    I came here because I was looking for some info about comment spam. I don’t have a problem with the spam bots, but some guy started to implant comment spam by hand.

    Interesting solution you used here at that time..