Blog Usability: Avoid Spam Comments
Since yesterday, the volume of spam comments has gone up even more. Now we get 150 spam comments every 12 hours. (Yesterday it was 21 hours). I promised to tell about what countermeasures we have taken against spam comments.
What has that to do with usability? Well, in my opinion, irrelevant comments removes focus from the relevant content on the page, and makes your article less useful because of the irrelevant content.
In the last 8 months we had 348 real comments out of 6517 (with the 6,169 being spam comments we removed). Imagine what this blog would be like with 95% spam comments: Each relevant comment buried in 20 spam comments.
In my opinion, spam comments in that amount makes all comments unusable. Currently we’re only using two countermeasures to avoid spam:
What we have done
1. Use Akismet for wordpress
Akismet is a plugin for the blog software justaddwater.dk runs on. The plugin checks all comments and trackbacks collaboratively on a lot of blogs. If the comment is already known as spam, it’s never published. Here’s what other people are saying about it:
Before Akismet I was spending more time deleting spam than creating content. Now I can focus on actually blogging!
I think Akismet is the best automated spam killer that actually gets better as it learns from the whole community marking new spam comments as spam. It just WORKS.
As i mentioned yesterday, an occational spam comment slips through the Akismet filter. Then we mark it as spam, and this way Akismet learns from us so that other users can benefit from this.
2. Make a spam filter against BBCode like “[/url]“
We noticed recently that almost all of the comments that slipped through Akismet contained weird formed codes like:
[url=spam.domain.com]Spam comment[/url]
This has been noted by many other bloggers including Sam Ruby (via Jeremy Voorhis) and Mike Haugland. To avoid this we’ve added another filter that holds comment for moderation if it contains [/url]. We put that into the “comment moderation” field as seen on the screenshot below:
This is the two things, we’ve done and it’s caught all our spam comments the last days.
What we might do
We feel it’s not necessary at the moment but at some point that’ll obviously not be enough. So we might do the following:
Remove standard URLs for posting comments
Recently, Thomas and I met with François Nonnenmacher, a French Capgemini employee blogging at padawan.info. He told that he had been very successful by renaming the files that receive comments — in our case
. From his webserver log he saw that many spam comments still hit on the standard comment file names.
Encode forms with JavaScript
Thomas Baekdal recommended this trick in a comment yesterday: Remove the comment form in the HTML source code and replace it with JavaScript that generates the same HTML. Can be done with online tools like http://automaticlabs.com/products/enkoderform.
A variation of this would be to use DOM scripting to change the URL the form posts to via JavaScript. Example:
And then via DOM scripting change form.action to the proper URL (
).
if(obj)
obj.action = "wp-comments-post.php"
Moderate all comments before publishing
It’s also likely that we might toggle that setting in WordPress, to moderate all comments before they’re published. It’s of course a disadvantage to our readers that they can’t read what other people are saying until we approve it. But we might toggle this setting if it’s necessary and comment spam gets out of our hands.
What we won’t do
Captcha
A non-machine readable image or similar. We probably won’t use that, because most implementations have accessibility issues to disabled users. See our ealier “Captcha usability revisited: Google inaccessible to blind people”
More info:
- WordPress article: Combating Comment Spam
- Six Apart guide to comment spam
- WeblogToolsCollection – WordPress comment spam stoppage techniques
Technorati Tags: blog, usability, spam, comments, akismet, bbcode, dom scripting, javascript, captcha
June 25th, 2006 at 15:03 (GMT-1)
Unbelievable, but this comment actually slipped through just a few moments ago:
June 25th, 2006 at 16:00 (GMT-1)
Actually I’m using a combination of both renaming the comment script and the same javascript trick that you also mention. Not a single automated comment spam in two years and that without any anti-spam plugin! (Though I can’t say the same about TrackBacks unfortunately, which will remain disabled until I switch to either MT 3.3 or DotClear 2 which have anti-spam filters for TBs).
(and thks for the mention ;-))
June 26th, 2006 at 13:53 (GMT-1)
I’ve been using spam karma in combination with Akismet for the past few weeks. Result: 2400 spam comments and trackbacks stopped.
Spam Karma runs a lot of different filters on posted comments and can be tweaked and tuned to be super agressive or mellow and friendly towards new comments – and it also catches trackback spam :-)
June 26th, 2006 at 14:12 (GMT-1)
Pål,
I know Spam Karma from Webword, where one of my comments got caught in the spamfilter. So I really don’t want to use it when comments like my own are marked as spam.
The workaround for me was to email John at Webword. He did some detective work and found the comment. Then he re-posted it in his own name but was only able to post a text-only version of my comment: The links I initially posted were gone.
I have no problem that comments are held for moderation, but when they’re automatically (and wrongly) marked as spam, it’s a problem.
So I’d prefer to avoid Spam Karma (because it’s too agressive).
June 26th, 2006 at 19:02 (GMT-1)
Another thing about CAPTCHA: manually entered spam can get through.
There might be a reality behind the weak defense speech in wiki-spammers’ CSS-hidden comments: “We are delicate, we don’t destroy your content. Hungry children to feed.” And, that reality might put our content at spam-risk.
That annoyance couldn’t happen with Akismet, or other pattern-matching solutions.
Wikipedia’s meta-wikipedia pages on antispam are instructive in this regard. That’s where I got the notion of manually entered spam. http://meta.wikimedia.org/wiki/Spam
June 28th, 2006 at 19:26 (GMT-1)
[...] In our previous article Blog usability: Avoid spam comments we discussed the two ways we currently where fighting spam comments on our blog: [...]
June 30th, 2006 at 11:56 (GMT-1)
Isn’t encoding forms with JS a usability problem for users of mobile browsers and people who have disabled JavaScript?
July 1st, 2006 at 23:36 (GMT-1)
Emil,
I agree with you that JavaScript encoding is a big accessibility problem. The
reason why it’s listed under “what we might do” is because we might do it if we can’t stop spam comments in other ways.
But for now, spam comments seem to have stopped, as we introduced a new trick Thomas wrote about recently: “Avoid Spam Comments part 2“.
One more thing, I think that the JavaScript trick could be done in a way that makes comments accessible and unobtrusive:
Imagine that the form-tag action contains the “usual” URL: wp-post-comment.php (URL must not be illegal). Then, via JavaScript we rewrite URL to some other URL. This URL can receive comments with no further ado.
BUT if on the other hand, JavaScript is turned off, the original URL is posted to. I would then suggest a <noscript> element with a hidden field. The field should behave as a non-image CAPTCHA with a label like: “add two and three and write result here:”
The comment-receiving script on the original URL is then programmed so that comments are rejected without the text-based CAPTCHA (or held for moderation).
The method with the hidden field has similarities with Sam Ruby’s original example, where he uses JavaScript to fill out a hidden field.
You should decide for yourself which methods are necessary in your blog. For us, (so far), CAPTCHA and JavaScript has not been necessary.
October 23rd, 2006 at 10:23 (GMT-1)
HashCash plugin for wordpress may also be able to help:
HashCash wordpress plugin by Elliott Back
October 23rd, 2006 at 15:30 (GMT-1)
[...] Blog usability: Avoid spam comments [...]
October 28th, 2006 at 17:51 (GMT-1)
Most popular CAPTCHA types alredy recognize by spammers. I hate spammers. Every day i get a 50-120 letters to e-mail and over 100 comments into blog. It’s crazy! Spam filters is not best way…
February 6th, 2007 at 12:45 (GMT-1)
[...] We have for example been blocking certain keywords that we found where common in spam that slipped through Akismet, or we have been changing the standard WordPress URL for posting comments. Finally we have incorporated a little htaccess hack that validates the posters referral URL. This should of cause be our own domain justaddwater.dk, but many spammers actually put some garbage into this header field – and we can then easily block it directly in the Apache web server before it even reaches WordPress. [...]
April 2nd, 2007 at 02:34 (GMT-1)
[...] we have written about our spam comment countermeasures in “how to avoid spam comments” (part 1, part 2), and the last 2 months since we passed 100,000 spam comments, we have had another 57,000 [...]
October 3rd, 2007 at 11:54 (GMT-1)
Spam Filtering may reduce the number of spam for a short while but you cant say that it is an ultimate solution to Spamming. The reason is that the Spammers are aware of these filtering techniques whether it is Filtering with CAPTCHA or some other. There are many websites available that are providing the information on Anti-Spamming Solutions but most of this information is either irrelevant or not useful. I have recently visited a website
http://www.anti-spam-info.com
and i found it much reliable for the anti spamming.
October 18th, 2008 at 21:14 (GMT-1)
I came here because I was looking for some info about comment spam. I dont have a problem with the spam bots, but some guy started to implant commentspam by hand.
Intresting solution you used here at that time..