They Found Me!

Well, it was a nice little honeymoon, but the comment spammers finally got to me.

I’ve been using WordPress’s out-of-the-box comment moderation utils, which are actually quite nice. Basically, in order to comment, you have to log in. User comments are still moderated unless they have a previously approved comment. Trackbacks/Pingbacks are also held in the moderation queue unless they come from a site with a previously approved tb/pb.

That works great, until some spambot hits my site with 50 or so trackbacks at once, and I’ve gotta spend all my time sifting through them to make sure I don’t delete something from an actual human.

Hooray for Spam Karma. If you use WordPress, and you have comment spam, get Spam Karma. It’s absolute genius. And, the integration with Referrer Karma is also really nice.

So, if your comments get eaten, I’m really sorry. I’m definitely going to be doing my best not to let that happen.

2 Responses to “They Found Me!”

  1. On October 6th, 2005 at 01:19:29, kwa Said:

    The easiest way to spam a blog is to referrer spam it. The main issue is most blogs do not publish their statistics. Does that matter? Not a lot. A lot of bloggers check their stats and check referencing pages. If they link to one’s blog, one is curious who’s linking to it, isn’t one? That also makes hits, and referrer spamming is cheap enough, so why stop spamming that way?

    Moreover, if your blog does not publish your stats, your host might. Mine publishes all the stats of all the hosted sites. I can’t convince him to remove them, even after explaining my “security by obscurity” concerns. (Yes, I’ve left a security hole in a script whose address I’ve never published for a couple of days, and someone or some robot found it… removing some data files…)

    The second easy way to spam blogs is sending trackbacks. I don’t even see why spammers use comment spam, since trackbacks appear to be cheaper to do and more difficult to fight. I’ve only seen one blog with time-limited, dynamic, client-side trackback address generation. Needless to say, the blogger was seriously involved in the spam fight.

  2. On October 6th, 2005 at 09:19:51, Isaac Said:

    kwa,

    I’ve only seen one blog with time-limited, dynamic, client-side trackback address generation. Needless to say, the blogger was seriously involved in the spam fight.

    The Spam Karma plugin for WordPress fights all manner of comment/tb/pb spam *incredibly* effectively, with:

    1. User level check (to auto-approve logged in users over a certain level)
    2. Blacklist (IPs and referrers)
    3. Link Counter (large number of links = more likely a spammer)
    4. JavaScript client-side payload for comments.
    5. Encrypted payload in comment form.
    6. Entities Detector (checks for invalid HTML entities that spammers use to get around checks.)
    7. Trackback/pingback referer check
    8. Snowball check (regular commenters are less likely spammers, new commenters are kept on watch.)
    9. Post Age (old posts are more likely to be spammed)
    10. RBL Check (spams coming from IPs in Real-time Blacklists)
    11. Captcha, but only required for comments that look spam-ish.

    Each check adds to or subtracts from the comment’s “Karma”. If the karma is > 0, then it goes to “paradise” - it is approved, and you don’t have to do anything. If the karma is between -6 and 0, then it is held in “purgatory” to be approved or deleted. Comments with karma below that value are automatically sent to “hell”, and don’t show up except in the spam harvest. (They can still be recovered, but they’re nicely hidden away.)

    Another plugin, Referrer Karma, works in much the same way, and can integrate with Spam Karma’s blacklist.

    This modular approach is, in my opinion, the *only* way to effectively combat blog spam. Other GPL blog tools would benefit greatly from porting these plugins rather than spend time attempting to do the same things.

    So far, I haven’t had a single false positive, and I also have been able to let comments show up right away rather than moderating every one.
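The scoring model Isaac describes above, as an added illustration that is not Spam Karma’s own code (Python rather than the plugin’s PHP): each modular check returns a signed karma delta, the sum is triaged with the paradise/purgatory/hell thresholds from his comment, and the breakdown is kept so a moderator can see why a verdict was reached. The check weights, the blacklisted IP and the sample comments are all constructed.

```python
"""Modular karma scoring in the style described above (constructed example)."""
from dataclasses import dataclass
import re

@dataclass
class Comment:
    author_ip: str
    body: str
    post_age_days: int      # age of the post being commented on
    prior_approved: int     # this author's previously approved comments
    user_level: int = 0     # 0 = not logged in

# Constructed blacklist; 192.0.2.0/24 is reserved for documentation (RFC 5737).
BLACKLISTED_IPS = {"192.0.2.45"}

# Each check returns a signed karma delta. Weights are illustrative, not Spam Karma's.
def user_level(c):
    return 10 if c.user_level >= 2 else 0           # trusted logged-in users
def blacklist(c):
    return -10 if c.author_ip in BLACKLISTED_IPS else 0
def link_counter(c):
    links = len(re.findall(r"https?://", c.body))
    return 0 if links <= 1 else -2 * links           # many links -> more likely spam
def snowball(c):
    # Regulars gain trust; brand-new commenters start slightly negative.
    return min(c.prior_approved, 5) if c.prior_approved else -1
def post_age(c):
    return -3 if c.post_age_days > 90 else 0         # old posts attract spam

CHECKS = [user_level, blacklist, link_counter, snowball, post_age]

def score(c):
    """Return (total karma, per-check breakdown) so every verdict is auditable."""
    breakdown = {check.__name__: check(c) for check in CHECKS}
    return sum(breakdown.values()), breakdown

def triage(karma):
    """Thresholds as described: > 0 approved, -6..0 held, below -6 hidden."""
    if karma > 0:
        return "paradise"
    return "purgatory" if karma >= -6 else "hell"

if __name__ == "__main__":
    for c in [Comment("198.51.100.7", "See http://example.org/reply", 120, 4),
              Comment("198.51.100.8", "First time here, nice post.", 2, 0),
              Comment("192.0.2.45", " ".join(f"http://example.net/{i}" for i in range(5)), 400, 0)]:
        k, why = score(c)
        print(f"{triage(k):9s} karma={k:4d} {why}")
```

Running it shows a regular commenter on an old post landing in paradise, a first-time commenter held in purgatory, and a link-stuffed comment from a blacklisted address sent to hell.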
