Blog spam prevention

September 27, 2007

I’ve noticed that the minute I write a new post on my artsmontana.com blog, I get a few new spam entries in comments. This is clearly automated by someone scanning blogs for new posts and submitting comments.

Since I am recommending blogs, I’d like to mention a few easy to implement ways to trap or prevent comment spam. First of all, allowing anyone to comment without moderation seems like a nightmare to me. On all of my blogs, comments are placed in a moderation queue awaiting my approval. I can also edit them there before approving them. You won’t miss comments when you have moderation turned on because an email alert lets you know there is something in the moderation queue.

For spam filtering in comments, I use the Akismet plugin for WordPress, and I also set my spam filter to look for any comment that contains more than one link. Spammers like to populate comments with their own links, so that helps. Akismet is free for personal use, and they have a commercial key (at $5 a month) for what they call “mad paper” sites, or sites that are generating more than $500 a month in income. They also have an enterprise-level key (at $50 a month) for large businesses. To get Akismet, you sign up (also free) and they give you an API key that you enter in your WP administration panel. It’s easy, and it’s useful. Spam comments usually reiterate a bit of text from a post and add an irrelevant bit of text. Aksimet grabs those, as well as the stupid comments spammers include in their automated content to make it seem legitimate, like “very interesting” or “nice job”, and puts them in a spam queue. That way you can see at a glance all the garbage that has come in and delete it in bulk. Akismet also provides information for those who want to extend it to work with other applications besides WordPress.

I have already installed Akismet for all of my WordPress blog clients, but here is how to use it if you are new to blogs and plugins. If your WordPress installation does not come with Akismet already listed in the Plugins tab, go to akismet.com, download the plugin, uncompress it with an unzip tool (e.g. WinZip or Stuffit Expander), then upload it to the wp-content/plugins subdirectory in your blog directory. Once that is done (by WordPress or by you), go to Plugins on your WordPress dashboard, activate Akismet, follow the link to the free API key, enter the API key in the configuration screen, and you are done.

Bad Behavior is also a popular choice, and seems especially well-suited to blogs with heavier traffic because it keeps spam from even entering your comment queue, saving time, trouble, and server bandwidth. It achieves that by analyzing the delivery method of the comment. According to the Bad Behvior Web site, “it is designed to work alongside existing spam prevention services to increase their effectiveness and efficiency. Whenever possible, you should run it in combination with a more traditional spam prevention service.” It works with many more PHP-based platforms besides WordPress, including Drupal, ExpressionEngine, and LifeType. If you install and use Bad Behavior, a modest voluntary contribution is suggested. [Note: I just installed Bad Behavior (9/30), keeping the Akismet plugin activated, and will report how it goes. Bad Behavior logs blocked requests, so I’ll check that as well as spam levels. ]

WordPress allows you to create a Comment Blacklist, too. Go to Options > Discussion and scroll to the bottom of the page where you can enter keywords that you’d like to block. (You know what they are!) You can also enter offending email addresses, IPs, and URLs.

Some bloggers use a challenge-response system for comments to ensure that all comments come from humans and not spamming software. This can take the form of a simple question (e.g., What is 4 times 5?) that has to be answered before the comment can be submitted. There are also CAPTCHA (”Completely Automated Public Turing test to tell Computers and Humans Apart”) tools, and anyone who has filled out an online form that requires you to read and enter a batch of characters presented graphically before you can submit has seen this model. Once you are a recognized commenter (i.e. trusted) you can sometimes forgo this step. One of my favorite local blogs, Livingston, I Presume, uses a CAPTCHA model and it is not at all inconvenient. It is a better experience for your visitor than requiring them to register and log in before commenting. Some annoying Blogger.com blogs expect you to have a Blogger account to comment. Unless you have a large and very public site with huge amounts of commenting traffic, this is overkill. Nothing chills a comment-prone visitor faster, and since comments are a part of a blog’s lifeblood, you don’t want to stop them that way, especially when there are friendlier gatekeeping methods like moderating everything before publication, using a plugin like Akismet, and/or employing a simple challenge-response algorithm.

For more on personal spam prevention (especially email), see the list of resources at ctrl-zweb.com.

On the topic of blogs, after the Democratic debate last night I visited the Web sites and blogs of Barack Obama, Hillary Clinton, Joe Biden, and John Edwards. I doubt there is a presidential candidate who is not using a blog as an interaction tool. While I am not committed to any candidate, I give John Edwards’ site and blog the highest marks. He has real content instead of single paragraph issues statements that are virtually content free; and not only does he get specific about every issue, he has all of the topics nicely organized so that it is easy to find his position and his plan for the issues that interest you. You are required to register to comment on Edwards’ blog (I’m sure that’s true for all of them), but you’d do that, too, if you were running for Prez and had all that (sometimes wacky) blog traffic.

Posted by Lynn | Filed Under Web Tips |