Anti-Comment Spam Tactics
There is a lot of discussion going on right now regarding comment spam and how to stop it. Comment spam is basically a comment posted to your blog that may or may not have anything to do with your post (I’ve seen/had it both ways), but it will include a link, either within the comment or from the author’s “website” field, to a commercial website. Most of them seem to be selling herbal products, Viagra, or direct mail items. The idea behind stopping comment spam is two-fold: First, no one wants their website to be a graffiti wall. Second, this seems to be just the first “wave”. Many of the spam comments are being done by a few individuals actually trolling for MT websites. The real deluge is coming as more and more automated “bots” start searching the web for MT comment forms to auto-fill with their spam messages.
So, the question is: What can I do to stop comment spam? Here’s a rundown of some ideas that are slowly making their way around the internet. They are certainly going to be expanded and revised over the next few months, but –rather than wait– you should get an early start and stop spam now. As with graffiti, once it’s there, it just leads to more people tagging your site because you’re “easy”. (You don’t want to be “easy”, do you?)
- Implement the ScriptyGoddess Comment Queue Hack. This great script will put all comments into a “holding cell” until you can approve/disapprove them. With this method, you do lose some of the immediate interaction, but you can screen comments and pull out the spam. For a lot of people, this is a very difficult solution because it does involve modifying your Movable Type installation somewhat and you do need to monitor the comment queue on a regular basis. For these two reasons, this may not be the answer for you.
- Implement Burningbird’s Comment Spam Quick Fix. This is a very good, simple solution and a great first step. You are adding a hidden field to all of your comment forms and then telling MT to look for that information when it processes the comment form. This should eliminate a lot of the spam comments from bots. When you work this into your templates, please make sure you choose your very own, unique value. Burningbird uses “goaway”. You could use any alphanumeric combination. Just like passwords, the more jumbled the better.
- Implement Jacob’s “Edit/Delete Comment” hack for your comment notification. Jacob modified the mt-comments.pm file to add a line to the bottom of your comment notification email that includes the link to the “Edit/Delete Comment” screen. This is a simple and fast way to take care of comment spam that is sent by actual visitors to your site. It’s a very simple hack and the documentation is really good.
- Integrate a Turing test to eliminate spam from bots. James Seng has finished his version of a Captcha Turing Test as an MT Plugin. You can see it in action and download it on James’s website. James’s plugin basically gives you a graphical validation - so the user has to type in the numbers shown in a graphic in order for the comment to be processed. If you have ever signed up for Yahoo mail or used Paypal or Network Solutions, you’ve probably seen something like this in action. This will eliminate all of the comment spam from bots, as very few of them will be programmed with the ability to defeat the random sequence. I first saw this on a blog by MrBlog, who has since released his source code for Greymatter in hopes that it will be ported to MT. It needs to be said that using a captcha presents some usability issues, as those with graphics disabled or users who have a visual handicap may not be able to comment using the default install. At this time, there is not an enhancement to this plugin to remedy that. This is still an OUTSTANDING solution, just measure the accessibility versus the effectiveness when considering this solution.
- Implement the Comment Spam Blacklist being put together by Jay Allen. It’s not actually released yet, but Jay is making it possible to use this plugin to test URLs in your comments and trackbacks against a blacklist of known spam offenders. This is supposed to be available for download on 10/13/2003, but it may/may not be as this is just one man’s project and we all have to be respectful of his time. Girlie is implementing Jay’s solution as his alpha tester and reports that it is working with no hiccups just yet. Everyone can add to the blacklist and the community list should be included once the plugin is released. In the meantime, Jay has some screenshots of how it works. You definitely want to stay updated on Jay’s site to get the latest.
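A minimal Python sketch of the blacklist idea, checking the hosts a comment links to rather than where it came from. This is an added example, not MT-Blacklist's code: the blacklist entries are constructed `.example` names, and the field names (`url`, `text`) and the whole-domain matching rule are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed blacklist entries (reserved .example names), not from a real list.
BLACKLIST = {"cheap-pills.example", "casino-bonus.example"}

# Links written with a scheme or as a bare "www." host.
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)


def linked_hosts(*fields):
    """Collect the hostnames linked from the given comment fields."""
    hosts = set()
    for text in fields:
        for raw in URL_RE.findall(text or ""):
            raw = raw.rstrip(".,;:!?)")           # trailing sentence punctuation
            if not raw.lower().startswith("http"):
                raw = "http://" + raw             # bare "www." link
            try:
                host = urlsplit(raw).hostname     # lowercased, no port/userinfo
            except ValueError:                    # malformed netloc
                continue
            if host:
                hosts.add(host.rstrip("."))
    return hosts


def blacklisted(host):
    """Match the host or any parent domain, never a substring of a label."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLACKLIST for i in range(len(labels)))


def screen(comment):
    """Return the sorted blacklisted hosts found in the URL field and body."""
    hosts = linked_hosts(comment.get("url"), comment.get("text"))
    return sorted(h for h in hosts if blacklisted(h))


if __name__ == "__main__":
    spam = {"url": "http://shop.cheap-pills.example/",
            "text": "Nice post! See WWW.Casino-Bonus.example/win."}
    ham = {"url": "http://notcheap-pills.example", "text": "I agree."}
    print(screen(spam))   # two hits: one from the URL field, one from the body
    print(screen(ham))    # no hits: a similar-looking name is not a subdomain
```

Matching on whole domain labels is what keeps a lookalike name from tripping the filter, and both the author URL field and the comment body are checked because the spam link can sit in either.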
Finally, the only 100% foolproof way to stop comment spam is to stop comments altogether on your website. For me, this is not a solution. Comments encourage interaction and help visitors get to know you and vice versa. But, if you can’t comment, you can’t comment spam, so your mileage may vary!
October 12th, 2003 at 9:18 pm
I’ve read the article with great interest, but…
comment queue: Maybe nice for people online most of the day and a site that is not too crowded, but it could get annoying.
comment spam quick fix: It’s no more than a quick fix.
But, just out of curiosity: Instead of using a hidden parameter that is fixed, why not use one that uses an encoded timestamp and/or ip information?
Thus it’s possible to get rid of any comment spammer who tries to adapt to the hidden field (I’ve seen it with email spam, so why not with comment spam - just check the page for “INPUT HIDDEN” and go on). Check the time and if it’s older than x minutes redirect to the message and ask to click again to get to the comment form. Check whether an ip is trying to send comments too often in x minutes and block it for a while to access the comment form (it would be helpful for this to work right to separate the comment form from the article, using a new page for the comment form).
Another way could be to use sessions - sending a comment without reading the news or other comments beforehand seems quite odd, so sessions would guarantee that someone is not just accessing the comment form to comment on things he didn’t even read (here too it would be helpful to separate article/comment form).
In both cases (with separated article/comment form pages) you have to visit the article page and follow the link from there to be able to write a comment making it less likely that someone writes a script to spam - at least more unlikely than with the other solutions.
The edit/delete comment fix is nice for people who swear or use inappropriate comments (in my country it’s sometimes against the law not to delete such comments - so it’s a thing I really appreciate even not in the context of spam) but I doubt that it’ll help against spammers - especially if it gets so nasty like email spam.
turing test: you already mentioned the usability issues so I’m strongly against it. It’s a pity that some big pages use these and disabled people can’t access some of them - please don’t use them with weblogs.
The comment Spam blacklist seems to be a good idea as well (hopefully the maintainer checks for proxies as well - would be a pity to ban people that are so unfortunate to share the same proxy like the black sheep…) and it could be fed by the ip detection way I mentioned earlier in my comment.
Thanks for listening
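The signed, expiring hidden field and per-IP throttle suggested in the comment above, sketched in Python as an added example (not part of that comment, Burningbird's fix, or Movable Type's code). The secret, the 15-minute form lifetime and the limit of 3 comments per 10 minutes are assumed values.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

SECRET = b"constructed-demo-secret"  # assumption: random per-site key, server-side only
MAX_AGE = 15 * 60                    # assumption: a rendered form stays valid 15 minutes
RATE_LIMIT = 3                       # assumption: accepted comments per IP ...
RATE_WINDOW = 10 * 60                # ... within any 10-minute window

_recent = defaultdict(deque)         # ip -> times of recently accepted comments


def _mac(ts, ip, entry_id):
    msg = f"{ts}|{ip}|{entry_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(ip, entry_id, now=None):
    """Hidden-field value, generated each time the comment form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(ts, ip, entry_id)}"


def check_comment(token, ip, entry_id, now=None):
    """Return (accepted, reason) for a submitted comment form."""
    now = time.time() if now is None else now
    ts, sep, mac = token.partition(".")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return False, "malformed"      # e.g. a fixed value copied from the page
    expected = _mac(ts, ip, entry_id)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad-signature"  # forged, or issued to another IP/entry
    if not 0 <= now - int(ts) <= MAX_AGE:
        return False, "expired"        # stale form: have the visitor reload it
    q = _recent[ip]
    while q and now - q[0] > RATE_WINDOW:
        q.popleft()                    # forget comments outside the window
    if len(q) >= RATE_LIMIT:
        return False, "rate-limited"
    q.append(now)
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token("203.0.113.7", 42, now=1000)
    print(check_comment(tok, "203.0.113.7", 42, now=1100))   # fresh, same client
    print(check_comment(tok, "198.51.100.9", 42, now=1100))  # token lifted by another IP
    print(check_comment("goaway", "203.0.113.7", 42))        # static hidden value
```

A token can still be replayed from the same address until it expires, which is why the throttle sits behind the signature check.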
October 12th, 2003 at 9:26 pm
I should probably add - although it doesn’t matter really
that the “comment queue script” wasn’t originally intended to avoid comment spam. I know some people use it for this purpose, or suggested it be used for this purpose. But actually, it was requested by a business-blog owner that only wanted certain comments on the site (so even the “hey cool site” comments wouldn’t go through). Also - if you get more than your fair share of “troll-type-comments”, then it may be the logical choice, too… In any case, just wanted to clarify that - since so many people bring that script up when discussing anti comment spam options… 
October 12th, 2003 at 10:59 pm
long ago, i came to the conclusion that the only solution to spam was to increase the cost of doing business with spam. to that end, i’ve set a nice, reasonable price point for the time it should take me…
October 13th, 2003 at 12:07 am
Jennifer was so kind as to let me do a Anti-Comment Spam Summary post over at Scriptygoddess. I think this is my fifth guest post over there. I think I’m moving up towards Christine’s ScriptyDiva status! LOL!…
October 13th, 2003 at 1:07 am
For a weblog, I think the Turing test is great - and I surf using Ghostzilla a lot, which affects what images I see. I have reservations about a spam blocking list simply because I’m afraid that good people will be blacklisted thanks to dynamic IPs.
As this continues to be a bigger problem, it will be interesting to see what solutions come out.
October 13th, 2003 at 1:26 am
We’ve been hit by the Lolita comments spam, and there’s also a Swedish neo-nazi spammer at work. We’re dealing with it… and we may have stronger measures on the way.
October 13th, 2003 at 1:57 am
I tried Burningbird’s hack, and it ended up stopping ALL comments cold and giving me -500 errors. Wondering what I might be doing wrong.
In line with your guidelines, I’ve left the broken implementation running, and you can see it by clicking any comments links on the Winds of Change.NET home page. Sigh. It’ll spam-proof the blog, anyway. You can see the code I’m using over here:
http://windsofchange.net/Blog_CommentSpam_QuickFix_Try.txt
This should work, no? Can anyone out there tell me what I’ve done wrong (MT 2.64, MySQL, Perl 5, Apache)?
October 13th, 2003 at 2:06 am
I have the Captcha working wonders.
Currently it has solved my problem.
October 13th, 2003 at 9:23 am
I think the “Spam blocking list” isn’t IP based - but content and URL based… Take a look at the screenshots. I actually didn’t see ANY IP information there.
October 13th, 2003 at 10:07 am
Spammers have found a new target: Weblog and messageboard comment forms. I’ve heard a little about comment spam — unsolicited advertisements for, say, products or porn sites posted to blogs and messageboards, sometimes en masse — over the past couple…
October 13th, 2003 at 12:14 pm
Anti-Comment Spam Tactics…
October 13th, 2003 at 12:31 pm
meryl's notes]
October 13th, 2003 at 1:07 pm
I like blog comments. I understand why some folks don’t turn on the comments functionality in their blogs, either because…
October 13th, 2003 at 5:30 pm
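Recently there has suddenly been a lot of spam comments on MT blogs. At first I thought someone was playing a joke on me, but looking deeper I found that it is a big problem that has been hotly discussed on the MT support forum lately - Comment Spam, which I call junk comments.…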
October 13th, 2003 at 6:44 pm
There’s been a lot of talk recently about spammers posting comments in Movable Type to attract people to their sites. Jay Allen has created MT-Blacklist which blacklists comments based on the linked content. He surmises that the linked content is…
October 13th, 2003 at 8:04 pm
Comment spam is suddenly the topic du jour in the blogosphere. I admit that even when suffering from writer’s block, a single spam comment can inspire much ranting. While there’s plenty of suggestions out there for how to stop comment spam, a lo…
October 13th, 2003 at 8:16 pm
The blacklist concept is content driven, not IP driven. It’s a great solution, once it’s available. I have the captcha running on my site and I like it. I’m keeping it. I guess I could load up some random wav files as an alternate for text only use, but I think the percentage is very, very low for my audience.
The best part about this discussion is that it is definitely moving the solutions to be better & better for everyone.
October 13th, 2003 at 8:23 pm
I’m glad to know I’m not the only one that’s getting hammered with this stuff. Granted, I maybe get 1 or 2 spam comments a day, but nothing major. This…
October 13th, 2003 at 8:35 pm
Joe - Your code looks correct so I have to wonder if you have cgi.pm installed. If you have shell access, you can use the command “perldoc CGI” and it should return the documentation. If it doesn’t, then the module isn’t installed on the server. It’s pretty standard for most apache installs, so that seems like I’m reaching for a remedy. If you could verify that, I’ll try to track it down in more detail.
October 13th, 2003 at 11:29 pm
I looked at my control Panel (cPanel X at Bloghosts.com). It lists that module as installed, and I can find it there, perl version 5.6.1. CGI - simple common gateway interface class. I can also see CGI.pm when I FTP to cgi-bin\extlib, it’s about 204 KB
I’ll take this one to my host, and if they tell me anything I’ll fill y’all in here. Meanwhile… suggestions?
October 13th, 2003 at 11:53 pm
Okay, this solution seems to work pretty well. Describing it will make it useless in a few days if the spammers find out how I’m doing it, but that’s okay because it looks like I’ll have phpBB integration by then anyway (since I finally got the informa…
October 14th, 2003 at 10:19 am
I like the captcha idea more than the rest, for obvious reasons, but there are a few thoughts that I had on it.
a) A centralized system for this could be nice, as currently even decent OCR programs can read the numbers. Centralizing could allow the program to take advantage of more complicated image libraries.
b) With a bit of thought and a well developed cookie, it seems like you could prevent real people from having to verify their humanity more than once. Keeping a list of current cookies that are out could allow you to invalidate one if a comment spammer did manage to break it.
c) It would be possible to implement the captcha, use Javascript checking to ensure that it’s not blank. If it IS blank, run it through the Turing test and if it fails, put it in a queue to be reviewed before being published. If the turing test worked (and worked well) that would be a fairly stable option that really limited the number of false-positives.
In the end, though, I think the Captcha is probably the best idea.
Just my 1.5 cents.
October 14th, 2003 at 10:51 am
Lately, there have been a lot of issues with spammers attacking blogs and leaving spam in the comments. This weekend,…
October 14th, 2003 at 11:33 am
Looks like I was hit with a comment spammer recently. This weekend, lots of comments were added that linked to
October 14th, 2003 at 12:14 pm
Kevin, I have the answer…
“Have you reset the permissions on mt-comments.cgi after you made the changes? It looks like the file has been modified. If I chmod it to 755 and attempt to pull up comments on your site it works fine.”
That works.
October 14th, 2003 at 12:53 pm
Here are a bunch of random links I’ve been saving…
October 14th, 2003 at 1:19 pm
Information at Scripty Goddess on what you can do to keep your weblog from becoming a “wall of graffiti”. I need to study up… (link via Melissa)…
October 14th, 2003 at 1:35 pm
There seems to be a sudden interest in stopping SPAM from filling up blog comments, and several people have
October 14th, 2003 at 4:13 pm
New Spam MT-plugin! Killing Comment Spam Dead! Go get them!
October 14th, 2003 at 7:38 pm
I have a different way of attacking the problem.
October 15th, 2003 at 4:47 am
So far this blog has been free of SPAM comments but it is a large and growing problem but there are different methods on how to deal with it. Emmanuel found a page at the Scriptygoddess that lists several methods….
October 15th, 2003 at 10:16 am
The general complaint is that the image verifier is unfriendly to disabled or those who do not have a graphic browser. Hearing your feedback, I spent the last 2 days working on a bayesian plugin. To cut the story short, I wrote a plugin which will allow you to train your movabletype blog to automatically identify spam comments and pings.
http://james.seng.cc/archives/000152.html
October 15th, 2003 at 10:46 am
I am a huge fan of Bayes as an anti spam solution however I’m with Pete on the captcha side of the fence.
James - you should go for that programmer job at MT - you rock.
October 15th, 2003 at 2:33 pm
Agreed… I use a bayesian filter for email spam and it works very well, although I still think that allowing captcha-verified email to bypass the filter would be a very handy thing.
October 17th, 2003 at 1:35 am
Scriptygoddess has posted a nice summary of tactics to use against spammers. I’m (knock on wood) relatively spam free at…
October 17th, 2003 at 8:13 am
Honestly, I kind of regret doing the CAPTCHA
For nearly 10 years, I have spent a lot of time helping blind and deaf folks get online, using IRC and stuff. I regret not remembering them when I released the image verifier…
But then again, there is no 100% solution. So for those who did use my image verifier, I appeal to you to give those disabled a bit of consideration, or an alternative way to post.
October 17th, 2003 at 11:01 am
That is highly commendable of you, James. Honestly, I am really happy to read those words…
October 17th, 2003 at 1:48 pm
Seems blogs being hit by comment spam is growing worse with each passing day and as such the talk of the town in the MovableType community has been how to stop as much of it as possible. There’s a thread devoted to this topic over at ScriptyGoddess th…
October 18th, 2003 at 11:06 am
Hey–if you’re wondering about stopping comment spamming, check out this site. I implemented measure two to keep out automated posting…
October 20th, 2003 at 11:10 pm
While surfing my blogroll, I stopped off at Geoff’s blog - the inimitable blog driver’s waltz. Saw this item on…
October 26th, 2003 at 10:28 am
I haven’t had any more problems with comment spam since then (*knock on wood*), but in case trouble picks up again, I have put the links I collected on the subject here: Comment spam with MovableType [Bloghaus] Subscribe to comm…
October 28th, 2003 at 1:25 am
I just spent the last hour or so going through my site looking for spam comments, which have become an epidemic in the world of weblogs. Basically, it’s like a little spider that comes to your site and fills out the form with a fake comment filled …
January 10th, 2004 at 11:21 am
Comment spam has been bugging me for some time. I’ve looked at some anti-comment spam solutions and have decided to go with MT-Blacklist at the moment…
January 29th, 2004 at 8:48 pm
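Got some comment spam for the first time in a while. It said something or other about casinos, but I just quickly deleted it with the usual tool. #There were only 2, so deleting them by hand would not have made much difference (lol). And then, something that caught my attention a little yesterday: overseas…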
February 17th, 2004 at 10:46 pm
There’s another solution that I would like to see that’s not mentioned in your blog - make it an option in Movable Type to take out the
Even if that’s not an option for everyone, it’s an option I would like to see in the next MT.
February 21st, 2004 at 6:26 pm
Over the last few days I was hit by more than the usual amount of spam, which has me trying out some less invasive anti-spam tactics. First, I have implemented Burningbird’s Comment Spam Quick Fix, which places a code that…
March 14th, 2004 at 3:11 pm
If you’re seeing a lot of spam on your MT powered blog there are a host of things you can do about it. An overview at scriptygoddess gives you the basics. Personally, I suggest Burningbird’s Comment Spam Quick Fix. It’s…
March 27th, 2004 at 12:12 pm
I just checked Six Apart’s (the peeps behind MovableType) page for TypeKey. It looks to be an interesting piece. I suggest keeping your eye on the project if you’re interested in comments/ user registration. In the meantime, if your chief…
November 12th, 2004 at 5:31 pm
MT-Blacklist is great to prevent “Comment” and “Trackback” spams, but as I had alluded to in my previous entry, it’s pretty reactive in nature. Here’s really how MT-Blacklist prevents spam: Install MT-Blacklist, a content filter plugin. Set a bu…