"Spam egg spam spam bacon and spam..."

There's little I hate more online than comment and forum spam. It takes what should be a pleasurable or informative romp through a site and turns it into a vile, seething mess contrived to hawk disreputable wares like faux-Canadian pharmaceuticals, male potency techniques, barely-legal porn, and fake-label running shoes. Worse yet, it's a hydra -- cut off one head and two more venomous ones appear to take its place. The second we figure out one way to combat the creature, our struggle seems for naught. So what, then, do we do?

First of all, I'm not convinced that turning off anonymous posting is the answer. This is for three reasons very important to me:

  • Many of these spammers actually register on the site, either manually or via special scripts that register users automatically. Some of you may remember the notorious Chinese shoe spammers from last year who registered for several new accounts a day and posted hundreds of messages.
  • Studies show that a person typically posts three times on a site before he or she feels the interest or loyalty to actually register as a member. Plus, many people will not register as a member. (I know I hate to rack up memberships I don't know if I'm ever going to use again.) The "locking down" of anonymous postings is going to have an effect on the potentially valuable insights and information that drive-by commenters may contribute, and possibly deter them from joining.
  • Joining a site should offer perks (like being able to create profiles, or get special access permissions), and not be a forced result of one's need to express him- or herself. That limits one's freedom of expression needlessly.

So what is the solution?

Well, we do have a good system in place already, although it occasionally shows a crack or two that's soon mended.

First, many, many hundreds of spam comments and forum posts are caught in the course of a week and silently discarded by our spam filter Akismet. It "learns" from posts marked spam, and from what other WordPress and Drupal sites are marking as spam. It sometimes takes a number of spam attempts before marking certain text or IPs to deny, but it's probably the most effective filter of its kind. I've seen its ability to discard up to 4000 spam a week on another blog of mine and it's impressive, to say the least.

Second, the other members of our site team now have the instructions to deny the IP of a spammer. (That's why we're no longer seeing the dreaded shoe-bomber of a few hours ago.) Once a spammer squeaks a few past the filter, one of us can simply block the originator.

Third, we do have the option of putting in a "captcha" of some kind. These are the simple little questions you see at the base of forms to determine if you're a human or an automated script. Some use images of slightly askew text, some use simple math (3+6=?), and some will ask what the third word of a random sentence might be. I generally don't like these, but we're investigating the options.

In the meantime, we're sorry about the spam, but hopefully things have now returned to normal.


Captchas

I vote no on the captchas. I hate those things.

I think you and the rest of the team are doing a wonderful job dealing with spam. You guys rock. Thanks again for providing a home for us office pr0n junkies...

Yes, thanks!

I think you and the rest of the team are doing a wonderful job dealing with spam. You guys rock.

You all do put a lot of work into this. I just hate to see you have to put the work into killing the spam. I wish there were another way! But, with the others, the captchas, etc. are frustrating. I tried to post somewhere a day or so ago, and never could get my text to "match". It was so frustrating...

If only there was a way that would make it easier for the "elves" who have to clean up after the spammers...

But I do appreciate, Doug, your take on anonymous posters, etc. It's very refreshing to see this kind of perspective. Thanks...

-Jon

Spam Wedding

Many years ago, when Spam was merely a questionable meat product, my husband went to a wedding uniting Sam and Pam. Spam! Someone contacted the Spam company and they sent a whole bunch of Spam promotional products for wedding decorations and favors. I think the Spam "piggy" banks were a hit.

well thought out

Hi Doug. After reading about your thinking, I'm actually glad you didn't just block out Anonymous posting like so many people (including myself) were asking.

Options 1 & 2 would catch most of the spam, I'd think. I'm with the others, I find captchas annoying, especially when the font makes a 1 look like a lowercase "L".

How about putting a button that marks a comment as spam?

-Kenny

captchas work

Sometimes I'll comment without logging in. "Is that bad?" (Dirty Rotten Scoundrels) But if you go with captchas for anons that's fine by me. It's as much work as logging in. Otherwise comments from only registered users may give you more insightful replies. Sometimes my anon comments aren't all that insightful. Come to think of it, my other comments aren't all that insightful either.

By the way, a slice of spam on rice wrapped in seaweed (Japanese nori) is really good stuff. Called Musubi. They sell it at every 7-Eleven in Hawaii. Good stuff that. See Spam Musubi on Wikipedia.
...dave

Bloody Vikings !

I would agree that "captchas" can be annoying, but I would accept them as a necessary evil.

My apologies if I made too much fuss about it, but it is one of them subjects on which I get easily "spun up". I sometimes just grouch too (much/loud).

I would like to express my confidence in the folks running things here to do the proper and necessary things.

"Baked beans are off"
"Well, could I have Spam instead ?"
-----------------------------------
"I think the surest sign that there is intelligent life out there in the universe is that none of it has tried to contact us." (Calvin and Hobbes/Bill Watterson)

I put my vote in for captchas

I find captchas as annoying as the next person, but when faced between signing up to post or just filling in a captcha, a captcha isn't that big a hurdle.

On my sites, I've tried to keep from even implementing user accounts (even though I get asked to do it from the regular users). The past three months however got to be too much, with too many spammers just randomly filling in forms every day. This is even on forms that need pre-approval before content appears on the site (meaning the spam never gets seen by anyone but an administrator). I implemented captchas and the spam has pretty much disappeared.

More about captchas

I'm not a big fan of the picture-based captchas that show distorted text that you have to decipher and type in. Not only are they annoying and easy to get wrong, but they aren't very friendly to disabled users. However, back when I had a blog I added a line to the posting form with a simple instruction that was really hard to get wrong -- something like "type the word 'orange'". I had three or four phrases, and one was randomly selected each time a comment form was displayed. It was no more obtrusive than any of the fields I just filled in to write this, and it stopped the spam in its tracks. I don't think I ever had a single piece of comment spam ever again.

Another thing that might help is to ban certain bots and crawlers. It's been too long since I quit my blog for me to remember where I came across this, but I had a long list of bots that I banished via my .htaccess file. Configuring robots.txt might also help, provided you have access to it on your server (I didn't). You should be able to find info on both via Google without too much effort, though robotstxt.org is a good place to start.

I initially banned the bots because I had a bot downloading enough data to get the entire site several times an hour, hour after hour, day after day, but it seemed to stem the tide of trackback spam as well. I had already implemented the captcha on comments, so I can't say whether it would have helped with that, but based on my experience with trackback spam I think it might. Eventually I eliminated trackback spam altogether using a WordPress plugin that banishes trackbacks that don't actually link back to the post they're attached to (though nowadays I'm not sure anybody enables trackbacks anymore...).
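The "type the word 'orange'" check described in the comment above could be built as follows. This is an added example, not the commenter's code, and it goes slightly beyond the description by signing the expected answer into a form token so the server needs no session state; the prompts, `form_id`, the one-hour lifetime and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side secret; generated per process here for the demo.
SECRET_KEY = secrets.token_bytes(32)
# Constructed sample challenges: prompt shown to the visitor -> expected answer.
CHALLENGES = {
    "Type the word 'orange'": "orange",
    "Type the word 'paper'": "paper",
    "Type the word 'window'": "window",
}
MAX_AGE_SECONDS = 3600  # a form left open longer than this must be reloaded


def _sign(form_id, issued_at, answer):
    # The MAC binds the answer to one form and one issue time.
    msg = f"{form_id}|{issued_at}|{answer}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(form_id, now=None):
    """Pick a random prompt; return (prompt, token) to embed in the form."""
    issued_at = int(time.time() if now is None else now)
    prompt = secrets.choice(list(CHALLENGES))
    token = f"{issued_at}.{_sign(form_id, issued_at, CHALLENGES[prompt])}"
    return prompt, token


def verify_challenge(form_id, token, submitted, now=None):
    """True only if the answer matches the prompt this token was issued for."""
    now = int(time.time() if now is None else now)
    try:
        issued_text, mac = token.split(".", 1)
        issued_at = int(issued_text)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    if not 0 <= now - issued_at <= MAX_AGE_SECONDS:
        return False  # expired, or timestamped in the future
    answer = (submitted or "").strip().lower()
    expected = _sign(form_id, issued_at, answer)
    # Constant-time comparison on bytes, so odd input cannot raise.
    return hmac.compare_digest(expected.encode(), mac.encode())
```

A token and its answer can be resubmitted until the token expires; making each token single-use requires the server to record the ones it has already accepted.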

I'm glad you didn't ban anon

I'm glad you didn't ban anon posting! I like to lurk. Too many passwords to remember already, anyway.

One password

I use only two or three passwords for all the systems, sites, accounts I have access to. Depending upon the security required I grade the passwords. The one used most commonly is with those sites/systems/accounts that don't really need to be secure in the first place; a mis-guided notion on the part of the designer that their stuff is so important I must authenticate before I can be allowed to access it. Typically they are providing stuff that is already in the public domain anyway so why the need for authentication.

Then there's the secure password. Based upon an idea in the PGP encryption package I use a long pass "phrase". In reality it is the initial letters of the words in the phrase but it has the virtue of being a random sequence of characters should anyone ever glimpse me typing it. Because I know the phrase I can type it very quickly with 100% accuracy despite the randomness. By the way, no one knows what the phrase pass is but me.

And for the really secure stuff I use GNU Privacy Guard with a real (and very long) pass phrase. This, of course, I only use on my own systems here behind my firewall. Oh yes, I really am that paranoid. And for the record it is not the same phrase as that for the secure password. Again no one knows the pass phrase but me.

So I don't have a problem with remembering passwords.

What I occasionally have a problem with is remembering specific account names, is it an email address (and I have 15 or more of them to choose from), my own name (and then with or without middle initial/middle name), some id I've decided upon or one that has been forced on me by a supplier.

former anonymous replies:

I have an extremely similar system, but one that also includes caps, numbers, and punctuation for hardness.

This still leaves me with eight "usual" passwords and four more special-use ones. And then on top of that, the ones other people made up and I have to live with...

I just like to get to know a place before I give it even my least secure password, because a leak of (especially) that password would mean changing it in over fifty systems. *cringe*

Spam

There's no real solution to spam. The nice thing is that your page offers actual valid DIY suggestions and isn't really the kinda place for spammers to hang out, so you probably get less spam than places like thesuperficial.com

How about adding "shoe" to the spam filter ?

:)
I am not 100% joking on that.
Silly as it may sound, all the spammers seem to want to sell us shoes.

There's another Douglas Adams/HHGttG reference here, but I will desist.
-----------------------------------
"I think the surest sign that there is intelligent life out there in the universe is that none of it has tried to contact us." (Calvin and Hobbes/Bill Watterson)

Shoe spammers are the worst!

They hit this board and others that I'm a member of with regularity (I see one just nailed us again.)

Unfortunately, the only way I've seen to combat them is exactly the measure you talk about: denying anonymous posts (or at least requiring moderator approval first) and vigilant IP filtering. An open-posting forum is a spam-magnet, sadly.

May they go unshod

There seems to be a pattern to those spam posts. First seems to be posted at 1200UTC and then regular intervals until about 1600UTC. So the appearance of these c**p posts coincides with my lunch-time reading. I suspect that it isn't so much me they are after --- why would I want shoes promoting Jordan, a glamour model here in England --- but those checking the forums at the start of business on the east and west coasts of continental America.

Yesterday or the day before I noticed that one of those s**t posts came from a named (unverified) account. So just blocking anonymous sadly wouldn't be sufficient.

Open posting and/or un-verified accounts will attract that sort of scum.

None of their posts are of the slightest interest to me. I prefer to wear hand-made shoes; think of it as the difference between ball-point pens and fountain pens.

S'right !!

No cheap, throw-away biros here.
:)
-----------------------------------
"I think the surest sign that there is intelligent life out there in the universe is that none of it has tried to contact us." (Calvin and Hobbes/Bill Watterson)

May they cross the Shoe Event Horizon

Yes, another HHGttG reference. But so appropriate and silly.

Shoe Event Horizon

-----------------------------------
"I think the surest sign that there is intelligent life out there in the universe is that none of it has tried to contact us." (Calvin and Hobbes/Bill Watterson)

The spammers are getting thru the filters

Can anything be done ?

Remind me again, please, why we allow guests to post ?

-----------------------------------
"I think the surest sign that there is intelligent life out there in the universe is that none of it has tried to contact us." (Calvin and Hobbes/Bill Watterson)

Sure thing, Ygor!

Abstracted from Doug's start of this thread:

I'm not convinced that turning off anonymous posting is the answer...
* Many of these spammers actually register on the site...
* Studies show that a person typically posts three times on a site before he or she feels the interest or loyalty to actually register as a member...