

Victory Over The Comment Spammers

Posted on January 14, 2009

Part of the Wonderful WordPress Wednesdays Series

Welcome to the twelfth installment of my Wonderful WordPress Wednesday series.

With more than 20 blogs to watch over, comment spam has become quite the annoying time killer of late.  With more than 200 Akismet entries to sort through each day it became clear that something else had to be done, so I headed into the ether to find a solution.

My first stop was, of course, the WordPress plugin directory.  Unfortunately, searching on “spam” returns 117 of the 3,870 plugins currently listed there.  Not exactly a bullseye solution to the problem.  So I headed into the WordPress Codex, where I found their Combating Comment Spam page with the following suggestions:

  • Akismet – Akismet was already keeping the majority of the spam off my blog, but I was still forced to sort through it in search of false positives.
  • Settings > Discussion –
    • Here there are multiple options to automatically detect spam: number of links, spam keywords, blacklist.  Alas, when detected, it was just dumped into the Akismet area for me to sort through later.
    • Moderate All Comments – This would create even more work for me, essentially labeling everything as spam.  Not exactly a timesaver and not really user friendly, either, IMO.
    • Pre-approve only “old” commenters – Since I don’t have many ‘regular’ commenters this would still require far too much moderation time.
    • Restrict Comments To Registered Users – not only user-unfriendly, but I really have no desire to have dozens or even hundreds of people with user accounts on my blog(s).
  • Delete wp-comments-post.php and/or wp-trackback.php – Again, not exactly user friendly.  I’m trying to encourage more comments, not remove them all.  Besides, isn’t this just giving in to the spammers?  I’d rather let them run rampant than shut out my actual readers.
  • Use rel="nofollow" – this has never actually been effective in stopping comment spam.  The bots simply don’t care.
  • Deny access with .htaccess – Now that seems interesting!
    • Deny Access to Spammer IPs/Referrer Spammers – Again, too labor intensive what with the need to collate and enter individual IP addresses and referrers.
    • Deny Access to No Referrer Requests – I think we have a winner!

Here’s the relevant section of the Codex:

When your readers comment, the wp-comments-post.php file is accessed, does its thing, and creates the post. The user’s browser will send a “referral” line about this.

When a spam-bot comes in, it hits the file directly and usually does not leave a referrer. This allows for some nifty detection and action direct from the server. If you are not familiar with Apache directives, then write the following in your root directory .htaccess file:

RewriteEngine On
# Only look at comment submissions: a POST to wp-comments-post.php
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# Fire when the Referer does not contain your own domain (replace yourdomain.com) ...
RewriteCond %{HTTP_REFERER} !yourdomain\.com [OR]
# ... or when the request carries no User-Agent at all
RewriteCond %{HTTP_USER_AGENT} ^$
# Redirect the request back to the client's own IP address
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

This will:
1. Detect when a POST is being made
2. Check to see if the post is on wp-comments-post.php
3. Check if the referrer is in your domain or if no referrer
4. Send the spam-bot BACK to its originating server’s IP address.
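To see what that rule actually decides, here is an added example (not from the Codex or from this post) that models its conditions in Python and runs them over a few constructed comment submissions; example.com stands in for yourdomain.com.

```python
import re

# Added model of the Codex .htaccess rule above; this is not Apache itself.
# example.com stands in for "yourdomain.com" (an assumption for the example).
SITE_DOMAIN = "example.com"

def codex_rule_blocks(method, uri, headers):
    """True when the rewrite rule would fire and redirect the request away."""
    if method != "POST":                               # RewriteCond REQUEST_METHOD POST
        return False
    if not re.search(r"wp-comments-post\.php", uri):   # RewriteCond REQUEST_URI
        return False
    referer = headers.get("Referer", "")
    user_agent = headers.get("User-Agent", "")
    # Substring match, as in the original: any Referer containing the domain passes.
    referer_ok = re.search(re.escape(SITE_DOMAIN), referer) is not None
    return (not referer_ok) or user_agent == ""         # the [OR] with the empty-UA check

# Constructed requests: the cases worth trying before enabling the rule on a live site.
SAMPLES = {
    # Ordinary reader posting from the article page.
    "normal_browser": ("POST", "/wp-comments-post.php",
                       {"Referer": "http://example.com/2009/01/post/", "User-Agent": "Mozilla/5.0"}),
    # Real reader whose browser or proxy strips Referer: rejected although human.
    "reader_no_referer": ("POST", "/wp-comments-post.php", {"User-Agent": "Mozilla/5.0"}),
    # Bot that sends browser-like headers: nothing is left for the rule to catch.
    "bot_browser_like": ("POST", "/wp-comments-post.php",
                         {"Referer": "http://example.com/", "User-Agent": "Mozilla/5.0"}),
    # Bare bot with no headers at all: the only case the rule was written for.
    "bot_bare": ("POST", "/wp-comments-post.php", {}),
    # Page view: the rule never looks at GETs.
    "page_view": ("GET", "/2009/01/post/", {"User-Agent": "Mozilla/5.0"}),
}

def evaluate(samples=SAMPLES):
    """Map each sample name to whether the rule would block it."""
    return {name: codex_rule_blocks(*request) for name, request in samples.items()}

if __name__ == "__main__":
    for name, blocked in evaluate().items():
        print(f"{name:20s} {'BLOCKED' if blocked else 'allowed'}")
```

The two middle cases are the ones that matter: a header-stripping reader is turned away while a bot that copies a browser's headers is not, so the rule only buys anything against the very simplest bots.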

After reading that over it seemed to make perfect sense to me.  A simple but elegant solution to spambots.  Five minutes later I had added the relevant code to my .htaccess file and expected to never hear from comment spammers again.

However, the next morning, my Akismet spam queue was full of over 100 messages again.  The only thing different was that not a single one of them was a false positive or even questionable.  Every single one of them had been left by a spambot.  Clearly this simple but elegant solution wasn’t working.  So I headed off to find another solution.  The worst part, however, was something I didn’t realize until a full two days later: the .htaccess changes were blocking regular comments!  I think this was because I don’t use the normal comments.php, instead using a custom one from a comment plugin, but regardless, it wasn’t helping block the spambots anyway, so I just wiped it clean out and immediately was able to receive comments again.

My next “great find” was Yet Another WordPress Anti Spam Plugin (YAWASP).  Unlike the vast majority of anti-spam plugins out there, YAWASP did not require Javascript or cookies (which many of my visitors have disabled) or a CAPTCHA (which I and many of my visitors hate), but instead was entirely transparent to the regular user.  Its primary means of spam detection is to add a “hidden” field that the bots will see (and complete) but is invisible to the human eye on the rendered page.  I use this same type of anti-spam system to keep spammers from registering on the various forums I’ve run over the years and it works great.  So I was excited to see it available for WordPress as well.  Unfortunately, I couldn’t get it to work.  No matter what I did it kept insisting that every comment was spam because its author had somehow entered data into the “hidden” field.  Exceedingly frustrated at this point I removed it and took a nice long break.
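As an added example of the hidden-field idea (this is not YAWASP’s code and not from this post), the check below is run against two constructed submitters: a form-filling bot and a human whose browser autofills anything that looks like a contact field. Whether autofill is what tripped YAWASP on this blog is an assumption; the example only shows that the trap’s field name decides between catching bots and flagging everyone.

```python
import re

# Added illustration of a honeypot ("hidden field") comment check. The field names,
# the autofill model and the bot model are all constructed for this example.

def render_comment_form(trap_name):
    """Real fields plus a trap hidden by CSS. Not type=hidden: bots send those back unchanged."""
    return (
        '<form method="post" action="/wp-comments-post.php">\n'
        '  <input name="author"> <input name="email"> <textarea name="comment"></textarea>\n'
        '  <div style="display:none">'
        f'<input name="{trap_name}" autocomplete="off" tabindex="-1"></div>\n'
        '</form>'
    )

def classify(form, trap_name):
    """Server side: no human sees the trap, so anything in it marks the submission as spam."""
    return "spam" if form.get(trap_name, "").strip() else "ok"

def human_with_autofill(field_names):
    """Model of a reader whose browser autofills any field named like a contact field,
    visible or not. One plausible way every single comment ends up classified as spam."""
    form = {"author": "Reader", "email": "reader@example.com", "comment": "Nice post."}
    for name in field_names:
        if name not in form and re.search(r"url|website|email|phone", name, re.I):
            form[name] = "http://reader.example/"
    return form

def form_filling_bot(field_names):
    """Model of a spam bot: it puts its payload into every field the form exposes."""
    return {name: "cheap stuff http://spam.example/" for name in field_names}

def compare(trap_names=("website", "fld_4c2e")):
    """Classify a human and a bot submission for each candidate trap field name."""
    results = {}
    for trap in trap_names:
        fields = ["author", "email", "comment", trap]
        results[trap] = {"human": classify(human_with_autofill(fields), trap),
                         "bot": classify(form_filling_bot(fields), trap)}
    return results

if __name__ == "__main__":
    for trap, verdicts in compare().items():
        print(trap, verdicts)
```

A trap called "website" catches the bot but also every autofilling reader; a meaningless name keeps the readers and still catches the bot, which is the property a theme or plugin author has to preserve when they rename or restyle the form.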

Finally I decided to see what other long term bloggers were doing and with a little poking around in Google Blog Search I finally came across several positive articles about the Bad Behavior WordPress Plugin.  Like Akismet and YAWASP, Bad Behavior is transparent to my actual readers.  However, unlike them it was as simple as install and activate.  I haven’t received a spambot comment since!  Regular comments still seem to be getting through and spam that is manually left still shows up (though it tends to get caught by Akismet).  Best of all, in the last 24 hours I’ve only had to clear fewer than a dozen comments from my various Akismet queues.  Now that is protection.

Yeah, I know that was a long way to go for what could have been a simple single paragraph post.  But I wanted y’all to understand that I share your frustrations.  Now, hopefully, you can avoid all of my pitfalls and wasted time and simply install Bad Behavior to begin with.  The only question remaining is why is Akismet distributed with WordPress when Bad Behavior is not?

Filed Under: Blogging, Wonderful WordPress Wednesdays


242 Responses to “Victory Over The Comment Spammers”

  1. BigMick on 15.01.2009 at 20:41

    I read on another blog today that they were happy with http:BL.

    They used it in conjunction with Akismet and were happy with the reduction of comments appearing in Akismet.

    If your current solution doesn’t work, check it out. I’m not affiliated with it in anyway. Just thought I’d share it with you.

    1. Aahz on 21.01.2009 at 13:56

      I looked at http:BL but Bad Behavior has been pretty much perfect at this point. Should the bots find their way through that’s next on my list.

  2. James on 21.01.2009 at 21:24

    Hi all. Very clever idea with YAWASP, pity it doesn’t work. What principle does Bad Behaviour actually use?

    1. Aahz on 21.01.2009 at 21:46

      Welcome, James. Bad Behavior analyzes the HTTP headers, IP address, and other metadata regarding the request to determine if it is spammy or malicious. Their site has much more detailed information but, frankly, most of it goes over my head. I’m just not that up on how the ‘net actually functions.

      I can tell you this, though… Not having had a single spambot drop a message into my moderation queue or onto my blogs in the last week has been heavenly :)

  3. Loula Papas on 02.02.2009 at 10:15

    Interesting, and while you’re out there looking….you may want to research for a better spellchecker too :)))

    “So I headed into the WordPress Codex ehere I found their Combating Comment Spam page with the following suggestions-”

    …and oh yeah, what’s up (or more like down) with your website dude ????? I could recommend a great place but you seem to have shit all over them!!!

    Loula Lotta Love

  4. Jonathan@Friends&Money on 05.02.2009 at 11:17

    It is also the bane of my life although I have to admit that I don’t get quite as much spam as you. I’m using WP BAN which is a nifty WordPress plugin that allows you to ban specific IP addresses of spammers, quickly and easily without messing around with .htaccess directly. Essentially it is easier for those with less technical knowledge. So far it’s reduced spam by about 40% which I am very pleased about.

  5. Frnklin on 02.11.2009 at 23:32

    Spamming is one of the major problems. Can anyone tell me how to get rid of spamming without wasting time? I would like to know the easiest way. Thanks

  6. Suresh Khanal on 23.04.2012 at 02:08

    Now I’m using GASP to block automated spam comments. This plugin displays a client side generated check box for comment posters to mark before they submit. I guess it is a better idea than using complex captcha and cookie methods.

    Yet another is ‘Spam Free WordPress’ that generates an anonymous password for comment posters to fill in a box. I’ve recently activated it on my blog and am studying its effectiveness. Logically, the plugin looks to work great.

    Thank you for the useful list of plugins to fight against spam comments.
