Report: 30 days with no blog spam on Mephisto!

posted: May 8th, 2007 · by: Sven

in: Programming · 3 comments

I promised to keep you posted with the results of my experimental “outer spam floodgate” Mephisto extension. Tell you what. I’m super-happy with the results as I haven’t seen any blog spam this month! Yes, right. No spam.

[Update]

This little anti-spam trick has been so efficient that I have had no blog comment spam to sort out for months (still counting). I therefore decided to “upgrade” to a slightly more sophisticated version (re-allowing commenters to add an email address) and revamped the whole thing as a more distributable Mephisto plugin instead of two shaky patches.

I’m going to put some notes about the new plugin asap. I’ve added an article about the plugin now: “Inverse Captcha Anti-Comment-Spam Technique: Now A Regular Mephisto Plugin”.

You may also want to refer to this page for additional information: Mephisto Inverse Captcha Anti-Comment-Spam Plugin.

The story

Last month (that was about one month after I had switched to Mephisto) I found myself confronted with the annoying task of reviewing a list of nearly 900 spammy comments. Backed by Akismet, Mephisto had diligently sorted these comments aside and piled them up in the admin interface. 900 spam comments were awaiting my attention. Oha.

Actually, this even was a good thing! It meant that Akismet does an outstanding job. It’s just been far too much for me to review these one-by-one and thus I came up with two things:

  • a patch for Mephisto to add a filter to the comments list in the admin interface - so that I could sort out the most obvious and prevalent comments quickly by filtering the comments with e.g. “cialis” and then sweeping these in one go.
  • a patch that adds an additional layer to Mephisto’s spam protection using an “inverse captcha” technique (to the best of my knowledge Damien Katz described this first).

This additional layer is meant to keep out the vast majority of stupid bots. It’s clearly not failsafe, and as soon as it’s targeted by a programmer it’s going to be broken in less than a wink. But actually that’s not even a problem, because everything that gets through this “outer floodgate” will be picked up by Mephisto’s great Akismet integration anyway.

And that’s what I expected to happen this month: that there’d be at least some bots out there that use some kind of rendering engine and parse the markup and CSS, and that these would have neutralized the “inverted captcha” technique and been able to get to the “inner gate”. In other words, I expected to see at least some spam picked up by Mephisto’s Akismet integration and piled up in the admin interface.

The results

Well, what can I tell? It didn’t happen. Nothing! Yes, literally. NOTHING. Nil, null, nada. No more feeling of being confronted with crapheads dumping their garbage on me every day.

Hurray :)

If you’re interested in checking this out on your own blog, here are some resources:

(Please note that the latter obviously will only apply to my own blog theme - you’ll need to tweak this to implement it into your own theme accordingly.)

Alas! If there only were such a simple and effective way to better protect my e-mail inbox. But that’s a different kind of story, I guess.

The limitation

Of course my present implementation of the “inverse captcha” technique comes at the price of not knowing any commenters’ email addresses any more. I can think of two situations where this might be a problem:

  • you want to contact somebody who commented on your blog
  • you want to display gravatar images alongside the comments on your blog

I’m therefore planning to extend the current implementation to allow email addresses again but use a differently named field for them. Probably just obfuscating the field name in a simple, configurable way.
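The two layers described in the story, combined with the differently named email field planned here, as an added Ruby example (not the Mephisto patches or the plugin's own code). It assumes the decoy keeps the name `comment[email]` and is hidden by a CSS class; `SECRET`, the `hp` class, the field names and `screen_comment` are all hypothetical.

```ruby
require "digest"

# Added example; every name below is hypothetical, not the plugin's own.
SECRET      = "change-me"       # per-site configurable value (assumption)
DECOY_FIELD = "comment[email]"  # the name bots expect; hidden from humans by CSS

# Obfuscated name for the real email field, derived from the secret.
def real_email_field(secret = SECRET)
  digest = Digest::SHA256.hexdigest("#{secret}:email")
  "comment[f_#{digest[0, 10]}]"
end

# Markup for both fields; the "hp" class is assumed to be display:none in CSS.
def form_fields
  <<~HTML
    <p class="hp">Please do not fill in anything here!
      <input type="text" name="#{DECOY_FIELD}" tabindex="-1" autocomplete="off"></p>
    <p>E-Mail <input type="text" name="#{real_email_field}"></p>
  HTML
end

# Outer floodgate. Returns [:rejected, nil] when the hidden decoy was filled in,
# otherwise [:inner_gate, cleaned] for the second layer (Akismet in this post).
# A client that leaves the decoy empty or omits it passes; the inner gate covers that.
def screen_comment(params)
  return [:rejected, nil] unless params[DECOY_FIELD].to_s.strip.empty?

  cleaned = {
    "author" => params["comment[author]"].to_s,
    "body"   => params["comment[body]"].to_s,
    "email"  => params[real_email_field].to_s.strip
  }
  [:inner_gate, cleaned]
end

# Constructed sample submissions.
BOT_POST   = { "comment[author]" => "x", "comment[body]" => "buy pills",
               "comment[email]" => "bot@example.com" }
HUMAN_POST = { "comment[author]" => "Ann", "comment[body]" => "Nice post",
               "comment[email]" => "", real_email_field => "ann@example.org" }

if __FILE__ == $PROGRAM_NAME
  p screen_comment(BOT_POST)
  p screen_comment(HUMAN_POST)
end
```

Changing `SECRET` renames the real field without touching the template or the check, which is the "simple, configurable" part.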

Feedback?

What do you think?


PS: For mail servers there’s “greylisting” as a relatively new technique. Both techniques have in common that they rely on a missing ability of a spam bot … which I think is an interesting aspect.


3 Comments

  1. Saimon Moore said May 8th, 2007 at 09:09 PM  

    Quick let me add this too….I’m pissed off with having to “delete all comments” all day long.

    Thanks for this… :)

  2. Sven said May 8th, 2007 at 11:49 PM  

    Hey Saimon!

    Have fun :) Let me know how things work out for you!

  3. chrisrr said May 13th, 2007 at 08:55 PM  

    I’ve been running on Typo for a long time which relies on AJAX to accomplish practically the same thing. Your implementation is pretty elegant though compared to that. I like it!
