Lots to say about comment spam today...
Have you noticed the new tactic the spammers are using to get spam onto WordPress sites? They're sending comment spam without any URLs. You think that's a good thing and that the spammers are just crazy? I'll explain why you're being lulled into a false sense of security.
There is a toggle in WordPress (this may be a 1.5-only thing - I haven't checked in 1.2) that sends all comments to moderation unless that user has commented before. There are actually a couple of spam plugins that check this, too, automatically whitelisting anyone who has already left an approved comment. This is a good thing, but you have to be careful not to get duped into approving a spammer's unobtrusive comment.
If you did approve one of the many comments that sound like, "Just found your site, and it's exactly what I wanted," then you're likely in for a surprise. The spammer script will notice that the old comment was posted, and it will post another comment using the same email address that actually contains URLs. Sneaky, eh?
On the flip side, spam prevention in WordPress 1.5 seems to be improving. Matt recently announced that he's using only the built-in protections to prevent spam and it seems to be working fine. Well, that's pretty swell, but I wonder if anyone has tried to write anything about "Texas-holdem poker" in his comments.
Looking through the WP 1.5 comment code, it seems that the entire comment is checked for the spam search strings. So unless the search strings are uber-regexes, they're going to match regular text too. This means they have the potential for a high false-positive rate.
Fortunately, most people don't have the need to talk about Texas hold'em in their comments, so this issue isn't frequent, but if spammers get more crafty and word their comments with frequently used, acceptable words, then this could pose a problem. The immediate alternative would be to add every spammer IP to the spam wordlist. I'm going to guess that this might cause a bit of inefficiency when posting comments.
Keeping this list up to date can also be a hassle, since - at the last CVS revision I saw - there was no way to automate this process.
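To make the interplay concrete, here is an added model (not WordPress's own code) of the three checks discussed above: the whole-comment wordlist match, the "hold if more than N links" queue threshold, and the "previously approved commenter" whitelist keyed on email. It walks through the two-stage tactic (a URL-free probe comment that gets approved, then a URL-laden follow-up from the same address) and the false positive that a plain substring wordlist produces. The email addresses and comment texts are constructed sample values.

```python
import re
from dataclasses import dataclass, field

# Crude URL detector; enough to count links the way the queue threshold needs.
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


@dataclass
class Comment:
    email: str   # the only identity the whitelist has (never published)
    text: str


@dataclass
class Moderator:
    """Simplified model of the WP 1.5 comment checks, not WordPress's code."""
    spam_words: list
    max_links: int = 2               # hold comments with more links than this
    require_prior_approval: bool = True
    approved_emails: set = field(default_factory=set)

    def decide(self, c: Comment) -> str:
        lower = c.text.lower()
        # Wordlist is matched against the whole body, so ordinary prose can trip it.
        if any(w.lower() in lower for w in self.spam_words):
            return "spam"
        if len(URL_RE.findall(c.text)) > self.max_links:
            return "moderate"
        if self.require_prior_approval and c.email not in self.approved_emails:
            return "moderate"
        return "approve"

    def approve(self, c: Comment) -> None:
        self.approved_emails.add(c.email)   # whitelists every later comment from this email


def two_stage_tactic(max_links: int):
    """Returns (verdict on the probe, verdict on the URL-laden follow-up)."""
    m = Moderator(spam_words=["texas-holdem"], max_links=max_links)
    probe = Comment("bot@example.invalid", "Just found your site, and it's exactly what I wanted.")
    first = m.decide(probe)      # held: unknown email, but it carries no URLs
    m.approve(probe)             # the blog owner is duped into approving it
    payload = Comment("bot@example.invalid", "Nice post! http://a.example http://b.example")
    return first, m.decide(payload)


def false_positive() -> str:
    """A legitimate, whitelisted commenter mentioning the game gets flagged."""
    m = Moderator(spam_words=["texas-holdem"])
    reader = Comment("reader@example.invalid", "We played Texas-holdem last night, no money involved.")
    m.approve(reader)
    return m.decide(reader)
```

With the default threshold the follow-up sails through on the strength of the approved email; lowering `max_links` to 1, as one commenter below did, sends it back to moderation.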
My thought is that the integrated stuff is good enough at preventing casual spam, but some additional features are necessary to bring it up to the user-friendly standard at which WordPress usually runs.
Only the most recent CVS has changed the Dashboard to not show spam comments. That's good. I had revised my Dashboard to show a count of spam comments like it does the moderated ones. The link goes to the moderation.php page, but with a special querystring that forces the display of spam comments. This allows me to delete them. I'm not sure if the latest CVS has added a way to review spam posts yet, but being able to approve false positives is the main benefit of keeping spam comments, right? It should do this.
I've also been toying a little with captcha code, and I've encountered the trackback issue. Trackbacks can't use captchas. If you're protecting your blog exclusively with captchas, and you're not blocking trackbacks, you're wide-open and ripe.
I've been devising a scheme to allow a site to authenticate itself when it creates a trackback. This would use the xmlrpc plugin hook in 1.5. Of course, it would only work on WordPress blogs, but it's a start. The interface would be pretty simple, and although it wouldn't be a solution for preventing initial trackback spam, it would keep people from offending repeatedly. This is an idea still in incubation.
Interestingly, the new OSA code is coming along great. I've added a bunch of new features. The best one of the bunch so far is the peer-distributed spam wordlist. You can point your blog at any other OSA-running blog to update your wordlist from theirs. Every entry is accountable to the person who originally added it and can be authenticated. It's pretty slick and it's currently working. Since the spam list builds itself from OSA, any person running it is liable to have a good wordlist. There will soon be complete administration of the blacklist entries, so you can easily weed out the entries from sites you don't trust.
OSA should augment the built-in spam prevention methods nicely.
The peer-distributing thing sounds really cool. Would like to see that. The reason I'm not using any spam plugins isn't so much that I don't think people need them, but they were causing some problems on my setup and honestly I'd like to be as close as possible to the emerging trends in spam, as my blog is a target I feel the pain, which is good. Hopefully this will lead to better out-of-the-box tools for general comment management.
I'm using WP 1.5 and no spam plugins, too. I lowered the link count down to 1 (one), so even returning whitelisted commenters who try to place comment spam go right into moderation. The downside is some legitimate comments containing links (well, there usually aren't that many of that kind) go into moderation too.
But as a result I have no comment spam problem.
Hi, I just came across your page, and am not a comment spammer. Does that make me sound suspiciously like a comment spammer? Anyway, I was wondering if you or your readers had any idea *how* the 1.5 whitelist works--i.e., how does it determine that a commenter is the same commenter who was previously approved? Does it go by IP? Registered login? Something else? And can I pre-approve someone?
Thanks in advance,
Jessica
Not surprisingly, your comment slipped right through my comment spam filter, so you must not be a spammer. :)
There is no whitelist in WP1.5 per se, but there is an option on the Options|Discussion page labeled "Comment author must have a previously approved comment". If you check this box, then the only users who will automatically have their comments approved are those who have submitted a comment that was subsequently approved from moderation by you. The user is identified by their email, which, as any WordPress user knows, is not published on the site, so it's difficult for spammers to impersonate another user.
You can pre-approve a person to pass this method only if you submit a comment using their email address and then approve it from the comment moderation page.
There may be plugins that allow you to whitelist users without injecting impersonated comments, or may allow you to identify users by criteria other than their submitted email, but I don't know what these are. There are a lot of comment spam plugins out there, some more comprehensive than others.
I'm currently using a custom plugin that I will release as soon as I've tested all of its features. Maybe I'll add a whitelist, too.
Awesome, so it uses email. So I could spoof them, and preapprove that way, which is easy. Seeing as there are only about five people who would ever conceivably comment on my blog. I'm really liking WordPress, especially 1.5 (though I dearly love the 1.2 color scheme, which happens to be my alma mater's colors). Thanks again--and I'll be back to see about an even better comment spam control method, if you're making one. I never got any, interestingly, until just today.