owen

I put my current version of OSA online. To refresh your memory, OSA is a spam filter for WordPress. The development precept is to keep in lockstep with WP 1.5 development so that it’s a working solution when 1.5 is complete.

The new version uses a three-strikes-like method of filtering on the common set of criteria. The main things that this filter does that others do not are:

  • Provides reasons for what it does with each comment, easy to view both in the digest-based email reports and on the comment management page.
  • Uses peer-to-peer blacklist distribution so that no central site is attacked for attempting to thwart spam.
  • Provides a professional interface for both managing spam moderation and dealing with spammers.

This plugin actually rehashes a lot of what the core WordPress spam stuff does, but provides reporting features that WordPress does not. For instance, WordPress will summarily delete comments that contain entities in the a-z range. This is fine, but I want to know that it happens, and WordPress will not inform you of this.

WordPress also doesn’t do anything to slow down the submission of comment spam, and the beginnings of that code exist in OSA.

I’m not putting this forward as a complete solution for spam. The blog software is beta and the spam filter is alpha. There are incomplete pieces, notably the granular blacklist editing. Due to the nature of the peer-to-peer blacklists, scanning the blacklists is going to be more important. There should be tools (not included in this distribution) that help manage that.

All of the warnings aside, with relatively infrequent babysitting, the code is performing well. I think I blew through the last of the trackback spam bugs yesterday, and the interface has been revised to reflect the new weighted rating system.

I have imagined a new tactic to combat comment spam: a centralized verification system. Upon receiving a borderline rating on a comment, the spam plugin could forward the user to an external site that would verify that user’s identity for the purposes of keeping their comments from being marked as spam. It would be kind of like TypeKey, but with two exceptions:

  1. The commenting user would only need to log in after submitting a comment that was judged suspect by a filter.
  2. The site owner could specify the external security system to use to verify the user's identity as part of the filter options.

The process would be something like:

  1. User submits borderline comment.
  2. Blog pings verification server via XMLRPC with comment id and validation URL.
  3. Blog forwards user to verification server to pass authentication tests.
  4. Upon the user's completion of the authentication tests, the verification site pings blog via XMLRPC with "passing" or "failing" codes sent in step 3.
  5. Verification site forwards user back to blog's comment page.
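As an added illustration of the five-step exchange above (example code, not OSA's own), here is a Python simulation of both sides. The blog mints unguessable, single-use "passing"/"failing" codes when it pings the verification server in step 2, and in step 4 it accepts a result only if the ping carries one of the codes it issued for that comment id; the XML-RPC method names, comment id and URLs are assumptions.

```python
import hmac
import secrets
import xmlrpc.client

# In-memory stand-ins for the two parties; method names are assumed, not OSA's API.

class Blog:
    def __init__(self):
        self.pending = {}   # comment_id -> {"pass": code, "fail": code}
        self.status = {}    # comment_id -> "approved" | "spam"

    def ping_verifier(self, comment_id, validation_url):
        # Step 2: mint one-time pass/fail codes for this comment and send them to the verifier
        codes = {"pass": secrets.token_urlsafe(24), "fail": secrets.token_urlsafe(24)}
        self.pending[comment_id] = codes
        return xmlrpc.client.dumps((comment_id, validation_url, codes["pass"], codes["fail"]),
                                   methodname="osa.registerPending")

    def receive_result(self, xml_payload):
        # Step 4: accept the verifier's ping only if it carries a code this blog issued
        (comment_id, code), method = xmlrpc.client.loads(xml_payload)
        codes = self.pending.get(comment_id)
        if method != "osa.verificationResult" or codes is None:
            return "rejected"                  # unknown comment id, or already consumed (replay)
        if hmac.compare_digest(code, codes["pass"]):
            verdict = "approved"
        elif hmac.compare_digest(code, codes["fail"]):
            verdict = "spam"
        else:
            return "rejected"                  # code does not match either issued value
        del self.pending[comment_id]           # single use: a second ping for this id is rejected
        self.status[comment_id] = verdict
        return verdict

class VerificationServer:
    def __init__(self):
        self.pending = {}   # comment_id -> (validation_url, pass_code, fail_code)

    def receive_registration(self, xml_payload):
        (comment_id, validation_url, pass_code, fail_code), _ = xmlrpc.client.loads(xml_payload)
        self.pending[comment_id] = (validation_url, pass_code, fail_code)

    def complete_auth(self, comment_id, user_passed):
        # Step 4: after the user's authentication test, ping the blog with the matching code
        _, pass_code, fail_code = self.pending.pop(comment_id)
        return xmlrpc.client.dumps((comment_id, pass_code if user_passed else fail_code),
                                   methodname="osa.verificationResult")

def run_exchange(user_passed, forge=False):
    """Run steps 2 to 4 for a constructed comment id; forge=True sends a guessed code instead."""
    blog, verifier = Blog(), VerificationServer()
    verifier.receive_registration(blog.ping_verifier(42, "https://blog.example/verify/42"))
    result_xml = verifier.complete_auth(42, user_passed)
    if forge:
        result_xml = xmlrpc.client.dumps((42, "guessed-code"), methodname="osa.verificationResult")
    return blog.receive_result(result_xml)
```

Because the codes are bound to one comment id and deleted once used, neither a guessed code nor a replayed ping changes a comment's status.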

Giving this more thought…

I need more control over Pingbacks in WordPress than I have. I want control over which URLs in my content are pinged. I’ll have to consider this, as well.