Another Approach at Comment Spam

Yet another WordPress experiment, and this time it’s all about fighting spam! We all know and love Akismet, but most of you will agree with me that some of those spammish comments still pass through. So how do we get rid of them? We can’t block all comments with links, they might be useful. We can’t block all comments containing spammish words, those spammish words might be the topic of your blog.

What we can do though is get a clearer picture of who’s submitting the comment — human or robot? Captchas work, but we hate them, and our visitors hate them even more. E-mail verification works, but it’s a pain having to go back and forth only to write a “thank you” message. So I was thinking last week..

What do spam comments have in common? Well, most of the time they contain links, they have a junky e-mail address, sometimes a spammish name, and most of the time no avatar. But exploring all the spam that was stopped and the spam that came through on my blog, I also noticed that spam comments tend to fill in all fields and never miss one. They sometimes even subscribe to the comments by e-mail, which of course they will never receive.

So having that in mind, and looking from the spambot perspective, what do we see? We see a form with a bunch of fields and a submit button. We don’t see the visual side of it, we only see the HTML that’s behind it. So what’s the typical logic of a spam bot? Fill in all the fields and hit the submit button. There might be more intelligent bots out there, but it basically comes down to this.

Now, what if there was another field, a fake one? A field that you don’t have to fill in, but with a rather tempting name, say “website”, labeled “Website URL”. I don’t think that any spambot would want to miss that, right? But the secret sauce is that the field is wrapped in a parent element which is invisible. Can spambots render CSS and determine if a field is visible or not? I doubt it, but they could. So give them an extra tempting field to fill in with their spammish URLs, and on the back end check whether the field was filled in or not.


Thinking forward, this could be done with multiple fields, some with a default value perhaps, a checkbox maybe? Just make sure that your checking on the backend is correct. And once you encounter a comment that touched the field invisible to the users, spam!

I wrote a code snippet for WordPress which adds an extra website field that’s invisible, with some simple checking upon comment submission. Let’s see how it goes. I’m planning to run this for a week alongside Akismet, and then perhaps a week with Akismet turned off. I’ll publish the results and share the code snippets if I get anything positive, otherwise.. Oh well ;)
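The author's snippet is not shown on this page. As an added example (not the author's code), here is one way to build the decoy field and the back-end check in WordPress. It assumes the theme renders its form with `comment_form()`; the `hp_` function names and the `hp-wrap` class are hypothetical, and the sample submissions at the bottom are constructed.

```php
<?php
/**
 * Honeypot comment field: added example, not the author's snippet.
 * Assumptions: field name "website" (from the post); the wrapper class
 * "hp-wrap" and the hp_ function names are hypothetical.
 */

// Render the decoy field inside a hidden parent element.
// tabindex/autocomplete keep keyboard users and browser autofill out of it.
function hp_render_field() {
    echo '<p class="hp-wrap" style="display:none" aria-hidden="true">'
       . '<label for="hp-website">Website URL</label>'
       . '<input type="text" name="website" id="hp-website" value=""'
       . ' tabindex="-1" autocomplete="off" />'
       . '</p>';
}

// Pure check: true when the submission touched the decoy field.
// A human never sees the field, so it arrives as an empty string.
function hp_is_tripped(array $post) {
    if (!array_key_exists('website', $post)) {
        return false; // form was rendered without the field (e.g. logged-in user)
    }
    return !is_string($post['website']) || trim($post['website']) !== '';
}

// Filter callback: override the approval status when the decoy was filled.
function hp_flag_spam($approved, $commentdata) {
    return hp_is_tripped($_POST) ? 'spam' : $approved;
}

if (function_exists('add_action')) {
    // Inside WordPress: hook the field into the form and the check into submission.
    add_action('comment_form_after_fields', 'hp_render_field');
    add_filter('pre_comment_approved', 'hp_flag_spam', 10, 2);
} else {
    // Outside WordPress: run the check over constructed sample submissions.
    $samples = array(
        'human'      => array('author' => 'Ann', 'comment' => 'Thanks!', 'website' => ''),
        'bot'        => array('author' => 'x', 'comment' => 'buy', 'website' => 'http://spam.example'),
        'array-junk' => array('author' => 'x', 'comment' => 'buy', 'website' => array('a')),
    );
    foreach ($samples as $name => $post) {
        echo $name, ': ', hp_is_tripped($post) ? 'spam' : 'pass', "\n";
    }
}
```

Flagged comments land in the spam queue rather than being rejected outright, so a false positive can still be recovered. A submission that omits the decoy field entirely is not flagged, because logged-in users never receive the field.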

Thanks for reading, and let me know if you have any further thoughts on this topic. Cheers!

Update: While the method mentioned above worked to some point, it didn’t stop quite a lot of spam comments, so I decided to go the “close comments on entries older than 14 days” route, which seems to be working fine for the moment.

Removing Comments Author Links

Akismet (the anti-spam plugin for WordPress) is great, but when it comes to readers commenting on posts and leaving backlinks to their sites, Akismet doesn’t count that as spam unless the message itself looks like spam. Yeah, WordPress marks them with a ‘nofollow’ attribute, but search engines aren’t the worst case in this situation. It’s pretty good if readers leave backlinks to sites that are more or less relevant to yours, but what if it’s something about travel and hotel bookings? That would piss me off…

You can manually edit the comments and remove backlinks, but you’ll get annoyed doing that with ~100 comments per day. Anyways, here’s a quick tip on how to remove all author links forever.

Go to your WordPress admin panel, pick the ‘design’ section and click ‘theme editor’. Now, in the list on the right you’ll see some files related to the current theme. You’ll have to find the one that’s ‘driving’ comments. This can vary from theme to theme, but most likely it will be called comments.php.

Then find something similar to:

<?php comment_author_link() ?>

And replace it with:

<?php comment_author() ?>

Voila! And no more author links in comments ;) Good luck!