I’ve been testing out a spam plugin that has been very effective. You can get Spambot Stopper on the WordPress support forums. It’s very simple; for more advanced protection, check out the Combat Comment Spam page on the Codex.
Hey,
I usually don’t mind if people use my ideas and stuff, but since this has been extremely effective maybe you can add a little mention to me in the source. Doesn’t even have to include a link, but I think it should be more than appropriate since you did turn my hack into a plugin.
Thanks,
Gene Shepherd
Will download the plugin, but wondered if you already had it implemented so we could see it in action?
I should point out that I implemented something similar for MovableType nearly a year ago. Eventually, I wrote up a description of the technique, along with releasing the requisite plugin.
Since then, I’ve seen some indication that there are at least a few spambots about with real HTML parsers. They won’t be stopped, or even slowed down by such simple-minded tricks.
I’m waiting for more data (unfortunately, I don’t get enough comment spam anymore to really test these things properly) before writing up the next step in the arms race: DOM-scripting as an anti-spam measure.
Jacques, that’s the first time I have seen that but yes it is a very simple minded trick, which is why in my original post of this concept I pointed out I was extremely surprised this wasn’t implemented before now. Your hack is however a bit more complex than mine and I do agree that it won’t stop the bots who actually ‘crawl’ the forms. However it does stop link bots in their tracks.
My hack had a much more ambitious goal: to ensure that the comment POSTed was actually the exact same comment that got run through the Validator (when the user clicked “PREVIEW”). Only incidentally did this turn out to be a random hidden field to trip up spambots.
I’m surprised that, even a year later, the spambots do not seem to have risen significantly in sophistication. I had thought that this trick would have lasted only a couple of months before spambot technology caught up.
Evidently, there’s a lot of low-hanging fruit out there…
Well, it’s simply because the software out there now doesn’t have this type of prevention in place as default. So the new installs simply get pounded. There is no need to improve the technology when the technology is doing fine against the implemented standards. But I do agree, we have had crawling bots technology around for a while now (as far as I can remember) and I am extremely surprised that they are all using link-bot methods to post the spam.
So the new installs simply get pounded.
Evidently, WordPress has finally “arrived” if new WP installs are routinely getting pounded by comment-spammers.
As I pointed out in my first post on the subject of comment spam, the real problem is software monoculture, where numerous identical software installations present a tempting target to miscreants. A bit of randomness, introduced in the installation process, would go a long way towards throwing the spammers off-balance.
I agree with your post in that blog. The majority of the problem is due to the similar nature of all blogging solutions out there right now. I think however that these solutions are following a working standard and the users are expecting this standard. So unless everyone starts using another type of standard right out I don’t think these spammers will be out of a job any time soon.
It would not be difficult, in WordPress, MovableType, or any other blogging system, to ensure two things in the default install:
1) The local part of the URI to which comments are POSTed is randomly-chosen, rather than fixed (“wp-comments-post.php” or “mt-comments.cgi”).
2) That URI does not appear on any page that is indexed by Google. The only pages on which it appears should have an explicit
to prevent the URI from making its way into Search Engine indices.
Those two steps alone are, I can attest by 13 months of personal experience, devastatingly effective against today’s spambots. All the more clever anti-spambot steps are mere icing on the cake (though I quite enjoyed coding them, and they will surely prove important in battling more clever spambots in the future).
I’m surprised that, even today, these basic steps have not been taken.
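The two install-time steps listed in the comment above, combined with a hidden-field check of the kind mentioned earlier in the thread, as an added framework-neutral sketch that is not code from any commenter, WordPress or MovableType. The handler naming scheme, the HMAC-derived token, the function names and the use of a robots `noindex` meta tag as the indexing directive are all assumptions.

```python
import hashlib
import hmac
import html
import secrets


def new_install_config():
    """Run once at install time: random handler name plus a per-install secret."""
    return {
        "endpoint": "c-" + secrets.token_hex(8) + ".php",  # hypothetical naming scheme
        "secret": secrets.token_bytes(32),
    }


def form_token(cfg, post_id):
    """Hidden-field value bound to this install and this post (assumed design)."""
    return hmac.new(cfg["secret"], str(post_id).encode(), hashlib.sha256).hexdigest()


def render_comment_page(cfg, post_id):
    """The only page that names the handler; it asks crawlers not to index it."""
    return (
        '<meta name="robots" content="noindex">\n'
        f'<form method="post" action="/{html.escape(cfg["endpoint"])}">\n'
        f'<input type="hidden" name="post_id" value="{int(post_id)}">\n'
        f'<input type="hidden" name="token" value="{form_token(cfg, post_id)}">\n'
        '<textarea name="comment"></textarea>\n'
        "</form>"
    )


def accept_comment(cfg, path, fields):
    """Return (accepted, reason) for a POST to `path` carrying form `fields`."""
    # Bots that POST blindly to a stock handler name never reach the real one.
    if path.lstrip("/") != cfg["endpoint"]:
        return False, "unknown endpoint"
    post_id = fields.get("post_id", "")
    if not post_id.isdigit():
        return False, "bad post id"
    # Bots that found the URI but did not parse the form lack the hidden token.
    expected = form_token(cfg, post_id).encode()
    supplied = fields.get("token", "").encode()
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or wrong hidden token"
    return True, "ok"
```

A bot that parses the served form will still pass both checks, which matches the limitation the commenters describe for spambots with real HTML parsers.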