Just had a spam attack, about 90 comments over the course of two hours I was away from the computer. Not a single one is visible because every one was caught by my filter. How to delete them all? Comments Mass edit mode → Search for IP → Check all → Delete checked. Basically less than five clicks to delete 90 comments. The search could have keyed on any part of the name, email, or comment. It took longer to write this sentence than it took to delete two hours of spammers’ work. This isn’t a new 1.3 feature, this has been in WordPress for months.
Category Archives: Spam
Spammers Discover Internationalization
Got this in my inbox this morning with a Spam Assassin score of 0.1: “If yöu åsk yöursëlf “Höw cån it bë sö chëåp?”, thë ånswër is simplë: wë buy hugë quåntitiës dirëctly fröm thë möst fåmöust Phårmåcy Pröducërs (whërë pëöplë cånnöt buy) thån wë chårgë just önë cënt për dösë. This wåy yöu gët thë bëst pricës åll övër thë wörld ånd wë sëll much mörë thån öur cömpëtitörs.” I wonder how long it’ll take my bayesian filters to learn this trick. And no, they weren’t using CSS or a punk band.
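Why a message like this scores so low, and what folding accents before tokenizing changes, shown as an added example that is not from the original post: a toy word-count Bayesian scorer run with and without Unicode folding. The training sentences, the test message and all names are constructed for illustration.

```python
import math
import re
import unicodedata
from collections import Counter

def fold(text):
    """Decompose accented letters and drop the combining marks."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def tokens(text, normalize):
    if normalize:
        text = fold(text)
    return re.findall(r"[^\W\d_]+", text.lower())  # runs of letters only

class TinyBayes:
    def __init__(self, normalize):
        self.normalize = normalize
        self.counts = {"spam": Counter(), "ham": Counter()}

    def train(self, label, text):
        self.counts[label].update(tokens(text, self.normalize))

    def spam_log_odds(self, text):
        """Sum of per-token log-odds with add-one smoothing; above 0 leans spam."""
        spam, ham = self.counts["spam"], self.counts["ham"]
        vocab = len(set(spam) | set(ham))
        n_spam, n_ham = sum(spam.values()), sum(ham.values())
        score = 0.0
        for t in tokens(text, self.normalize):
            score += math.log(((spam[t] + 1) / (n_spam + vocab)) /
                              ((ham[t] + 1) / (n_ham + vocab)))
        return score

# Constructed training data: the same ASCII mail for both models.
TRAINING = [("spam", "buy cheap pills at the best prices"),
            ("spam", "best prices all over the world"),
            ("ham", "notes from the meeting about the release"),
            ("ham", "lunch on saturday to talk blogs")]
MESSAGE = "yöu gët thë bëst pricës åll övër thë wörld"  # constructed test message

def demo():
    """Return (score without folding, score with folding) for MESSAGE."""
    scores = []
    for normalize in (False, True):
        model = TinyBayes(normalize)
        for label, text in TRAINING:
            model.train(label, text)
        scores.append(model.spam_log_odds(MESSAGE))
    return tuple(scores)
```

Folding only undoes accents that decompose; look-alike letters borrowed from another script (a Cyrillic "а", for example) pass through unchanged and need a separate confusables mapping.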
Email Stats
It looks like the email stats thing was adding over half a second to my front page load time. So it’s temporarily on hiatus while I tweak my queries so it won’t be so slow. Have about seven thousand ham and twelve thousand spam in the database, so that may have been slowing it down.
Weeds in the Garden
Under the Iron has an old interview with Scott Johnson that is a good read. Now scroll down to the comments. Dozens and dozens of spam comments. I see this over and over again on MT and s9y sites. What’s terrible is these pages are just as dangerous as dedicated spam blogs. Think about it: I shouldn’t even be linking to it now.
Alex told me the other day about a new type of comment spam he’s been seeing: comments that link to normal blog entries. Well known blogs like Mozillazine. As advanced as tools like MT Blacklist have become, they’re pretty useless in cases like this. Are you going to blacklist Dave Sifry? Molly.com used to have spam comments on her site all the time. Even though she spent a lot of time and effort dealing with them (a daily chore) they only need to be there long enough for Googlebot to index them for the harm to be done. I’m not dogging on MT here, it’s just that there are tens of thousands of MT blogs out there who don’t have any protection and the spammers are targeting them mercilessly. Domain blacklists don’t scale (spammers can have thousands of domains easily and hijack innocent domains) and centralized registration hasn’t been shown to be effective except against people who don’t like centralized registration, a group that doesn’t include spammers.
People used to say that WordPress doesn’t get spam comments because it’s not popular enough. I don’t think this argument holds water anymore. It’s true that MT has three to four times as many blogs as WordPress, but Serendipity has an order of magnitude fewer blogs than WP and is highly targeted by spammers. I think WordPress has, through design and luck, done a lot of things right with regards to comment management in general. First we respond to the problem in the core code quickly. Moderation and blacklisting have been in the core for half a year now. All of the WordPress developers are bloggers as well so we’re pretty sensitive to new techniques in use by the spammers. When early versions of WordPress 1.0 advertised moderation was on, spammers instantly adapted to that and started searching for blogs that didn’t have the phrases we used, so in the next nightly build for testers I had changed how that worked so it couldn’t be targeted anymore. Then in 1.2 we expanded the already successful moderation to allow powerful regular expressions and target not just the content but things like number of links in a post. Let’s say that somehow two hundred spam comments did get on your blog, which would never happen in the first place because we’ve had throttling for over a year now, you can easily delete hundreds of spam comments at once in under five clicks. We’re not sitting still either, version 1.3 will have emergent registration based on code originally written by Kitten so there is a type of automatic whitelisting going on that spammers can’t duplicate because it uses email addresses like a secret key and WordPress never reveals your email address. (So Dave and Mark, stop leaving fake ones!) The code will be flexible enough to adapt for GPG signing for the ultra-geeky in the audience.
Any of these things by themselves wouldn’t be very effective, and each method I’ve listed has its flaws and weaknesses and I know them. Which brings us to what I think the real reason WordPress, despite its explosion of popularity, still doesn’t get the level of spam other tools do: it’s more trouble than it’s worth. WordPress, to spammers, is an unpredictable and moving target. We’re not resting on our laurels, we have another exciting feature-filled release coming just a few months after the landmark version 1.2. The WordPress moderation system can be toggled to manual mode, which is 100% effective at catching spam, or triggered only when something is suspicious. We’re committed to keeping the cost high and the reward uncertain for spammers which means you don’t have to wake up every morning to filth on your weblog as well as in your inbox. You can focus on what draws us all to this medium, writing and genuine interaction. Here’s a quote from Molly from a comment she left on Keith’s site:
I wanted open comments. In my situation, MT, despite the wonderful Jay Allen personally helping me on an almost daily basis to deal with comment spam, I was a major target. My ISP refused to continue dealing with me because the server molly.com resided on was brought to its knees twice due to spam floods. I was spending up to two hours PER DAY to undo the spam much less post.
Since switching to WP, I’ve had exactly five emails sent to me automagically for moderation. 3 of them were spam, 2 were just enthusiastic posts with multiple links from a reader.
Either way, I had instantaneous access to accept or delete those posts.
That’s the sort of thing that is incredibly rewarding about working on WordPress. Knowing that your work makes it easy for someone else to do what they love is one of the greatest feelings in the world. No amount of money or recognition can ever match that.
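The layers this post describes (throttling, link counts, regular-expression moderation, a manual mode, and whitelisting keyed on a never-displayed email address) combined in one triage function, as an added example that is not WordPress code. The class, thresholds, patterns and sample comments are all assumptions made up for illustration.

```python
import re

MAX_LINKS = 2           # assumed threshold, not WordPress's default
THROTTLE_SECONDS = 15   # assumed minimum gap between comments from one IP
PATTERNS = [re.compile(p, re.I) for p in (r"\bcasino\b", r"\bpoker\b")]  # sample keys

class Moderator:
    """Hypothetical layered comment triage; every name here is illustrative."""

    def __init__(self, manual=False):
        self.manual = manual
        self.last_seen = {}           # ip -> time of last accepted submission
        self.approved_emails = set()  # never displayed, so it acts like a shared secret

    def approve(self, comment):
        """Owner approves a held comment; its email is trusted from now on."""
        self.approved_emails.add(comment["email"].strip().lower())

    def triage(self, comment, now):
        last = self.last_seen.get(comment["ip"])
        if last is not None and now - last < THROTTLE_SECONDS:
            return "rejected: throttled"
        self.last_seen[comment["ip"]] = now
        if self.manual:
            return "held: manual mode"
        text = " ".join(comment[k] for k in ("author", "email", "body"))
        if len(re.findall(r"https?://", comment["body"], re.I)) > MAX_LINKS:
            return "held: too many links"
        if any(p.search(text) for p in PATTERNS):
            return "held: matched moderation pattern"
        if comment["email"].strip().lower() in self.approved_emails:
            return "published"
        return "held: first-time commenter"

def demo():
    """Run constructed sample comments through the layers, in time order."""
    m = Moderator()
    reader = {"ip": "192.0.2.10", "author": "Molly", "email": "molly@example.org",
              "body": "Great interview, thanks."}
    spam = {"ip": "198.51.100.7", "author": "Best Casino", "email": "x@example.net",
            "body": "http://a.example http://b.example http://c.example"}
    imposter = dict(reader, ip="203.0.113.5", email="guess@example.net")
    out = [m.triage(reader, 0)]         # unknown email: held
    m.approve(reader)
    out.append(m.triage(reader, 60))    # same email again: published
    out.append(m.triage(spam, 61))      # three links: held
    out.append(m.triage(spam, 62))      # one second later: throttled
    out.append(m.triage(imposter, 63))  # right name, wrong email: held
    return out
```

The last case is the point of keying the whitelist on the email rather than the visible name: copying a trusted commenter's name earns nothing.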
Meet the Press
Met with the charming Cathy Matusow from the Houston Press earlier today and we chatted for a while about blogs and blogging and blogbloginess. We’re going to meet again this Saturday to talk some more, and maybe even set her up a blog. Yesterday I talked with Farhad from Salon.com for a good while, but that chat was a lot more technical, things like comment spam, emergent communities, and business-oriented topics. Farhad asked some very challenging questions that I had lots of thoughts on but my replies were scattered, so I’m not sure if I communicated what I wanted to say.
Comment Pay
Kitten’s Comment Pay lets you present spammers with an option to send money via Paypal. Cool. 🙂
More Casino Spam
I got casino spam in Japanese today. The domain was in English so my moderation filter caught it.
dot-totally
Dot Totally on Pingomatic. We’re addressing the spam problem as it happens.
It’s Over
An address that has never been on the web in text or javascript form has begun receiving large amounts of spam, starting a few days ago. This is not a dictionary attack, it is specifically targeted toward this single address. The address is not guessable or a dictionary word. Luckily the address is disposable.
The only form this address has ever been online is in a PNG screenshot I posted about a year ago.
My Plan for Spam
Well I’ve had more spam getting through my previously perfect Spam Assassin wall so I’ve spent a good part of tonight teaching my personal Bayesian filter about my mail and what I think is spam. I’m feeding it all the good mail right now, because I’ve been deleting all the spam rather than saving it in a folder. In hindsight I should have been holding on, but my emotions got the best of me and that delete button feels so good. In the coming weeks I’m going to be posting a series of essays talking about improving your email, a subject I have given a great deal of thought to. These will be slanted toward average Joe hosted on a shared Cpanel server (like from Spyder Hosting or Blogomania) but they will be universally applicable to anyone technically minded. That said, I’m looking for one or two people to proof the articles and try these things out before I post them, so if you’re interested in taking control of your email and wouldn’t mind helping out, drop me a note and I’ll put you on the list.
Scum
There has been a lot of talk about referrer spamming in blogspace, and while browsing a PHP network query tool I stumbled across this, which looks terrible. What’s even worse is there are some genuinely neat looking scripts on their site, some things that I’ve been meaning to write myself, and it looks like I’m going to have to because I couldn’t support anyone that sells a product like ReferBomb.
This script will get up to 1000 Google search results for the search term of your choice (we’ve provided a few suggested default search terms), then automatically fetch all of the resulting web pages. What does this do for you? Think “public web stats” or think “blogs who reciprocate referring links!”
Haiku Spam
Wired has an interesting article that discusses a new move to stop spam not through technical means but through using existing copyright laws. Neat!
Marketing Speak
Oh how I like it when they make the spam clever:
Amazon claims they ‘lowered the hurdle’ with their free shipping offer….at Buy.com we just ran that hurdle over with our free-shipping truck.
Strangest spam title
Date: Sat, 29 Jun 2002 14:42:46 -0400
From: Robyn [cpa @xcitemail.oin20.com]
Subject: Matthew, claim your free human body today
Thank goodness it was selling “Princeton Review Bodyworks Version 6.” I really hate spam.