Blog Spam Wars Escalate
For the past year or two, I’ve kept weblog spam comments at bay with a custom hack that blacklists common spam phrases and URLs. Every month or two, a new spam format seems to evade the filter, and it’s usually easy enough to identify a unique phrase that is unlikely to appear in a legitimate comment and add it to the blacklist. (Most of these unique phrases are not appropriate for general audience consumption—suffice it to say that they often relate to unorthodox sexual activities). If I receive more than three or four spam comments from a particular IP address, I blacklist that IP address from commenting.
This approach has been fairly low maintenance, and while rather crude, has very few false negative and false positive results.
Just recently, however, my friend Jamie reports that he is getting “spam” comments on his blog that actually don’t point to any spam sites. In fact, there’s nothing in the comment or the URLs that is spam, other than the fact that the comments have nothing to do with the blog entry.
This phenomenon is apparently becoming widespread—for example, see this poor guy, who appears to have a totally legitimate blog which is now the “target” of many of these quasi-spam comments.
My guess is that these faux spams are designed to trigger automatic blacklists and thus poison the blacklists with “good” sites and presumably ruin the whole system. It’s not really effective against my technique, which involves manually blacklisting sites, but it is certainly annoying. So far none of these have hit me, but I’m sure it won’t be long.
I’m loath to implement a captcha or login requirement on my blog—one of the great things about the blogosphere is the low barrier to entry for participation—but that may be the only choice. Any other ideas?
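The filter described in this post, and the blacklist-poisoning scenario it guesses at, as an added Python example (not the author's actual hack). The class name, the `auto_learn` switch, the threshold of 3 and all sample phrases, domains and addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter

DOMAIN_RE = re.compile(r"https?://([^/\s]+)", re.I)

class CommentFilter:
    def __init__(self, phrases, domains, ip_threshold=3, auto_learn=False):
        self.phrases = {p.lower() for p in phrases}
        self.domains = {d.lower() for d in domains}
        self.ip_threshold = ip_threshold  # assumed value for "three or four"
        self.auto_learn = auto_learn      # hypothetical: harvest domains from flagged comments
        self.strikes = Counter()
        self.blocked_ips = set()

    def _domains(self, text):
        return {d.lower() for d in DOMAIN_RE.findall(text)}

    def _strike(self, ip):
        self.strikes[ip] += 1
        if self.strikes[ip] > self.ip_threshold:
            self.blocked_ips.add(ip)

    def rejects(self, ip, text):
        """True if the comment is refused at submission time."""
        if ip in self.blocked_ips:
            return True
        hit = (any(p in text.lower() for p in self.phrases)
               or bool(self._domains(text) & self.domains))
        if hit:
            self._strike(ip)
        return hit

    def flag(self, ip, text):
        """Moderator marks an already-published comment as spam."""
        self._strike(ip)
        if self.auto_learn:
            # An automatic blacklist trusts every URL in a flagged comment.
            self.domains |= self._domains(text)

def poisoning_demo(auto_learn):
    # Constructed sample data; phrase, domains and addresses are placeholders.
    f = CommentFilter({"cheap pills"}, {"spam.example"}, auto_learn=auto_learn)
    faux = "Nice weather lately. http://friend-blog.example/post"
    legit = "I wrote a reply here: http://friend-blog.example/reply"
    passed_first = not f.rejects("203.0.113.9", faux)  # nothing spammy, so it is published
    f.flag("203.0.113.9", faux)                        # then flagged as off-topic
    return passed_first, f.rejects("198.51.100.7", legit)
```

With `auto_learn=False` the later legitimate comment is accepted; with `auto_learn=True` the innocent domain has been harvested into the blacklist and the same comment is refused.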
Mick Jan 28
Why are you “loathe to implement a captcha” requirement?
The only problem I’ve found with that is it requires cookies to be enabled.
Adam Rosi-Kessel Jan 28
I’d rather avoid a captcha because they generally don’t work on text-only browsers like w3m; aren’t usable by blind people; and add an extra step/complexity to something that should be really simple. If it’s the only option, I guess I’ll do it, although I understand the spammers have already developed techniques to get around captchas.
Jamie Jan 28
Here’s a captcha plugin for blosxom that someone wrote: http://bill.wards.net/blosxom/computers/blosxom/colophon/captcha-plugin.html. Maybe captcha should be extended to include “audio captchas” for blind people. Take an audio file of speech, warble it up a bit so speech-recognition software can’t parse it, and then ask the person to type in what they hear. Of course this still wouldn’t work in text-only browsers, but at least blind people would be happy.
Carlos Jan 28
Good point, Adam, I always thought captcha was the best anti-spam system out there (if you need one). But I had never thought of your arguments.
I wonder if there’s a captcha system that can be used by blind people…
Steve McIntyre Jan 28
I’ve hacked a simple captcha-like system into my own copy of blosxom too, but just using text and a simple question that should be difficult for spambots to cope with. I’m loath to mention more details here…
Zeno Jan 28
You could try delayed comments, or a function where you have to mark comments by non-registered users as valid before they are published.
Mick Jan 28
Hmm, how about multiple text entry boxes to fake out the spambots?
Brian Ewins Jan 28
Captchas that ask for the solution to a simple arithmetic question are quite common; they’ll work in text-only browsers. Not text-browser friendly, but also interesting, are JavaScript hashcash techniques: http://elliottback.com/wp/archives/2005/05/11/wordpress-hashcash-20/
Marc ‘Zugschlus’ Haber Jan 28
Do the spammers come in with a specific referrer? Maybe they’re trying to deliver their spam to a web statistics page which lists the referrer URLs?
Adam Rosi-Kessel Jan 28
Marc: good suggestion; however, these spammers have no referrer at all.
Soumyadip Modak Jan 28
You could put in a link below the captcha that lets people with visual disability, and people with text browsers, mail you their comments, which you can then put up manually in your comments section. Just be careful you use a spare mail account. :)