Autarchy of the Private Cave

You may discover, that as your blog gets more visitors and pageviews, your are getting more spam in comments to your posts. They originate as actually comments, pings, and trackbacks.

Fighting spam nowadays is a common task. If you check the statistics of spam-fighting software, installed either on your client machine, or on the servers of your company, you might be surprised by the fact that spam traffic and quantities of letters are higher than non-spam.

One could think that as the spam-problem is fairly well known, there should be reliable methods to get rid of spam. However, the spam problem is like the “weapon-shield” competition: the stronger the weapon, the thicker the shield. Spammers adapt, unfortunately.

Getting down to business. In this post I’ll describe how I am solving the spam problem in my blog.

The first plugin is Comment Policy. It adds a required checkbox below the comment form, which needs to be checked in order to successfully post a comment. Checkbox field name is auto-modified by JavaScript, which means that clients (preferably spam bots) without JavaScript support will be unable to post a comment. Thus, comment policy stops non-JavaScript spam bots.

Note, that this plugin defends only the comments, not pings/trackbacks.

It can be argued that JavaScript requirement might prevent people from posting comments – true, but with all those Ajax interfaces only the tiny percent of visitors would have JS disabled. Visitors with text browsers (lynx, links, etc) would be the only group unable to post… which is bad.

The reason I keep this plugin is the presence of the actual comments policy, which clearly states what kinds of comments will not be allowed. Overkill, I know

Another plugin is email immunizer. It is supposed to protect mailto: links from harvesters. Never tested it, though: I do not post mailto: links. This is a just-in-case measure.

Peter’s Custom Anti-Spam is a Captcha plugin, i.e. it displays some text as a picture, requiring the text be input into the provided field. Evidently, protects only comments. Not 100% efficient, as there are bots able to read images. Fortunately, the majority cannot :). This plugin is only one from many, and I chose it for no specific reasons – except that it is “fresh”, requires no additional accounts hosted somewhere, and is rather small. You can extend the list of captcha words with your own, which can be fun if used properly :).

Simple trackback validation checks if the referring page exists and contains a link to your blog. If it doesn’t – the trackback/ping can be held for moderation, added to the akismet’s spam queue, or simply deleted. This is a good one to have.

WP-ContactForm is not really spam-protection, but it helps you avoid publishing email address in any form, but people can still contact you. Note, that my contact form is protected by a “math captcha”: there is a trivial math question, which requires a single numeric answer. This is also good protection – not a single spam message from the contact form after protection was installed!

Corrections, questions, additions and comments on what you’re using are welcome.

Update: since I started using SpamKarma2 plugin, all other plugins nearly lost their usefulness. SpamKarma2 is excellent – try it! Since mid-late 2007 by Jan 2008 over 100000 spam comments were discarded on my blog by SpamKarma2, which has gone GPL way.