Comment Spam Stuff

Yes, I had read that yesterday, and I was really excited until I read the update about page-rank persisting across redirects.
The development team has been discussing how to handle comment spam, and we have some ideas that we’ll be fleshing out soon.

is the team also considering comment registration validation (just like in pmachine)?

I’m seeing users of Mt who use the MT_Blacklist plugin written by Jay Allen, although I am more interested in the “security code authentication” used in some sites. It’s faster and more painless, at least for the comments. See this entry as an example. I’m not sure if this would make trackbacks remain compatible across different CMSs, you guys know the architecture more than I do. Just another method to consider, that’s all

An ironic thing in my case was that I missed the first viagra spam comment post because spamassassin flagged the message from my blog as spam, and I deleted it without really looking. I didn’t notice the viagra comment post until someone else posted another spam comment.
So my suggestion is, if you are considering a comment approval system, perhaps it would be better not to include the body of the post in the email to the admin. That way SA or other mail filters won’t flag that email.
Garth
https://www.garth.org

You could always try configuring SA to whitelist emails from WordPress…. I don’t know how to do that off the top of my head, though. I use a combination of SpamAssassin, SpamBouncer, and a customized procmail whitelist, so I just whitelist things in my procmail rules.

Interesting idea over at https://feedster.com/blog/ (today’s entry.) Basically, he wonders if the spammers aren’t simply targeting file names with ‘comments’ in name, and suggesting that simply randomly renaming the files (e.g. wpcomments.php to 34kfak23.php) might solve the problem.
Any thoughts?

I just started getting these, too. Looking over the access logs, all 3 comment spams have one thing in common: no referrer. I think I’m going to hack the comment handler to drop anything not referred by my base URL. Maybe it should be even more stringent and drop comments not referred by the parent post’s comment URL.
Raising the bar…

Rantor, did you figure out the hack?

Rantor’s idea certainly sounds rather nice actually. Clean and simple ?? I Like it. It’s not Bayesian spam filtering for blog comments, but it might be rather effecticve, for a time at least.

Referers are something that easily can be faked by SpamBots. There are a lot of indications actually that the Bots are parsing forms and stuff, so they most probably have to hit the post itself and then send the comment using the form on the page.
Referrer checking will raise the bar for the moment, but will be useless as soon as a reasonable number of blogs use that.

he he Bayesian filtering for blog bomments (on MT).
I don’t really have anything else constructive to add to this discussion, although I will mention (again) the extreme unusability of captch-style blocking, and the impracticality of ‘moderated’ comments.
On second thought, I have two ideas ??
First thought: treat commenters as ‘users’ and submit for moderation only comments by first-time users only. Once you’ve approved a comment from a given user (a combination of name/email/url), all futur comments from that user would be automatically approved. I’m assuming that spammers don’t care enough to figure this out, or having figured it out, to go through the process of posting a real comment just so they can get the right to post spam.
Another idea would be a kind of ‘registration’ requirement for blog posting … where non-registered users would get an email when they posted a comment, and would just click a link in the email. Actually, you could bypass their having to click, if you just embed an image in the email … then they could validate their comment by either:
a) they get the email, and it loads an image: https://myurl.com/commentvalidation.php?comment=commentID … which shows up in the browser as a graphic that says something along the lines of “By viewing this image you have verified your identity and your comment has been accepted”
b) they get the email in a text-only email client (or with images disabled) and they have to click the link at the bottom (which goes to the same location)

I like that first-time only moderation.

@jaykul: Personally I don’t like the idea to have a registration for each blog I want to put a quick comment in. I agree that spammers wouldn’t bother to figure out how to pass this by this “bar”… as long as they find enough blogs that are completely open for comments. As soon as a critical mass of blogs have introduced spam countermeasures, they will take the time to figure out how they can resume their “job”. Writing up a bot that visits each link that is mentioned in an e-mail they fetch from a faked mailbox is trivial – so that won’t help for long, I fear. And another problem this method will have: how will you treat trackbacks/pingbacks?
I think that not the legitimate users should suffer from the spam countermeasures, but the spammers. It should still be possible to have anonymous comments, it should still be possible to quickly drop a line without having to hazzle with a registration procedure. This is what makes blogging as interesting as it is.

If the first post was a very minimal registration (email address/name) then as long as they used the same name and email address, they’d be good and there wouldn’t be any more of a registration hassle then most of the blogs I visit already have in requireing an email address. We’d be able to keep it open and usable, but provide a light layer of control over who blogs. Not much, but we don’t want/need much.

Where is the problem in creating tons of e-mail accounts? It’s not. Of course we could start filtering email addresses, but that’s just another step that has to be taken. I think there are better methods with less side effects.