Tuesday, March 27, 2007

[Tech + Spam] Captcha + alternatives

Hi all,

We're publishing using WordPress, and we've had great success with Akismet for spam-comment filtering. But a handful of spam comments slip through each day, and I worry about the implications of having close to 60,000 comments in our database (even though 99.9% of them are tagged as spam). At this rate/capacity I fear we're taxing the limits of what WordPress was designed to handle.

I've shied away from Captcha and other verification methods in the past, because I don't want to put up any barriers for our readers to comment. But I'm sick to death of dealing with the spam comments, and I realize more and more that nearly every site where I comment has some form of user validation in place. Maybe my readers won't balk as much as I fear?

I'd love to hear from any of you who've added Captcha to your site about how it affected your (legitimate) comment rates. And also, any Captcha alternatives that you've used and liked -- I know I've seen sites that ask commenters to enter a simple check-phrase, but I can't seem to remember where.

Thanks!
~A


This Post was written by Anita from Married... with Dinner

7 comments:

Anonymous said...

I use Expression Engine, but have employed the Akismet spam plug-in recently. I love it, it's doing a great job.

I also have CAPTCHA on my site, but I don't use it most of the time. When I notice a large spate of spam coming in, I'll turn it on for a couple of days and then turn it back off. It seems to foil the spam bots for a while.

Also, I notice that the spam comes in on only one or two different posts (like they've put that one on a list or something), so I'll close comments on that post for a couple of weeks. They're usually posts that are older than two months, so I don't think it's that much of a problem for my readers.

There are other validation systems as well. One involves putting in a JavaScript that verifies that the page is being loaded in a browser window and not being filled in via some botform. (I had that for a while but it was increasing the page load size, which was going to push me over my bandwidth allotment.)

Another is forcing comment preview, which is another way of putting a step in that is troublesome to the robots but not too much of an issue for the humans.

That's all I can think of off the top of my head. There are a couple of WordPress forums out there where you might find more WP-specific help.

Anita (Married... with dinner) said...

I love Akismet, but it doesn't block spam from being entered -- it just keeps it from becoming public. And, because I stupidly chose the numeric URL option when I set up the blog, we often get thousands of spam comments a day.

Just to be clear: Akismet does a fine job, but when the numbers are that high, even a 0.5% failure rate means I am manually flagging a few comments a day, which pisses me off. :D

cookiecrumb said...

Oh, come on! It's perfectly OK to make us commenters go through a little effort to talk to you.
In fact, whenever I visit a blog with no word verification trick on comments, I say to myself, "Aw, this blogger must not get very many visitors."
Put us through boot camp! It's worth it.

Anonymous said...

There are a few things you can do to make your life a little easier. Although some depend on how much access you have to your server.

One thing that made a huge difference to me was simply renaming my comments page.

So rename wp-comments-post.php to wp-comments-blah.php or whatever you want, and then reflect that change in the form in the comments page for your theme.

Spam got so bad for me at one point that it was basically like a Denial of Service attack on my site... so Akismet was useless in that sense as it has to do a lookup on every single comment that comes in, and at the rate they were arriving it was too much for my little server to handle.

So I renamed my comments page and blocked all attempts to access the "wp-comments-page.php" file directly using mod_security in Apache, and the number of attempts that even got through dropped to a basically negligible amount. This was because 99% of my spam was automated to simply hit the comments post page and that's it. Other spammers will scan your page to find the comments form itself, but you can always rename the page again, or use a plugin like the excellent Spam Karma 2 or Bad Behaviour to cut all those ones out.

Currently I've renamed my comments page twice in the last 6 months or so, and I get around 20 or so spam comments a day that are picked up by Akismet or Spam Karma 2.

Plus you shouldn't have 60,000 comments in your database if you're deleting them all from the Akismet page... it just keeps a record so you know how many it's caught.

If all that sounds like hassles, then you can still go down the captcha-esque road... there is a plugin called "Did you pass math?" (http://www.herod.net/dypm/) that presents a simple maths question (4 + 5 = ? ) that must be solved for the comment to get posted...

Hope some/any of that is useful :)

Cheers,
Matt
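
An added example, not part of the thread or of any plugin mentioned in it: a way to check from the web server log whether the rename described above is holding. It assumes Apache common/combined log format and the example name `wp-comments-blah.php` from the comment; the log lines are constructed.

```python
import re
from collections import Counter

# Assumed paths: the default handler and the renamed copy from the comment above.
OLD_PATH = "/wp-comments-post.php"
NEW_PATH = "/wp-comments-blah.php"

# Apache common/combined log prefix: ip ident user [time] "METHOD path proto" status
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2007:10:00:01 +0000] "POST /wp-comments-post.php HTTP/1.0" 403 210 "-" "-"
203.0.113.7 - - [27/Mar/2007:10:00:02 +0000] "POST /wp-comments-post.php HTTP/1.0" 403 210 "-" "-"
198.51.100.23 - - [27/Mar/2007:10:00:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 403 210 "-" "-"
192.0.2.44 - - [27/Mar/2007:10:01:10 +0000] "GET /2007/03/captcha/ HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
192.0.2.44 - - [27/Mar/2007:10:03:42 +0000] "POST /wp-comments-blah.php HTTP/1.1" 302 0 "http://example.org/2007/03/captcha/" "Mozilla/5.0"
198.51.100.99 - - [27/Mar/2007:10:04:00 +0000] "POST /wp-comments-blah.php HTTP/1.1" 302 0 "-" "-"
this line is malformed and must be skipped
"""

def summarize(log_text):
    """Count comment POSTs per endpoint; flag POSTs to the new name with no prior GET."""
    old_hits, new_hits = Counter(), Counter()
    seen_get, blind_posters = set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if method == "GET":
            seen_get.add(ip)
        elif method == "POST" and path == OLD_PATH:
            old_hits[ip] += 1
        elif method == "POST" and path == NEW_PATH:
            new_hits[ip] += 1
            if ip not in seen_get:
                blind_posters.add(ip)  # heuristic: posted without ever loading a page
    return {
        "old_posts": sum(old_hits.values()),
        "new_posts": sum(new_hits.values()),
        "top_old_sources": old_hits.most_common(3),
        "blind_posters": sorted(blind_posters),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A growing `blind_posters` list suggests the new file name has been picked up by automated senders, which is the point at which the comment above suggests renaming again.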

Anonymous said...

Try to use smart captcha from PWF
http://www.protectwebform.com/smartcaptcha
They do have a WP plugin:
http://www.protectwebform.com/plugin_wordpress

Scott at Real Epicurean said...

Matt,
great tip about renaming the wp-comments-post file - I've renamed mine and tweaked the theme a little, so we'll wait and see if it works. Should do!

Anonymous said...

One more vote for Akismet. I resisted using Akismet for Brownie Points for a long time, and tried all the alternatives. Many of them helped, but the increasing swarm of spam grew faster than I could keep up with the other solutions.

In my experience CAPTCHA will drive away legitimate comments but it is very very hard to collect data to quantify it.

We used to have a math challenge, as suggested by others, but I turned it off after we started using Akismet with no negative repercussions.

The only other thing I recommend is the renaming of the wp-comments-post.php script, just make the appropriate change in your theme.