Comment Spam discussed at Northern Voice

Maryam and I are at the Northern Voice conference. Today is “MooseCamp” and Matt Mullenweg (the founder of WordPress) is leading a discussion about comment spam. But, coming into the session he mentioned that he already has 90,000 WordPress.com blogs (including mine). That’s very cool, but I heard yesterday from someone who works with MySpace that they are seeing 220,000 new MySpaces opening up EVERY DAY. Whew!

I also asked when his “pro” features are gonna come up (like the ability to change your design) and he said they are coming soon. He said that his service got popular faster than he expected so that he’s behind.

Regarding the spam, by the way, he says he’s seeing a whole new kind of spam. Social hacking spam. Spam that gets the blogger to think it’s a real comment. For instance, some of the comment spam that WordPress is blocking today from getting on my blog is this one: “Do you provide a blog feed subscription for this blog so I can get it via email?”

He says this is actually fooling quite a few of the bloggers on his system (they mark it as “not spam” even though it is). Why? Cause it isn’t obvious spam.

There’s a whole war going on over getting onto bloggers’ comments. It makes me wonder if Russell Beattie doesn’t have the right idea by getting rid of comments altogether.

Matt designed a whole company to stop spam named Akismet. Matt is freaking brilliant. I love how his system blocks spam.

99 thoughts on “Comment Spam discussed at Northern Voice

  1. Like most bloggers, I’ve had waves of trackback, comment, and referrer spam hit my site from time to time. You think you’re cruising free and easy until, wham!, you get blindsided by a thousand little spam entries that need to be deleted by hand, and then you have to go hunting for the perfect solution. Like many here, I’ve found Akismet to be a great solution for comment spam. Only maybe ten false positives and two or three false negatives out of 1,912 spams eaten.

    To combat referrer spam I use referrer karma, but you have to keep a closer eye on RK to prevent legit users from being blocked (RK tests the referrer for a real link to the blog–which can fail if the referring page is behind a login, such as with webmail services).

    For me, for now, turning off comments is simply not an option. Commenting has created relationships that simply wouldn’t have existed without the sense of dialog that forms around posts. And not all commenters have blogs, and not all bloggers know to use trackback links (or care), and not all bloggers feel like turning an aside into a full-blown posts. Comments are a valuable part of the dialog.

    Requiring all “comments” to be blog posts with trackbacks is like saying, “I will address you from my soapbox, and you must be silent. If you wish to speak to me, you must ascend to your own box.”

    When I blogged on a church shooting, the grandchild of one of the victims posted on my site. Then his mother contacted me via private post. When I blogged on Justin Berry, a personal friend of Justin’s commented and contacted me privately. There are a few other examples of connections made and interesting relationships formed just from allowing comments and fomenting dialogue.

    Let the Akismets and Bad Behaviors and Spam Karmas thrive. They are protecting a valuable commodity: dialog.

    Regards,

    Rich
    BlogRodent

  2. Like most bloggers, I’ve had waves of trackback, comment, and referrer spam hit my site from time to time. You think you’re cruising free and easy until, wham!, you get blindsided by a thousand little spam entries that need to be deleted by hand, and then you have to go hunting for the perfect solution. Like many here, I’ve found Akismet to be a great solution for comment spam. Only maybe ten false positives and two or three false negatives out of 1,912 spams eaten.

    To combat referrer spam I use referrer karma, but you have to keep a closer eye on RK to prevent legit users from being blocked (RK tests the referrer for a real link to the blog–which can fail if the referring page is behind a login, such as with webmail services).

    For me, for now, turning off comments is simply not an option. Commenting has created relationships that simply wouldn’t have existed without the sense of dialog that forms around posts. And not all commenters have blogs, and not all bloggers know to use trackback links (or care), and not all bloggers feel like turning an aside into a full-blown posts. Comments are a valuable part of the dialog.

    Requiring all “comments” to be blog posts with trackbacks is like saying, “I will address you from my soapbox, and you must be silent. If you wish to speak to me, you must ascend to your own box.”

    When I blogged on a church shooting, the grandchild of one of the victims posted on my site. Then his mother contacted me via private post. When I blogged on Justin Berry, a personal friend of Justin’s commented and contacted me privately. There are a few other examples of connections made and interesting relationships formed just from allowing comments and fomenting dialogue.

    Let the Akismets and Bad Behaviors and Spam Karmas thrive. They are protecting a valuable commodity: dialog.

    Regards,

    Rich
    BlogRodent

  3. Hi,
    we are testing a new free form-protection service (www.cerospam.com.ar), for blogs and for any kind of web site. It is easy to setup each form with this system, and it is very useful for protecting comment forms from spammers.
    It is based on captcha method. Until now it seems to work fine. No matter what kind of blog software you are using, this is not a plugin.
    Please, test it and do not hesitate to send us your comments!
    Thank you.

  4. Hi,
    we are testing a new free form-protection service (www.cerospam.com.ar), for blogs and for any kind of web site. It is easy to setup each form with this system, and it is very useful for protecting comment forms from spammers.
    It is based on captcha method. Until now it seems to work fine. No matter what kind of blog software you are using, this is not a plugin.
    Please, test it and do not hesitate to send us your comments!
    Thank you.

  5. No no no don’t get rid of comments – they are the flavours that linger on the tongue after the wine has been swallowed (lordy but that sounds pretentious – sorry). Really, though, it is the posts with the most comments that draw one in, get one to read more, get one to go off exploring new parts of the web. And they force the blogger / reader to think, I believe, in a way that posts on the readers own blog never would. It is about conversation, not preaching, and a conversation has to be posted in conversational form.

  6. No no no don’t get rid of comments – they are the flavours that linger on the tongue after the wine has been swallowed (lordy but that sounds pretentious – sorry). Really, though, it is the posts with the most comments that draw one in, get one to read more, get one to go off exploring new parts of the web. And they force the blogger / reader to think, I believe, in a way that posts on the readers own blog never would. It is about conversation, not preaching, and a conversation has to be posted in conversational form.

  7. It’s taking me a while to dig through all of this, but you say “Matt designed a whole company to stop spam named Akismet”, but it appears that the “company” is still Automattic, the same “company” that “produces” WordPress. The Akismet web site has a badge that identifies it as “An Automattic Production”, whatever that means. I suspect it means something a little different than “This site powered by WordPress”, but I don’t know that for sure.

    Is it the intent of Automattic that Akismet will eventually be spun off to form an independent company, and *that’s* what is being referred to in this post?

    The related issue is how tightly Akismet will be bound to WordPress. Is it WordPress-specific forever, or only in its initial incarnation? Is it intended that it will be rolled out to TypePad, MoveableType, (Blogger??), etc. users as well?

    Obviously much of that could/should be asked on the Akismet web site/blog, but I’d guess that they wouldn’t mind using this comment list to promote themselves a little more to a wider audience.

    – Jack Krupansky

  8. It’s taking me a while to dig through all of this, but you say “Matt designed a whole company to stop spam named Akismet”, but it appears that the “company” is still Automattic, the same “company” that “produces” WordPress. The Akismet web site has a badge that identifies it as “An Automattic Production”, whatever that means. I suspect it means something a little different than “This site powered by WordPress”, but I don’t know that for sure.

    Is it the intent of Automattic that Akismet will eventually be spun off to form an independent company, and *that’s* what is being referred to in this post?

    The related issue is how tightly Akismet will be bound to WordPress. Is it WordPress-specific forever, or only in its initial incarnation? Is it intended that it will be rolled out to TypePad, MoveableType, (Blogger??), etc. users as well?

    Obviously much of that could/should be asked on the Akismet web site/blog, but I’d guess that they wouldn’t mind using this comment list to promote themselves a little more to a wider audience.

    – Jack Krupansky

  9. Captcha doesn’t work, because anything GENERATED programmatically can be PARSED programmatically. There are entire PHP libraries just for figuring out what the text in a graphic is.

    Blacklists don’t work. They have to be accurate, and they have to respond in minutes to new types of attacks.

    WordPress’s anti-spam rocks. Even just the default setup works wonders.

    And, yeah, the new “your feed doesn’t work” comments are killing me. You just WANT to approve them. And, as far as “just turning off links” or “just turning off comments”, that won’t change anything for the positive. Turning off links doesn’t stop people from trying to leave comments anyways. And turning off comments doesn’t help conversations at all.

    I’m not 100% sold on Akismet yet (largely because we’d be using it commercially), but I love WordPress’s overall anti-spam stuff :)

  10. Captcha doesn’t work, because anything GENERATED programmatically can be PARSED programmatically. There are entire PHP libraries just for figuring out what the text in a graphic is.

    Blacklists don’t work. They have to be accurate, and they have to respond in minutes to new types of attacks.

    WordPress’s anti-spam rocks. Even just the default setup works wonders.

    And, yeah, the new “your feed doesn’t work” comments are killing me. You just WANT to approve them. And, as far as “just turning off links” or “just turning off comments”, that won’t change anything for the positive. Turning off links doesn’t stop people from trying to leave comments anyways. And turning off comments doesn’t help conversations at all.

    I’m not 100% sold on Akismet yet (largely because we’d be using it commercially), but I love WordPress’s overall anti-spam stuff :)

  11. I think this is one of those arguments for more software diversity. Windows is popular and thus a frequent victim of bad acts. Easy to do because, as with all other things on computers, you only have to do it once to do it a million times.

    Consider that I write a different bit of blog software – something that looks like wordpress externally but is implemented with completely different technology.

    What are the odds I’ll get auto-spammed? Pretty much zero (this is a lot of why I eschew Windows and other mainstream products – usually I just write my own – its about as much work as installing the popular stuff and much safer).

    Hey – different is good.

  12. I think this is one of those arguments for more software diversity. Windows is popular and thus a frequent victim of bad acts. Easy to do because, as with all other things on computers, you only have to do it once to do it a million times.

    Consider that I write a different bit of blog software – something that looks like wordpress externally but is implemented with completely different technology.

    What are the odds I’ll get auto-spammed? Pretty much zero (this is a lot of why I eschew Windows and other mainstream products – usually I just write my own – its about as much work as installing the popular stuff and much safer).

    Hey – different is good.

  13. Ahhh, but the solution to everything, doesn’t end in “blog”. Not for me.

    Sorry, I guess you are right, your blog, free to do what want. And I should just change the channel if I don’t like. Just all like a one-hit-wonder played over and over, like weather in Southern Florida, need not even pay attention, know it already. I know what I will get going in, so nary a complaint needed. I guess for culture, will read the other Scoble. ;)

  14. Ahhh, but the solution to everything, doesn’t end in “blog”. Not for me.

    Sorry, I guess you are right, your blog, free to do what want. And I should just change the channel if I don’t like. Just all like a one-hit-wonder played over and over, like weather in Southern Florida, need not even pay attention, know it already. I know what I will get going in, so nary a complaint needed. I guess for culture, will read the other Scoble. ;)

  15. Steph: thanks, I removed that.

    Christopher: yes, I do (went to a play in Ireland, for instance) but I don’t care to be read for my interest in movies or plays or sporting events or other non-geeky pursuits.

    Maybe you should start your own blog and write about those things?

  16. Steph: thanks, I removed that.

    Christopher: yes, I do (went to a play in Ireland, for instance) but I don’t care to be read for my interest in movies or plays or sporting events or other non-geeky pursuits.

    Maybe you should start your own blog and write about those things?

  17. Jaseone:

    Regarding Spam Karma 2 (SK2): it’s long been WP2 compatible now. As long as you use SK2.1 or up (SK2.2 is in final beta stage and should be out any day now), you’ll be fine.

  18. Jaseone:

    Regarding Spam Karma 2 (SK2): it’s long been WP2 compatible now. As long as you use SK2.1 or up (SK2.2 is in final beta stage and should be out any day now), you’ll be fine.

  19. I used Spam Karma on my 1.5 blog and it worked really well. Akismet hasn’t let anything through (if I recall correctly) but it has stopped at least 2-3 legitimate comments from being posted.

    I guess you have the choice between two evils when designing spam-stoppers:

    a) make it tight enough that it won’t let any spam go through, but risk it will stop a small number of real comments
    b) guarantee that it will not stop any real comments, but run the risk some spam might make it to the blog.

    I think the solution is diversity. We need more than one anti-spam system. If everybody uses the same one, that makes us vulnerable if the spammers find their way around it (think “biological diversity”).

    I’d say the strength of Akismet is its centralisation: what one blog learns, another benefits from. (It can also be a weakness, of course.) Spam Karma is nice in the way that it is also a framework for which one can design custom-made anti-spam plugins (SK is a plugin made of plugins) and therefore leaves quite a bit of flexibility to the user about how it’s going to stop spam. It makes the spam filter easy to be designed by the “collective intelligence” out there.

  20. I used Spam Karma on my 1.5 blog and it worked really well. Akismet hasn’t let anything through (if I recall correctly) but it has stopped at least 2-3 legitimate comments from being posted.

    I guess you have the choice between two evils when designing spam-stoppers:

    a) make it tight enough that it won’t let any spam go through, but risk it will stop a small number of real comments
    b) guarantee that it will not stop any real comments, but run the risk some spam might make it to the blog.

    I think the solution is diversity. We need more than one anti-spam system. If everybody uses the same one, that makes us vulnerable if the spammers find their way around it (think “biological diversity”).

    I’d say the strength of Akismet is its centralisation: what one blog learns, another benefits from. (It can also be a weakness, of course.) Spam Karma is nice in the way that it is also a framework for which one can design custom-made anti-spam plugins (SK is a plugin made of plugins) and therefore leaves quite a bit of flexibility to the user about how it’s going to stop spam. It makes the spam filter easy to be designed by the “collective intelligence” out there.

  21. Do you ever once goto something, ungeeky? Like maybe a Lecture Series/Academic Conference, Film Festival, Literary Event, Theater/Stage/Ballet/Dance? It’s all bloggers conferences, blogger dinners, romps with Dave, techie conferences, Chris Prillio-styled parties, and junket book tours and start-up party spree’s and inside-baseball techie power-chats. Frankly, it’s just not all that interesting. Maybe if you’d partake of some culture sometime…or do something beyond showing your total ignorance for the world beyond the Seattle and Silicon Valley corridor.

    With all your power and access. You could be interesting. Could be.

  22. Do you ever once goto something, ungeeky? Like maybe a Lecture Series/Academic Conference, Film Festival, Literary Event, Theater/Stage/Ballet/Dance? It’s all bloggers conferences, blogger dinners, romps with Dave, techie conferences, Chris Prillio-styled parties, and junket book tours and start-up party spree’s and inside-baseball techie power-chats. Frankly, it’s just not all that interesting. Maybe if you’d partake of some culture sometime…or do something beyond showing your total ignorance for the world beyond the Seattle and Silicon Valley corridor.

    With all your power and access. You could be interesting. Could be.

  23. As I said here, I think cancelling comments means you are tired of learning from your readers (shades of Dan Gillmor). While you are on my site you can check my comments with text entry verification (or mini Turing test) and threaded comments, which is the best things… well, since comments!

  24. As I said here, I think cancelling comments means you are tired of learning from your readers (shades of Dan Gillmor). While you are on my site you can check my comments with text entry verification (or mini Turing test) and threaded comments, which is the best things… well, since comments!

  25. Jack, even if you have captcha, there are weblog communication methods such as Trackback and Pingback which are DESIGNED for machine-to-machine communication, so anything like captcha would be useless for them.

    I really do have blind friends, and I get emails from blind users of WordPress whenever we break something.

    Also, anything like a math test or a “magic word” works fine as a one-off, but as soon as it becomes widespread enough to become a target it’ll be defeated. The Akismet system scales (and improves) the more people use it.

  26. Jack, even if you have captcha, there are weblog communication methods such as Trackback and Pingback which are DESIGNED for machine-to-machine communication, so anything like captcha would be useless for them.

    I really do have blind friends, and I get emails from blind users of WordPress whenever we break something.

    Also, anything like a math test or a “magic word” works fine as a one-off, but as soon as it becomes widespread enough to become a target it’ll be defeated. The Akismet system scales (and improves) the more people use it.

  27. Scoble says… “Matt explained why: he has blind friends and even he can’t read them a lot.”

    I’m sorry, but the word “lame”, “lame”, “lame”, … keeps echoing in my head.

    Ever heard of something called Section 508?

    For the blind: just have a link next to the graphic labeled “Speak the code word”. Granted, that won’t help those who are blind *and* deaf, but they can’t use text-to-speech aids anyway, right?

    Uhm for text-to-speech to work there would have to be some text and well that would kind of defeat the point of having a captcha…

    Face it, this is one area where even Blogger is *superior* to WordPress. [Sorry, I just had to say it

    Well at least I am able to post this comment here first go unlike on your blogger site where it took me several times for it to load the comments page without throwing an error.

    Captchas are old, VERY OLD technology and are just annoying more than anything else.

Comments are closed.