Category: Comment Spam

Comment spam plugins no longer required!

I have written many posts on my battles with WordPress comment spam but all that appears to be coming to a very satisfactory solution. I am now no longer using any comment spam plugins and I have stopped moderating comments on this blog.

How did I get to this enviable position? Well, it has been a long road and I have learned loads about WordPress along the way.

I started down this road by trying various comment spam plugins with different degrees of success. However, none were really satisfactory. The best one was WP-Hashcash – best in that it was most transparent to the user – but it requires commenters to have Javascript turned on in their browser. So I kept looking for another strategy to eradicate this scourge from my blog.

I upgraded from WordPress 1.2 to WordPress 1.5 (the current version) – WordPress 1.5 has a number of anti spam comment features natively built in.

Of these, I have set the number of links allowed in comments to 3 – any more than that, and the comment is auto-moderated.

I have populated the blacklist with a short list of words (just over 40) – any comments containing these words are automatically deleted – boom! No notification to me, no notification to the commenter.

I have written a custom .htaccess file which blocks a lot of potential spam commenters at the gates. Instructions on how and why I set it up are here.

And finally, I have installed Dr. Dave’s plugin Referrer Karma. I know, I know, I said I didn’t have any comment plugins, but I don’t. Referrer Karma is a referrer spam plugin which just happens to work like my .htaccess file (but much more elegantly) to block the bad guys at the gates.

The combination of these measures has allowed me to turn off moderation on the comments on my blog – and so far (one week later) no comment spam has made it through my defences. I’m not saying the war is over but, so far, I seem to have won this round.

Easy effective control of comment spam

MacManX posted a comment spam strategy on the WordPress Beta discussion site the other day which caught my attention.

In the post he said he uses a plugin called WP-HashCash. The main advantage of this plugin is “it requires no maintenance or intervention on my part, and it’s invisible to my readers”.

He went on to explain:

WP-HashCash uses an encrypted hidden field. You must have javascript enabled to decode the encrypted field (most bots don’t use javascript) and must have entered the comment from the actual post link to generate the correct value for the field. So, if a bot either didn’t have javascript or directly visited wp-comments-post.php, the comment would simply not go through. No deleting, no moderation, it just never existed.

Intrigued at the prospect of a maintenance-free spam solution and taking him at his word on its efficacy, I have installed WP-HashCash and disabled Spam Karma.

I found I was having a couple of niggling issues with Spam Karma and since its developer, Dr. Dave, announced he has frozen development of Spam Karma, the decision to switch wasn’t a hard one.

I am combining this with the blacklist feature of WordPress 1.5 (which will require a little maintenance) and I am moderating comments until I am confident that WP-HashCash is the solution I have been looking for.

Roll on a spam-free blogging experience!

Google fails to implement nofollow on Blogger

FrankP informed me recently that Blogger have updated their comment system so that people without Blogger accounts can leave comments – previously, to do this on a Blogger blog you had to comment anonymously, now it is possible to leave a name and uri.

This overhaul of their comment system was long awaited – and this added functionality now brings Blogger’s comment functionality almost up to par with its competitors but also, possibly, opens Blogger blogs to the scourge of comment spam.

Curiously though, Blogger failed to roll out an implementation of the nofollow attribute which Google themselves proposed recently to help combat comment spam. Blogger is completely owned by Google.

Anyone care to hazard a couple of reasons as to why Blogger didn’t roll out nofollow?

Using .htaccess to minimise comment and referrer spam

I have been using my .htaccess file to stop comment and referrer spam on this site and it has been surprisingly successful (so far!). How do I create a .htaccess file capable of greatly reducing comment and referrer spam?

Firstly, I use Awstats to analyse visits to my site daily and I use Spam Karma to help control comment spam. Both applications give me information on spammers visiting my site.

Awstats gives me a list of the referrer sites – this list contains those sites which are trying to spam my referrer logs. I monitor those sites and as new ones appear I add them to my .htaccess list in the form:
RewriteCond %{HTTP_REFERER} \.domain\.tld [NC]
where .domain is the domain trying to spam my site (psxtreme, freakycheats, terashells, and so on) and the .tld is the top level domain the site is registered to (.com, .net, .org, .info, etc.).

So, for instance, in the case of the spammer coming from the domain smsportali.net, I have added the following line to my .htaccess code:
RewriteCond %{HTTP_REFERER} \.smsportali\.net [NC]
This will stop accesses from all subdomains of smsportali.net to the site, and the NC flag ensures that this rule is case insensitive.

In the case of comment spam, I have configured Spam Karma to email me every time it deletes a spam comment – this is becoming rarer and rarer as the .htaccess file becomes more and more effective. I have configured Spam Karma to include the server variables and request headers of a comment that is not approved in the email – this is one of the configuration options of this plugin.

Scanning these emails, I can see the User Agents being employed by these spammers – armed with this information, I added the following lines to my .htaccess file:
RewriteCond %{HTTP_USER_AGENT} Indy.Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Crazy\ Browser [NC]
RewriteRule .* - [F]
and this has greatly reduced the amount of comment spam coming through.

Also, Cindy alerted me to the fact that adding:
RewriteCond %{HTTP:VIA} ^.+pinappleproxy [NC]
RewriteRule .* - [F]
will also catch a lot of the spammers.

I have a copy of my .htaccess file available for review (it is in .txt format).

For each set of rules in your .htaccess file, you need to finish with a RewriteRule – RewriteRule .* - [F] will give a 403 (Forbidden) response to the spammers. Your last set of rules should end with RewriteRule .* - [F,L] – the L telling the RewriteEngine that this is the last rule and to stop processing here.

The .htaccess file is a very unforgiving file. It has the power to make your entire site unavailable to anyone. It is strongly advised to read up on Regular Expressions and mod_rewrite (the Apache module which processes these commands in a .htaccess file) before creating a .htaccess file or modifying an existing one.
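Putting the pieces above together, here is an added example of one complete .htaccess block (it is not the post's own file, which is linked above); the referrer domains are constructed placeholders, while the User-Agent and Via patterns are the ones from the post. One caveat worth spelling out: consecutive RewriteCond lines are ANDed unless they carry the OR flag, so a group of referrer conditions needs [NC,OR] on every line but the last, or the RewriteRule beneath them will never fire.

```apache
# Added example, not the post's own .htaccess. The referrer domains below
# are constructed placeholders; replace them with the ones from your logs.
RewriteEngine On

# Referrer spam. Conditions are ANDed by default, so every line in the
# group except the last carries [OR]; NC makes the match case insensitive.
RewriteCond %{HTTP_REFERER} \.spam-example-one\.net [NC,OR]
RewriteCond %{HTTP_REFERER} \.spam-example-two\.com [NC]
RewriteRule .* - [F]

# Comment spam identified by User-Agent (from the request headers that
# Spam Karma included in its notification emails).
RewriteCond %{HTTP_USER_AGENT} Indy.Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Crazy\ Browser [NC]
RewriteRule .* - [F]

# Proxy named in the Via header. This is the last group, so the L flag
# tells mod_rewrite to stop processing rules here.
RewriteCond %{HTTP:VIA} ^.+pinappleproxy [NC]
RewriteRule .* - [F,L]
```

Test any new line against a request you know is legitimate before relying on it, since a single over-broad pattern here locks every visitor out of the site.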

Trackback spam explained

I posted about Trackback Spam previously but it was brought to my attention that I didn’t explain it properly, so I am now going to attempt to rectify that.

If you are using a blogging application, like WordPress, there is a facility called Trackback, whereby, when you are making a post in your blog, and you refer to a post someone else made in their blog, you can add in the trackback uri of their post (normally displayed at the end of their post) to your blogging software, and it will send a notification (called a trackback) to them.

When their blogging software receives this notification (Trackback), it displays the relevant part of the post in the comments section of the site.

Spammers are recently starting to post faked trackbacks directly to people’s blogging software, pretending someone has posted about one of your posts, hoping your blogging software will automatically display their spam on your site (thinking it is a legitimate comment).

The reason they do this is to get links from external sites to their sites, thereby pushing up their all-important Google Page Rank.

Installed Spam karma instead of Spaminator

I had installed Spaminator (version: 1.0rc7) on this site to stop Comment Spam but Spaminator was deleting genuine comments (it deleted 2 of the last 3 genuine comments). The author didn’t respond to this issue – which, in fairness, is as likely to be an issue with my system as the plugin.

However, I came across another plugin called Spam Karma which has received good reviews.

I have installed Spam Karma now and hopefully this will kill the comment spam but allow legitimate comments through.

Spaminator install

I followed Niall’s example and installed Spaminator on my blog – I have turned off the AuthImage plugin to make commenting easier for people.

Spaminator seems quite good at catching spam comments but it deleted a comment today which was genuine so I am a little concerned that it will require monitoring – that comment was deleted and there is no way to get it back that I am aware of.

We’ll see how it goes.

Combatting WordPress Trackback Spam

I have blogged with boring regularity about my battles with WordPress comment spam and my ultimate defeat of it using the Authimage plugin.

This morning I was hit by a new plague (new to me anyway!), trackback spam. TrackBack spam is very similar to comment spam. The spammer sends TrackBack pings to this site, they are listed in the comments area, and they direct readers to a totally unrelated URL. Also, if listed, they increase the target site’s Google Page Rank (PR).

My first response has been to rename the wp-trackback.php file to see if this will stop this scourge. To ensure genuine trackbacks can still get through, I had to edit the reference to wp-trackback.php in the template-functions-comment.php file. This is not a foolproof solution, I realise, but I will re-assess the situation over the coming weeks and see if more drastic measures need to be taken.

Why do I have a horrible sense of foreboding?

Comments fixed! – AuthImage 2.0.4 breaks AuthImage addressing.

Well, it serves me right. After crowing about how good AuthImage is to everyone, I forgot to check it after getting my hosting company to “rebuild php with the required modules”. It was still broken on this site, meaning no-one could comment!

This time, when I accessed the authimage.php file directly asking for an image (i.e. authimage.php?type=image), I was served up the image, no problem. So I knew now that the error was elsewhere. A quick trawl of my log files showed a lot of 404s for /wordpress/wordpress/…/authimage.php – the duplication of the wordpress folders was incorrect, so now I knew there was an error in addressing the image.

Addressing takes place in the wp-comments.php file so I corrected the error there.

Interestingly this was the reverse of an error I had corrected previously. It seems that my upgrade to Authimage 2.0.4 ‘fixed’ this error, causing my earlier correction to fail!

All’s well now anyway, so comment away mad!

Google acts to halt comment spam

Google have announced a new tag that should remove the motive for comment spamming.

From now on, when Google, MSN, and Yahoo! see the attribute (rel=”nofollow”) on hyperlinks, they will no longer index any such links.

Keith McDuffee, the author of the very excellent AuthImage (a CAPTCHA comment spam blocking WordPress plugin), has published code to implement the new nofollow tag in WordPress.

Be aware that there is a typo in the published code – I have commented on Keith’s site to make him aware of this but just in case you miss that, remove the space in the first line before the ?PHP if one exists – if there is no space there, Keith has probably fixed it.

This nofollow tag won’t be a quick solution to this problem, as it won’t be implemented in all blogs for quite some time, so the incentive to spam will still exist. Spammers are not going to go to the trouble of trying to see which blogs have implemented this, so don’t expect a dramatic fall-off in the amount of spam in the next couple of days or even weeks!