Tag: Comment Spam

Akismet 2.0 is a life (and comment) saver

Akismet is the default anti-spam plugin which comes with WordPress and it has saved me from literally hundreds of thousnads of comment spam messages (124,200 last time I looked).

A new version (Akismet 2.0) was released the same time as WordPress 2.1’s release so it’s release was kind of drowned out in the hoopla.

To my mind, the most significant change in Akismet 2.0 is the ability to tell Akismet to automatically delete any comments on posts over a month old.

Akismet configuration

As Matt himself said:

When I was doing some research into false positives I found an interesting statistic: the overwhelming majority (more that 99.99%) of false positives (which is when Akismet marks someone as spam wrongly) occur on new posts. Which makes sense because most real comments happen on new entries.

Typically I used to get >500 comments per day flagged by Akismet. There was no way i could go through those looking for genuine comments accidentally flagged as spam by Akismet.

Today though, having configured Akismet to dump all suspected spam comments on posts over a month old, I now only have to check 20-30 comments per day.

And just this morning, I rescued two comments which had accidentally been marked as spam by Akismet.

Well done to the guys in Automattic again. I love Akismet.

Slow comments in WordPress

In the last couple of weeks commenting on this site was taking longer and longer – sometimes timing out and not letting people comment at all. I was puzzled as to the cause of this and tried turning off various of the plugins I had installed on this blog.

Today though I think I have found what the problem was! I looked into the Akismet anti-spam plugin and found that there were nearly 10,000 spam comments there! I deleted the nuisance comments and now commenting seems to be working much better.

Anyone still having problems commenting here?

Bad Behaviour blocks TechMeme

I noticed recently that none of my posts were appearing on TechMeme so I emailed Gabe Rivera, TechMeme’s founder to ask what the problem was. He responded:

Your Bad Behavior plugin is blocking me, even though my crawler behavior is rather benign.

If you can whitelist my crawler (does BB let you?), it looks like this:
Mozilla/5.0 (compatible; Wazzup1.0.XXXX; …with XXXX varying (long story…).

Or just uninstall it! (What are some alternatives? I’d like to do a post on this…)

Bad Behaviour is an anti-spam plugin that I have written about previously.

As I don’t see a way to whitelist, I have disabled Bad Behaviour and I advise anyone else to do so until this can be sorted.

Thanks for the speedy response Gabe.

UPDATE: – Michael Hampton, Bad Behavior’s developer has contacted me to say it is possible to Whitelist TechMeme by adding its ip address ( to the Whitelist-inc.php file – this fix didn’t work for me but may be worth a try if you do want to use Bad Behavior.

How to block comment spam

Like all bloggers, I find comment spam to be a constant annoyance. There are many ways to mitigate the problems it causes however and using the following techniques means that this site is subject to almost no comment spam.

Use WordPress’ built in comment spam tools –

  • In WordPress Options -> Discussion, fill in the list of common spam words – words in this list automatically cause a comment to go into the moderation queue. I use the following list.
  • Also use the Comment Blacklist field. Populate this very carefully. Any comment containing words in this list are nuked automatically. No notification. No way to get them back. Gone. This is the list of words I have in my blacklist.
  • I have checked the “Comment author must have a previously approved comment” field as well. This is a very simple but very effective tool – regular commenter’s are able to leave comments and see them appear instantly; new commenter’s comments are held for approval and if they are not spam, their comment appears in short order and subsequent comments appear immediately.
  • And I use WordPress’ built in anti-spam plugin – Akismet.

I also have a custom .htaccess file which stops a lot of spamers cold before they reach the site at all. Excercise extreme caution with .htaccess files as they can take your entire site down. If you are not sure what you are doing, I have written a few explanatory articles on .htaccess files previously. If you are still not sure what you are doing, put the .htaccess file down and walk away very slowly!!!

Finally, I use plugins called Referrer Karma and Bad Behaviour which help significantly by stopping bots from accessing your site to leave comment spam.

Having implemented these techniques ensures that my site stays free of comment spam without having to moderate all comments and without having to implement CAPTCHAs. CAPTCHAs are those horrible badly drawn images of combinations of letters and numbers which some people put on their sites to stop spam. CAPTCHA’s are evil*. Stop using them. Now.

* The American Foundation for the blind has written many times about how difficult Captchas make browsing for blind or partially sighted people and the W3C in a report on Captcha’s said:

A common method of limiting access to services made available over the Web is visual verification of a bitmapped image. This presents a major problem to users who are blind, have low vision, or have a learning disability such as dyslexia.

A solution for Robert Scoble?

In a recent comment on Shelley Powers’ site Robert Scoble explained one of his reasons for turning comment moderation on his blog, it has nothing to do with comment spam – he said:

I am seeing more and more anonymous comments and I have been tracking their IPs and see that one person is showing up under a variety of different names

Robert, if someone is posting troll comments under multiple names coming from the same ip address – enter that ip address into your WordPress Options -> Discussion -> Comment Moderation field and then comments from that ip will be moderated – all others will get through.

Be transparent about it – say in a post on your blog that you are moderating posts from that ip because of abuse. People will row in behind you on that.

Moderating all comments seems like taking the lazy way out.

Comment spam run last night

Apologies to anyone who subscribed to comments on this site and was emailed the spam comments which hit this site last night.

The site was hit by over 80 spams overnight – the first spam run to make it through my anti spam defences in over a year.

Curiously, all the spams came from a single ip address ( and that ip is now blocked by my .htaccess file.

Hopefully it will be another year before this happens again!

I see this spammer also visited the Spamhuntress – what a twit! Go get him Ann!

Comment spam plugins no longer required!

I have written many posts on my battles with WordPress comment spam but all that appears to be coming to a very satisfactory solution. I am now no longer using any comment spam plugins and I have stopped moderating comments on this blog.

How did I get to this enviable position? Well, it has been a long road and I have learned loads about WordPress along the way.

I started down this road by trying various comment spam plugins with different degrees of success. However, none were really satisfactory. The best one was WP-Hashcash – best in that it was most transparent to the user – but it requires commenters to have Javascript turned on in their browser. So I kept looking for another strategy to eradicate this scourge from my blog.

I upgraded from WordPress 1.2 to WordPress 1.5 (the current version) – WordPress 1.5 has a number of anti spam comment features natively built in.

Of these, I have set the number of links allowed in comments to 3 – any more than that, and the comment is auto-moderated.

I have populated the blacklist with a short list of words (just over 40) – any comments containing these words are automatically deleted – boom! No notification to me, no notification to the commenter.

I have written a custom .htaccess file which blocks a lot of potential spam commenters at the gates. Instructions on how and why I set it up are here.

And finally, I have installed Dr. Dave’s plugin Referrer Karma. I know, I know, I said I didn’t have any comment plugins, but I don’t. Referrer Karma is a referrer spam plugin which just happens to work like my .htaccess file (but much more elegantly) to block the bad guys at the gates.

The combination of these measures has allowed me to turn off moderation on the comments on my blog – and so far (one week later) no comment spam has made it through my defences. I’m not saying the war is over but, so far, I seem to have won this round.

Easy effective control of comment spam

MacManX posted a comment spam strategy on the WordPress Beta discussion site the other day which caught my attention.

In the post he said he uses a plugin called WP-HashCash. The main advantage of this plugin is “it requires no maintenance or intervention on my part, and it’s invisible to my readers”.

He went on to explain:

WP-HashCash uses an encrypted hidden field. You must have javascript enabled to decode the encrypted field (most bots don’t use javascript) and must have entered the comment from the actual post link to generate the correct value for the field. So, if a bot either didn’t have javascript or directly visited wp-comments-post.php, the comment would simply not go through. No deleting, no moderation, it just never existed.

Intrigued at the prospect of a maintenance-free spam solution and taking him at his word on its efficacy, I have installed WP-HashCash and disabled Spam Karma.

I found I was having a couple of niggling issues with Spam Karma and since its developer, Dr. Dave, announced he has frozen development of Spam Karma, the decision to switch wasn’t a hard one.

I am combining this with the blacklist feature of WordPress 1.5 (which will require a little maintenance) and I am moderating comments until I am confident that WP-HashCash is the solution I have been looking for.

Roll on a spam-free blogging experience!

Using .htaccess to minimise comment and referrer spam

I have been using my .htaccess file to stop comment and referrer spam on this site and it has been surprisingly successful (so far!). How do I create a .htaccess file capable of greatly reducing comment and referrer spam?

Firstly, I use Awstats to analyse visits to my site daily and I use Spam Karma to help control comment spam. Both applications give me information on spammers visiting my site.

Awstats gives me a list of the referer sites – this list contains those sites which are trying to spam my referrer logs. I monitor those sites and as new ones appear I add them to my .htaccess list in the form:
RewriteCond %{HTTP_REFERER} \.domain\.tld [NC]
where .domain is the domain trying to spam my site (psxtreme, freakycheats, terashells, and so on) and the .tld is the top level domain the site is registered to (.com, .net, .org, .info, etc.).

So, for instance, in the case of the spammer coming from the smsportali.net domain, I have added the following line to my .htaccess code:
RewriteCond %{HTTP_REFERER} \.smsportali\.net [NC]
This will stop accesses from all subdomains of smsportali.net (spamterm.smsportali.net) to the site and the NC ensures that this rule is case insensitive.

In the case of comment spam, I have configured Spam Karma to email me every time it deletes a spam comment – this is becoming rarer and rarer as the .htaccess file becomes more and more effective. I have configured Spam Karma to include the server variables and request headers of a comment that is not approved in the email – this is one of the configuration options of this plugin.

Scanning these emails, I can see the User Agents being employed by these spammers – armed with this information, I added the following lines to my .htaccess file:
RewriteCond %{HTTP_USER_AGENT} Indy.Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Crazy\ Browser [NC]
RewriteRule .* – [F]
and this has greatly reduced the amount of comment spam coming through.

Also, Cindy alerted me to the fact that adding:
RewriteCond %{HTTP:VIA} ^.+pinappleproxy [NC]
RewriteRule .* – [F]
Will also catch a lot of the spammers.

I have a copy of my .htaccess file available for review (it is in .txt format).

For each set of rules in your .htaccess file, you need to finish with a RewriteRule – RewriteRule .* – [F] will give a 403 (page forbidden) to the spammers. Your last set of rules should end with RewriteRule .* – [F,L] – the L telling the RewriteEngine that this is the last line and to stop processing the rules here.

the .htaccess file is a very unforgiving file. It has the power to make your entire site unavailable to anyone. It is strongly advised to read up on Regular Expressions and Mod_Rewrite (the Apache module which processes these commands in a .htaccess file) before creating a .htaccess file or modifying an existing one.