Thwarting blog spammers

For a while now, I've been getting a low level of blog spammers, people who would show up and post five or ten comments, usually on one entry or two, with links to their porn, gambling, or similar dirty commercial activities. This has been a nuisance, but not a particularly huge problem. I've been blocking entire IP blocks whenever one of these bottom-feeding low-lifes shows up.

This morning, however, someone decided to script posting a comment to every single entry in my journal. So, enough of that.

I've now disabled HTML in comments (so no links) and modified the templates so that neither the URL nor the e-mail address given in comments is displayed (although I still see them). This will make spamming this journal fairly pointless, since Google won't care and won't raise the page rank of any of the sites to which the spammer is linking.

We'll see if that is enough discouragement to make the spammers go away. If not, I'm going to reluctantly start requiring authentication for comments. (Yes, I know there are various MT plugins that make it harder to spam, but I don't really have either the time or the inclination to get involved in an arms race, and my journal doesn't get very many comments.)

Posted: 2004-01-31 14:44
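The template change described in the post, sketched as an added example (this is not Movable Type's template code or code from this journal): a "before" renderer that passes comment HTML through and links the author's name, next to an "after" renderer that escapes everything and leaves the URL and e-mail out. All names and the sample comment are constructed for illustration.

```python
import html
from dataclasses import dataclass
from html.parser import HTMLParser

@dataclass
class Comment:
    author: str
    email: str  # stored for the journal owner, never sent to the public page
    url: str    # stored for the journal owner, never sent to the public page
    body: str

def render_before(c: Comment) -> str:
    """Original behaviour: raw HTML body, author name linked to the given URL."""
    return (f'<div class="comment">{c.body}'
            f'<p>Posted by <a href="{c.url}">{c.author}</a></p></div>')

def render_after(c: Comment) -> str:
    """Hardened template: every field escaped, URL and e-mail left out."""
    paras = [html.escape(p.strip()) for p in c.body.split("\n\n") if p.strip()]
    body = "".join(f"<p>{p}</p>" for p in paras)
    return (f'<div class="comment">{body}'
            f'<p>Posted by {html.escape(c.author)}</p></div>')

class _LinkCounter(HTMLParser):
    """Counts real <a href> elements, i.e. what a crawler would follow."""
    def __init__(self):
        super().__init__()
        self.links = 0

    def handle_starttag(self, tag, attrs):
        if tag == "a" and any(name == "href" for name, _ in attrs):
            self.links += 1

def count_links(rendered: str) -> int:
    parser = _LinkCounter()
    parser.feed(rendered)
    parser.close()
    return parser.links

# Constructed sample comment; the domain is a reserved placeholder.
SPAM = Comment(
    author="Best Casino",
    email="bot@spam.example",
    url="http://spam.example/",
    body='Great post! <a href="http://spam.example/win">click here</a>',
)

if __name__ == "__main__":
    print("links before:", count_links(render_before(SPAM)))
    print("links after: ", count_links(render_after(SPAM)))
```

The spam text still appears on the page after the change, but only as inert escaped text, so the page carries no link for a search engine to credit.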


I can understand how authenticating in order to comment would keep the spammers at bay, but _please_ don't implement something that requires e-mail verification. One of those weird text in a picture things, where you have to enter the sequence that only a human can figure out, that would be fine. It's when you start making it a bigger hassle for someone to comment than it is to just not say anything.

I love MT sites because the comments _don't_ make me log in and/or register. Once it becomes a chore to comment....

Posted by Ian at 2004-01-31 15:13

*ouch*. i really, really, really dislike authentication for comments. i mean, it wouldn't be a big deal to do it for you, but it's one of those solutions that doesn't scale for me personally -- if i had to do it for every blog i read and to which i comment, i'd instead not say anything at all.

IP banning is basically no solution at all because it's too crude to ban entire ranges, and it comes after the fact anyway (and doing it by hand is part of the arms race). i started doing that, but as soon as the scriptjobs came, that was the end of it.

i do recommend looking at the blacklist plugin, combined with comment throttling. AFAIK one can automate the updating, so there really isn't anything left to do after installation and setup. it's been working real nice for me (i haven't automated it yet); i love looking at the activity log and seeing those bloody spammer bots foiled.

i doubt that disallowing html will do anything -- do they even check? i didn't want to do that because i allowed it in the first place because legitimate commenters to my journal saw a need for it. i'll be damned if i inconvenience real people i like to foil spammers, i'd really rather put a bit more effort into it behind the scenes.

Posted by piranha at 2004-02-07 16:34

Right, the comments just aren't as important to me, since that's not the point of my journal. I think it's a nice feature so long as it doesn't involve too much work, but if push comes to shove, people can send me e-mail. For me, it's more a place to put notes that people might be interested in with a very low-effort publishing mechanism. That means that I'm not going to devote a lot of time to preserving the comments.

Disallowing HTML gives me the satisfaction of knowing that even if they spam my journal, it's doing them precisely no good whatsoever, which means a lot to me whether it actually stops them or not. I'm quite willing to go back and edit legitimate comments to activate links, and people don't use comments to link to much stuff in my journal to date.

I'll look at the blacklist plugin before I go to authentication. I do understand how people feel about that, although honestly with a modern browser it's not that big of a deal any more. One only ever has to authenticate once and tell the browser to remember and then you forget that the authentication even exists. (And no, I'm not going to require any sort of e-mail verification or anything if I go that route; it will be some simple password I'll let people know about. I haven't figured out exactly how yet; hopefully it won't come up.)

So far, no spammers since I turned off HTML in comments and links for comment posters.

Posted by eagle at 2004-02-07 17:39

Last spun 2022-02-06 from thread modified 2013-01-04