I noticed an article on Slashdot today called Smart Spam Filtering For Forums and Blogs? where someone asks "Does anyone know of a good system for filtering spam".

In this post I reflect on comment spam and my approach to dealing with it.

Background

On this site I have previously talked about my past approaches to this topic:

• My original post on the subject was called 'only the penitent man will pass - on captchas and cotton wool', where I explained why I do not go in for 'captchas' or other party games that make it harder for you the reader to leave a comment.
• My next post was Akismet Blues where I discovered that a third-party comment judging service called Akismet was suddenly blocking everyone, due to the fact that the upstream changes in the service had broken the blog plugin I was using at the time.
• My third post on the subject was Django FreeComments cleanup script where I shared a command line cleanup script for Django FreeComments, a comments system that appeared in the previous version of Django.

Now I recoded the site to use Django 1.0 (read about that here), I had to make these decisions again.

Principles

The aim of this site is to have a discussion about the topics I raise. The comments are not some optional add on, they are core to what the site is about. Furthermore, my readers are busy people, who take the time out of their busy lives to share their wisdom, thoughts and views by leaving a comment here.

Therefore I respect that very highly. I have 1431 comments, I may not have responded individually to each of them, but I have read them all many times, and I have written SQL to move them each time I have changed blog software, backed them up, reformatted them, and so on.

This is a website about fairly advanced computing, which is aimed at adults. If someone can use a bash recipe or write a Python script, then if the comment spam fighting techniques fail, they have the intellect to handle a Viagra advert in the comments for a few minutes or hours.

Therefore my first principle is that the cost of a false positive is far greater than any number of false negatives. If there are false positives then they must not be permanent, and they must be easy to spot and reverse.

Secondly, as mentioned above, spam fighting should be server-side, it is my problem not yours - I am not into making the reader guess the word, jump through hoops or pin the tail on the donkey while blindfolded and spun around.

What is a spam comment?

The commenting system here is for discussing the topic and communicating with other readers. Linking to a resource that is relevant to the discussion is clearly not spam. Many people, while leaving a relevant comment, will link to their own website as a kind of signature. This is clearly not spam.

A person or script using the comment system to leave links to irrelevant websites for financial gain, with no comment or something extremely generic, is comment spam. So obviously context is important.

Catching by URLs

Most genuine commentators paste the URL in the post directly. Those that want to markup their text use the markup that I have specified.

Meanwhile spam comments have HTML or BBCode marked up links in them, from a few to dozens or hundreds of them. So comments with HTML or BBCode marked up links can be held for moderation. Comments with a large number of URLs can also be held for moderation. These little measures stop the most of the indiscriminate spam scripts sent from zombie machines.

Catching by IP

This leaves the more discriminate spammers, those who probe and test to try to see what goes or up not. These appear to send multiple spams from the same IP Address.

In the Image above, you can see the admin panel showing 18 comments held for moderation. Highlighted in red are 16 comments from the same IP Address. I moderate all the comments caught using a new version of my command-line tool. When a comment is confirmed as spam, it is deleted and the originating IP address is blocked, thus stopping repeat offenders.

Extra herbs and spices

I have some other ingredients to my spam fighting recipe, but at the moment they are not being brought into play because the above ingredients seem to do the trick. One advantage of using Django and Soturi is that I can quickly reprogram the site if my spam fighting recipe stops being effective.

Since this approach seems to work, I personally I have no desire to use some third-party service to filter my comments, because I have no easy way of knowing if or how it is likely to make false positives. Also being a technology site, people often write comments involving command line commands or source code which gets flagged easily in these filtering services.

Anyhow, that is my setup, I would be interested to hear what other people find useful.