COMMAND LINE WARRIORS

Taking Control of your Own Technology

  • RSS-Button

On Comment Spam

30 December 2008

I noticed an article on Slashdot today called Smart Spam Filtering For Forums and Blogs? where someone asks "Does anyone know of a good system for filtering spam".

In this post I reflect on comment spam and my approach to dealing with it.

Background

On this site I have previously talked about my past approaches to this topic:

  • My original post on the subject was called 'only the penitent man will pass - on captchas and cotton wool', where I explained why I do not go in for 'captchas' or other party games that make it harder for you the reader to leave a comment.
  • My next post was Akismet Blues where I discovered that a third-party comment judging service called Akismet was suddenly blocking everyone, due to the fact that the upstream changes in the service had broken the blog plugin I was using at the time.
  • My third post on the subject was Django FreeComments cleanup script where I shared a command line cleanup script for Django FreeComments, a comments system that appeared in the previous version of Django.

Now I recoded the site to use Django 1.0 (read about that here), I had to make these decisions again.

Principles

The aim of this site is to have a discussion about the topics I raise. The comments are not some optional add on, they are core to what the site is about. Furthermore, my readers are busy people, who take the time out of their busy lives to share their wisdom, thoughts and views by leaving a comment here.

Therefore I respect that very highly. I have 1431 comments, I may not have responded individually to each of them, but I have read them all many times, and I have written SQL to move them each time I have changed blog software, backed them up, reformatted them, and so on.

This is a website about fairly advanced computing, which is aimed at adults. If someone can use a bash recipe or write a Python script, then if the comment spam fighting techniques fail, they have the intellect to handle a Viagra advert in the comments for a few minutes or hours.

Therefore my first principle is that the cost of a false positive is far greater than any number of false negatives. If there are false positives then they must not be permanent, and they must be easy to spot and reverse.

Secondly, as mentioned above, spam fighting should be server-side, it is my problem not yours - I am not into making the reader guess the word, jump through hoops or pin the tail on the donkey while blindfolded and spun around.

What is a spam comment?

The commenting system here is for discussing the topic and communicating with other readers. Linking to a resource that is relevant to the discussion is clearly not spam. Many people, while leaving a relevant comment, will link to their own website as a kind of signature. This is clearly not spam.

A person or script using the comment system to leave links to irrelevant websites for financial gain, with no comment or something extremely generic, is comment spam. So obviously context is important.

Catching by URLs

Most genuine commentators paste the URL in the post directly. Those that want to markup their text use the markup that I have specified.

Meanwhile spam comments have HTML or BBCode marked up links in them, from a few to dozens or hundreds of them. So comments with HTML or BBCode marked up links can be held for moderation. Comments with a large number of URLs can also be held for moderation. These little measures stop the most of the indiscriminate spam scripts sent from zombie machines.

Catching by IP

This leaves the more discriminate spammers, those who probe and test to try to see what goes or up not. These appear to send multiple spams from the same IP Address.

/images/posts/django/sameip.png

In the Image above, you can see the admin panel showing 18 comments held for moderation. Highlighted in red are 16 comments from the same IP Address. I moderate all the comments caught using a new version of my command-line tool. When a comment is confirmed as spam, it is deleted and the originating IP address is blocked, thus stopping repeat offenders.

Extra herbs and spices

I have some other ingredients to my spam fighting recipe, but at the moment they are not being brought into play because the above ingredients seem to do the trick. One advantage of using Django and Soturi is that I can quickly reprogram the site if my spam fighting recipe stops being effective.

Since this approach seems to work, I personally I have no desire to use some third-party service to filter my comments, because I have no easy way of knowing if or how it is likely to make false positives. Also being a technology site, people often write comments involving command line commands or source code which gets flagged easily in these filtering services.

Anyhow, that is my setup, I would be interested to hear what other people find useful.

1 Eion says...

Other than server-side processing of comments, I like to add additional <input>'s and hide them in external css. Most of the time the fields are populated by spam-bots, and if so, they get blocked.

No, not a perfect solution on it's own but just another feather in the cap against comment spam.

Posted at 2:20 a.m. on December 30, 2008


2 Bug says...

Well... Sadly, and I guess you hate me for it, I use captcha. But at least it's not an image, so even if you visit using w3m [yey!] you can comment. I know it's not perfect and it could get annoying... I thought about making a cookie of passing the captcha once grants you captcha-less life for as long as the cookie is alive, but I never got around to it [Along with the setting rewrite mod].

I guess creating your site from scratch has disadvantages [spam], but I still love the advantages, it lets me play around with it as much as I want.

Posted at 6:33 a.m. on December 30, 2008


3 Zeth says...

Hi Eion, Yes that is an interesting approach also. It is the only approach given by default in the stock Django comments module, though it does not stop all comment spam.

Bug, well the simple easy text-based question is not too annoying, and if the question rotates occasionally then it is quite effective.

Posted at 2:30 a.m. on December 31, 2008


4 bug says...

@Zeth: The hidden field does block some. Not perfect, but it does release some weight from the filtering system, as those are 100% false comments.

Acctually, if you would have tried to post comments or my webbie, you'd see that it doesn't change. I didn't see a reason to implant one, because as long as my webbie isn't boing boing or anything, it won't have hand made spam. This magical captcha of mine blocks the automated kind of spam. But if someone does manually code it, yeah. It'd be pain and I'd have to make the question change.

Posted at 7:46 a.m. on December 31, 2008


5 Ryan v. says...

Clever solution Eion. Sort of stumbled across a solution similar to that on my own (accidentally). Seems to be undefeated for the time being...

Posted at 12:03 a.m. on July 24, 2009


6 dahuletam says...

Having good content can only get you so far unless you also provide a good atmosphere to comment in

Posted at 7:43 p.m. on August 29, 2009


7 Sim says...

In relation to spam I think in most cases you need human judgment to decide whether it is a spam or not. I have used Akismet on my wordpress blog after hearing a lot of good things about it but I also think it is too too secure as their spam detecting system seems to be very strict. I don't mind linking to commenter as long as their comment is relevant to the post and is engaging with other commenter but some of these comments seem to be blocked off.

I do believe that many website owners comment for the purpose of building links towards their own sites however it does not necessarily mean they are spamming. As long as they are actually engaging with the blog post itself and with other commenter then it is not a spam.

Posted at 9:51 p.m. on September 15, 2009


8 expifesluse says...

Hi People How are you doing?

Posted at 6:29 p.m. on October 6, 2009


What do you have to say?

Show Editing Help

About

Hello, my name is Zeth, I'll be your host here.

Command Line Warriors is about taking control of your own technology, it looks at our experiences of computing; especially using GNU/Linux, the Python programming language, the command-line and issues such as techno-ethics, best practices and whatever is cool now. If you take control of your technology then you are a Warrior too!

This site is your site too which means that you can contribute and get involved. You can leave comments using the facility provided. For me, the comments and discussions are by far the best part of the site. So please do have your say!

Latest Discussions

Zeth

November 29, 2009
Hi Jordan, yes that URL is gone now. I have a new contact form on this site.
Python CGI contact forms

Jordan

November 29, 2009
Zeth attention! Your form, http://zeth.me.uk/contact/, is not working The explorer says connecting ..but nothing happens Sorry for my poor English: I am Spanish Regards
Python CGI contact forms

Jordan

November 26, 2009
Sorry: tell me , not tellme (I'm spaniard) And http://zeth.me.uk/contact/ don't work
You got the touch, you got the power

David Jones

November 25, 2009
Your mad skillz are too l33t! for me. I specifically switched to Google Reader so that I could show people what blogs I read. But I couldn't work out how ...
How to find the fashionable blogs quickly

Brian R. Hickey

November 20, 2009
Symantec picked it up too.
How to bring down Internet Explorer with six words

Zeth

November 17, 2009
Thanks djm, I am the moose here. Christian, assuming one actually does Internationalise the countries, it should still work I guess, as the gettext stuff will happen before the list ...
Countries in Django

Phillip Temple

November 17, 2009
Good start, but: a) wouldn't I want None back rather than 'ZZ'? b) why not add a 'shortcut' boolean, then prepend flagged fields (plus usual '-----' separator) to the actual ...
Countries in Django

djm

November 17, 2009
Am I being a moose or did you mean: from whatever.countries import CountryField instead of from whatever.countries import CharField ? Good post though, cheers.
Countries in Django

Christian Joergensen

November 17, 2009
Wouldn't the ordering get messed up after i18n?
Countries in Django

Steve - Electronic Cigarettes Fan

November 17, 2009
Very well done. Is your blog just you writing? Nicely done, Steven.
Blogger vs Wordpress

vetetix

November 15, 2009
Sorry to bother you nearly two years after you wrote this blog article, but I can't manage to find how to modify an existing field. I am trying to change ...
Three Useful Python Bindings - ClamAV, Apt and Evolution

Manju

November 4, 2009
I am transferring some files using psftp to other device's FAT partition. But the filestamp of the file being transferred is modified to that of FAT device, after the transfer. ...
PuTTY Series: Using PSFTP

iki

November 2, 2009
or simpler: socket.gethostbyname_ex(socket.gethostname())[2]
How to find out your IP address in Python

iki

November 2, 2009
local_ip = set([ i[4][0] for i in socket.getaddrinfo(socket.gethostname(), None) if i[0] == 2 ])
How to find out your IP address in Python

Fred

November 2, 2009
testing rst ------------- - point 1
An Introduction to ReStructuredText

Ano

October 27, 2009
"You simply found the license of the StumbleUpon Toolbar for Internet Explorer." That's possible. I've got some more interesting information to add. Firstly, go to this page: https://addons.mozilla.org/en-US/firefox/addon/138 - this ...
Are your Firefox extensions proprietary software?

Ken

October 21, 2009
Stumbled in here at lunch. This is the best find of the week. Thanks.
Three classic command line tips

Jim

October 19, 2009
Thanks for the rtsp:// post - that's something that has been bugging me for a while!
Three classic command line tips

Zeth

October 18, 2009
Thanks for the comments guys. Great to see the all the gang are still here!
Three classic command line tips

Bubba

October 18, 2009
Is there any way psftp can return the true transfer rates oberved during the actual transfer?
PuTTY Series: Using PSFTP

Made with Django. Creative Commons License Theme Designers Homepage Valid XHTML 1.0 Strict