Stop blog spam with these top techniques
written by craig, 16 July 2008
Like most people, I receive a fair amount of spam email. But it’s nothing compared to having a blog!
If you’ve got a blog that’s even slightly successful, you will receive spam in huge quantities. I’ve only been monitoring it for around a year, but it has now exceeded 15,000 messages, with around a third of those coming in the last couple of months.
The latest spammer trick appears to target trackbacks. They post a message to an insecure system which features their links and links to legitimate blogger sites. The trackback is picked up by the blog software and automatically added to the comments list for that message. The result is that the spammer ends up with multiple links to their original message. It must be working – I’m getting dozens a day, so I’m sure many others are too.
Blog spam filtering
If running a blog is core to your business, then you need spam filtering. Fortunately, most blog software has spam plug-ins but, if yours doesn’t, then it may not be the right solution for you.
First, consider whether comments, trackbacks and pings are really required on your blog. They’re great to have, but if you’re only publishing industry news or don’t have the facilities to manage the blog on a daily basis, then it may be best to disable them altogether.
Next, I’d recommend that you disable automatic comment, ping, and trackback posts. Spam will have a tough time getting through if you’re manually checking all the messages that appear on your blog.
Now install spam filtering software so you’re not alerted every time a spam message comes through. The most well known is Akismet. It’s primarily aimed at WordPress, but is available for around 20 other platforms. Akismet is great and catches 99% of all my spam.
Finally, you can modify your comment form to ensure only humans are permitted. Many forms use CAPTCHAs; I’m not particularly keen on them because they make the form longer and tougher for real people. Personally, I prefer sneakier ways to catch the spambots without affecting real users. A combination of techniques can be implemented, e.g.
- validate everything
- ensure the post comes from the correct referring form
- ensure the IP address and user agent are valid and used the correct form
- time the post back – humans will take several seconds, spambots will not
- check for links – spambots will always post one or more links, but that’s less likely for real users
- use hidden form fields that should not be completed – but spambots won’t know that
- always reject the first post with an intermediate page, e.g. “are you sure you want to submit your message XXXXX?”
None of these techniques will stop the spammers trying, but they certainly give them a far tougher time and reduce your comment administration.
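As an added example (not code from the original post), here is one way to combine several of the checks listed above on the server: a hidden honeypot field, the referring form, a signed timestamp that times the post back and ties it to the IP that loaded the form, and a link count. The field name `website2`, the URL, the secret and the thresholds are all assumptions made for illustration.

```python
import hashlib
import hmac
import re
import time

SECRET = b"constructed-demo-key"           # assumption: per-site secret kept server-side
FORM_URL = "https://blog.example/post/42"  # constructed URL of the page serving the form
MIN_SECONDS = 5                            # assumption: fastest plausible human submit
MAX_LINKS = 1                              # assumption: more links than this is held

def _mac(ts, client_ip):
    return hmac.new(SECRET, f"{ts}|{client_ip}".encode(), hashlib.sha256).hexdigest()

def issue_token(client_ip, now=None):
    """Value for a hidden 'token' field, created when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(ts, client_ip)}"

def check_comment(form, headers, client_ip, now=None):
    """Return reasons to hold a comment for moderation; an empty list means accept."""
    now = time.time() if now is None else now
    reasons = []
    # Hidden field (hypothetical name) that real users never see or complete.
    if form.get("website2", "").strip():
        reasons.append("honeypot field filled")
    # Referer is easy to forge, so it is one weak signal among several.
    if not headers.get("Referer", "").startswith(FORM_URL):
        reasons.append("wrong referring form")
    # The token proves this IP loaded the form and records when it did.
    ts, _, mac = form.get("token", "").partition(".")
    valid_ts = ts.isascii() and ts.isdigit()
    if not valid_ts or not hmac.compare_digest(mac.encode(), _mac(ts, client_ip).encode()):
        reasons.append("missing or forged form token")
    elif now - int(ts) < MIN_SECONDS:
        reasons.append("posted too quickly")
    # Count links in the comment body.
    if len(re.findall(r"https?://", form.get("comment", ""), re.I)) > MAX_LINKS:
        reasons.append("too many links")
    return reasons
```

Returning reasons rather than a yes/no lets flagged comments go to the manual moderation queue instead of being silently dropped, which matters when a real user's browser strips the Referer header.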