Two-Fisted Tales of Spam Fighting

Over the past few weeks, we’ve been flooded with spam comments—up to 100 per day.  While 100% of it is caught by WordPress’s more-or-less standard Akismet anti-spam plugin, it still ends up in a spam queue that I have to go through and clean on a daily basis.

Most blog maintainers probably just clear their spam queue and move on. Not me, though. Spammers annoy the hell out of me the same way many home owners get pissed at someone tossing beer bottles or candy wrappers into their yard. Yeah, it takes a few seconds to clean up, but the fact that you have to do so because of someone else’s assholery really gets under your skin. If I had an easy avenue to do so, I’d file complaints about these tools to the hosting services hosting the sites they are flogging. The ones I do bother tracking down are, unlike your average penis-pill and “russian girls waiting scam date you” site, seem to actually be hosted in the US or some other place that might be responsive to spam complaints. If someone is looking for a coding project for a WordPress plugin, make one that will let you send off a report of comment spam to the site’s ISP.

Anyhow, I set out to make it as hard as possible for spammers to dump their trash in our back yard. And apparently, for the moment, I seem to have won. It’s still early, but our spam queue has been clean for the last two days. Hopefully there’s no collateral damage (err… more so that there was already, see after the jump). If you see anything weird on the site, post a comment or send a message via the comment form (especially if I managed to break commenting).

How I managed my (Pyhrric?) victory after the jump.

Up until a few days ago, we had a few anti-spam measures in place which obviously were being defeated  regularly. Chief among these was the nigh-ubiquitous Recaptcha. If you don’t know the name, you almost certainly have run across one sometime during your internet travels:

The problem is, somehow, spammers have managed to defeat Recaptcha, judging by the increasing levels of comment spam we have gotten. I’m not sure how they do it… whether it’s just better character recognition APIs, people in third world countries paid $1/hr. to solve captchas, or the apocryphal “porn for captchas” really does work.

We also had Recaptcha on our registration page and on our “Contact us” page. The “contact us” page got my attention a few months back after we started receiving spam through it on a regular basis. Since the contact form gets sent to my primary email address, getting spam on it really pisses me off. Honestly, it seems to me to be a real low percentage way pf spamming. You have to set your spambot up to find and submit contact forms, which may be difficult to locate, only to reach an audience of one, maybe two people. The only companies that seemed up to the task were Indian-based search engine optimization spammers. The crude way I first took care of them was to ban their entire ISP from even browsing our site, which actually seemed to block several cites in India. While it’s a bit draconian to shut out much of India from our site… I really really hate spam. So… if you have friends on the subcontinent who constantly wailing and gnashing their because they aren’t able to read our blog, please apologize on our behalf.

Even after blocking out a large chunk of a very populous country, we still got spam via the contact form, so I rooted around and found a WordPress plugin named Contact Form 7. What’s great about this plugin is that, in addition to doing things the other bazillion contact form plugins do (ask for your name, email address, etc.) it also lets you set up a “quiz” field that asks a question and refuses to submit the form if the answer is wrong. So, I created a set of really simple yes or no questions whose answer should be obvious (“are you a human?” “are you a Nigerian prince with a financial conundrum?”). Easy for a human to answer, not so easy for a spambot.

These measures almost  eliminated all spam through the contact form (anti-shout out to “Vinster Lewis, Business Development Coordinator with MD Inc.” the only douchbag who decided that all of the “don’t spam us” messages on the contact form didn’t apply to him and his crappy-ass marketing pitch. Fuckyouverymuch. By all means please don’t do business with this loser.)

So, back to comment spam, which as I said suddenly increased in volume over the last few weeks. After we  switched over to WordPress last year, we used Akismet and Recaptcha as our only antispam plugins. A few months later, I added NoSpamNX, a plugin that tries to fool spambots into revealing themselves through the use of normally hidden fields.  The fields it adds onto the comment form are hidden to actual humans using actual web browsers. Spambots don’t use browsers to send their spam. They will usually download just the comment form’s HTML code to figure out what the form fields are named so it can send its spam. By putting form fields into the comment form that huans shouldn;t see, the hope is that these spambots would shove their data into any and all fields present. So, if one of those  “hidden” fields actually has something fentered in it, the sender is likely not a human. It’s not perfect, but it has prevented about 5000 spams in the last 6 months.

Last week, when it became apparent that spammers were upping their game, and were able to get around Recaptcha with ease, I did some more research into anti-spam measures. First off, I wanted to get rid of Recaptcha. There’s zero reason to make people squint at barely readable text to comment if spambots are just as good as they at solving it. So, we’ve dumped recaptchas. In its place, I have:

  • Growmap Anti Spambot Plugin (GASP), which uses JavaScript to add a checkbox to the comment field. The theory here is that, as mentioned earlier, spambots don’t use a browser… they instead download HTML source to figure out what form fields to dump their crap in.  Since they don’t use a browser, they won’t have JavaScript running, and so they won’t see a checkbox that they must click to submit the comment form.  This also works on other forms, such as the registration form.
  • Block Spam By Math Reloaded, which adds a simple math question to the comment form. Simple for a human, tough for a spambot.
  • Nonce, Please!, which adds a small automatically-generated hidden field to the comment form. This plugin is aimed spambots that don’t even bother downloading the form, and just try to send form results to WordPress. If the form doesn’t have that hidden field on it, or if the value in that field has expired, the form is rejected. Now that I think of it, though, I bet this plugin is mooted by GASP, which essentially does the same thing.

Between these three plugins, we have now reached 0 comment spam for the last 2 days.

I do have misgivings about GASP… I’m not sure if screen reading software for the visually impared run JavaScript. I would think they would need to, these days. If they don’t, I guess I’ll need to look into some alternative, or some way that to have the plugin gracefully degrade. Now, I believe if you don’t have JavaScript it tells you you cannot post. Pretty harsh.

There was also some  collateral damage caused by GASP. It  automatically adds itself to every form you have… including the login form. I highly customized or login form, so GASP’s checkbox doesn’t appear on it. Even though the checkbox didn’t appear, the plugin still prevented  This locked out one of our contributors for a while, until she asked if her password was messed up.  (Sorry Helen!).  One of WordPress’s many flaws is that it doesn’t automatically take you to the settings page after activating a new plugin. And, plugins can stick their settings page in one of several places in the WordPress interface… making finding and choosing settings for a newly installed plugin a real pain in the butt.

I will mention a few other plugins that I found didn’t work for one reason or another:

  • Pti’s Text-Math Antispam for comment had layout issues for me. The test box appeared above the form field label, making things messy an confusing.  For that matter, Block Spam By Math Reloaded also has some formatting issues, but not enough to make it unusable.
  • WP Captcha Free sounds sounds like it works somewhat like Nonce, Please! but seemed to block all comments to the blog, claiming there were hash issues. I didn;t feel like digging into it, so I switched to Nonce, Please!

How long will these plugins thwart spam? Who knows. I bet the math questions will be defeated rather easily… it’s just a matter for a spammer to get all of the semantics of everyone’s “Add these two number” fields down. It would be harder to beat the quiz questions, since you would need a measure of artificial intelligence to parse and answer the questions we have on the contact form. I didn’t find a plugin that seemed to work that would add a quiz question to the comment field, but I’ll look into that of spambots seem to be defeating the math question.

I suspect eventually spammers will up their game and have their spambots actually render pages, JavaScript and all. After all, a lot of them are running their spambots on botnets… who cares if some poor moron’s computer gets even slower?

Till then, I’ll bask in my zero spam count.


One Comment

  1. You can mitigate like mad by closing comments on all posts older than X. You can thwart many by putting certain quirks of their spam on the block list. It isn’t limited to ISP blocking. I got pretty darn good at it when moderating for a popular blog. Also, I managed to shave off hundreds of spams that were there before I was by searching key words and variations. You are dear to endure your spam folder because many innocent commenters get shoved in there by Akismet for no discernible reason. Anyway, I am yours in spam hatred, 100%.

Comments are closed