Comment spam

Freshness Warning
This article is over 15 years old. It's possible that the information you read below isn't current.

I’ve been getting a fair amount of comment spam recently. Some of it is outright spam with people using bots to post dozens of comments that look just like your typical email spam. Other comments contain only a short, generic message such as “very good” or “I like the site” but then have the spammer’s payload URL in the contact section of the post. I imagine that the point behind the latter is to increase their incoming links to affect search engines like Google.

I’ve been deleting these as I come across them, but the volume has increased dramatically in the last few weeks. Instead of one every month or so, I’m getting comment spam almost every day now. In talking to Brad, he pointed out a scary scenario that would have bots crawling looking for sites to send spam trackback pings to.

I’m fed up and want your help in devising a solution that will curtail this. I’ve drawn upon features of BBSs, authentication systems, and forum software for ideas on how to stop this. Please add your feedback and additional ideas.

To prevent automated bots from flooding a site with comments, we could add posting limits to comment and trackback systems. The average person can’t submit more than one comment every few seconds, so comment systems could enforce a minimum time between comments. A single IP address could only post one comment every 30 seconds. If the commenter ignores the limit and keeps trying to post, it’s obviously a bot. So any IP address that tries to post 4 or more comments in 30 seconds is automatically banned for a short period of time. This would also work for TrackBack spam.

  • Allow flexible field names
    Comment systems could allow site owners to easily change field names for their comment forms. Since many of the automated bots are just crawling looking for certain form field names and submission addresses, this would be an easy way to thwart many of them.
  • Require an authentication token
    Each form submission would need to include an authentication token in a hidden field. The token would be the unique entry ID hashed with a secret key. When a comment comes in, take the entry ID, hash it with the secret key, and only allow the comment if it matches. This would keep bots from submitting comments without using the actual comment form.
  • Make it easier to delete comments
    When someone posts a comment, MT automatically sends me an email. That email should include a link to delete the comment and rebuild the entry. Then when a comment does slip through, it’s a simple matter to remove it.
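
The authentication token from the list above, as an added example rather than code from the post or from Movable Type. It uses HMAC-SHA256 where the post says "hashed with a secret key", and goes one step beyond the post by binding an issue time into the token so that a token copied from the form stops working after an hour; the key, field names, function names and expiry are assumptions.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-example-key"  # placeholder; load from server config
MAX_AGE = 3600                           # assumption: a form is valid for one hour


def make_token(entry_id, issued_at, key=SECRET_KEY):
    """HMAC-SHA256 over the entry ID and the time the form was rendered."""
    msg = f"{entry_id}|{issued_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def hidden_fields(entry_id, now, key=SECRET_KEY):
    """Values to emit as hidden inputs when rendering the comment form."""
    return {
        "entry_id": str(entry_id),
        "issued_at": str(now),
        "token": make_token(entry_id, now, key),
    }


def verify_comment(form, now, key=SECRET_KEY):
    """Return (ok, reason) for a submitted form, given as a dict of strings."""
    try:
        entry_id = int(form["entry_id"])
        issued_at = int(form["issued_at"])
        token = str(form["token"])
    except (KeyError, ValueError, TypeError):
        # A bot posting straight to the comment script has no valid fields.
        return False, "missing_or_malformed"

    expected = make_token(entry_id, issued_at, key)
    # Constant-time comparison; bytes avoids errors on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False, "bad_token"

    # Checked after the MAC so the timestamp is known to be ours.
    if not 0 <= now - issued_at <= MAX_AGE:
        return False, "expired"
    return True, "ok"
```

A token computed from the entry ID alone never changes, so a bot that loads the form once can reuse it indefinitely; the issue time narrows that to the expiry window but does not stop a bot that fetches the form before every post.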

What else could we do? And anyone want to jump in and implement some of this for popular systems?

galiel
September 19, 2003 7:48 AM

I am surprised there has been no follow-up discussion about communal post-ranking systems like Slashdot. No need to censor anyone or deal with accessibility problems, you simply have the community rank comments by merit, with the kind of safeguards against ballot-box-stuffing that Slashdot has built in. Trolls, spammers and freepers, who arguably combine the worst attributes of both, still post, but their posts don't get exposure--anyone who is bothered simply sets their filter to level 3 or whatever, and never sees the bottom-feeders. When the community is too small to have a good community filter, you either rank it yourself or appoint a small group of responsible commenters to do the ranking. When the community grows enough, you adopt a Slash-type system. Simple, free-speech-friendly, accessible, non-intrusive, manageable.

Trackback from soundCommons :: weblog ::
October 10, 2003 10:49 AM

Comment Spam

Excerpt: In the past month or so, the blog has become the target of polite comments that seem to have not

Trackback from Reflective Reality
October 10, 2003 11:26 PM

Automated Comment SPAM Solution

Excerpt: I now have a working captcha thanks to James Seng. I really don't care how much of a pain it is on the accessibility front, the spammers have driven me to finding a working solution. The don't allow comments from google searches hack also makes first t...

Trackback from random ruminations
October 11, 2003 9:21 AM

Comment Spam

Excerpt: I've been struck with comment spam three times in the last week. I don't know if this means that, suddenly, my blog has hit the radar screens of whatever search engine spammers use, or if I'm just lucky. Regardless, the first time it was mild, the seco...

Trackback from different strings
October 12, 2003 8:14 PM

More on comment spam

Excerpt: There's a thread over at Making Light about a specific comment spammer who has been posting ads for what is allegedly child pornography. This guy is really obnoxious - one blogger reports having it show up on 89 posts so...

Trackback from Take the First Step
October 16, 2003 7:44 AM

Weblog Software and the Internet Food Chain

Excerpt: it's probably a good thing that TypePad embeds comments and TrackBack pings within the individual entry page. On the other hand, they should expect trackback spam to join the current comment spam. They need to address this before the cure becomes worse...

Richard Rutter
October 16, 2003 8:18 AM

I've started to implement tools to prevent comment spam on my site. So far I've only gone down the blacklist route. I also like the idea of preventing repeat posts within a certain time period - this would also prevent accidental multiple-posting. I figured that you could recognise a repeat post in three ways: 1) same name, email, URL; 2) same IP address; 3) same session ID. Could a PHP session ID prevent robot attacks? Or would a robot always get assigned a session ID anyway? I'm thinking no session ID - no comment.

Lonnon Foster
November 5, 2003 1:31 PM

Jay Allen has an excellent Movable Type plugin for stopping comment spam: MT-Blacklist (http://www.jayallen.org/projects/mt-blacklist/). The plugin hits comment spammers where they live: in the URLs they leave behind. Comment spam is actually a little easier to filter than email spam, because it has to point to a specific URL in order to boost that URL's page ranking in search engines. MT-Blacklist looks for known spam URLs (and comes with a default blacklist of over 450), and adding new ones is as easy as clicking a link in MT's new comment notification mail.

stephen
November 5, 2003 11:36 PM

Convert URLs to a link pointing to your server which, in turn, redirects the link to the original URL, defeating the purpose of ranking high in search engines.

Adam Kalsey
November 6, 2003 9:52 AM

That's an idea that's often floated about. The problem is that spammers would still leave spam, not knowing that your system wasn't giving them Google juice. And this (and Jay Allen's) solution also relies on the concept that spammers leave comment spam solely to increase PageRank. That will change. Spammers will start leaving spam for other reasons as well.

Trackback from Wetware
November 7, 2003 9:08 AM

A New Way to Fight Blog Comment Spam

Excerpt: Spam in blog comments is quite different from email spam and can be fought in a much more direct manner.

Alfred Anderson
November 14, 2003 2:47 PM

You have excellent ideas represented in this blog. Many of them could be used by more than just blogs but could migrate into email, web page comments, IM and other areas where spamming is frequent. However, while select individual sites can be protected with such advanced techniques, do we have an infrastructure that allows such protection to be available on a more global scale? Right now, I sense this is a grass-roots level for which support is needed (perhaps at the standards committee level). Is anyone lobbying the standards bodies for incorporation of such proven ideas? Will the best of these ideas be incorporated in commercial-ware? Unless these ideas reach the average consumer, they are falling far short of their potential. So how can these ideas be marketed?

kaushal parikh
December 17, 2003 8:45 AM

The simple way to do it is to remove all URLs in comments. No way to steal visitors = no reason to put comment spam on a page... Another way to fight back: build a link farm where you put a link to all the comment spammers' websites. They will soon be penalised by Google and nobody will find them ;). I like distributed/collaborative approaches to fight spam. For weblogs with low comment volume, pre-approval of comments may be the answer. If you know that your comment will first be read by a moderator/blog owner, and you know that it will never be approved, why would you want to post comment spam? Pre-approval via email turns comment spam into regular spam with a smaller audience, and the regular email spam tools already available could be used... kaushal parikh http://www.kaushalparikh.com

Trackback from WWWorker - Sascha Carlin
November 15, 2004 10:12 AM

Secret Tags - An alternative to Captchas?

Excerpt: [11/14/2004] Update: [Adam Kalsey has a piece][adam] from Sep 2003 that includes more or less what I call Secret Tags. Since it's from Sep 2003, the credit goes to him, even I discovered his piece just today. Adam, too, says...

Mark
January 9, 2006 6:14 PM

I agree very much with your point about spamming on comments. Why don't you just make sure that the topic is really addressed honestly? If it is addressed legitimately, then you should allow the link. If it's just a short and meaningless comment, then I would delete it. People should be rewarded for their honest interests in specific topics.

These are the last 15 comments. Read all 34 comments here.

This discussion has been closed.

©1999-2019 Adam Kalsey.