Need someone to lead product management at your software company? I create software for people that create software and I'm looking for my next opportunity. Check out my resume and get in touch.

Comment spam

Freshness Warning
This blog post is over 20 years old. It's possible that the information you read below isn't current and the links no longer work.

I’ve been getting a fair amount of comment spam recently. Some of it is outright spam with people using bots to post dozens of comments that look just like your typical email spam. Other comments contain only a short, generic message such as “very good” or “I like the site” but then have the spammer’s payload URL in the contact section of the post. I imagine that the point behind the later is to increase their incoming links to affect search engines like Google.

I’ve been deleting these as I come across them, but the volume has increased dramatically in the last few weeks. Instead of one every month or so, I’m getting comment spam almost every day now. In talking to Brad, he pointed out a scary scenario that would have bots crawling looking for sites to send spam trackback pings to.

I’m fed up and want your help in devising a solution that will curtail this. I’ve drawn upon features of BBSs, authentication systems, and forum software for ideas on how to stop this. Please add your feedback and additional ideas.

To prevent automated bots from flooding a site with comments, we could add posting limits to comment and trackback systems. The average person can’t submit more than one comment every few seconds, so comment systems could enforce a minimum time between comments. A single IP address could only post one comment every 30 seconds. If the commenter ignores the limit and keeps trying to post, it’s obviously a bot. So any IP address that tries to post 4 or more comments in 30 seconds is automatically banned for a short period of time. This would also work for TrackBack spam.

  • Allow flexible field names
    Comment systems could allow site owners to easily change field names for their comment forms. Since many of the automated bots are just crawling looking for certain form field names and submission addresses, this would be an easy way to thwart many of them.
  • Require an authentication token
    Each form submission would need to include an authentication token in a hidden field. The token would be the unique entry ID hashed with a secret key. When a comment comes in, take the entry id, hash it with the secret key, and only allow the comment if it matches. This would keep bots from submitting comments without using the actual comment form.
  • Make it easier to delete comments.
    When someone posts a comment, MT automatically sends me an email. That email should include a link to delete the comment and rebuild the entry. Then when a comment does slip through, it’s a simple matter to remove it.

What else could we do? And anyone want to jump in and implement some of this for popular systems?

September 19, 2003 7:48 AM

I am surprised there has been no follow-up discussion about communal post-ranking systems like Slashdot. No need to censor anyone or deal with accessibility problems, you simply have the community rank comments by merit, with the kind of safeguards against ballot-box-stuffing that Slashdot has built in. Trolls, spammers and freepers, who arguably combine the worst attributes of both, still post, but their posts don't get exposure--anyone who is bothered simply sets their filter to level 3 or whatever, and never see the bottom-feeders. When the community is too small to have a good community filter, you either rank it yourself or appoint a small group of responsible commenters to do the ranking. When the community grows enough, you adopt a Slash-type system. Simple, free-speech-friendly, accessible, non-intrusive, manageable.

Trackback from soundCommons :: weblog ::
October 10, 2003 10:49 AM

Comment Spam

Excerpt: In the past month or so, the blog has become the target of polite comments that seem to have not

Trackback from Reflective Reality
October 10, 2003 11:26 PM

Automated Comment SPAM Solution

Excerpt: I now have a working captcha thanks to James Seng. I really don't care how much of a pain it is on the accessibility front, the spammers have driven me to finding a working solution. The don't allow comments from google searches hack also makes first t...

Trackback from random ruminations
October 11, 2003 9:21 AM

Comment Spam

Excerpt: I've been struck with comment spam three times in the last week. I don't know if this means that, suddenly, my blog has hit the radar screens of whatever search engine spammers use, or if I'm just lucky. Regardless, the first time is was mild, the seco...

Trackback from different strings
October 12, 2003 8:14 PM

More on comment spam

Excerpt: There's a thread over at Making Light about a specific comment spammer who has been posting ads for what is allegedly child pornography. This guy is really obnoxious - one blogger reports having it show up on 89 posts so...

Trackback from Take the First Step
October 16, 2003 7:44 AM

Weblog Software and the Internet Food Chain

Excerpt: it's probably a good thing that TypePad embeds comments and TrackBack pings within the individual entry page. On the other hand, they should expect trackback spam to join the current comment spam. They need to address this before the cure becomes worse...

Richard Rutter
October 16, 2003 8:18 AM

I've started to implement tools to prevent comment spam on my site. So far I've only gone down the blacklist route. I also like the idea of preventing repeat posts within a certain time period - this would also prevent accidental multiple-posting. I figured that you could recognise a repeat post in three ways: 1) same name, email, url 2) same IP address 3) same session ID Could a PHP session ID prevent robot attacks? Or would a robot always get assigned a session ID anyway? I'm thinking no session ID - no comment.

Lonnon Foster
November 5, 2003 1:31 PM

Jay Allen has an excellent Movable Type plugin for stopping comment spam: MT-Blacklist ( The plugin hits comment spammers where they live: in the URLs they leave behind. Comment spam is actually a little easier to filter than email spam, because it has to point to a specific URL in order to boost that URL's page ranking in search engines. MT-Blacklist looks for known spam URLs (and comes with a default blacklist of over 450), and adding new ones is as easy as clicking a link in MT's new comment notification mail.

November 5, 2003 11:36 PM

convert URLS to a link pointing to ur server which in turns, redirects the link to the orig URL. defeating the purpose of ranking high in search engines

Adam Kalsey
November 6, 2003 9:52 AM

That's an idea that's often floated about. The problem is that spammers would still leave spam, not knowing that your system wasn't giving them Google juice. And this (and Jay Allen's) solution also relies on the concept that spammers leave comment spam solely to increase PageRank. That will change. Spammers will start leaving spam for other reasons as well.

Trackback from Wetware
November 7, 2003 9:08 AM

A New Way to Fight Blog Comment Spam

Excerpt: Spam in blog comments is quite different from email spam and can be fought in a much more direct manner.

Alfred Anderson
November 14, 2003 2:47 PM

You have excellent ideas represented in this BLOG. Many of them could be used by more than just blog but could migrate into email, web page comments, IM and other areas where spamming is frequent. However, while select individual sites can be protected with such advance techniques, do we have an infrastructure that allows such protection to be available on a more global scale? Right now, I sense this is a grass-roots level for which support is needed (perhaps at the standards committee level). Is anyone lobbying the standards bodies for incorporation of such proven ideas? Will the best of these ideas be incorporated in commercial-ware? Unless these ideas reach the average consumer, they are falling far short of their potential. So how can these ideas be marketed?

kaushal parikh
December 17, 2003 8:45 AM

The simple way to do it is to remove all url in comments. No way to steal visitors = no reason to put comment spam on a page... An other way to fight back: Build a link farm where you put a link to all the comment spammer's websites. They will be soon penalysed by google and nobody will find them ;). I like distributed/collaborative approaches to fight spam. For weblog with few comment volume, pre approval of comments may be the answer. If you know that your comment will first be read by a moderator/blog owner, and that you know that it will never be approved why would you want to put a comment spam ? Pre approval via email turn a Comment Spam into a regular spam with smaller audience and regular email spam tool already available could be used... kaushal parikh

Trackback from WWWorker - Sascha Carlin
November 15, 2004 10:12 AM

Secret Tags - An alternative to Captchas?

Excerpt: [11/14/2004] Update: [Adam Kalsey has a piece][adam] from Sep 2003 that includes more or less what I call Secret Tags. Since it's from Sep 2003, the credit goes to him, even I discovered his piece just today. Adam, too, says...

January 9, 2006 6:14 PM

I agree very much with your point about spamming on comments. Why don't you just make sure that the topic is really addressed honestly? If it is addressed legitimately, then you should allow the link. If it's just a short and meaningless comment, then I would delete it. People should be rewarded for their honest interests in specific topics.

These are the last 15 comments. Read all 34 comments here.

This discussion has been closed.

Recently Written

Great prodct managers own the outcomes (May 14)
Being a product manager means never having to say, "that's not my job."
Too Big To Fail (Apr 9)
When a company piles resources on a new product idea, it doesn't have room to fail. That keeps it from succeeding.
Go small (Apr 4)
The strengths of a large organization are the opposite of what makes innovation work. Starting something new requires that you start with a small team.
Start with a Belief (Apr 1)
You can't use data to build products unless you start with a hypothesis.
Mastery doesn’t come from perfect planning (Dec 21)
In a ceramics class, one group focused on a single perfect dish, while another made many with no quality focus. The result? A lesson in the value of practice over perfection.
The Dark Side of Input Metrics (Nov 27)
Using input metrics in the wrong way can cause unexpected behaviors, stifled creativity, and micromanagement.
Reframe How You Think About Users of your Internal Platform (Nov 13)
Changing from "Customers" to "Partners" will give you a better perspective on internal product development.
Measuring Feature success (Oct 17)
You're building features to solve problems. If you don't know what success looks like, how did you decide on that feature at all?


What I'm Reading


Adam Kalsey

+1 916 600 2497


Public Key

© 1999-2024 Adam Kalsey.