Comment spam

Freshness Warning
This article is over 8 years old. It's possible that the information you read below isn't current.

I’ve been getting a fair amount of comment spam recently. Some of it is outright spam with people using bots to post dozens of comments that look just like your typical email spam. Other comments contain only a short, generic message such as “very good” or “I like the site” but then have the spammer’s payload URL in the contact section of the post. I imagine that the point behind the latter is to increase their incoming links to affect search engines like Google.

I’ve been deleting these as I come across them, but the volume has increased dramatically in the last few weeks. Instead of one every month or so, I’m getting comment spam almost every day now. In talking to Brad, he pointed out a scary scenario that would have bots crawling looking for sites to send spam trackback pings to.

I’m fed up and want your help in devising a solution that will curtail this. I’ve drawn upon features of BBSs, authentication systems, and forum software for ideas on how to stop this. Please add your feedback and additional ideas.

To prevent automated bots from flooding a site with comments, we could add posting limits to comment and trackback systems. The average person can’t submit more than one comment every few seconds, so comment systems could enforce a minimum time between comments. A single IP address could only post one comment every 30 seconds. If the commenter ignores the limit and keeps trying to post, it’s obviously a bot. So any IP address that tries to post 4 or more comments in 30 seconds is automatically banned for a short period of time. This would also work for TrackBack spam.

  • Allow flexible field names
    Comment systems could allow site owners to easily change field names for their comment forms. Since many of the automated bots are just crawling looking for certain form field names and submission addresses, this would be an easy way to thwart many of them.
  • Require an authentication token
    Each form submission would need to include an authentication token in a hidden field. The token would be the unique entry ID hashed with a secret key. When a comment comes in, take the entry ID, hash it with the secret key, and only allow the comment if it matches. This would keep bots from submitting comments without using the actual comment form.
  • Make it easier to delete comments
    When someone posts a comment, MT automatically sends me an email. That email should include a link to delete the comment and rebuild the entry. Then when a comment does slip through, it’s a simple matter to remove it.
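
The authentication token from the list above, as an added sketch in Python (not code from this post or from Movable Type). It uses HMAC-SHA256 as the keyed hash and goes one step beyond the post by binding an issue time into the token, so a value scraped from the form once stops working after `MAX_AGE`; the key, the function names and the one-hour lifetime are assumptions.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"  # assumption: per-site secret, never sent to clients
MAX_AGE = 3600                        # assumption: seconds a rendered form stays valid


def _mac(entry_id, issued_at, key):
    # Keyed hash over the entry ID and issue time; entry IDs are assumed to be integers.
    msg = f"{int(entry_id)}|{int(issued_at)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_token(entry_id, now, key=SECRET_KEY):
    """Value for the hidden field when the comment form for entry_id is rendered."""
    issued_at = int(now)
    return f"{issued_at}:{_mac(entry_id, issued_at, key)}"


def verify_token(entry_id, token, now, key=SECRET_KEY):
    """True only if token was issued by this site, for this entry, within MAX_AGE."""
    try:
        issued_str, mac = token.split(":", 1)
        issued_at = int(issued_str)
        expected = _mac(entry_id, issued_at, key)
    except (AttributeError, TypeError, ValueError):
        return False  # missing or malformed token, or non-numeric entry ID
    if not 0 <= now - issued_at <= MAX_AGE:
        return False  # expired, or claims to come from the future
    # Constant-time comparison so response timing does not leak the expected MAC.
    return hmac.compare_digest(expected.encode(), mac.encode())
```

As the post says, this only stops submissions that bypass the form; a client that loads the real form receives a valid token.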

What else could we do? And anyone want to jump in and implement some of this for popular systems?

Trackback from Wetware
November 7, 2003 9:08 AM

A New Way to Fight Blog Comment Spam

Excerpt: Spam in blog comments is quite different from email spam and can be fought in a much more direct manner.

Alfred Anderson
November 14, 2003 2:47 PM

You have excellent ideas represented in this BLOG. Many of them could be used by more than just blogs but could migrate into email, web page comments, IM and other areas where spamming is frequent.

However, while select individual sites can be protected with such advanced techniques, do we have an infrastructure that allows such protection to be available on a more global scale? Right now, I sense this is a grass-roots level for which support is needed (perhaps at the standards committee level). Is anyone lobbying the standards bodies for incorporation of such proven ideas? Will the best of these ideas be incorporated in commercial-ware? Unless these ideas reach the average consumer, they are falling far short of their potential.

So how can these ideas be marketed?

kaushal parikh
December 17, 2003 8:45 AM

The simple way to do it is to remove all URLs in comments.

No way to steal visitors = no reason to put comment spam on a page…

Another way to fight back: Build a link farm where you put a link to all the comment spammers’ websites. They will soon be penalised by Google and nobody will find them ;).

I like distributed/collaborative approaches to fight spam.

For weblogs with low comment volume, pre-approval of comments may be the answer. If you know that your comment will first be read by a moderator/blog owner, and you know that it will never be approved, why would you want to post comment spam? Pre-approval via email turns comment spam into regular spam with a smaller audience, and the regular email spam tools already available could be used…

kaushal parikh http://www.kaushalparikh.com

Trackback from WWWorker - Sascha Carlin
November 15, 2004 10:12 AM

Secret Tags - An alternative to Captchas?

Excerpt: [11/14/2004] Update: [Adam Kalsey has a piece][adam] from Sep 2003 that includes more or less what I call Secret Tags. Since it's from Sep 2003, the credit goes to him, even I discovered his piece just today. Adam, too, says...

Mark
January 9, 2006 6:14 PM

I agree very much with your point about spamming on comments. Why don’t you just make sure that the topic is really addressed honestly? If it is addressed legitimately, then you should allow the link. If it’s just a short and meaningless comment, then I would delete it. People should be rewarded for their honest interests in specific topics.

©1999-2012 Adam Kalsey.
Content management by Movable Type.