on Jul 11, 2007
Akismet, the anti-spam WordPress plugin, has been around since November 2005. In that time, the software has dealt with 2 billion spam messages. What’s really alarming is the shape of the curve. To be fair, some of the curve is the result of more and more people using WordPress, and more of those people getting Akismet, but still.
Such a mammoth waste of everyone’s time and energy for just a tiny bit of money for a minuscule number of people.
The spam solution I’m using is still going strong. It’s been 2 weeks since the last time I saw a spam. It’s been over a month since one slipped by that I had to delete manually. Given the sheer volume of spam I was getting five months ago, and given the fact that this site is several times larger now, I’m very grateful for how well the CAPTCHA is working.
If you look at the problem from the POV of the spam programmer, there are many ways to make his job harder and more annoying. You can’t make it impossible, of course, but the appeal of spam has always been the fact that it is “free” for the spammer. Making it less free might go a long way to making less of it. Given the normal level of laziness and stupidity of the average spammer, I think that even CAPTCHAs are probably overkill.
Most spam scripts go right for the WordPress comment-posting script. Just giving this script a configurable name would probably be just as effective as the CAPTCHA solution I’m using now.
Another technique would be to simply insist that comment POSTs are the result of an honest-to-goodness page load. Embed a secret number (which changes automatically) into the form as a hidden field, and make sure incoming form submissions contain the number. The advantage of this would be that it would be seamless and transparent to normal users – they wouldn’t even need to enter a CAPTCHA. The only downside: if a user loaded the page, did something else for a couple of hours, and then came back and left a comment on the open page without reloading it first, their number would have expired and the system would eat their comment. The disadvantage for the spammer is that they would have to parse all that HTML on the page if they want their comment to get through.
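One way to build the hidden-field number described above, as an added example that is not part of the original post or of WordPress: the "number" is an issue timestamp plus an HMAC over the post ID, so the server needs no per-visitor storage. The names `issue_token`, `check_token`, `SECRET_KEY` and the two-hour `MAX_AGE_SECONDS` are assumptions, and the check reports "expired" separately so the form can be re-shown instead of eating the comment.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: per-site secret kept server-side (random per process in this demo).
SECRET_KEY = secrets.token_bytes(32)
# Assumed lifetime; the post only says the number "changes automatically".
MAX_AGE_SECONDS = 2 * 60 * 60


def _mac(post_id, issued_at):
    """HMAC binding the token to one post and one issue time."""
    msg = f"{post_id}:{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(post_id, now=None):
    """Hidden-field value, generated on every page load."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}.{_mac(post_id, issued_at)}"


def check_token(token, post_id, now=None):
    """Classify a submitted hidden-field value as 'ok', 'expired' or 'invalid'."""
    now = time.time() if now is None else now
    issued_str, sep, mac = token.partition(".")
    digits = issued_str.isascii() and issued_str.isdigit()
    if not sep or not digits or len(issued_str) > 12:
        return "invalid"
    issued_at = int(issued_str)
    expected = _mac(post_id, issued_at).encode()
    # Constant-time compare on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(mac.encode("utf-8", "replace"), expected):
        return "invalid"
    if issued_at > now:
        return "invalid"  # timestamp from the future
    if now - issued_at > MAX_AGE_SECONDS:
        # Genuine but stale: re-show the form with the comment text preserved.
        return "expired"
    return "ok"


if __name__ == "__main__":
    t0 = 1_184_112_000  # constructed timestamp for the demo
    tok = issue_token(42, now=t0)
    print(check_token(tok, 42, now=t0 + 300))        # fresh page load
    print(check_token(tok, 42, now=t0 + 3 * 3600))   # page left open too long
    print(check_token("1184112000.deadbeef", 42, now=t0 + 300))  # made-up value
```

A token stays valid for every submission inside its lifetime, so this raises the cost of blind POSTs to the comment script but is not a one-time-use check.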
Shamus Young is an old-school OpenGL programmer, author, and composer. He runs this site and if anything is broken you should probably blame him.