To build a community, you need your visitors to comment on your site. Unfortunately, when you do that, you open up your site to others who you might not want to come calling – namely spammers, who will leave all sorts of garbage on your (virtual) doorstep. While we probably won’t ever be able to get rid of them, managing spam feedback is a completely bearable process.
Depending on who you ask, you’re likely to get a wide variety of answers on the best avenue to take when it comes to which plugins to use or which configuration directives to set in the fight against spam. You’ll see names like Akismet or Defensio mentioned, and plugins such as MT-Approval and Tiny Turing thrown into the mix. Some will tell you that you need a CAPTCHA and some will tell you that there’s just no way to win. In the end, you don’t really need much more than a little creativity and some patience.
Direct Access of the Comment Script
The first item up for debate is whether or not the spam-bots will hit your comment script directly (without going to the individual archive entry). While it is possible, after monitoring thousands of spam comments over many months, the answer, at least at this point, is generally that they will not. I think that this is because they need an entry ID, and to get that, it is usually just easiest to submit the form on your individual archive page. Knowing this means that plugins such as CommentChallenge and similar functions offered by MT-Approval are less than worthwhile. You may not want to waste your time looking for something that short-circuits the comment process if not submitted correctly, because it doesn’t happen often.
With that said, where these types of plugins – and CAPTCHAs and Tiny Turing – can come in handy is when they put a value in a form field, and that value can be checked on submission to make sure that it is correct. In this case, it’s a test to verify that a blank field isn’t simply being filled in and submitted. At that point, it can help establish that the submission is not automated. But you also have to consider that your visitors may not like the extra step, and in that case you may want to look at a plugin such as MT-Approval, which can do some of this work behind the scenes, without the visitor actually having to enter any data.
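A server-side field check of the kind described above, as an added example that is not from the original post and is not how MT-Approval, Tiny Turing or CommentChallenge are implemented: a hidden field carries a signed render time bound to the entry ID, and the submit handler rejects blank, forged, too-fast or stale values. SECRET, MIN_AGE, MAX_AGE and the function names are assumptions.

```python
import hashlib
import hmac
import time

# Assumptions (constructed values): a secret kept on the server, and age limits.
SECRET = b"example-secret-change-me"
MIN_AGE = 3       # seconds; a submit faster than this is treated as automated
MAX_AGE = 3600    # seconds; older tokens are rejected as stale


def _sign(entry_id, ts):
    msg = f"{entry_id}:{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(entry_id, now=None):
    """Value for a hidden form field, bound to the entry and the render time."""
    ts = int(time.time() if now is None else now)
    return f"{ts}:{_sign(entry_id, ts)}"


def check_token(entry_id, token, now=None):
    """Return 'ok', or the reason the submission is rejected."""
    now = int(time.time() if now is None else now)
    if not token:
        return "missing"                      # field left blank
    ts_text, _, sig = token.partition(":")
    if not (ts_text.isascii() and ts_text.isdigit() and sig and sig.isascii()):
        return "malformed"
    # Constant-time comparison; a token issued for another entry fails here.
    if not hmac.compare_digest(_sign(entry_id, ts_text), sig):
        return "bad-signature"
    age = now - int(ts_text)
    if age < MIN_AGE:
        return "too-fast"
    if age > MAX_AGE:
        return "expired"
    return "ok"


if __name__ == "__main__":
    token = issue_token(42, now=1000)         # constructed entry ID and clock
    print(check_token(42, token, now=1010))   # normal visitor
    print(check_token(42, "", now=1010))      # blank field
    print(check_token(43, token, now=1010))   # token reused on another entry
```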
Further Considerations of Automated Comment Spam
All that you need to do is change the name of the form action to something that isn’t the valid script. For instance:
<form name="comments_form" action="<$MTBlogURL$>" method="post">
It is interesting to note that even if you use the default script name of mt-comments.cgi, you will see a serious downturn in spam comments. By implementing it on my sites, my junk comment folder dropped in size by a factor of almost five. Pretty incredible. No more changing the name of the file – they just can’t find it any longer, even though it hasn’t moved anywhere! For those who advocate changing the name of your script to avoid detection, this tends to be a bit less than obvious, but it just works.
Some time ago, Mark Carey put out a plugin called MTDisguiseCommentURL that can do this for you. I haven’t tried it, but Mark does a good job on his plugins, so if this doesn’t make sense to you, you may want to try that route instead.
Now We Can Handle the Manual Spam Problem
Once you’ve managed to get rid of all those automated bots, you’re left with manual spammers. Unfortunately, there isn’t a lot that you can do about them. But what you will find is that most of the nonsense postings like “good site” and “thanks for the information” come from automated posting tools that are trying to leave markers that they can search for and come back later, to post other information. When a manual spammer leaves a comment, they want to make the most of their time (since it takes more effort) and they will leave links. Lots of them.
The Plugin Dilemma
You can elect to use something like Akismet or Defensio and block them that way, but you don’t really need to do so. An important factor to keep in mind with plugins is that the more you add, the more it may slow down your system – both with loading the back end of Movable Type and with processing comments. Remember the problem with updating servers for SpamLookup a while back? There are still people who haven’t done that!
In any case, I’ve found that you don’t even need to use the built-in SpamLookup lookup functions. In fact, I’ve had them turned off for months, and only just realized it when I went to look up something for a friend of mine, realizing that I had done this and hadn’t noticed an uptick in spam at all. Are there exceptions? Of course – some people will post a single link, and they will get through. But that’s the exception rather than the rule.
As it turns out, I have most settings in SpamLookup turned off. In the Lookup Settings, I have turned off all lookups, which means that the comment doesn’t even leave my server (which should make privacy advocates happy). Though I could use the lookup whitelist, since I am not using any lookups, it’s rather pointless to do so.
In the Link Settings, I have all options unchecked except for the Link Limits. Under those options, I have chosen to moderate more than 3 links and junk more than 10 (with a score weight of 10). These are the defaults except for the score weight. I do occasionally use junk keywords, but it happens so rarely that I almost never have to worry about it.
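The link limits above, worked through as an added example (this is not SpamLookup’s code): more than 3 links moderates, more than 10 junks with a weight of 10. How a “link” is counted here (anchor tags with an href, plus bare http/https URLs in the text) is an assumption, as are the names and the constructed sample comments.

```python
import re
from html.parser import HTMLParser

# Thresholds taken from the settings described above.
MODERATE_OVER, JUNK_OVER, JUNK_WEIGHT = 3, 10, 10
BARE_URL = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class LinkCounter(HTMLParser):
    """Counts <a href> tags plus bare URLs in the comment text."""

    def __init__(self):
        super().__init__()
        self.links = 0
        self.current_href = None

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.links += 1
            self.current_href = href.strip()

    def handle_endtag(self, tag):
        if tag == "a":
            self.current_href = None

    def handle_data(self, data):
        # Link text that merely repeats its own href is not counted twice.
        self.links += sum(u != self.current_href for u in BARE_URL.findall(data))


def classify(comment):
    """Return (link_count, action, weight); combining the weight with other
    filters' scores is not modelled here."""
    counter = LinkCounter()
    counter.feed(comment)
    counter.close()
    n = counter.links
    if n > JUNK_OVER:
        return n, "junk", JUNK_WEIGHT
    if n > MODERATE_OVER:
        return n, "moderate", 0
    return n, "publish", 0


if __name__ == "__main__":
    # Constructed sample comments.
    print(classify("good site"))
    print(classify(" ".join(f"http://spam.example/{i}" for i in range(4))))
    print(classify("".join(f'<a href="http://spam.example/{i}">x</a>' for i in range(11))))
```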
All other settings are off and I have no other spam plugins installed, and as I mentioned, after running with these settings for a few weeks, my junk folder is actually at the lowest level that it has been for some time. I only keep 3 days’ worth of junk, and I have just under 300 comments. Sure, it’s a lot, but when I don’t have to look through the folder for false positives (how often do you get valid comments with 10 links in them?) and it’s more than five times less than I was getting previously, I consider that a victory.
With remote servers going offline, and other servers returning false positives, I’m happy to go this route, with settings that catch as much spam as possible without running the risk of killing conversations, while keeping things running as smoothly as possible.
What about you? What are your settings? Which plugins do you use? What sort of results have you seen?