How to Avoid Comment Spam?
I’m sure you’ve seen them before: those mind-breaking questions you need to answer or decipher just to comment on an article. After five attempts the horrible thing finally accepts what you’ve typed in. As a webmaster you don’t want to spend too much time deciding whether a comment was made by an automated bot or not.
As a visitor you don’t want to spend your time solving a stupid question in order to contribute to an article. In this article I’ll show you some of the most common solutions to avoid comment spam.
A good option is to hard-code some level of security yourself, which is not that much work if you are using WordPress as your CMS. You can simply disable HTML tags in the comment text field to avoid a great deal of spam. Jon Blackburn wrote an interesting piece about it, in which he explains how to disable the HTML tags.
A second solution is the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), a challenge-response test composed of randomized characters that the user has to reproduce. Some CAPTCHAs have been broken by OCR (optical character recognition) programs, but most of them are still holding their ground.
Although the CAPTCHA image does work, it is a burden for the user because the generated images can be hard to read and sometimes take several tries. It’s hard enough to encourage people to leave comments on a blog as it is without forcing them to decipher an image sequence. If you’re still thinking about integrating this into your system, maybe you can have a look at the fancy Ajax plugin where you need to drag and drop a certain icon to prove you’re human. John Willis made a summary of 10 examples on how not to integrate it.
Another possibility is to build a wide variety of questions into the form, which need to be answered by the visitor. Eric Meyer wrote an article at WP-gatekeeper about this. He suggested asking simple questions, e.g. “what is Eric’s first name?”
It seems innocent and not difficult to answer, so this might be a good solution, but it will run into a problem in the long run: the answers can be put into a database, which spambots can use… It looks far-fetched, but some people have nothing else to do.
Dzine blog and Problog Design are using this kind of solution on the contact page.
While these last two solutions work to a certain degree, they still require interaction from the visitor. This doesn’t make the whole story user-friendly. Visitors shouldn’t be victimized by the web designer in their own fight against spam. Instead of asking the user to prove he’s human, you can trick the spam bot into revealing it’s a bot.
Form-filling bots first read the form and then tend to fill it out as thoroughly as possible, just because they don’t know any better. These bots can be stopped by including a text field on the form which is invisible to people (this can be done with simple CSS) and should stay empty. These fields are called honeypots and are validated when the form data is posted. If they contain any text, then the submitter must be some kind of bot, and the submission is discarded.
Bots do not process the CSS and JavaScript in the form that often, and therefore can’t distinguish invisible fields from visible ones. It is a neat little trick that can be accomplished with some coding. The coding needs to be done on the server side, because bots don’t care about JavaScript (client side) and will submit the form anyway. That is why you can only check this once the form has actually been sent, not when someone or something clicks the submit button.
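The server-side honeypot check described above, as an added example that is not code from the original article. The field name website_url, the form markup and the sample request bodies are all constructed for illustration; the check also rejects a request in which the honeypot field is missing altogether, which goes one step beyond the article's description.

```python
from urllib.parse import parse_qs

# Hypothetical field name: something a form-filling bot will want to fill in.
HONEYPOT_FIELD = "website_url"

# Constructed form: the honeypot input is moved off-screen with CSS,
# kept out of the tab order and excluded from browser autofill.
COMMENT_FORM = """
<style>.hp-wrap { position: absolute; left: -9999px; }</style>
<form method="post" action="/comment">
  <input name="author"> <textarea name="comment"></textarea>
  <div class="hp-wrap" aria-hidden="true">
    <input name="website_url" tabindex="-1" autocomplete="off">
  </div>
  <button type="submit">Post</button>
</form>
"""


def check_submission(raw_body: str) -> tuple[bool, str]:
    """Validate a urlencoded POST body on the server; return (accepted, reason)."""
    # keep_blank_values=True matters: by default parse_qs drops empty fields,
    # so a legitimate empty honeypot would be indistinguishable from a missing one.
    fields = parse_qs(raw_body, keep_blank_values=True)

    if HONEYPOT_FIELD not in fields:
        # A browser submits the hidden text field even when it is empty, so its
        # absence means the request was not produced by filling in our form.
        return False, "honeypot missing"
    if any(value.strip() for value in fields[HONEYPOT_FIELD]):
        return False, "honeypot filled"
    if not fields.get("comment", [""])[0].strip():
        return False, "empty comment"
    return True, "ok"


# Constructed sample request bodies.
HUMAN = "author=Hal&comment=Nice+article&website_url="
BOT = "author=x&comment=buy+now&website_url=http%3A%2F%2Fspam.example"
NO_FIELD = "author=x&comment=buy+now"

if __name__ == "__main__":
    for name, body in [("human", HUMAN), ("bot", BOT), ("no field", NO_FIELD)]:
        print(name, check_submission(body))
```
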
If you are running your website with WordPress as CMS, there are some interesting plugins which are highly recommended for minimizing comment spam. The first plugin is Akismet, which is already pre-installed for you. In order to activate it, you’ll need to sign up for a wordpress.com account. You receive the API key by email. It works great: until now the plugin has blocked all spam comments and I haven’t had to do anything so far.
The next plugin is called ‘math comment spam protection’ and is similar to the “what is Eric’s first name” question, but instead it will ask you to answer a simple mathematical question, e.g. 9 + 2 = ?. It’s a simple and quick solution and is not as irritating as the CAPTCHAs, but it still needs special attention from the user.
If you’re not interested in installing plugins, you should definitely change something in the settings of WordPress (if you’re using WordPress, that is). Under Settings – Discussion you have some options regarding comments. “An administrator must always approve the comment” gives you the ability to withhold any comments made on the blog. Although this seems a great option, it does give you a lot of work as well. I prefer the option “Comment author must have a previously approved comment”; this way you only need to check once whether the author is human or a bot.
Blocking all spam comments is very difficult, if not impossible. The ultimate solution needs to be a perfect balance between usability and security, without passing the responsibility to the users (so preferably non-interactive). In my opinion Akismet is highly effective at reducing the amount of spam and has for sure kept my comments free from spam until now.
Who knows what will be possible in the future. Maybe the verification can be done by scanning your fingerprint on a mobile phone with a touchscreen, or the application can check for brainwaves. Of course, you can also drive discussion with a good user experience. But whatever solution you choose, in the end you can only reduce the spam and not block it.
This is timely and very informative considering we are all but in the holiday season. I had not thought about the ‘honeypot’ solution. This seems like an excellent way to pare down spam.
Many people, including me, are having a problem with WordPress notification for new comments. I have always used the “Comment author must have a previously approved comment” until the last version of WordPress. I cannot find the answer to this, but suspect it is a server side issue.
Thanks for the info.
@Hal Brown: Thank you for the reply. I’ve noticed that I had to approve your comment, although this wasn’t your first contribution to the blog. Maybe it is because you used Hal last time instead of Hal Brown now?
Paul,
Very informative, and a nice follow up. Thanks for the mention!
-Jon
There is also text CAPTCHA.
http://textcaptcha.com/
@Rene: Thank you for the comment Rene. I think the text CAPTCHA is similar to Eric Meyer’s solution, asking random questions. I must say that I’m impressed with the amount of questions they provide: 157.500.799. Compared to the image CAPTCHA, this version has 3 strong plus points:
First of all it is not readable by OCR programs, which is a big plus. Secondly, the combination of a unique API key and the hashed answers makes this a safe solution for now. A last point is that visually impaired people have fewer difficulties with a logic question than with a scrambled image.
As stated on the website, it also has a minor setback: what about the non-English speaking people? It would be nice if some other languages were supported as well.
All in all, it is a nice trail and I do hope they continue to work on this.
This is a very useful post for bloggers who encountered many spam comments like me. Thanks!
Image Captcha is just pure evil. I often find myself with my nose pressed up against the computer monitor trying to figure out what the actual characters are. Not only does this help prevent spam but it also prevents actual users from contributing to a site.