Neil Turner's Blog

Blogging about technology and randomness since 2002

The spammers are getting smarter

Back in July, I installed Comment Challenge, a plugin for Movable Type which adds an extra question to the comment form for those not using OpenID. Until the past few days, this has blocked around 99.9% of the comment spam I’ve been getting – I’m up to around 1 spam comment every 3 minutes now, but thanks to this plugin all I see is an event in MT’s activity log which just needs purging from time to time.

Recently, more spam has been getting though, though we’re still only talking maybe 0.2% here. It seems that spammers are now taking the time to manually enter spam comments on high-ranking pages, and doing so in a way that makes them look like legitimate comments – they usually refer to the subject of the entry but will have some spammy link as the provided URL. One dude in Pakistan entered around 8 comments over several hours here under various false names – his one mistake was to use the same IP address each time.

I’m still deciding what to do. I may remove the URL field altogether for those who haven’t authenticated through OpenID, using Brad Choate’s URLess plugin. I’m not going down the route of blocking all unauthenticated comments, nor do I have the time to manually approve all authenticated comments (especially as I am going on holiday next week). However, I’d appreciate some feedback.


  1. why not create a safelist?
    When someone posts a comment the URL is stripped out unless the user is on the list.
    You’d have to come up with a way of adding to the list and authorising links. I imagine though that the majority of people who add URLs to their comments are regular users (other bloggers, friends), so after about a week you’d probably have about 90% of people safelisted.

  2. Hi Neil, this happened to me on Movalog too. In fact, the comment spammers went one step higher and seemed to have written scripts to scrape comments of others and submit that mashed with their URLs.
    At one point, I was getting literally tens of comments being posted every few minutes. It was easily fixed by changing the comment challenge question, that’s held the spammers at bay again. Have you tried that?

  3. I tend to use Spam Karma and Peter’s Custom Anti-Spam for spam prevention and combined with Askimit I get very few spam posts making it though (I think it’s only been unsure about 1 spam post in the last 3 months).

  4. Tom: To some extent I’m already doing that – if a URL has already been posted in an approved comment then it gets a boost the next time it appears. I’ll see if I can do the inverse like you suggest with the tools I have already.
    Arvind: That seems to correlate with what I’m getting. I may well change the question and the name of the comment script again and see how that goes.
    Richy: I’m already using Akismet in conjunction with some other plugins that check for bad IPs and spam words, but it’s not been very effective here as the comments look mostly legitimate – it’s just the URLs that are spam.

  5. I posted something similar last night too – for me I thought it was the moving of the site to a new host but I guess not. I’m hoping the combination of mt-challenge AND a captcha will slow the spammers down a bit more.
    Interestingly I just tried to sign in with my openid to your site and got a 406 error telling me to stop doing something the server doesn’t like.

  6. Spammers have been manually posting spam to high ranking sites for years now. Back when my blog was “popular” with Google, I would see at least 20 spam posts a week that were entered manually. I even had spammers attempt to “register” as a user and then post a spam message.
    Now that I am back in obscurity, I don’t get nearly the amount of spammers I had, and they seem to be being caught by either Akismet or WordPress since I don’t allow any comments from someone new without moderation. Once a commenter has posted a valid comment, he can do so again without being moderated.

  7. Why dont you just switch to WordPress?

  8. Tony: Lots of reasons:
    1. I seriously doubt switching to WordPress would solve the spam problem. Any blog, regardless of platform, will get spam, and I’ve spent a lot of time ensuring that my MT installation has good spam resistance. WordPress’s main anti-spam function is Akismet, which I’m already using in MT.
    2. Because of the traffic this site gets, and the resources available on the server, using MT’s static pages makes more sense than WordPress where every page is generated dynamically.
    3. I don’t have the time to re-work the design of this site to fit in with WordPress. I tried it with 1.2 and got reasonably far but I’ve hit walls with later versions.
    4. WordPress doesn’t allow multiple blogs, which is what this site uses, unless you go for WordPress Mu.
    I looked into switching to WordPress some years ago but the fact remains that MT suits me and I feel no need to switch.

  9. Neil: I’ve use the Ccode plug in for a few weeks and it’s been highly effective. Like you, I’ve had a few spam comments which I assume have been entered manually, and nearly all of those have been filtered out by Akismet or by my limit on how many URLs I allow in a post.
    I guess we’ll always have to be on our toes to match the spammers’ latest ruses!

  10. Hi Neil:
    1. Why don’t you integrate this system with user and password. you may find plugin for this otherwise I can design these interfaces for you I you need.
    2. You should use Image Verification (Captcha) plugin for comment instead of text which you update manually. Anyone who can make program can retrieve this information and can submit as many comments as he want with out accessing this page.

  11. I’m not a big fan of image CAPTCHA systems as the current solutions for Movable Type lock out users of screen readers, and tools like PWNtcha can get around them easily anyway.
    And requiring user signups stops some of the ‘drive-by’ comments which are often the most interesting and useful, and restricts it to a small clique of users who can be bothered to sign up.

  12. It amazes me that people with such talents put those talents to such uses. I had no idea that there were tools out there to get past CAPTCHA’s.
    I mean, there just isn’t a need for a tool for no other reasons other than to post comment spam. So, what, do these people make money coming up with these systems? Do they do it for the “fame”?
    Truly amazing!