Comment Spam

Volume 9, Issue 60; 19 Jun 2006; last modified 08 Oct 2010

It took several years, but the spammers finally launched a successful attack on my comment system.

May you be defeated in every engagement you take part in and in every assembly you attend may you be spat on and reviled.

St. Patrick

I'm confident that St. Patrick wasn't thinking of spammers when he wrote that curse, but it seemed more appropriate than publishing the apoplectic stream of imprecations and profanity that escaped my lips this morning when I discovered nearly 60 spam comments on one of my essays.

The pattern of comment spam has always puzzled me. There are three or four essays on which it has occurred, several times at random intervals. I have always assumed that it was the work of individuals.

But the appearance of 60 spam comments overnight on a single essay suggests that someone's spamming script has grown enough flexibility and heuristic power to work through my “one off” comment system.

That's game over for an open comment system.

So now your comments will be queued up and won't appear until I approve them. I'm sorry. I really am. I'll try to be prompt. I wrote the new system on my flight from BDL to ORD. When I have more time and inclination, maybe I'll try to tie it into some sort of distributed identity service so that at least some commenters can publish without waiting for moderation.

Oh, and by the way, I'm about to install the new system right before leaving on a flight for CDG. This is one of those times when moderation may be delayed.


The moderation system works on my local system. Does it work in production?

—Posted by Norman Walsh on 19 Jun 2006 @ 07:54 UTC #



I hate to say it, but I'm a teeny bit pleased. The identity stuff appears to be a hard problem, but comment spam fixing should be a lot easier. One that really needs a fresh set of eyes, from someone with a clue.

(Changing the posting uri bought me a good six months on Movable Type, then WordPress, but now I'm not bothered by spam because the UI I've got scares everyone off...)

—Posted by Danny on 19 Jun 2006 @ 10:37 UTC #

Norm says, maybe I'll try to tie it into some sort of distributed identity service

That gave me a funny thought: what about a distributed approval service, where webloggers could pool comments and any peer could approve comments when they're checking. It particularly seems well suited to an "Atom store" where any weblog system could send its comments to the shared storage and poll their own comment-approval feed back. Peer groups could be formed to allow for a level of trust and a simple credit system used to make sure people aren't leaving all the work to others.

—Posted by Ken MacLeod on 20 Jun 2006 @ 12:50 UTC #

How about using a CAPTCHA (the system that asks you to type in a bunch of numbers in a generated image)? It seems easy enough to implement since most of the work is already done for you. It might, however, disable access to blind users or those with poor vision; but some of the more complex implementations have already taken care of this issue.

—Posted by Saeed Jahed on 21 Jun 2006 @ 01:45 UTC #

this is a very elegant alternative to visual only CAPTCHA tests - my only concern is that the equations be actual text and not be comprised of, nor constructed of, graphical elements distorted in the manner of today's crudest CAPTCHA implementations - this, i think is a real concern, because, as norman points out, the bots WILL catch up, and the argument will be made that graphical equations provide a "double layer" of protection, when it really only serves to exclude those who cannot visually process the graphics...

—Posted by Gregory J. Rosmaita on 03 Jul 2006 @ 09:50 UTC #