
Report: 30 days with no blog spam on Mephisto!

[Update]

This little anti-spam trick has been so effective that I have had no blog comment spam to sort out for months (still counting). I therefore decided to "upgrade" to a slightly more sophisticated version (re-allowing commenters to add an email address) and revamped the whole thing as a more distributable Mephisto plugin instead of two shaky patches.

I've since added an article about the new plugin: "Inverse Captcha Anti-Comment-Spam Technique: Now A Regular Mephisto Plugin".

You may also want to refer to this page for additional information: Mephisto Inverse Captcha Anti-Comment-Spam Plugin.

The story

Last month (about one month after I had switched to Mephisto) I found myself facing the annoying task of reviewing a list of nearly 900 spammy comments. Backed by Akismet, Mephisto had diligently set these comments aside and piled them up in the admin interface. 900 spam comments were awaiting my attention. Oha.

Actually, this was even a good thing! It meant that Akismet does an outstanding job. It was just far too much for me to review these one by one, and so I came up with two things:

  • a patch for Mephisto that adds a filter to the comments list in the admin interface, so that I could sort out the most obvious and prevalent comments quickly by filtering them with e.g. "cialis" and then sweeping those away in one go.
  • a patch that adds an additional layer to Mephisto's spam protection using an "inverse captcha" technique (to the best of my knowledge, Damien Katz described this first)

This additional layer (a form field that human visitors never see because it is hidden by CSS, and which therefore only bots fill in) is meant to keep out the vast majority of stupid bots. It's clearly not failsafe: as soon as a programmer targets it, it will be broken in less than a wink. But that's not really a problem, because everything that gets through this "outer floodgate" will be picked up by Mephisto's great Akismet integration anyway.

And that's what I expected to happen this month: that there'd be at least some bots out there that use some kind of rendering engine and parse the markup and CSS. Those would have neutralized the "inverse captcha" technique and would have made it to the "inner gate". In other words, I expected to see at least some spam picked up by Mephisto's Akismet integration and piled up in the admin interface.

The results

Well, what can I tell you? It didn't happen. Nothing! Yes, literally. NOTHING. Nil, null, nada. No more feeling of crapheads dumping their garbage on me every day.

Hurray :)

If you're interested in trying this out on your own blog, here are some resources:

(Please note that the latter obviously only applies to my own blog theme; you'll need to tweak it to fit your own theme.)

Alas! If only there were such a simple and effective way to better protect my e-mail inbox. But that's a different kind of story, I guess.

The limitation

Of course, my present implementation of the "inverse captcha" technique comes at the price of no longer knowing any commenter's email address. I can think of two situations where this might be a problem:

  • you want to contact somebody who commented on your blog
  • you want to display gravatar images alongside the comments on your blog

I'm therefore planning to extend the current implementation to allow email addresses again, but using a differently named field for them, probably just by obfuscating the field name in a simple, configurable way.
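As an added example (this is illustrative Ruby, not the patches or the Mephisto plugin described on this page), here is how the two ideas above can be wired together: the CSS-hidden decoy field of the "inverse captcha" layer, plus a real email field whose name is obfuscated in a configurable way so that commenters' addresses (and Gravatars) come back. The class name, the idea of deriving the real field name from a per-site secret, and the sample submissions are assumptions made up for this illustration; the Gravatar URL scheme (MD5 of the trimmed, lowercased address) is the documented one.

```ruby
require 'digest/sha1'
require 'digest/md5'

# Added example: an "inverse captcha" (honeypot field) comment filter with a
# configurable, obfuscated name for the real email field. Illustrative code,
# not the Mephisto plugin's own implementation.
class InverseCaptcha
  # The decoy field. It keeps the conventional name "email" because that is
  # what a dumb form-filling bot looks for; a CSS rule hides it from humans.
  HONEYPOT_FIELD = 'email'

  # secret: a per-site string from the blog's configuration (assumed here).
  def initialize(secret)
    raise ArgumentError, 'secret must not be empty' if secret.to_s.empty?
    @secret = secret
  end

  # Name of the real email field, derived from the secret so it is not a
  # fixed, guessable name like "email" or "mail". Stable per site, so the
  # form and the filter always agree on it.
  def real_email_field
    'mail_' + Digest::SHA1.hexdigest("real-email-field:#{@secret}")[0, 8]
  end

  # Markup for the email part of the comment form. The decoy is hidden via
  # CSS, which only a bot that applies stylesheets would notice; the visible
  # field carries the obfuscated name.
  def form_fields_html
    "<div style=\"display:none\">" \
      "<label>Email: <input type=\"text\" name=\"#{HONEYPOT_FIELD}\" value=\"\"></label>" \
      "</div>\n" \
      "<label>Email: <input type=\"text\" name=\"#{real_email_field}\"></label>\n"
  end

  # Classify a submitted comment. params is a Hash of field name => value as
  # the form posts it. Returns [:spam, reason] or [:ok, email].
  def check(params)
    decoy = params[HONEYPOT_FIELD].to_s.strip
    unless decoy.empty?
      return [:spam, "hidden field '#{HONEYPOT_FIELD}' was filled in"]
    end
    [:ok, params[real_email_field].to_s.strip]
  end

  # Gravatar URL for a commenter: MD5 of the trimmed, lowercased address.
  # Returns nil when no address was given.
  def gravatar_url(email)
    return nil if email.nil? || email.strip.empty?
    'https://www.gravatar.com/avatar/' + Digest::MD5.hexdigest(email.strip.downcase)
  end
end

# Constructed sample submissions (made up for this example, not real traffic).
def sample_submissions(filter)
  human = { 'author' => 'Alice', 'body' => 'Nice writeup!',
            filter.real_email_field => 'Alice@Example.com ' }
  bot   = { 'author' => 'Bob', 'body' => 'cheap cialis',
            'email' => 'spam@example.net' }
  { human: human, bot: bot }
end

if __FILE__ == $0
  filter = InverseCaptcha.new('change-me-per-site')
  puts filter.form_fields_html
  sample_submissions(filter).each do |who, params|
    verdict, detail = filter.check(params)
    puts "#{who}: #{verdict} (#{detail})"
  end
end
```

The filter only ever looks at the decoy to decide spam; the real address is read from the obfuscated field and passed on unchanged, so Akismet and Gravatar lookups downstream work as before. Anything that does get past this check still goes through the regular Akismet integration.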

Feedback?

What do you think?


PS: For mail servers there's "greylisting", a relatively new technique. Both techniques have in common that they rely on an ability the spam bot lacks, which I think is an interesting aspect.