Spam Fighting Revisited

I first started looking at reducing the amount of spam left on my blogs back in March this year. At the time I put a few trials in place. I figured it would be a good time to revisit this and let you know how the past 7.5 months have fared.

I made 3 major changes to the way this site worked.

  1. Change the Comment script filename
  2. Change one of the required form field’s ID/name
  3. Remove the ability for trackbacks

All 3 made a difference; however, I now only have the first method in place. Details of how to do this can be found in my original post – Zero Comment Spam. I’ll also mention that it hasn’t stayed at zero, but it’s not done too badly!

First of all, my reasons for dropping changes 2 and 3. Changing the form field’s name for, say, the Author field is all very well and good, until you upgrade and forget to change the new comment posting script file! I had a habit of doing this, so I figured that the first change cut down a reasonable enough amount.

Point 3: despite turning off the plugin for disabling trackbacks (I never used it properly in the first place!), I’ve still not managed to fix my pingbacks/trackbacks. If you’re not concerned about displaying these then it’s worthwhile to have in place; however, from my experience, if you change your mind later on, don’t expect to get them working again!

Change the Comment Script Filename!

So back to method 1. Changing the comment script filename. This has worked exceptionally well. To give you an example, in May I changed domains and the server for this site. Because of the way I’ve stored the database I had a few problems copying my AIS site over, so I had to use the import function via a fresh WordPress install instead of using the database backup (it’s a long story!). So my Akismet spam count was reset. Since May (so 5.5 months ago) Akismet has had to catch just 73 spam. Less than 15 per day. Compared to up to 100 per day before I started to use the file rename method, I don’t think that’s too bad going 😉

Whilst slightly busier, spam comments have still slowed down a lot on this blog as well. Perhaps 150-200 since March. At first it killed them dead, but of course as time has gone on, spam bots are recoded to know which file to post to, and numbers can start to creep up again. Of course, you can easily combat this by changing the filename to a different one from the one you’ve used. If you changed it every so often I doubt the bots would have time to keep up.

How and Why?

I know I explained this before but I will again, as it really is pretty straightforward and such a great way to combat spam. A spam bot is often programmed to send a POST request to a specified file (in the case of WordPress, the wp-comments-post.php file). It knows which fields to send (author, email, url, message) and where to send them. So by simply changing the filename and ensuring your site’s comment form now posts to the new filename, the spam bots will still be looking for the old filename and get a 404 error, or whatever error you set via .htaccess.
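To see from the server side whether the rename is still holding, the access log can be checked for the two cases described above: bots still posting to the old filename, and bots that have been recoded to post straight to the new one. The script below is an added example, not part of the original post; the renamed script `/post-reply-x7.php`, the Apache combined log format and the sample lines are assumptions made up for illustration.

```python
import re
from collections import Counter

OLD_SCRIPT = "/wp-comments-post.php"  # WordPress default named in the post
NEW_SCRIPT = "/post-reply-x7.php"     # hypothetical renamed script (assumption)

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Nov/2024:10:00:01 +0000] "POST /wp-comments-post.php HTTP/1.0" 404 210 "-" "bot"
203.0.113.5 - - [01/Nov/2024:10:00:02 +0000] "POST /wp-comments-post.php HTTP/1.0" 404 210 "-" "bot"
198.51.100.7 - - [01/Nov/2024:10:05:00 +0000] "GET /some-post/ HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Nov/2024:10:06:30 +0000] "POST /post-reply-x7.php HTTP/1.1" 302 0 "http://blog.example/some-post/" "Mozilla/5.0"
192.0.2.44 - - [01/Nov/2024:11:00:00 +0000] "POST /post-reply-x7.php HTTP/1.0" 302 0 "-" "bot"
"""


def summarize(log_text):
    """Count comment POSTs refused at the old filename and list clients that
    POST to the new one without having fetched any page first."""
    seen_get = set()
    stats = Counter()
    direct_posters = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if method == "GET":
            seen_get.add(ip)
        elif method == "POST" and path == OLD_SCRIPT:
            stats["old_" + m["status"]] += 1   # bot still using the old name
        elif method == "POST" and path == NEW_SCRIPT:
            stats["new_posts"] += 1
            if ip not in seen_get:
                direct_posters.append(ip)      # the new name may have been learned
    return dict(stats), direct_posters


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A growing list of direct posters is the signal that the new filename has been picked up and it is time to change it again.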

Some people at this point may say ‘well Akismet takes care of all of my spam’, or ‘Spam Karma traps everything, I never see it!’, but that wasn’t and isn’t my reason for using this method. Imagine if you used Outlook or Thunderbird to regulate your email spam. Every time you download emails, the software checks them for signs of spam and filters it off into the junk mail. Sure, you don’t see it, but it’s still there. Even after deleting it, it’s been on your system, and something somewhere knows it was there. For a start, your bandwidth usage would be higher due to the extra spam you’ve downloaded. Wouldn’t it make more sense to log into your email account on the server, and nuke it before it even gets to your own computer? Or use MailWasher, which allows you to view and remove emails directly on the server before downloading them to your offline software.

So it’s the same in this instance. Why even let spam be entered into your database table? Sure, after X days Akismet will automatically delete anything it’s caught, but there is still bandwidth being wasted for a spam bot to submit a comment, for that comment to be saved into the comments table and for Akismet to determine that it’s spam by contacting the central database on WordPress (why else would you have an API key for it?). Okay I could be wrong on the last bit but that’s what I’d imagine happens. Regardless, that’s still too much going on when you could maybe prevent it. Plus, wouldn’t you rather not have comment IDs of 94570 and higher?! Especially when you know less than 1% of those were real! (Just to add on the site I just linked to, in just over 12 hours there were almost 200 spam comments/trackbacks submitted – imagine 400 spams a day going through your site!).

Of course, nothing is 100% certain, as I’ve mentioned. I still get a small amount of spam; some bots/scripts are programmed to complete the form, so of course it will submit to whatever file you’ve set it to submit to. I’ve also had a few manual spams, clearly people with nothing better to do (although I did tell one guy off for spamming my site and he wrote back with an apology!). However, this one simple step will help reduce the load on your server just that little bit extra, and maybe give Akismet a night off once in a while 😉

Just don’t forget to change the comment script filename (wp-comments-post.php in WordPress) with a new upgrade!!

7 Responses

  1. thatedeguy says:

    Thanks for the added info and deep link to your previous post. I’ve implemented the renaming trick and we’ll see how much it reduced the spam load.

    Great tip!

  2. Sarah says:

    Thanks for reminding me to revisit the situation 😉 I’ve seen a few people mentioning it recently and figured it warranted a revisit along with new stats of my own to give a bit more data and info on the matter.

    Would love to know your new stats after a week or two 😉

  3. Andrew says:

    Hi Sarah,

    Thanks for visiting my site regarding the WordPress Security eBook I found.

    I’ve been looking at ways to keep my comment spam as low as possible. I found a simple plugin that asks a simple maths question to verify the human nature of a spam bot, and so far it has worked successfully. The only thing blocked by Akismet was a trackback that appeared to be spam, but once I checked the site out, it turned out to not be spam at all.

  4. Sarah says:

    Hi Andrew, thanks for stopping by 🙂

    The maths plugin can work well as well however I’d rather not be having an extra question for commentators. Also, my original reason on the fighting spam was to try and reduce bandwidth too, and by serving most bots a virtually blank 410 page that’s a lot less than accepting their post, determining their sum is incorrect and returning them back to the comment form thus using up say 50-100kb bandwidth per visit.

    It’s not that bandwidth is an issue, but I don’t like wasting it 😉

  5. Sarah says:

    Seeing as my trackbacks don’t work I thought I’d link to thatedeguy’s follow up post on how his spam fighting has gone – Spamtastic!

  6. thatedeguy says:

    Thanks for the manual trackback! 😉

  7. Sarah says:

    No problem 🙂