I’ve been getting an increasing amount of comment spam on this blog. You probably haven’t seen any of it since I use the Akismet spam filter, but it’s still a bit annoying to have to check the spam box for false positives (so few comments are made that I want to keep every single one). I’ve been looking at different plugins for WordPress that fight spammers in different ways, but they all have the same problem: as soon as they become popular, spammers upgrade their bots to work around the protection.
I half-heartedly implemented a very simple bot trap earlier today, re-using the trap I already use for robots that don’t obey the robots.txt file. The trap consists of a checkbox that the user has to check to be able to submit a comment. That measure alone, to my surprise, fooled most of the bots spamming my blog. To trap the more sophisticated bots, a number of decoy checkboxes are placed in the form and hidden from the human user; if a bot checks any of the decoys, its IP is banned. At the moment I’m just using static field names to try it out. I might make them more variable and trickier to get around if there’s a need for it.
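The logic described above, written out as an added example rather than the plugin actually running on this blog: one visible checkbox that must be checked, a few decoy checkboxes hidden with CSS, and an IP ban list that is fed whenever a decoy comes back checked. The field names, the ban duration and the sample submissions are all constructed for the example; the server side is shown as plain Python form handling, not WordPress/PHP code.

```python
import html
import time

# Constructed field names; a site owner would pick (and occasionally rotate) their own.
REAL_FIELD = "confirm_human"
DECOY_FIELDS = ("subscribe_updates", "agree_terms", "remember_me")
BAN_SECONDS = 24 * 3600  # assumed ban duration


def render_checkboxes():
    """Return the HTML fragment for the real checkbox plus the hidden decoys."""
    parts = [
        f'<label><input type="checkbox" name="{REAL_FIELD}" value="1"> '
        "I am not a spam bot</label>"
    ]
    for name in DECOY_FIELDS:
        parts.append(
            # The "decoy" class is hidden with CSS (display:none). The label text
            # warns anyone who still sees it (CSS off, screen reader) to leave it alone.
            f'<label class="decoy"><input type="checkbox" name="{html.escape(name)}" value="1"> '
            "Leave this box unchecked</label>"
        )
    return "\n".join(parts)


def classify_submission(form):
    """Classify a submitted form (dict of field name -> value).

    'ban'    : a decoy was checked, which only a bot ticking every box would do
    'reject' : the visible checkbox was not checked
    'accept' : real box checked, no decoys touched
    """
    if any(form.get(name) for name in DECOY_FIELDS):
        return "ban"
    if not form.get(REAL_FIELD):
        return "reject"
    return "accept"


class BanList:
    """In-memory IP ban list with expiry; a real site would persist this."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, useful for testing expiry
        self._expires = {}       # ip -> unix time the ban lapses

    def ban(self, ip):
        self._expires[ip] = self._now() + BAN_SECONDS

    def is_banned(self, ip):
        until = self._expires.get(ip)
        if until is None:
            return False
        if until <= self._now():
            del self._expires[ip]  # ban has expired, forget it
            return False
        return True


def handle_comment(ip, form, bans):
    """Decision for one request: banned IPs are dropped before the form is even read."""
    if bans.is_banned(ip):
        return "banned"
    verdict = classify_submission(form)
    if verdict == "ban":
        bans.ban(ip)
    return verdict


if __name__ == "__main__":
    bans = BanList()
    # Constructed sample submissions (documentation-range IPs)
    human = {"comment": "Nice post", REAL_FIELD: "1"}
    naive_bot = {"comment": "buy stuff"}                                   # never saw the checkbox
    greedy_bot = {"comment": "buy stuff", REAL_FIELD: "1", "agree_terms": "1"}  # ticked everything
    print(handle_comment("203.0.113.10", human, bans))       # accept
    print(handle_comment("203.0.113.20", naive_bot, bans))   # reject
    print(handle_comment("203.0.113.30", greedy_bot, bans))  # ban
    print(handle_comment("203.0.113.30", human, bans))       # banned
```

The decoys are hidden with a CSS class rather than `type="hidden"` so that they look like ordinary form fields to a bot that parses the markup, while the label text keeps a human who sees the page without CSS from being banned by accident. Making the ban expire limits the damage when a shared or dynamic IP gets caught.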
Now, I realize that this kind of protection is super easy to get around. The thing is that as long as I’m the only one using this particular protection, it’s not worth it for the spammer to make a workaround that is specific to my site. There’s just too little potential profit. If the spammer did come up with a workaround, I could just as easily change how my spam protection works, making the spammer’s effort a complete waste of time.
I think that these kinds of first barriers, which spam bots have to get through before they can even post a comment, work best if no one else uses the same kind of protection, because that is what attacks the spammer’s business model. Spamming is all about volume: the more special cases there are, the more work is required from the spammer and the less profitable it becomes.
On the other hand we have (excellent) tools like Akismet, where a community contributing spam and non-spam samples for statistical content filtering can in many cases be more effective, and which would take more than 15 minutes on a Saturday afternoon to program. If the community is big and diverse enough, it also provides better protection if you, like me, have a small site with relatively few comments. But for simple “tricks” to fool the spammers, going it alone is stronger.
As a side note, you don’t have to prove that you can spam my blog after reading this. I believe you can already, so don’t waste your time; in the end no one cares.