With the recent rash of Trackback spam, I finally bit the bullet and am now experimenting with Akismet in addition to Spam Karma. I’m not sure how well they work together, or, at this point, which plugin processes the comment first. Update: I’m trying Akismet on its own for now. Or, more precisely, Akismet as the sole second line of defense. Bad Behavior is still holding the front line.

Update (Feb 14): I’m now back to using Spam Karma 2, but with a plugin that uses Akismet as one of the score components. This seems to be working well, as SK is able to block the ridiculous stuff (100 porn links in one comment, etc.), and Akismet is able to catch the trackback spam that’s been passing SK2 by temporarily including an inbound link.

The big problem I had with Akismet was that aside from the age of the target post, the blocked comments weren’t sorted or filtered in the admin interface. I was having to look through ~30 comments a day for false positives. Spam Karma will show only the borderline comments by default, and uses a table structure that makes it easier to skim.

This way, though, I get the proverbial best of both worlds.

Bad Behavior and Spam Karma do a good job of fighting most of the spam that hits this site, but over the last few weeks I’ve seen a (relatively) new kind that seems to require manual intervention: pingback spam.

It took a long time for spammers to really start abusing pingbacks, because of two things: First, pingbacks require the remote site to link to your site before they can get you to link to theirs. Second, it was just so much easier to abuse trackbacks and ordinary comments. I guess those have gotten locked down enough that it’s worth the effort to target pingbacks now. Continue reading

I’m surprised it took so long, but trackback spammers seem to have finally figured out that they can sail past the simplest check against trackback spam—does the calling page actually link to the page being trackbacked?–by temporarily adding that link.

Or maybe they have for a while, and they’ve only just started getting past my other layers of defense (namely Bad Behavior and other checks by Spam Karma).

*sigh*

I recently stumbled across an archived mailing list post of mine from the days before spammers started targeting WordPress. Someone had remarked that their spam problem had disappeared when they switched from Movable Type to WordPress, and I responded:

Oh, they hit us WordPress users too, just not as often as MT. Having it automatically moderate comments with certain keywords or more than X number of links helps cut it down, and the ability to (a) see all the latest comments and (b) mass-delete comments reduces the pain of cleanup. But they do target WP blogs from time to time.

I tend to get a pair of comments sent to the moderation queue every few weeks (presumably they figure if the first two didn’t show up, they won’t waste their time with more), but just this morning I had to delete a spam comment that came in last night and didn’t trip the moderation rules. (One of those with the generic “I like your site” messages and the author’s URL being the spamvertized site.)

That was September 2004. How things have changed! All WordPress blogs come with Akismet as an anti-spam measure, but I still prefer to use Bad Behavior, which has blocked ~2900 hits to this site in the past week alone, and Spam Karma, which has collected over 17,000 comment spams.

And with all those counter-measures in place, I get a couple of comments landing in the moderation queue each week. And just this morning I had to delete a spam comment that came in last night and didn’t trip either layer of defense (it was a generic piece targeting keywords found in a post). The filters are just barely keeping pace with the increased volume.