Here’s a sneak preview of some stuff I’m working on, besides WP Super Cache and WordPress MU.
First of all, there’s my Blog Voyeur plugin. It’s a visitor logging plugin like many other ones, but this one only records hits from users who have left comments here. The screenshot below is what you see in the backend listing page. I took out the names of the users for privacy reasons but so far it’s worked quite well. I’m not sure yet if this plugin will see the light of day. After discussing this with Mark he came up with some possible uses for it. Inventive fellow is he. Comments in brackets by me.
“When I made that post yesterday criticising Matt, I wondered if he would look at it. Well now I know he did… and because he didn’t comment he’s guilty…” (paranoid?)
Match your cookie thing with crazyegg 🙂 (excessive?)
Have a popup – “Hi Matt!” (annoying?)
See returning user, see no comments so send them an email asking for their views on the posts they did not comment on. (obsessive?)
I mentioned this second plugin already. It’s a modified version of Akismet. You can download it yourself if you want to play with it. If someone else wants to take it further feel free to. It’s all GPL code. I’m posting a screenshot because it’s amazing to see so much spam from one IP address in only a few days. Just goes to show what a good job Akismet does.

Blog Voyeur sounds like a cool plug-in. It’s similar to StatCounter’s label feature – but this plug-in pretty much automates the labeling, nice 🙂
It would be very interesting if this second plugin could modify the .htaccess file so that it could block these IPs from ever reaching the comment or trackback pages or even the entire blog. It could block these IPs for a given time span. This would be nice to ease the CPU consumption on the server and also the queries on MySQL.
Is this hard to do? Are there any security issues?
Just wondering if your edits to Akismet might use some of the IP information you’ve shown. For example, blacklisting an IP so it just deletes the comments from that IP, rather than leaving it up to me to decide. Also, perhaps it could auto-blacklist an IP after a configurable number of comments that were marked as spam. So we could say, 1,000+ comments from an IP, then blacklist it and auto-delete the comment rather than leaving it for me to delete in Akismet.
Hmmm…. Something like this would be brilliant! If I was getting that many comments a day 🙂
I can just imagine myself sitting, refreshing the page, BEGGING someone to comment so that I can just see the page load with some info…
Oh well, one day……
Now, how about blocking those IPs with over 100 blocked comments from loading the site?
That’ll boost performance a little I think…
I have made a simple PHP script which takes data from the Akismet tables and logs the IPs spamming my site. It also gives me a nice report page from which I just copy text and paste it into my .htaccess file to prevent ‘spamming IPs’ accessing my site. Just “deny from xxx.yyy.zzz.aaa”
Unfortunately, that is not very effective at preventing spam traffic, but still it helps.
Since that second screenshot was made that IP has sent a further 700 spam comments. Will they never learn?
I’m not too worried about performance as everything is super cached anyway, and those static files are only refreshed when a comment passes the Akismet checks.
An example of the script I mentioned before could be seen at http://ctocopok.ru/blog_spam.html
I hope this message will pass through spam filters, as it contains a hyperlink, the thing most hated by anti-spam filters in a comment =)
I would NOT use AKISMET as my ONLY defence on my blog!
That would be uber-stupid!
We all need several defence walls against spam. First, check, if the commenter IS human or not. This can be done easily – there are a lot of plugins for that purpose, like ‘Simple Math Comment Spam’ and others, even simpler and more user-friendly ones.
Then, basic protection against pingbacks/trackbacks (check URLs, for instance, using a plugin).
Third comes AKISMET, just in case some SPAM was able to break the first two walls, then comment should be put into moderation/spam moderation.
***
If you don’t use the first two walls, then all spam comments hit you with full-force, and then I have to check everyday tons of spam in my AKISMET moderation queue. This should not be the case! 🙂
So first we need to prevent MOST of the comments from spammers from reaching at all our blogs, then comes AKISMET. Also, why waste bandwidth, IDs from the database (each deleted spam comment wastes one free ID), and time to manually check comments, when this time can be reduced a lot by installing a couple of more anti-spam walls between the spammer and your blog?
Cheers, my $0.02:)
Michel – I only use Akismet and 99% of the time it works fine. There are occasional outages but then I moderate any comments by new users so spam very rarely gets to the blog.
The Blog Voyeur plugin is interesting. When will it be available for download?
Donncha, great work. I do agree with Michel though. I use three layers of anti-spam: the Math Comment Spam Protection plugin to stop the bots cold, the Simple Trackback Protection plugin to stop trackback spam, then Akismet to clean up what’s left. Works really well.
Without the trackback plugin, I get an extra 30 or 40 spam messages in Akismet each day, which makes it harder to pick false positives (a couple a week).
If you don’t like Captchas, use the TanTanNoodles Simple Spam Filter instead of the math plugin. It catches comments where certain words or patterns are used and gets the user to confirm they want to post – this should stop bots which use naughty words without the need for a Captcha.
I’ve had an automated IP blocking system in place for a while now: SpamValve. I have some custom plugin code (plus a patch to Akismet so that it calls out to my tracking routines before it exits spam detection) that monitors for repeated abuse from the same IP address. When a client IP crosses a threshold, I automatically add firewall rules to block that client until their traffic ceases for a certain amount of time. Once that IP is quiet for a set period, I unblock it again.
Unfortunately, most people don’t have the kind of server access needed to put something like this in place. Modifying it to auto-manage .htaccess rules probably wouldn’t be too difficult, but blocking traffic at the firewall level is so much more efficient for the server, because you never even get the CPU hit from Apache having to examine the request.
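The threshold-and-quiet-period blocking described in the comment above, applied to the `deny from` .htaccess lines mentioned earlier in the thread, as an added example (not SpamValve's or any commenter's code). The names `THRESHOLD`, `QUIET_SECONDS`, `record_spam` and `htaccess_rules` are assumptions, and the sample addresses are constructed; every address is parsed before it can reach a rule line, which addresses the "any security issues?" question about auto-writing .htaccess.

```python
import ipaddress
from dataclasses import dataclass

THRESHOLD = 100          # assumed: spam comments before an IP is blocked
QUIET_SECONDS = 86400    # assumed: silence required before the block is lifted

@dataclass
class Record:
    count: int = 0
    last_seen: float = 0.0

def normalise_ip(raw):
    """Return the canonical address, or None if raw is not a bare IP.

    Only the re-serialised parsed value is ever written out, so newlines or
    extra directives smuggled into the logged value cannot reach .htaccess.
    """
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None

def record_spam(state, raw_ip, now):
    """Count one spam comment for raw_ip; returns False if it is rejected."""
    ip = normalise_ip(raw_ip)
    if ip is None:
        return False
    rec = state.setdefault(ip, Record())
    rec.count += 1
    rec.last_seen = now
    return True

def htaccess_rules(state, now):
    """Drop IPs that have gone quiet, then emit rules for those over threshold."""
    for ip in [ip for ip, r in state.items() if now - r.last_seen >= QUIET_SECONDS]:
        del state[ip]    # unblocked: its counter starts from zero again
    blocked = sorted(ip for ip, r in state.items() if r.count >= THRESHOLD)
    return "\n".join(f"deny from {ip}" for ip in blocked)

if __name__ == "__main__":
    state = {}           # constructed sample traffic, documentation-range IPs
    for i in range(100):
        record_spam(state, "203.0.113.7", now=1000.0 + i)
    record_spam(state, "198.51.100.9", now=1000.0)
    record_spam(state, "203.0.113.8\ndeny from all", now=1000.0)  # rejected
    print(htaccess_rules(state, now=2000.0))
```
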
I run the same setup as Stephen and have very little problem with spam now, Simple TB Validator stops a lot as most spam is from trackbacks with fake endpoints.
The DYPM helps for a simple human test for comment form spam.
And anything that does get through gets caught by Akismet, which makes looking for false positives a whole lot more pleasant.
As without the measures I can get a few thousand spam comments a day, and trying to find the real ones…is not easy. Especially with Akismet which doesn’t give you any options for sorting or parsing – e.g. show any ‘caught’ comments for the most recent 5 posts and ditch the rest.
@Stephen:
Yes, that was my point, Donncha!
AKISMET works!
Yes, it is effective!
But AKISMET doesn’t stop SPAM from reaching your moderation queue! (And that’s good, because there are 1% of false alerts, even with AKISMET).
And once it has reached the moderation panel in WordPress, SPAM does two things:
1) ‘Eats’ one ID from the WP database for every deleted spam comment, and
2) ‘Eats’ part of your time to clean up the mess.
So, what’s the point of having only AKISMET running as SPAM protection for your blog? I don’t see any, except for blogs with very little traffic — usually they don’t receive a lot of spam as well.
Instead of using Math Spam Protection + WP Simple Trackback Validation, you can use some other protection. For example, recently I’ve heard of:
http://wordpress.org/extend/plugins/bcspamblock/
Looks like this could be even a simpler and better way of protecting your WP blog from SPAM. But I didn’t test it, yet.
So for now I use my 3-level protection — and, guess what? I still do receive a spam comment or two in my blog (per week), which are then blocked by AKISMET. I guess, the Math Protection isn’t perfect, either — but anyway, it filters out, together with the SimpleTrackback at least 95% of the SPAM. The rest is for A. to handle:)
Cheers, my $0.02, M.