File Blog Comments Under It seemed like a good idea at the time...

Weblogging is growing up. Oh wait, you thought that would be a good thing? You must still be young. -- Mark Pilgrim
Like most other people working in this medium, I like the idea of open and unfettered comments. Like most sane people, however, I really dislike the reality of over 3,500 comment spams in less than 24 hours.

That was the reality here over the last day and, after spending hours reading about and installing a blacklist and other gizmos Ive concluded that, for now at least, it really isnt worth the aggravation and wasted time.

Until such time as Movabletype comes out with a fix for this, or until such time as some unknown hero develops a killer plugin, or until such time as the comment spammers are located and fed into industrial shredders feet first while ringed with web cams, Im disabling comments here.

SpamCop I am not. Neither am I SpongeBob. The idea of maintaining a page with a big Spam Me! sign printed on it fills me with inertia.

Should you wish to comment on anything posted on may page, please mail it to me at

publisher-at-americandigest.org.

Ill put it in an update.

For those who want to read the article that made up my mind for me, please check Mark Pilgrims take no prisoners article: Weblog Spam .

Hes right, you know.

That was so depressing.

Ditto.

When I built my Dad's MT blog last year and he didn't want to enable comments, I thought he was nuts. Now I think he was just ahead of the curve.

Since forums (phpBB, VBulletin, etc.) can be pretty well defended against spammers, maybe hooking a front-end MT blog to a back-end forum might make sense. But talk about destroying the simple elegance that blog commenting offers.

Here's hoping someone will come up with the killer plug-in to avoid the death knell for blog commenting.

Sniff.

If you think it was depressing to write, imagine seeing 90 to 200 new comment notifications every 10 minutes for hours on end and every one of them for porn or drugs.

Comments... adios.

Mabye it's just me, but I would begrudgingly put up with hundreds of spam comments just to get a few sparkling comments from friends and random strangers. A bit like email, really. Oh well.

Perhaps but which ones will they be? You're going to have to sift through thousands, remember?

Not dozens when comment spamming was manual, but thousands.

The program evidently looks for comment stacks it can post to, then it posts -- quite methodically -- to every single entry you've ever made that has posts allow.

THEN it goes back to the top and does it all over again. And again and again.

Your comments fill up with long tables of meaningless drivel and links for every sort of unsavory site in the world.

Anything like a meaningful comment would come to be buried. And then when others who sincerely want to comment open the popup they are confronted with a long chunk of garbage. Do you think they want to participate.

If they have something scintillating to say, have them email it to you and put it in an update.

Less work and more fulfilling for them.

seems like mt-blacklist's despam feature can clean that up.


comment and trackback popups should not be used.

Right. I personally am not quite ready to knuckle under to this yet.

In fact, I even download all 400+ email spams every day before I filter them, and I'm still excited when I find a real blog comment notification, a comment I've subscribed to, or a receipt for some exciting gadgetory purchase I've impulsively made on the internet.

Agree with you Oscar, but wonder if we'd all be whistling differently if we were the ones doing cleanup on 3,500 spam comments...

i probably would, since despamming is so much fun with mt-blacklist.

I have two ideas as relate to spam comments.

Mind you, I don't even have a blog running yet so I
don't really have any idea of the magnitude of the problem...

Use a database like Razor's spam database, which
is used by programs like SpamAssassin to mark
mail as spam based on CRC checksums.
User's can add items to the database.

Then, the procedure for commenting would be:
check IP blacklist.
check comment CRC database.

I wonder if it would even be possible to adapt a system
like spam assassin to MT ?
Spam assassin uses a "grading" scheme to determine
if stuff is spam. Even better, the new spam assassin
can "learn" by you telling it what is spam.

I used to get 50-100 spams a day and now it's down to
like 3 or 4.

Spam Assassin is written in perl too, btw.
And it has plugs to use Razor's database, etc ...

My other idea is this.
Somebody needs to make a plugin that allows you
to reply to a "comment-email-notification" with the
directive "DELETE THIS CRAP" or something at the top.

This plugin (which could be just a mod of the email-2-blog plugin) will check your inbox for replies with this
directive and then auto-delete the comment.

This could at least speed up deleting the pesky buggers.

Anyways, there are my ideas, I'm not much of a programmer and I'm slammed for time, but I'm good at
comming up w/ ideas.

cheers,
e

with the current trend of crapflooding, ip blacklisting won't work. they're spoofing the ip addresses.


mt-blacklist adds a despam link to comment notifications for easy comment deletion.

my blog isn't 'known' enough to get that much spam, i get about 1-4 comments per entry and about 1 spam a week, perfectly manageable.

but that is up from no spam at all a few months ago.

I would HATE to go without comments or trackbacks, to me comments are part and partial of what blogging is supposed to be. I hate sites that don't allow comments, i want to see the feedback and ideas your words and thoughts generate. Isn't that a large part of what blogging is supposed to about, interaction and connectedness?

losing comments would lose that.

maybe someone will find a way to get rid of spam comments, but then again no one has found a reliable way to get rid of spam email yet.

Charles, that's the problem with people who live in Hawaii...they can't tell the bloody difference between work and fun, since it's always paradise outside...

despamming is so easy to do. how can it not be fun? the flooding scripts i've seen use a small pool of ips, so all you have to do is copy and paste each ip found in your email notifications until all the comment spam is gone.

then again, i'm using something that nobody has seen to block automated floods.

You wanna know what a problem is? Try running an office with a fax machine that shares a line with an answering machine where both receive critical information. I got so much junk fax that I ran out of both paper and toner. So, I just turned the fax machine off, and now my answering machine fills up with pathetic little failed junk fax beeps.

So, see, I can't even decide which is better, hitting the delete key on those babies, or despamming the blog with MT-Blacklist, but I enjoy both robustly.

I know, I know ...


PS (what about the critical faxes? I just tell 'em to give me a call and tell me when they want to send a fax. Heh!)

It's even easier now, since you can use Search and Despam mode to list all of your last n comments or search by an arbitrary text string or regular expression. No longer must something match your blacklist or an IP address to be able to easily sent it's bits exploding into ether...

Allowing anonymous comments is a dangerous thing.

There's a tutorial for integrating phpBB as the MT comment engine (in 23847392 steps) @ http://trikuare.cx/mt/mt-tb.cgi/425 -- it's not as integrated as I'd like, but I'm working on it.

phpBB provides a fairly smooth interface for email verifyication of posters. This eliminates automated SPAMbots. phpBB allows IP blocking, automated email notification of new comments and, with a small hack--new posts, and more.

I've got a tutorial for adding a Comment form so subscribed visitors can enter comments.

There's also a tutorial for adding automated email notification for new MT posts.

The current level of integration is imperfect; the user is redirected to the phpBB forum pages for most operations. However, I'll be working on minimising, even eliminating, this imperfection as time goes on. Assistance from others is appreciated.

[Note: modifying phpBB usually involves hacking the phpBB source -- which really makes me appreciate the foresight and elegance of Six Apart's MT design.

p.

Maybe so, but I am still as yet unwilling to accept this. I feel no immediate danger. The danger is to those bits I will be blowing into the ether!

Yeah, well, I'm definitely of the prevention preferable to cure school. My forums were attacked a while back by peurile perverts who posted the lewdest text and images imaginable.

Imagine you live in a crowded neighbourhood and someone, while you're away on vacation, erects on top of your house a giant billboard describing an obscene act. How uncomfortable is that to come home to? In addition to the simply annoying but banal spam, that's the kind of content attack you're opening your blog to with comments. And there are unsavory communities of people out there (I traced the attack to another forum where the attackers were congratulating eachother on their cleverness) eagerly seeking unprotected sites on which to commit blog gang-rape.

Email verification isn't perfect, by any means, but it's not as readily abused as anonymous commenting.

p.

In 1982, I ran a BBS out of my apartment, at 300 baud, and a single phone line which was tied up 24/7 by the board. I rolled this thing out as a "public place" and planned to allow anyone to post anything they wanted, with a kind of self-policing function.

As you might imagine, this was a disaster, and it went the way of most public places - straight into the toilet.

Pretty soon, I had people submitting their address and phone# for "validation" and after ahwile, they had to do it by mail and send me 5 bucks. THEN, it started to run very smoothly, and was really quite wonderful for a good long time.

Why then, do I insist on freedom and unrestricted comments for my own site, besides just being a fuzzy-minded idiot? Ummm ... ... well, I haven't worked that out yet ... and I guess when they come and totally trash my yard, I'll cave.

To take it a step further, when a kid pulls his car into my driveway to pick up the au pair for a date, saunters up to my door, and rings the bell with an open beer in his hand, I take him to be signalling me that he wants to be an adult, but hasn't quite got it figured out yet, and is soliciting my help.

I suppose the same is true of these short-sighted internet wreckers. You want us to lock the whole place up into gated communities, where perhaps even you yourself will feel better? Well, *sigh* okay then. So be it.

And, I don't really disagree with anyone's decisions along these lines. It's mostly a matter of taste, and of mission I suppose.

But, you know, I am personally willing to tolerate a fair amount of crime, litter, and noise in the interest of togetherness. I plan to leave the doors open as long as the house is still standing, and I appreciate the efforts of Jay and others to help with this.

Okay, I'm done ... sorry ...

I look at registration in terms of protecting my visitors from the riff-raff. However, it's hardly a gated community.

Your old board, even the hopeful, public, self-policing one, you started with probably required a username and password to logon and read posts. That's actually more of a gated community than my blogs, which anyone can read anonymously (almost anonymously, they do leave an IP trail behind.)

As for commenting...the door's not standing wide-open. However, as Frodo observed to Gandalf, speak "friend" and enter. Everyone's welcome. I've even got a bot standing by to open the door for you, in case I'm not in.

A password isn't much of a barrier when it's given to anyone who'll ask for it. I do realise that not everyone cares to provide an email address just to post a comment (particularly the riff-raff) but I'm willing to live with corresponding with the reduced set folks who don't mind.

ymmv,

btw: It wasn't quite 1982, but I also participated in pre-internet boards. Ours never devolved to the level you're implying (though one fella going by the handle Pariah stirred up some hatred, as self-styled pariahs often do.) There was a level of community to those Fido (etc.) boards that seems to me more difficult to develop on the www. That may be because every now and again we'd throw a party and members from drivable distances would gather in for some face time. Fascinating.

Pariah never showed at any of those gatherings, which is a shame. People often come off better in person than they do in text.

p.

It is. In fact I'm sure there is a highbrow essay lurking somewhere in thinking of some of the specifics of computers and the internet as both a medium for and an expression of our human affiliative needs.

Well, I will look forward to seeing what MT 3.0 has to offer as well for comment registration and security. And then, as people have said, what are we going to do with those email inboxes?!

I don't know if anyone has tried adding this, or has suggested this... but what about adding in one of those obfuscated image verification things where they show you a number thats been manipulated and you must type it in to continue. Doing somthing like that would certainly stop spam cold in its tracks, while preserving whats good about commenting.

Great idea except there is a reason that not everyone is doing it: it also stops many other people cold, like blind people, people whp surf with images off (for bandwidth reasons) and people using text-based browsers...

Thats a good point, but, who is the majority?

I'd feel really bad leaving out blind people, but many of us wont have a blind person in our audience.

People with out images, well, they'll be out of luck. I imagine that most graphical browsers that will block all images will allow certain pictures to be shown on request. People using lynx are out of luck.

The author of Weblog Spam points out (first post in this topic) that such schemes are easily broken by professional spammers with the resources to hire people at third-world wages to unobfuscate the image verification.

Dime-store variety spammers don't tap that market, making it all the more valuable as a target for bigger guns due to lower, umm, spametition. Is it worth it to them to attack a blog with limited readership? Probably not. Then again, we all believe our readership won't be limitied forever...

And you'd be surprised how many surfers are blind or wedded to text-only browsing. This month I've already logged over 200 hits from Lynx and PDA/Phone browsers alone.

p.

And to be honest, I can't be so cavalier about saying "____ people are out of luck". Especially blind people. They didn't choose to be blind and have a hard enough time as it is in all of life. Do they really need to be told that they aren't important enough to read MY site too?

Your choice of course, but I choose 100% accessibility (or at least I try extremely hard to do so).