Comment spamming, quater

Six Apart communicates about Comment Spam, at last! They are still working to find a solution, they dismiss registration (upcoming feature but different usage), as well as comment moderation and image comprehension technology, and point to MT-Blacklist as a solution.

I'd like to suggest an additional option: simple comment authentication. It works like this:

  1. a visitor to your weblog leaves a comment along with an email address (mandatory) and an optional URL
  2. the comment is displayed immediately but any URL it contains is either turned into non-clickable text or replaced by a placeholder (like [*]), rendering spam for GoogleRank ineffective
  3. an email is sent to the email address provided, asking the visitor to click on a confirmation link to authenticate the comment and activate URLs (if any)
  4. once the weblog receives the confirmation, it activates any URL present in the comment. The confirmation page may offer to the visitor the option to save a cookie to allow for "One-Click Comment™" ;-)

This system has the following advantages:

  • it provides a comment authentication feature that does not require a complex system nor anything beyond your weblog system
  • it effectively ensures that visitors leave a real email address. One issue though: john.doe@mailinator.com may require a blacklist of names that cannot serve as valid email domains
  • compared to a registration system, it is significantly easier (requires only one click, no name, no password) and less "in your way" (the comment is immediately displayed for the sake of synchronous conversation, just without clickable links)
  • it scales, the (small) burden is entirely left on each visitor commenting
  • it can add bonuses, such as offering the visitor to subscribe to a notification email and receive all other following comments by email (great for keeping trace of comments left on others' weblogs)
  • it can work along with other anti-spam features (such as IP banning, URL blacklists, etc.)

The reasoning beyond this system comes from my quest for simple comments authentication and precisely the fact that, considering that my weblog is not a public space but a personal space that I open to others, and that I do not publish anonymously, I have little or no interest in receiving anonymous comments.

11 Comments

I've closed comments on almost all of my posts after some comment spam a few weeks back. It's very annoying. The solution you discuss sounds very simple and straight forward, if you have or wish to submit an email address.

Anonymous comments can be overwhelmingly trollish, but I've encountered many people outside blogdom -- and there are alot -- who would prefer not to submit an email address to a personal site -- they're not very tech-savvy but tech-scared. How would you deal with people like that? These same people would be annoyed by email notifications and clicking links with cookies etc.

The more barriers there are for entry into a discussion the more sterile it may become. Email authentication is effectively a Whitelist enforced by the user and client. I believe it should be the web-authors responsibility to maintain transparency and ease of use. Hence, we should filter the crap from the comment, with a minimum of fuss for the reader.

I already manually disable comments on all my posts after thirty days. If an effective authentication method becomes available, I will likely use it. I understand all the reasoning that goes into the why I shouldn't camp of thought, but in truth, I simply don't care. If commenting on my weblog is not worth a minimal effort by the comment maker, then I don't really care if I get it anyway. I would rather get one comment from someone who is willing to go the extra step than a hundred from people who weren't.

Gummi, I think that if one explains exactly the commenting and privacy policy to the visitor (for me it would be to make very clear that visitors' email addresses are kept safe and for my eyes only), then it's only a problem for the utterly shy people.

Now, in addition to my contempt for anonymous comments, comment spam is really getting on my nerves. Yesterday, because of the manual cleaning of spam, I really wasted the time it would take me to write one or two posts. What do you prefer, me cleaning after spammers' shit, or writing?

...then it's only a problem for the utterly shy people

I agree with only part of this answer. I started out with anonymous comments, a few of my posts have received quite a few of those i.e. no email address or web url. On the flip side, in some cases people will avoid publically commenting on a post and use email, therefore, they do trust me with an email address, they don't want their views made public. This latter case helps your argument somewhat.

I've enabled anonymous comments, I may not get much spam these days but I've followed Damelon's advice and closed old threads -- that helps. However, if you give readers an additional barrier, clicking links etc. you're still left with inertia. I, for one, would think twice about a comment if I need to authenticate. It's web laziness.

What do you prefer, me cleaning after spammers' shit, or writing?

Well, it seems comment spammers have inspired your writing, a little irony here methinks -- that's sarcasm, I know it's the lowest form of wit.

I would prefer the spammers out of the loop, I don't back their cause. It's your personal site so you are within your rights to do anything you like to prevent this grief. If one were to make analogies, you could look upon the authentication process as a smart way of preventing unfettered comment access from people who would like to make a point, without exposure. In blog/web utopia, creating trusted relationships is seen as a big deal, but it paints all anonymous users as skanky wankers who must be trolls because of their anonymity. Tarring people like that is a little.... harsh. It's a bad beat all round.

"In blog/web utopia, creating trusted relationships is seen as a big deal, but it paints all anonymous users as skanky wankers who must be trolls because of their anonymity. Tarring people like that is a little.... harsh."

Yes, if you think that such a move from me, on this ridiculously small and widely unknown territory of the web, yields to a ban of anonymous comments. There are so many spaces out there where they can shout from within their closet. I understand your points, particularly the concern that anything in a process that gets in one's way is bad, but I am in a trade-off situation. Pondering spammers vs. people who are afraid to give me an email address I can write to vs. people who are not afraid to voice their opinion in their name...

May be "contempt" was too hard. However, I need better arguments to see why I have to let the doors wide open and spend so much time deleting crap on my own site!

And note that my process actually would work pretty much like the current anonymous comments, i.e. you fill in the form exactly as usual and your comment appears immediately. It's only in case there are URLs within your comment that I would require a click from a confirmation email. So, the shy commenter could still comment, but not place links in my sandbox anonymously. That's the beauty of it, and I haven't found something simpler (yet).

Yes, if you think that such a move from me, on this ridiculously small and widely unknown territory of the web, yields to a ban of anonymous comments.

Strictly speaking it does, you're shutting out potential readers -- your perogative, of course. This is a widely unknown territory of the web, however, one single comment from a future user could be enlightening. No? It's a moot point because you openly display your email address, plus, this is all wildly hypothetical with plenty of hand-waving, in other words, bullsh*t.

An aside, if the links are embedded into comments to increase Pagerank, another method to circumvent the problem is to ban all bots. Drop off the radar and provide no incentive. In criticism of this idea, you're already earmarked by the spammers so it wouldn't stop your problem right away. Just a thought.

"one single comment from a future user could be enlightening. No?"

Yes, and I answered that already. You could continue to comment anonymously. I'm targeting spam more than anonymity.

"It's a moot point because you openly display your email address"

Huh? It's encrypted. After almost a year of exposure on the home page, it seems to have escaped the email harvester so far.

"this is all wildly hypothetical with plenty of hand-waving, in other words, bullsh*t."

May be :-) I lack the programming skills, so I'm reduced to wave ideas and hope that they stick.

"another method to circumvent the problem is to ban all bots."

Nope, it does't work. They change all the time, and most of them hide behind normal browser agents. I also received recently a significant amount of spam entered manually, not using bots.

Yes, and I answered that already. You could continue to comment anonymously. I'm targeting spam more than anonymity.

There's still the link clicking inertia, right?

Huh? It's encrypted. After almost a year of exposure on the home page, it seems to have escaped the email harvester so far.

The commentator can contact you outside of the box. That is what I meant.

this is all wildly hypothetical with plenty of hand-waving, in other words, bullsh*t.

Meaning: We are on the hand-waving plain as far as the comments are concerned-- not the post.

Nope, it does't work. They change all the time, and most of them hide behind normal browser agents. I also received recently a significant amount of spam entered manually, not using bots.

I suggest .htaccess controls and log monitors with a honeytrap. Re: manual insertion. WTF! That boggles the mind. Clearly some people have too much time on their hands.

Version 1.5 of MT-Blacklist has just been released.

Why aren't links to comentators' websites just scripted? If Google PageRank is the incentive to spam, just get rid of the incentive. With scripted links, like most forums use, all the usability exists without that little PageRank bonus. Why does it have to be more complicated?

Adrian, I know Simon Willison uses a redirect for all URLs on his weblog, but I've seen at least one argument that it doesn't have any influence on GoogleRank (most likely because the Google bot is smart enough to skip the redirect step transparently). But if a redirect is efficient then it's a good idea that's not hard to implement.

mensuelles Archives

Recent Entries

  • Steve Jobs

    "Remembering that I’ll be dead soon is the most important tool I’ve ever encountered to help me make the big choices in life. Because...

  • Your privacy on MOTOBLUR by Motorola

    After the Nokia Ovi Store carelessness, it's now Motorola who's allowing strangers to get access to your private information on their MOTOBLUR portal. Exactly like...

  • How to resume a broken ADC download

    (I'm documenting this trick for myself to remember, but it can be useful for others…) Apple, on its Apple Developer Connection site, has a bad...

  • WTF is this ‘myEventWatcherDiv’ doing in my web?

    All of a sudden I started to find the following line in most of the web pages I was browsing, including ones I made where...

  • Your privacy on Nokia Ovi Store

    My friend Adam Greenfield recently complained about the over-engineering culture at Nokia: I was given an NFC phone, and told to tap it against the...