**updated, see below**
Comment spam is Teh 3vil.
Everyone knows that, right?
So I have Akismet running on here, nicely catching all the spam.
And except for one false positive, it worked perfectly. Except for trackback spam. So I disabled trackbacks, and installed a WordPress plugin to catch spam trackbacks. They appear to be gone now. But I get annoyed at having to empty out all the Akismet-caught spam all the time. I know, I can just let it be deleted after 15 days, and I can probably set up Akismet to delete it automatically, but the idea that it’s getting through bothers me. It’s just annoying.
So I embarked on a quest to stop the evil from getting through at all. I’ll leave Akismet as a last line of defense. So I installed this thing called “Bad Behavior” which filters out spam bots through arcane magicks or heuristics or something. Which has helped. And just to be really, really sure, I installed a plugin which basically puts a Turing test on the comment submit page (it asks a basic math question, but without using the real numbers, and then validates the answer, e.g.: “Sum of s1x + s3ven ?”).
I finished setting all this up today. And within three hours, Akismet had caught three spam comments. How!?! I’m fortified, dangit! I don’t understand this. It has to be a bot, right? No human being would sit there all day copy/pasting spam into random, little-read blogs, would they?
I don’t want to require registration, but that may be the next step. Or one of those image-based CAPTCHAs.
Or maybe I’ll just program my own Turing Test web service API & a WordPress Plugin: Any software can request a challenge to display on an input form. The API will return a test, like a CAPTCHA or a math question or a “Pick the wrong one” type of thing — randomly, and different in every case. Along with it, it will return a hash and a random identifier. The random identifier and hash will only stick around in the API’s system for a couple minutes. The software that requested the challenge will display it to the user (or bot) and get a response back. The response will then be sent, along with the identifier and the hash, to the API, which will then attempt to validate the response. Based on the results of the validation, it will return either true or false, and the software will know if the Turing test was passed or not.
As I’m typing that, I’m thinking that the hash may not be necessary, that the identifier may be sufficient in itself.
Anyway, with such a service, it could be incorporated into any software, as a modification or as a plugin. And with a degree of randomness for the methods used in the challenge/response (differing the method each time), there will be a reduced likelihood of the spambots or spammers cracking the challenge. At least that’s the theory.
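A minimal in-memory sketch of the challenge/verify service described above, added here as an illustration and not code from this post or from any plugin it mentions. The names `ChallengeService`, `issue` and `verify` are hypothetical; the sketch assumes the answer is kept server-side, in which case the random identifier alone is enough and no hash has to travel with the form.

```python
import hmac
import secrets
import time

WORDS = ["zero", "one", "two", "three", "four",
         "five", "six", "seven", "eight", "nine"]
TTL_SECONDS = 120  # "a couple minutes", as in the post


class ChallengeService:
    """Hypothetical challenge/verify API; state lives only in memory."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock   # injectable so expiry can be tested
        self._pending = {}    # challenge_id -> (expected_answer, expires_at)

    def issue(self):
        """Return (challenge_id, question); the answer never leaves the server."""
        self._purge()
        a, b = secrets.randbelow(10), secrets.randbelow(10)
        challenge_id = secrets.token_urlsafe(16)  # unguessable identifier
        self._pending[challenge_id] = (str(a + b), self._clock() + TTL_SECONDS)
        return challenge_id, f"Sum of {WORDS[a]} + {WORDS[b]} ?"

    def verify(self, challenge_id, response):
        """True only for a correct, unexpired, first-time response."""
        # pop() makes every identifier single-use: a solved challenge
        # cannot be replayed, and a wrong guess burns the challenge.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        expected, expires_at = entry
        if self._clock() > expires_at:
            return False
        # Constant-time comparison of the expected and submitted answers.
        return hmac.compare_digest(expected.encode(),
                                   str(response).strip().encode())

    def _purge(self):
        """Drop expired challenges so abandoned forms do not pile up."""
        now = self._clock()
        for cid in [c for c, (_, exp) in self._pending.items() if exp < now]:
            del self._pending[cid]
```

Because `verify` removes the entry before checking it, one solved challenge cannot be resubmitted with many comments, which is the replay case a stored identifier or hash would otherwise allow.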
That was kinda the theory in the math question plugin too, but some spambot(s) seem(s) to be getting through.
Le sigh.
**update**
Oh, fer cryin’ out loud. In the time it took me to write this post, Akismet caught another spam comment that had slipped through.
