
Akismet – Comment Spam Killer

October 25th, 2005, by Rich.


This website – like any website that allows readers to submit comments – receives comment-spam, usually advertising medicines, gambling, or other vices.

I’ve been trialling a new anti-comment-spam plugin since mid September. It’s called Kismet, it’s from Automattic (hence Akismet for short), and it’s working very well.

Comment spam is more costly than email spam because it either wastes the time of the website owner, who has to remove it, or it wastes the time of every reader of the website who has to separate the wheat from the chaff.

It’s going to be launched tonight (i.e. Tuesday afternoon, in Texas).

Effective Comment-Spam Relief

According to Matt Mullenweg, the curator of Automattic, there were “only a dozen or so” active users during the trial that I was involved in, and the system should “become more effective as more people use it”. The basic stats from my trial experience were as follows:

Akismet Stats

Message Count | Percentage of Total | Explanation
--- | --- | ---
574 | 100% | The total number of comments this site received since the trial began.
425 | 74% | The number of those comments that were spam.
6 | 1.4% | The number of comments that had to be manually marked as spam.
1 | 0.17% | The number of comments incorrectly identified as spam by Akismet (a.k.a. false positives).

For people whose blog content is predominantly idle chatter, this plugin will remove the need for user moderation, allowing a far more interactive blogging experience between blogger and readers.

How it Works

It’s based on the principle that once a comment spam message is identified by one recipient, and corroborated by others, all similar messages can be marked as spam, reducing the spammer’s potential audience from thousands of people to the few that report the message when it first arrives. It works approximately like this:

When a comment is received by a website, it is checked against a worldwide database to see if it matches any messages that are known to be from spammers. This might be based on:

  1. the IP addresses that the message originated from,
  2. the web addresses being promoted,
  3. a string in the content that can be matched by a regular expression,
  4. or any other number of potential techniques that have not (yet) been disclosed.

Messages that are considered to be spam are automatically separated, and the moderator then has 15 days to check through them (in case there are any false positives) before they are removed forever. Spam comments are never visible on the site and the spam checking interface is very simple to use.

[Image: Akismet in use]

Threats to its Effectiveness

I’ve been thinking such a service should exist for a long time, so I’m keeping my fingers crossed that it stays effective. There are, however, several obstacles that may have to be overcome if it is to be a success.

Spam-Run Duration

Services such as this will change the delivery pattern of comment spam.

This will happen because the time window in which spam comments can get through will be drastically reduced to the very short period of time between start of the spam-run and the point when the spam has been identified and corroborated. In the short time before the spam is reported, messages can get through, so it is likely that spam-runs will become short, high volume bursts.

In light of this it may eventually be necessary to check each received message more than once, so that spam messages which are not immediately spotted when they are received can still be automatically discarded.
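The report, corroborate and re-check cycle described above, as an added sketch; it is not Akismet's code, whose matching techniques the post notes are not fully disclosed. The class names, the threshold of two reporting sites and the sample comments are assumptions made for the illustration.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://([^/\s]+)", re.I)

class SharedSpamDB:
    """Toy shared database; a signal counts once enough distinct sites report it."""
    def __init__(self, corroboration=2):     # threshold is an assumption
        self.corroboration = corroboration
        self.reports = defaultdict(set)      # signal -> ids of reporting sites
        self.patterns = []                   # curated regexes (item 3 in the list)

    @staticmethod
    def signals(comment):
        # Items 1 and 2 in the list: origin IP and promoted web addresses.
        domains = {("domain", d.lower()) for d in URL_RE.findall(comment["body"])}
        return {("ip", comment["ip"])} | domains

    def report_spam(self, site_id, comment):
        for sig in self.signals(comment):
            self.reports[sig].add(site_id)   # set: repeats from one site count once

    def is_spam(self, comment):
        if any(p.search(comment["body"]) for p in self.patterns):
            return True
        return any(len(self.reports.get(s, ())) >= self.corroboration
                   for s in self.signals(comment))

class Site:
    def __init__(self, db):
        self.db, self.published, self.held = db, [], []

    def receive(self, comment):
        (self.held if self.db.is_spam(comment) else self.published).append(comment)

    def recheck(self):
        # Second pass: pull comments that were published before the reports arrived.
        flagged = [c for c in self.published if self.db.is_spam(c)]
        self.published = [c for c in self.published if c not in flagged]
        self.held += flagged

def demo():
    db = SharedSpamDB(corroboration=2)
    site = Site(db)
    # Constructed sample comments (documentation-range IPs, example domain).
    spam = {"ip": "192.0.2.10", "body": "cheap pills http://pills.example/buy"}
    ham = {"ip": "198.51.100.7", "body": "Nice write-up, thanks."}
    site.receive(spam); site.receive(ham)    # start of the run: nothing known yet
    db.report_spam("site-a", spam); db.report_spam("site-a", spam)
    site.recheck(); after_one = len(site.published)  # one reporter is not enough
    db.report_spam("site-b", spam)
    site.recheck()                           # corroborated: spam moves to held
    return after_one, site.published, site.held
```

Requiring reports from distinct sites also means a single submitter marking a dummy message as spam does not block anyone on its own, though a shared signal such as an IP address can still catch legitimate commenters once corroborated.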

DDoS Target

The central server(s) may become a prime target for DDoS attacks if/when spammers realise that their spamming is no longer effective. The purpose of a DDoS attack would be to disable the automatic checking of comments, perhaps breaking the system and thereby letting their comments through.

It is likely that spammers would have to coordinate such an attack to coincide with a spam run, rather than relying on luck. The good news is that this would elevate the spammer from nuisance to criminal, so there are some very heavy legal books that can be thrown at anyone silly enough to try it.

Privacy

Some people may be concerned about the fact that every message they receive is sent to a third party for analysis. When one considers that these are supposed to be public comments on a public website, the privacy concern fades a little, but some people do still write private information in comments because the web is used by people, and people make mistakes, so it’s a concern that can’t be completely ignored.

One possible solution to both the Privacy and DDoS issues might be to provide replicated access to the Spam Database (probably on a registration only basis) so that there are multiple sites that could provide the service. Privacy concerns could be offset by enabling the website owner to select which service provider is used, or to provide their own service. Another possible solution to some privacy concerns would be the ability to mark some posts for manual checking only, thus ensuring message privacy.

Comment Censorship

What the service does, effectively, is silence individuals who are misusing the Web. However, there is potential for this capability to be misused, because it becomes feasible to mount a censorship attack on an individual or company: if you have the programming skill, it’s not too difficult to create a dummy message, mark it as spam and submit it to the service. If the spam-identification mechanisms are too sensitive or simplistic, then it may be possible to censor someone who hasn’t actually sent any spam.

Download & Installation

If you’re familiar with installing WordPress plugins, it’s all a simple process.

You can get the Akismet plugin already; it’s available from the open source software repository that manages all WordPress plugins.

You can also get it from the Akismet download page.

Installation is simple: just add the php file to your wp-content directory and enable it.

Enabling the plugin gets you 80% there, but you’re not done yet.

In order to protect itself against spammers who, Akismet uses an API key. You must obtain a key before the plugin will begin to work. The mechanism by which you can get your keys is what Automattic will launch later today.

Automattic for The People

As websites and personal publishing have flourished, comment spam propagated by a selfish few has become a significant problem for the masses. Akismet redresses the balance, at least for WordPress users.

By automatically curtailing spam publication, Akismet takes the wheels off the comment-spam gravy train. Hereafter, spammers will have to look for non-WordPress powered blogs to hawk their wares.

Akismet Launches

As Akismet has launched, several other testers and early adopters have begun to comment on it, so if you’d like to read a little around the subject perhaps some of these musings will suffice:

27 Comments

  • Elliott Back says:

    Akismet Stops Spam: Some Side Effects

    There’s a new spam stopper for Wordpress called Akismet. It works by submitting every comment you get to a centralized comment-checking service, and echoing back a “spam” or “not” response. Hurray. I can identify a few…

  • IO ERROR says:

    A couple of comments:

    It’s been my experience that the most interesting interactions on a blog are not between the blog author and the readers, but between the readers themselves. Moderation virtually kills this community-building aspect, and anything that removes the need for moderation is a good thing.

    The nature of spam runs will probably change a bit in response to Akismet, though it remains to be seen whether the spammers will win this one or not. In any event, Akismet is not the final solution to blog spam. Akismet combined with Bad Behavior may very well be, however. (Disclaimer: I code for both projects.)

    Denial of service attacks against the central server are an issue I hadn’t thought of before. I know that Matt has recently changed the hosting for the service (i.e. within the last day or so) to improve reliability. We’ll all see what happens.

    As for privacy, the entire comment, as well as metadata about the request, are sent to the server for analysis, as I noted a few weeks ago. My understanding is that the information is not stored, however, unless the message is judged to be spam. However, private blogs should certainly consider not using Akismet if this is still a concern.

  • [...] e away to the first one who emails me. IS IT EFFECTIVE? According to figures presented on Boakes.org (who participated in the trial period) 74% of comments received during the trial period were spam. I’d [...]

  • N. Godbout says:

    Great write up, and it’s really nice to see numbers of what it caught and what was supposed to be caught. Definitely valuable information coming from a third party.

    (To be fair, what I was unsure of was why the plugin required a WordPress.com account, though it was completely cleared up by Matt.)

  • [...] the superb SK2 to give Akismet a fair crack. Reading a couple of posts a few hours ago, at http://boakes.org the mention is made of the spammers hammering the server(s) that the Akismet lives on in an effort to [...]

  • [...] agra” in it.) If you would like to know more about how Akismet works, there’s an excellent write-up by Richard Boakes here.
    Tags: wordpress, blogging, spam, akismet Entry Filed [...]

  • [...] The reviews are starting to come in. Here’s some one with stats (from when the service was still in development). [...]

  • [...] have looked at the plugin a little more closely, are available from: Eric Meyer, Richard Boakes and Ben Gillbanks [...]

  • Tinus says:

    Cool. I was waiting for some hard evidence. I’ll also test it and post my findings.

  • Ozzie says:

    Just some comments regarding Akismet. Well, I’ve tried this for several days and it runs smoothly just as expected. However, how do we know when there’s a false positive? I don’t see this option on akismet’s website. Is there a way?

  • Rich says:

    Hi Ozzie, take a look at the image above. It shows the messages that have been marked as spam by Akismet – if something is not spam, you can ‘tick’ it, then click the “Not Spam” button.

  • [...] an Akismet. Choose Spam Karma 2 or Akismet? Take another look at how Spam Karma 2 works and see the Akismet review, then make your choice. Popularity: 1% October 29, 2005 @ 5:31 am [...]

  • [...] sual run of plugins and the like. More importantly, it seemed simple to implement, and the numbers looked good.

    There was just one catch: I needed a WordPress.com account. A golden ticket arrived in my email [...]

  • //beconfused says:

    I made a couple of changes to my blog – Akismet, WordPress 1.5.2 and web polls!

  • tsr says:

    I’ve been trying quite hard to find where I go to open an account on wordpress.com and thus get my API key. Am I missing something completely obvious or is this actually a difficult thing to do?

    I host an installation of wordpress on my own server but would like to use Akismet. Is this even possible or is a wordpress.com account required?

  • Rich says:

    There are three options.

    1. Go to wordpress.com, enter your email address and wait.
    2. Download the flock browser – there’s some kind of deal there for getting an account, but I’ve not looked into it.
    3. Write a WordPress Haiku.
  • [...] ng Want Akismet? Then download Flock. Huh? On Boakes you can read some more details about how Akismet is working. [...]

  • [...] problems of the Akismet approach have already been mentioned here and there (and see also this comprehensive post). I have to say so far I haven’t found a more efficient and neater product than WP-Morph. [...]

  • Jax says:

    I’m struggling with akismet and have in fact disabled it, as it took against one of my regular commenters, and despite me marking her comments not spam, kept insisting that they were. Given that you can’t see all the spam that akismet is dealing with, this is not a good situation. However, getting feedback from the programmers on this appears to be difficult :(

    One of your links is broken btw – Aaron Brazell has moved his article http://www.technosailor.com/wordpress-misunderstanding-updated-title/

  • Ryan says:

    I think a false positive means that sometimes akismet just thinks that one thing isn’t spam, when it actually is… that’s why I use Spam Karma 2, then the Akismet plugin, which means that it’s a near perfect defense against spam, and I only had one comment that I had to moderate, otherwise, over 50 spam caught.

  • Ryan says:

    I guess that’s why I use Spam Karma 2, then the Akismet plugin, which means that it’s a near perfect defense against spam, and I only had one comment that I had to moderate, otherwise, over 50 spam caught.

  • [...] For its part, the plugin will show a simple line in the Administration Panel reporting the number of blocked comments and whether you want to delete them once and for all. Here you have a performance test. [...]

  • [...] The set up isn’t hard. All you need to do is to upload the plugin and enter the WordPress.com API key. And you’re on. Actually, the WordPress.com API is the hardest part. Read more about Akismet. [...]

  • [...] Spam Karma 2 or Akismet? Take another look at how Spam Karma 2 works and see the Akismet review, then make your choice [...]

  • [...] — Rich Boakes [...]

  • [...] news, Akismet is working nicely. I have no idea what the name actually means (According to this, it takes its name because the program is Kismet by Automattic), but Akismet is a program that [...]
