Anti-comment spam alternatives to Akismet

Last week our agency launched a shiny new custom site for an academic think tank. I showed my mom the new site. “It’s so nice Miriam!” said my ever-objective Mom. She dutifully scrolled up and down the home page and clicked through to some articles. And started reading.

“How can they say that?” said my ever-opinionated Mom about one of the articles.

“You should leave a comment!” said I.

“How do I do that?” asked my ever-mystified-by-the-web Mom.

So we scrolled to the bottom of the article of contention, and I showed Mom where to type her opinion (start with something nice, then tell them about how you disagree), which fields to fill in (you don’t need to fill in the website), and when it was all reviewed for potentially embarrassing autocorrects (this all took place on Mom’s iPad), she pressed Submit.

The page refreshed, but nothing else happened. The message that her comment was awaiting moderation didn’t appear, and even stranger, the URL of the page didn’t update to show that a comment had been submitted by adding /#comment-123 to the end of the URL. I looked in the admin of the site, and her comment was nowhere to be seen.

“Thank you Mom!” I exclaimed. “I believe you just spotted a bug in the new site! You’re great at QA.”

Mom didn’t quite get how finding a bug is a good thing and why I was so happy about it, or what exactly QA is, but she smiled graciously and said she was happy to help.

I tried to recreate the bug on my laptop, and was able to on the same post that my mom had been on, but not on others. Hmmm. Was the bug maybe only on posts that had Related Posts under them (we set up the site so the client could manually select related posts to appear, if at all)? Nope, it worked on posts with and without related posts.

The team, who had already tested the comments before launch, wasn’t able to recreate the bug, so I was stumped.

I decided to take a break to try to read some of the articles open in my millions of Chrome tabs, and one of them was this one: Why I Will Never Comment On Your Blog (A.K.A. Die, Akismet, Die). The writer describes how Akismet has been shutting her out of commenting on blogs, but what was most interesting is her description of what happens on the front end of a site when Akismet has identified a submitted comment as spam: the page reloads, no message that the comment is being moderated, and the URL doesn’t change!

I logged in to the admin of the site, and lo and behold, my Mom’s comment and my test comment were both sitting in spam!

It might be time to move on from Akismet

We already know that Akismet can falsely identify good comments as spam, and with our spam box filling up daily with tens of spam comments, there’s no way we’ll ever find them in there, which is kind of a shame. But I always figured it’s worth losing a handful of good comments if we can avoid dealing with hundreds of spammy ones.

However, we’ve been having trouble with Akismet for a while now. For example, spam comments on this site were not being identified as such. We were just leaving hundreds of spam comments in moderation, which was annoying for so many reasons.

Plus, Akismet is now a premium plugin, so you need to pay for it on non-personal sites. That’s fine, I’m all for paying for great plugins, but there are good free alternatives, and it hasn’t been working so well for us anyways.

And if Akismet is identifying my Mom’s well thought-out comment on an academic site as spam, I think that’s a sign of some kind of issue on Akismet’s end for the following reasons:

My Mom ain’t no spammer. She uses her iPad for sharing recipes, emailing with her family, and listening to music; she had never left a comment on a site before in her life so her email couldn’t possibly be connected with spam activity; and the nastiest thing she ever did on the web was get upset at a radio station for playing bad oldies.
Her comment did not have spammy words in it, was intelligent and not aggressive.
The site was fresh out of the box, so no comments had yet been submitted, and therefore the site owners hadn’t yet “told” Akismet what they consider spam by marking comments as spam.

Akismet has been amazingly awesome all these years in predicting the comment spam issue which was to reach epidemic proportions, and helping rid the world of what could have been thousands of comments about cheap Uggs and generic Canadian Viagra. We are indebted to you for that, Akismet and Automattic.

Having said that, for those of you who are also looking for alternatives, here are two very good ones: Growmap Anti Spambot Plugin (GASP), and Block Spam by Math Reloaded

Growmap Anti Spambot Plugin (GASP) – so simple, yet so effective

We’ve tried a bunch of honeypot types of plugins, like Antispam Bee, but it didn’t stop the spam on WPGarage. The post above that originally made me realize that Akismet was blocking my mom’s comment introduced me to a plugin I never heard of: Growmap Anti Spambot Plugin, also known as GASP, created by Andy Bailey. Its premise is so simple, yet genius:

This plugin will add a client side generated checkbox to your comment form asking users to confirm that they are not a spammer. It is a lot less trouble to click a box than it is to enter a captcha and because the box is generated via client side javascript that bots cannot see, it should stop 99% of all automated spam bots.

A check is made that the checkbox has been checked before the comment is submitted so there’s no chance that a comment will be lost if it’s being submitted by legitimate human user.

How brilliant is that? The plugin also does something else smart: it adds a fake hidden field labeled “email” to throw spambots off. If it’s filled in, it’s a red light.

Hidden email field

However, the plugin does have some weaknesses:

The browser accessing the comments has to be running javascript. What if comment spammers turn off javascript in their browsers? The plugin does address this by displaying a message to javascript-disabled browser users, but that only helps good humans, not evil spammers:
It doesn’t work with Disqus or other third-party comment systems. Which doesn’t bother me because I dislike them anyways.
It either stops all trackback spam, or none at all. You can set the plugin to stop all trackback spam, while using another plugin they recommend to validate trackbacks: Simple Trackback Validation. However, it hasn’t been updated in over two years, so it doesn’t sound like a good idea to use it
The comment spam scripts can learn the checkbox name and automatically tick it. There’s a workaround though: Change the checkbox name value in the settings page to something new (like change the number) so the automated systems don’t know what the checkbox is called any more.

Block Spam by Math Reloaded

For now we are sticking with the math question plugin I mentioned above: Block Spam by Math Reloaded. I am so sick of spam, I don’t want to risk any of the weaknesses mentioned above for GASP. As I said, since we implemented it, it’s cut down automated spam completely. Human submitted spam comments can still get through, but they are so few that it is easy to manage. What’s really good about this plugin is that it also adds a math question to the WordPress login form. The reason this is useful is that it can actually be another step in preventing brute force attempts to log in. If a bot is hammering your login form with username/password combinations, but has to stop to enter a math question for every round, I can imagine that might stop it cold in its tracks.

We’ve been trying to find a good alternative to Akismet for a long time, and I am happy to say that between GASP and Block Spam by Math, there are some good, simple, and effective solutions out there. Die, comment spam, die!

Mom at WordCamp — Mom came to WordCamp Jerusalem to help (wo)man the registration tables and watch my baby. She’s been wearing a WordPress pin on her jacket ever since 🙂

Pics by Deena Levenstein

Ryan Hellyer

Shameless self-promotion … http://wordpress.org/extend/plugins/spam-destroyer/

I’m think of adding some sort of CAPTCHA type system like the Math question as an added level of protection for those that want it and for people without Javascript turned on.

I doubt the “Confirm you are NOT a spammer” checkbox below is actually doing anything for you. If a bot can answer the math question, then they’ll be able to click a checkbox even easier. I’d take that checkbox out if I were you.

Cookies for Comments and WP Hashcash are two of the most effective ways of removing spam without making your users do anything extra. My own plugin uses the techniques of both of these plugins, so don’t use those with mine though.

The simple Math question should stop most bots dead in their tracks, but it’s likely that if a bot maker targets your site directly that they will bypass that fairly easily.
- Miriam Schwab
  
  Well, the above plugins worked like a charm for about a week, and then BAM – we were flooded with spam again. Yuck.
  
  So I installed your plugin, and so far (tfew tfew – the Jewish version of “knock on wood” involves spitting, go figure) no spam! I’m afraid to write a new post mentioning that since spammers might notice and see it as a challenge. Sigh.
  - Ryan Hellyer
    
    Hmmm, well that’s interesting.
    
    I see you are also running the checkbox plugin too.
    
    I’m working on an upgrade at the moment which will let you choose the level of spam protection in the Spam Destroyer plugin, so hopefully if you get inundated again, I’ll have that version ready for you in time 🙂
    
    I also like the idea of making it detect when it’s being inundated with spam and automatically bump up the protection level accordingly. I don’t think I’ll manage to get that implemented any time soon though.
    
    If my plugin stops working, I’m super keen to see some stats on how many wangled their way through and how many were blocked.
    
    At the moment I have no reliable data on exactly how well it’s working other than that it is working almost flawlessly on my own site. So to get some accurate data I’m also building in a (opt-in) stats collection system, so in future I’ll be able to see exactly how well it is working on most of the sites which are using it.
  - Miriam Schwab
    
    I’m only running the checkbox plugin because I didn’t disable it yet. But it wasn’t stopping spam, and since I installed your plugin the spam has really stopped!
    
    I’m happy to share data about how well your plugin is working if I can – anything I can tell you that would be helpful?
  - Ryan Hellyer
    
    Thanks Miriam 🙂
    
    The data I’m keen to see is …
    
    Time period
    Number of spam messages not caught
    Number of spam messages caught
Ryan Hellyer

One more tip … all of these plugins work quite well in concert with Akismet. The other plugins block the bulk of the spam, then Akismet can be used as a back stop for anything that may slip through those other systems. Since it works on a totally different system, the combination can be used to obliterate spam. The other plugins also plummet the number of requests your site makes to the Akismet servers, hence making it a lot cheaper to use Akismet.
Ana Hoffman

Glad you hear that your mom’s comment finally saw the light of day, Miriam – we need to take care of our biggest fans. 🙂

And so glad you found my post!
redwall_hp

Well, “Traffic Generation Cafe” sounds spammy as hell. I’m really not surprised.

And “It’s so nice Miriam!” falls right in with the spam—which I get a ton of—that consists of a plain complement on the post or site. When millions of comments consisting of nothing but a platitude are reported as spam, Akismet’s filters decide that anything following that pattern must be spam.

Akismet is supposed to be based on a Bayesian classifier, like spam filters for email. Every time a comment is reported as spam, it helps the filter “learn” what a spam comment looks like. The filter produces a statistic of the probability that a given comment is “similar” to what is considered spam by the collective users of Akismet. It works really well in my experience, shielding my blogs from thousands of spam comments each month. If anything, it lets spam through more often than I would like.

I can see some serious problems with both of the suggested plugins. Either is trivial for a bot to bypass, if they proved popular enough for spammers to adjust their scripts. GASP would be easily defeated by checking the DOM for a pattern that matches its modifications to the comment form and simply ignoring the inserted field. The math plugin is equally trivial. Simply scape the plain-text security question and add the numbers together before passing them to the appropriate POST field. It doesn’t take any time at all for a computer to add two numbers—we’re talking millionths of a second—it’s what they’re designed for!

The most effective antispam plugins, aside from Akismet—are probably Cookies for Comments and Bad Behavior. But it’s hard to beat Bayesian statistics.
Eric

I’ve had that happen with a few sites I’ve left a comment on and what’s weird is, sometimes I’ll hit the back button and everything shows up just fine.

Technology can mislead us all at times.
Mathew Porter

I must say that Akismet saves me so much time in managing spam comments on my site, but it does sometimes as you experienced mark genuine comments as spam… Might also be worth me taking a look at something else.
- Miriam Schwab
  
  Mathew, since I wrote this post, the above plugins stopped working and spam was getting through in droves. So I implemented Ryan’s plugin: http://wordpress.org/extend/plugins/spam-destroyer/ and it works like a charm (so far). All spam is going into the spam box, and real comments, like yours, are getting through. I highly recommend it.
  - Ryan Hellyer
    
    That’s awesome to hear 🙂
IT support Cavan

Have had this problem on a few occasion can be very frustrating
Robin Jennings

I’m selling really nice XYZ shoes you must buy. Only kidding!

I’ve been looking for some Akismet replacements for a while now especially working with so many community groups that have a budget of zero to fight spam.

Thanks for pointing out some alternatives.
- Miriam Schwab
  
  I’d love to hear about those XYZ shoes. They sound so cool and unique.
  
  🙂

How Akismet prevented my Mom from leaving her first WordPress comment, and some anti-spam alternatives

It might be time to move on from Akismet

Growmap Anti Spambot Plugin (GASP) – so simple, yet so effective

Block Spam by Math Reloaded

Author: Miriam Schwab

Read previous post:

GenerateWP: Code on the go with reliable code for WordPress Custom Post Types, Taxonomies and more