The annoyance of comment spam
Those of you with weblogs offering comment features, please ban the 209.210.176.* range of IP addresses from posting comments. Seems that some Ukrainian porn spammer is using that IP range to spam his site on various weblogs; this guy has hit my site three times in the past week, and out of frustration, I’ve gone ahead and blocked the entire class-C IP from posting comments. Sorry to any legitimate posters who happen to have an IP address in that range, but judging from a Google search, it belongs to an ISP commonly used by spammers; besides, what else is the maintainer of a PG-rated weblog to do?
I didn’t mind it so much when the spammers were promoting sites that, while unethical, were still “safe for work”; I could delete the spams when I got around to them, and though I may not have agreed with the usurping of my blog’s comment pages for advertising purposes, I would have at least felt safe linking to the sites had they not been so unscrupulous. The latest batch of spam has gotten quite a bit racier, however, and it’s enough to make me wish there were an easily implemented, accessible solution to the problem of blog comment spam.
I don’t just want to block comments entirely, as there have been some quite useful comments posted in the past. Nor do I want to use those horribly inaccessible “reverse Turing tests” that force you to enter a random string of characters found in a hard-to-read image; not only are such methods completely inaccessible for blind and text-only users, but they may even cause certain problems for certain sighted users. I’m notorious for transposing digits when I enter numbers, so I wouldn’t want to subject anyone else to it (imagine how difficult those things must be for those with relatively severe cases of dyslexia!), and on top of that, I’ll admit that it’s often difficult to correctly identify the characters in those graphical monstrosities.
There’s always the possibility of having users register and making it so that they’re only able to post once they’ve confirmed their registration via e-mail, and unlike the above-mentioned ways of blocking comment spam, I’d feel somewhat more comfortable implementing it. But what about people who don’t have an e-mail address or who are leery about giving it out?
What I think would be the best approach, at least in my case, would be a moderated commenting system. I already receive notification of comments via e-mail, and I receive just the right number of comments on a typical day to make that a viable option– so why not set it up so that I have to accept or deny each comment before it is actually displayed on my blog? It seems like such a simple idea, and it’s a common practice in message forums and mailing lists. And via a quick Google search, I see that someone has already implemented a primitive hack for that purpose, and there’s a more robust moderation script out there as well.
Then again, there’s always the possibility of just using the simplest solution. Blog spammers seem to always hit mt-comments.cgi with no referring page. Why not just rename that CGI script or block accesses to the comment script without a referrer?
I’m still deciding what would be the best solution, but either way: be warned, spammers, because I’m out to get you.
Edited to add: I ended up changing the file name of the mt-comments script (along with all references to it in the templates) and adding some slight hacks to MovableType to make it easier to delete comment spam directly from the notification e-mail. And I’ll probably be mucking with the new MT-Blacklist plugin when it comes out tomorrow…