(If you missed it: How to deal with Comment Spam, Part 1)

Those evil (more educated) comment spammers who look almost real

Lately I’ve been noticing a trend of spammers who look like they have actually read your post, and respond with a somewhat intelligent comment, not full of spam links.  These can be almost more annoying, because they can slip by automated checks, and because they require more work.  Plus, sometimes you’re not even sure if they are really a spammer.  These will be notable by either a really odd name (like “Boys Birthday Cards” or “Best Home Loans”) which link back to their spam site, or they’ll have a normal name (like “Sue Smith” or “Jessica”) but their name links to something like myspammyloansite.com.

Photo credit: Spam by dok1

So what to do about them?  You can just delete them like normal spam.  But what if they’ve asked a relevant question that other people might want to know the answer to?  Or if other commenters have already responded to their comment?  Then I hate to just delete them.  So…

Well, if you have your comments links set to nofollow (more on that below) you could just leave them.  They aren’t getting any page rank juice out of the link anyway.  But (particularly if the name is suspect) I don’t like to look like I didn’t notice the spam, and I don’t want my readers to click on their name and give them any traffic.  Also, what if a real commenter has just a suspect website name, I’d hate to delete them.

If you’re using WordPress, you can delink them, and even change the name.

De-linking a dubious comment

In WordPress, click on the Comments section in your Dashboard Sidebar.  When you hover over the comment, you’ll see the Quick Edit option.

Click that, and the comment will open for editing.  Delete any suspect links in the URL field, and the comment remains, but is no longer linked to the spam site.  If you want, you can also change a suspect name (like “Cheap Home Loans”) to something like “possible spam, link removed”, but that may be going overboard.  I usually just delete those comments instead.

A little about the nofollow attribute

In the comments for Part 1, we talked about what value spammers get out of leaving Comment Spam, and a commenter brought up that they are trying to get search engine page rank juice out of the comment.  Search engines crawling your site will follow the link and help the spammer move up in search engine rankings.

However, most blogs these days (WordPress and Blogger, at least) automatically add the nofollow attribute to any outgoing links in the comments.  The nofollow attribute tells the search engines not to follow or score the link.  More here: http://en.wikipedia.org/wiki/Nofollow. It was created primarily for the purpose of addressing the comment spam issue.

According to the wiki article, Google, Yahoo, and Bing all pay attention to this.  So leaving comment spam SHOULD NOT help the spammer’s pagerank.

So in theory, having the nofollow attribute enabled should cut down on Comment Spam, if the spammer is paying attention to that.  Unfortunately, spam is cheap, so spammers just hit as many sites as they can, without worrying about whether it’s helping them or not.

The problem with nofollow is that your real commenters don’t get any link juice either, so some sites disable this feature by using dofollow instead. There are pros and cons, and I haven’t really done the research to address it here.  If you’re interested, google is your friend.

But, the basic point is that unless you’ve bypassed nofollow, the spammer is basically not getting any value for his or her links.

Blocking IPs using .htaccess, instead of WordPress settings

The Blacklist feature we discussed in part 1 will stop known bad actors comments appear on your site.  The comments just go straight to Spam.  But that can still be a little annoying, if you have your comments emailed to you.  They still exist, so you’ll still be notified via email.  So once you have a nice little list of IPs in your Blacklist, you can block them from your site, period!

You can do this if you host your own blog and have access to the file structure (like most self-hosted WordPress blogs), and have an .htaccess file (I think if you’re running WP on Unix, you have one – it’s where your ‘Pretty Permalinks’ settings are).

Use your FTP program to locate your .htaccess file, in your main directory (may be www).  Save that file down (save an extra copy of the original- just in case you break something – if you have problems after trying this, just copy the original file back up).

Pull it up in a text editor and add something like the following:

order allow,deny
deny from 91.201.66.6
deny from 110.82.142.143
deny from 122.182.10.212
deny from 120.28.179.165
deny from 203.76.116.66
allow from all

Where each ‘deny from’ line is the IP address of your already identified spammer.

Copy your file back up to the server, and enjoy!

Stopping Trackback Spam

Trackbacks are a great way to see who’s linking to a particular post, and are very useful, but spammers have figured out that Trackbacks are useful to them too, and will create links to your blog just to add a trackback (along with lots of lovely spam links).  Some people turn off trackbacks because of this, and that’s a shame, because they are quite easy to stop, at least on WordPress, with a plugin.  I’m sure there are several out there, but I’ve been using Simple Trackback Validation for a while, and it seems to stop them 99% of the time.  (Simple Trackback Validation Plugin official site)

The settings I recommend:

(Click on the image to the right to see configuration screen with the settings I use for Foodwhirl.com)

How to deal with spam trackbacks: [x] Discard Trackback

(I never want to see the spam or deal with it.)

[x] Validate IP Address (yes)

[x] Validate URL (yes)

Strictness:

[x] Any link beginning with the following URL is allowed

(enter your site’s main URL)

[] Moderate in case of errors (no)

[x] Enable Log (yes)

(Since you’re sending all trackbacks that the plugin finds straight to the trash, it’s nice to have them logged.)

Conclusion

Hopefully these tips will help you manage your comment spam, so it’s less of a headache!  If you have tips or other recommended plug ins, leave them in the comments!

-dot

In my other life where I do web design, I’ve helped my blogger friends figure out how to best manage the deluge, and I figured the rest of you might like some of these insights too.  It’s tailored mostly to WordPress blogs/websites, but some of the tips are universal.  As I started writing it, I realized it was getting pretty long, so here’s Part 1… Part 2 will be coming later in the week!

Photo credit: Spam by dok1

We HATE Spam, but love our readers.

As a blogger, you want to make commenting on your posts as easy as possible for your ‘real’ readers.  But as hard as possible for spammers, and it’s a delicate balance.  On one end of the spectrum is registration only sites–sites where you have to sign up, and in some cases even be verified, prior to posting a comment.  Much less likely to get spammers, but you are likely losing out on valuable real people too.  I know I won’t generally go to the effort to comment on a site I have to sign up for.

On the other side of the coin, with no protections at all, it’s easy for your commenters to post, but spammers (both automated bots and humans) will have a field day.  I was working on a new website for a client once (it wasn’t live yet, but it was accessible on the web), and I hadn’t gotten around to installing any spam protection yet on the blog.  Overnight there were hundreds of automated comments on it, as some spam bot had somehow stumbled across it, and went to town.  I deleted them, no harm done, but if that had been a live active site, what a pain it would have been!

Those evil spam-bots

So, minimally you need protection from bots.  Many sites use some form of a Captcha (what is a captcha?), where the commenter must type in a phrase or something to prove they are a human.  Captcha isn’t perfect, and it can be a little bit of a pain to real users, but it’s pretty standard.  There are other methods too… for my WordPress based sites, like this one, I use a plugin called WP-CaptchaFree, which uses some technology tricks to attempt to identify spam bots and stop them.  I’ve been very happy with it.  There’s also Akismet, which tries to guess which comments are spam, and blocks spammers and is provided with WordPress, but I’ve never used it.

Those evil human comment spammers

Must harder to keep out are actual humans who have chosen to be paid to be spammers-usually from other (3rd world) countries where labor is cheap.  Conveniently, being humans they leave manageable amounts of spam, so cleanup is less of a pain that a bot attack.  But since they are human, they can get around captchas and other things that detect bots. They are quite easy for YOU to detect as spammers because their comment makes no sense or has nothing to do with the post!

So what to do about them? Read on…

Comment Moderation

This is particularly for WordPress blogs, but other blog platforms likely have similar settings.

Moderate Everything: Turning on comment moderation on your blog (in WP this is under the Discussion settings) means that every time someone posts a comment it has to be approved before it can be viewed.  While this will ensure you catch spam before it appears on your blog, it also means more work for you.  And you still have to deal with the spam, it just keeps your readers from seeing it.  Plus you have to approve all your good readers comments as well.  I find this more trouble than it’s worth.

Moderate Some Things: There’s a setting (“Before a Comment Appears” in WordPress) that you only send new commenters (ones which have not had a comment approved before) automatically to moderation.  Depending on how many new commenters you have–If most of your commenters are repeat commenters, this might be a helpful alternative.  But if you get lots of legit new commenters, then this may be more trouble that it’s worth to you.

Moderate Likely Spam only: The Comment Moderation section of your Discussion Settings will let you set which items to send to moderation.  For example, items with more than x number of links (I set mine to 2 or more) are automatically sent to moderation.  Also, you can also pick words that show up typically in spam and not typically in your comments.  You can see I few I have set below.  I just added ‘loan’ to the list, because where I can see that a comment could legitimately contain that word, 80% of my spam comments seem to have it these days!

Comment Blacklist

Once you have a spammer post on your site, you can block their IP so they can’t do so again.  You don’t have to deal with it at all, once they are on the blacklist.  This is helpful because they often come back again and again, once they find your site.  In WordPress, this is also done in the Discussion Settings.

Get the IP of your spammer:  In the Comments section of your WP Dashboard, you can see all the details on your spammer. You’ll note in the example below, our scum has left two comments, under 2 different names, but the IP address is the same.  They left the second one a day after the first.  We don’t want to deal with this IP again, so copy it (it’s highlighted in yellow below).

You’ll need to add this IP to the Comment Blacklist section:

Just add the IP to the list, and their comments will never appear, they’ll just go automatically to your Spam folder.  The only downside to this method is that you still may receive email notifications of the comment, even though it never appears on the site.

Coming in part 2…

• Those evil (more educated) comment spammers who look almost real
• De-linking a dubious comment
• Blocking IPs using .htaccess, instead of WordPress settings
• Stopping Trackback Spam

So stay tuned!

(Don’t want to miss anything? Get the RSS Feed)