Why do I get comment spam even with Akismet and Captcha?

I’m a bit perplexed why I keep getting so many spam comments …


Even though I use both the Akismet and WP-reCAPTCHA plugins on my WordPress blog!

  • WP-reCAPTCHA should stop machine entered spam, but I understand spam entered by human beings will still get through — and there are more and more human being spam farms, it is true.

  • Akismet (which is built in to WordPress!) should match any common spam URLs in something like real time plus or minus four hours, right? It’s a collaborative world-wide URL blacklist.

I verified that both Akismet and WP-reCAPTCHA are set up, enabled, and have valid API keys. Am I doing something wrong? Do I misunderstand how WordPress works?


9 comments

  1. On the Akismet side, a few things to note. First, in wp-admin under ‘Plugins -> Akismet Configuration’ is everything green? You mentioned that you confirmed the API key is correct. Did you check the ‘Server Connectivity’ section? All of the IP addresses listed should be green. If not, then your server isn’t able to make the needed requests to akismet.com to determine if a comment is spam or not.

    The second, as Nakodari noted, make sure that you mark any comments that Akismet missed as spam. This allows Akismet to learn. If spam comments have been missed, or marked by some other plugin as legit then you may be throwing off Akismet’s results for your site.

    Third, are there any other plugins on the site that could be interfering with Akismet? You mentioned WP-reCAPTCHA. Have you confirmed that WP-reCAPTCHA and/or any other plugins on the site are not preventing Akismet from doing its job?

    As always you are welcome to drop us a line – http://akismet.com/contact/ – for Akismet related items.

  2. “WP-reCAPTCHA should stop machine entered spam”

    Sorry Jeff, there are any number of nefarious sites out there that provide easy programmatic APIs for breaking CAPTCHAs. Sadly, a lot of these are done by people in real time, but to a bot that is just an implementation detail.

    Here is one: http://www.kourkouta.com/service.php

    A while back I wrote an automated program to play Mob Wars (lame I know) for me on Facebook using Selenium RC. Eventually the guy started introducing CAPTCHAs and I ventured into the dark side. I found some shady off-shore company that offered a FREE web service you could upload CAPTCHA images to and get the result. I integrated that into my program, and it never missed a beat.

    Anyway, just saying that most CAPTCHAs are little more than a digital nuisance that bots will go sailing past.

    And didn’t you write a blog entry once upon a time telling bloggers the most effective way to deal with Spam was to just read your comments and delete the spam 😉 I think you may have even used a gardening metaphor. But I suppose it is a different world for you now… economies of scale and all.

    UPDATE:

    Here is the quote and the citation you requested:

    I’ve had plenty of experience with blacklists. A minuscule percentage of spammers have the resources to bypass my naive CAPTCHA. They hire human workers to enter spam comments. That’s why I enter URLs into a blacklist every week on this very site. It’s an ugly, thankless little thing, but it’s necessary. I scrutinize every comment, and I remove a tiny percentage of them: they might be outright spam, patently off-topic, or just plain mean. I like to refer to this as weeding my web garden.

    It’s a productivity tax you pay if you want to grow a bumper crop of comments, which, despite what Joel says, often bear such wonderful fruit. The labor can be minimized with improved equipment, but it’s always there in some form. And I’m OK with that. The myriad benefits of a robust comment ecosystem outweigh the minor maintenance effort.

  3. Welcome to the greater Internet! WP-reCAPTCHA can do nothing because most creative spams are human generated. Akismet should be able to catch them but they cannot do it unless their database is updated which I believe is updated every month or week, not sure.

    One way I have found to eliminate such spams is to MARK them as Spam. WordPress provides this option for a reason. I have noticed that once I mark these comments as SPAM in the latest version of WordPress, they never come back. The next time a similar comment is found, it automatically gets added in the “Spam Comments” section.

    I hope this helps!

  4. I think the amount of people doing data entry commenting (see hundreds of jobs out there…: http://www.freelancer.com/projects/by-job/Forum-Posting.html ) will defeat the purpose here of a spam checker. They are used on many different workplaces and each time “new jobs” are offered to other people.

    I think it is best to in the first place remove the websites they drop and all href tags so even if it succeeds it is useless.

    Maybe some new global indicator “you can not post links here” is needed which they can check by a giant logo and that will leave your site alone 🙂

    P.S. These job boards teach me lots of new terminology, e.g. “need 500 Web 2.0 style profile pages created using the Angela/Paul/Terry Kyle Profile link building method. If you dont know what this is please dont bid.” WTF is an Angela/Paul Terry Kyle profile??

  5. “…spam entered by human beings will still get through — and there are more and more human being spam farms, it is true…”

    This is the price of success.

    There are indeed “farms” out there, esp. in third-world countries, that hire folks for pennies per hour to copy/paste/post comments and links in popular blogs.

    Unfortunately your best option for eliminating these as much as possible is to require some kind of authentication (OpenID, Facebook Connect etc.).

  6. The other way to stop bots is through the ‘hidden input field’ – i.e. a field that is hidden from view and is made obvious for screen readers that it shouldn’t be used, but if it is filled out then the comment is ignored.

    wpmu.org have a good review of the Spam Destroyer plugin by Ryan Hellyer which should do just that as well as using a cookie.
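
The hidden-field check described in comment 6 and the link removal suggested in comment 4, sketched as a small WordPress plugin. This is an added example, not code from the thread or from the Spam Destroyer plugin; the `hp_example_` function names and the decoy field name are hypothetical.

```php
<?php
/*
 * Plugin Name: Comment honeypot (added example)
 * Every hp_example_* name below is hypothetical.
 */

// Comment 6: print a decoy field after the normal comment fields. It is moved
// off-screen for sighted visitors, and its label tells screen-reader users to
// leave it empty. Bots that fill every input will populate it.
function hp_example_render_field() {
    echo '<p style="position:absolute;left:-9999px">'
        . '<label for="hp_example_field">Leave this field empty</label>'
        . '<input type="text" name="hp_example_field" id="hp_example_field"'
        . ' value="" tabindex="-1" autocomplete="off">'
        . '</p>';
}
add_action( 'comment_form_after_fields', 'hp_example_render_field' );

// Reject the submission before it is stored if the decoy has a value.
function hp_example_check_field( $commentdata ) {
    if ( ! empty( $_POST['hp_example_field'] ) ) {
        wp_die( 'Comment rejected.', 'Comment rejected', array( 'response' => 403 ) );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'hp_example_check_field' );

// Comment 4: make dropped links worthless. Discard the commenter's website
// field, strip <a> tags from the body (the link text stays), and stop
// WordPress from turning bare URLs into links when the comment is displayed.
add_filter( 'pre_comment_author_url', '__return_empty_string' );

function hp_example_strip_anchors( $content ) {
    return preg_replace( '#</?a\b[^>]*>#i', '', $content );
}
add_filter( 'pre_comment_content', 'hp_example_strip_anchors' );

remove_filter( 'comment_text', 'make_clickable', 9 );
```

The decoy field only catches automated form fillers; comments typed by people still reach Akismet and the moderation queue, where the link removal limits what a successful post is worth.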