If you’re being tortured by comment spam on your WordPress blog, have a look at Akismet, the plugin from the folks who brought you, well, WordPress.
The secret sauce: cooperation. Akismet relies on clever folks like you and me to help teach it what is and isn’t spam. The more we identify spammy comments (and exonerate legitimate ones), the smarter Akismet gets… and it’s already plenty smart.
It comes as part of the default WordPress 2.0 installation, but you can also download and install the plugin for WordPress 1.5. Using it couldn’t be easier, except for one small quirk: you have to get a key (a randomized string of 12 characters and numbers) to activate it, and you can only get that by setting up a free WordPress.com blog. (Which you can then promptly abandon.)
I enabled Akismet yesterday, at the height of a flurry of spam. Since then, Akismet has flagged 68 comments as spam – and not one of them was legitimate. A single spammy comment got through; when I manually flagged it, I had a pleasant little rush of satisfaction, knowing I was making some small contribution to this ongoing battle.
As of a week ago, Akismet had blocked two million pieces of spam. I’m glad I can’t say the same; Akismet is helping to ensure I never will.
This is actually one of those applications where relying on the so-called wisdom of crowds is not a bad idea. The question “is this comment spam?” is one where there’s a widely agreed-upon and widely understood answer, and one where legitimate users are almost certainly going to answer honestly as they do not appreciate spam.
This contrasts with some naive ideas, like asking people who they think will be elected in riding X, a question that most respondents will not be able to answer in an informed way, and where the likelihood that the question will not be answered honestly is rather high. (People will give bogus answers for malicious reasons, either to play up their party or muck with the system.) Yes, I thought that the election mashup was a poorly-conceived idea; the energy expended therein would be better spent helping Election Prediction Project, whose track record is far better thanks to the use of human-powered bullshit detection, to improve its appearance and add some features.
The big question is whether Akismet itself has some defences against spam houses flooding its database with false negatives or other sorts of attacks and abuse. If they haven’t sufficiently prepared, and the spammers do poison their data (and past history suggests that they will), then Akismet will become far less useful. If it’s not bogus data, it’s DoS attacks; if it’s not that, it’s something else. Mark Pilgrim’s warnings from 2003 are still apropos.
Here’s a dilemma that applies broadly to security concerns, not just to spam: how do you balance the transparency required for trust with the need to conceal information from potential abusers?
Akismet’s FAQ asks, “What stops the system from being gamed?” and answers,
The proof will have to be in the pudding (to swap food metaphors); you won’t get to read the recipe or assess the ingredients for yourself. That said, you get to see comments before they’re deleted, and have the chance to flag them as “not spam”. The worst that can happen, at least in theory, is that some spam will slip through — in which case human comment moderation comes into play.
Then again, with millions of dollars on the line, spammers are highly motivated to find a way around it (or, as you mention, to poison the well).
Either way, I wish Akismet could find a way to deliver a powerful electrical shock to whoever’s sending me the “Children love Floam!” e-mail. Spam is one area where some dark part of me wants the phrase “killer app” to take on a lethally literal meaning.