Captchas, Anti-spam services, and Bad Behavior

I run this WordPress blog as well as a Drupal-powered forum site and one of the biggest challenges that any webmaster can have is controlling spam — both in comments and user sign-ups.

I used to rely heavily on captchas, and I’ve gone through several captcha and non-captcha systems to try to find the “ideal” solution: One that cut the spam down to nearly nothing as well as not putting too much of a burden on the legitimate users (as to possibly deter them from participating on the site).

Here’s what I’ve tried, and what I’ve learned in the process:

reCAPTCHA (WordPress, Drupal): This service aims to stop bots and spammers by presenting two distorted words that the user must type in.

Pros: As a side effort, the service also aims to help digitize books by using the legitimate users to correctly identify one of the mangled words provided. Also has a feature called “reCAPTCHA Mail Hide” to hide email addresses behind a captcha to keep them from being harvested by web bots.

Cons: reCAPTCHA has one distinct weakness: only ONE of the two words needs to be entered correctly to pass the captcha. Additionally, at least one implementation has a weakness that makes the captcha worthless.

Mollom (WordPress, Drupal, Joomla): Mollom is a text analysis service with a captcha fallback.

Pros: Aims to be unobtrusive. Does not present the user with a captcha unless textual analysis cannot be performed or the submission appears to the service to be spam. Captchas are “cleaner” looking than other services’ (less visual distortion). Audio captchas are available.

Cons: Limitations on the free service, and it does not scale well. The free service only allows 1,000 legitimate posts per day; beyond that it’s 30 EUR/mo/site (around $50 USD). No service uptime guarantee with the free service.

Akismet (WordPress, Drupal): Akismet is a non-captcha anti-spam service that does textual analysis (similar to Mollom) but with no captcha fallback at all.

Pros: Comes installed on all WordPress.COM blogs by default and needs no configuration. Powered and maintained by Automattic, the same team behind WordPress and Gravatar. Suspicious submissions are placed in a moderation queue for the administrator to approve manually, with the option to automatically expire (delete) them after 30 days or so. Easy setup via an API key.

Cons: Akismet weighs input the same across all Akismet-protected sites. This means that someone whose comment on an Akismet-protected blog gets flagged as spam would get the same treatment on an Akismet-protected forum (and every other Akismet-protected site, for that matter) until enough of their comments get marked as false positives for the system to re-learn that the user is not a spammer. I had a user that got hit by this false-positive treatment the first day I implemented Akismet on another site and it became a hassle. When I enabled Akismet on this WordPress site, his comments were still getting flagged as spam. That’s a serious issue for me. (Akismet FAQ)

Defensio (WordPress, Drupal, Facebook): Similar to Akismet, but weighs each source separately, and offers Facebook protection as well.

Pros: Defensio is a service similar to Akismet, but it weighs content from each website (blog, forum, etc.) separately to avoid mistakes. You register each web property you want protected and obtain an API key for each. Slow to learn at first, but avoids the false-positive/false-negative and cross-property disasters I mentioned above with Akismet. This service is a favorite of mine. Additionally offers profanity / file link protections, as well as customizable filters. (Link)

Cons: Slow to learn at first. Might require you to manually flag content until it learns. Currently free, though they mention possibly charging commercial users for the service in the future.
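To make the Akismet-versus-Defensio difference concrete, here is an added illustration (my own constructed model, not either service’s real scoring) of the two ways an author’s reputation can be keyed: globally on the author alone, or per site on the (site, author) pair. It replays the scenario above: an author gets two comments flagged on the forum and then posts on the blog. The `AuthorReputation` class, the `global`/`per_site` scope names and the simple “more spam reports than ham reports” rule are all assumptions made for the example.

```python
from collections import defaultdict


class AuthorReputation:
    """Counts spam and ham (false-positive) reports for an author.

    scope="global"   keys reputation on the author alone (the behaviour the post
                     attributes to Akismet: one flag follows the author everywhere).
    scope="per_site" keys reputation on (site, author) (the behaviour the post
                     attributes to Defensio: each web property learns separately).
    Constructed illustration; not the real model of either service.
    """

    def __init__(self, scope):
        if scope not in ("global", "per_site"):
            raise ValueError("scope must be 'global' or 'per_site'")
        self.scope = scope
        self.spam = defaultdict(int)
        self.ham = defaultdict(int)

    def _key(self, site, author):
        return author if self.scope == "global" else (site, author)

    def report_spam(self, site, author):
        self.spam[self._key(site, author)] += 1

    def report_ham(self, site, author):
        """Administrator marks a comment as a false positive."""
        self.ham[self._key(site, author)] += 1

    def is_flagged(self, site, author):
        """Assumed rule: an author is held for moderation while spam reports outnumber ham reports."""
        key = self._key(site, author)
        return self.spam[key] > self.ham[key]


def cross_site_scenario(scope):
    """Replay the post's scenario under the given scope.

    Returns whether the author is already flagged when first commenting on the
    blog, and how many false-positive reports the blog admin must file before
    the author's comments go through.
    """
    rep = AuthorReputation(scope)
    rep.report_spam("forum", "alice")  # two comments flagged on the forum site
    rep.report_spam("forum", "alice")
    flagged_at_first = rep.is_flagged("blog", "alice")
    ham_reports = 0
    while rep.is_flagged("blog", "alice"):
        rep.report_ham("blog", "alice")  # blog admin un-flags a comment
        ham_reports += 1
    return {"flagged_on_blog_at_first": flagged_at_first,
            "ham_reports_to_clear": ham_reports}


if __name__ == "__main__":
    for scope in ("global", "per_site"):
        print(scope, cross_site_scenario(scope))
```

Under the global scope the author arrives at the blog already flagged and the blog admin has to un-flag two comments before the system “re-learns”; under the per-site scope the blog starts from a clean slate for that author.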

Bad Behavior (WordPress, Drupal, Joomla): Not a captcha or textual analysis service at all; it takes a completely different approach.

Pros: Filters access at the HTTP level, by blocking proxies, historically abusive IP addresses, suspicious user-agents, and malformed requests. Cuts down on bandwidth, spammers, users who are accessing site content through known proxies, etc. Conserves server bandwidth and resources, since a blocked request is never served a page at all. No training required.

Cons: It’s possible that a number of users whose ISPs force proxies may be blocked, but I have not seen evidence that this is happening on my sites.

So there you have it. Personally, I use a combination of Bad Behavior and Defensio on my sites, and I’ve seen a big drop in the amount of spam.

Have experience with one or more of the above? Please share it!


  1. #1 by NMI on June 6, 2010 - 9:18 pm

    Yeah, I constantly kept getting my posts/comments on kirje.org flagged as spam.
    It would have been fine if I was given some eggs to go with that spam, but since I was not and am not a bot, it got annoying.
