Published 12 years, 4 months ago

Matt Mullenweg announced Akismet yesterday.  It’s a comment-spam defense system for WordPress, and I’ve been using it for a few weeks now.  (This is why Gatekeeper disappeared from the site near the beginning of the month.)  It isn’t perfect, but it’s darned close, and it’s been getting better as time has progressed.  That’s one of the promised features: the longer it’s used and the more people who use it, the better it gets.

I don’t pretend to understand all the details of Akismet’s workings, although I have a fairly good idea of how it works.  I have some concerns, mostly in that it seems like spammers could poison the well by injecting tons of false “not spam” data into the service in order to get their messages through.  I also worry about attacks on the service itself.

Furthermore, I have to say it’s a bit frustrating that you have to have a wordpress.com API key, which means you have to have a wordpress.com account, which means it’s not a one-stop plug-and-play solution.  (Especially since getting an account is, currently, an invitation-only sort of thing.)  On the other hand, having to have an account probably confers some control advantages—if an account is found to be consistently marking things as “not spam” when everyone else is marking them spam, it can be kicked out of the service.

Some have raised privacy concerns because every comment submitted to your site gets analyzed by the Akismet service.  This doesn’t bother me, but it might some.

Overall, I’ve been pretty happy with Akismet.  It has let through less spam than Gatekeeper did in the weeks before I disabled it and all my other anti-spam measures to test out Akismet.  You’d think a Gatekeeper setup wouldn’t let anything through, but you’d be wrong; I assume there was a hole in my PHP.  Akismet may not be the end-all solution—after all, if it becomes effective enough, the spammers will have major incentives to defeat it, and will most likely find ways to do so—but it seems to be working very well for now.

  1. […] .com account required for the API key, so the system is invite-only right now. Eric Meyer has this to say: [..] It isn’t perfect, but it’s darned close, and it’s been getting […]

  2. Thanks for testing out Akismet. We have some pretty strong protections against people poisoning the system, both from malicious users with API keys and spammers who sprinkle in legitimate links or content. So far it has held up well. The good news is that as the spammers evolve, and they always will, we can adapt just as quickly. :)

    The WordPress.com API key is pretty central to be able to scale things out and have an identity attached to things in the system. Think of it not as signing up for a blog, but more like getting an account at Yahoo or Google, you might not use it very much but when you do it’s awfully handy.

    Privacy is an issue I’m giving a lot of thought to, we have plain English terms up right now that I hope we can refine with the community before getting the unreadable legalese done.

  3. […] that have dealt with the plugin a little more intensively come from: Eric Meyer Richard Boakes and Ben Gillbanks

    Filed under: Wordpr […]

  4. I don’t see where akismet is any better than Spam Karma. Having Spam Karma already installed and working absolutely wonderfully, what about akismet would convince someone in my situation to switch? There already seem to be two points that are discouraging me from adopting akismet: 1) a central server. Eggs in one basket, so to say. Bad idea in my book. 2) WordPress.com key. Why? The greater objection, I should note, is the centralized server. I can’t object too much to the wp.com key, having a yahoo account for using Adium, an AIM ID, etc.

    I’m a pretty big fan of distributed systems – spreading the workload and allowing for failover should one fail – something exemplified by the open source community and the blogging community. So I naturally have hesitations in seeing a central server required.

    I can be convinced to try it out or to change. If it turns out to be the greatest thing since sliced bread, well, who am I to argue with success?

  5. […] and in order to get a certain “API-key”, which, according to Eric Meyer, may be needed when work […]

  6. Surprised Matt didn’t mention that all you need to do to get a WordPress.com account is download Flock. Strange, doesn’t seem like much hassle if you ask me.

  7. No, getting a WP.com account is not a big hassle, no, using Flock is not a big hassle. But some of us prefer not to.

    I’m using wordpress on a number of sites, I’ve tested gatekeeper, didn’t work on my server (as noted in the documentation). But SpamKarma and Bad Behaviour have worked perfectly on every site I’ve tried them on.

    I commend Matt for creating better tools, that are widely available, I’m glad Eric’s written all that he has (thoughts & code), but at the end of the day, having a selection of tools to choose from is far better than having a monopoly control our decisions.

  8. Personally I use my own modifications to WordPress: creating a random key (which is passed on as a hidden input field) then making sha1 hashes of that string + some unique identifiers on the end. In wp-comments-post.php I start off by getting the key, then have $_POST[sha1($key . 'blah')];

    Couple on top of that the moderate trackbacks and moderate pingbacks plugins, I have what has proved to be over the past 6 months, a completely bullet-proof anti-spam system.

  9. […] ’s tied to a central server somewhere, using data submitted by other people (I share Eric Meyer’s reservation that spammers could try to “poison the well”) 2 […]

  10. Geoffrey, I used to do the same thing, in fact I wrote a plugin to do so called “Spam Stopgap” way back in the day. However it was a matter of weeks before spammers started working around this once more than a few people started using it.

  11. Matt, I think the problem with that is a limitation of WP: You can’t actually change the name attributes of the author, email, url, and comment inputs because the plugins are executed after you’ve checked if they’re empty and you can’t change the trim($_POST[]) to things like trim($_POST['blah']);

    Here’s my suggestion: When you install WP it creates 4 random strings and puts them in wp_options. In the template you have <?php wp_get_author_name(); ?> and so on. Then, in wp-comments-post.php just have:
    $comment_author = trim($_POST[get_settings('author_name')]);
    $comment_author_email = trim($_POST[get_settings('email_name')]);
    $comment_author_url = trim($_POST[get_settings('url_name')]);
    $comment_content = trim($_POST[get_settings('content_name')]);

  12. […] bout it, but I know he’s buried in email and that his current choice of speedbump is Akismet. I can consistently reproduce the bug, but have not found a fix. Short version: W […]

  13. I think Akismet is the best automated spam killer that actually gets better as it learns from the whole community marking new spam comments as spam. It just WORKS.
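
The hidden-key and hashed-field-name scheme described in comments 8 and 11, written out as an added example; it is not code from any commenter or from WordPress. FORM_SECRET, the hidden field name 'k', the function names, and the HMAC and expiry on the key are assumptions made for this sketch.

```php
<?php
// Added illustration; FORM_SECRET, 'k' and all function names are hypothetical.
const FORM_SECRET = 'replace-with-a-random-per-site-secret'; // constructed value
const FIELDS = ['author', 'email', 'url', 'comment'];

// Per-form key "nonce.timestamp.mac": nothing is stored server side, yet forged
// or stale keys are rejected (the MAC and expiry are additions to comment 8).
function issue_form_key(int $now): string {
    $body = bin2hex(random_bytes(8)) . '.' . $now;
    return $body . '.' . hash_hmac('sha256', $body, FORM_SECRET);
}

function key_is_valid(string $key, int $now, int $maxAge = 3600): bool {
    $p = explode('.', $key);
    if (count($p) !== 3 || !ctype_digit($p[1])) {
        return false;
    }
    $mac = hash_hmac('sha256', $p[0] . '.' . $p[1], FORM_SECRET);
    $age = $now - (int) $p[1];
    return $age >= 0 && $age <= $maxAge && hash_equals($mac, $p[2]);
}

// Comment 8: each input's name attribute is sha1(key . identifier).
function field_names(string $key): array {
    return array_combine(FIELDS, array_map(fn($f) => sha1($key . $f), FIELDS));
}

// Role of wp-comments-post.php: trimmed fields, or null when the key is bad
// or a hashed field is missing (a submission using fixed names lands here).
function read_comment(array $post, int $now): ?array {
    $key = $post['k'] ?? '';
    if (!is_string($key) || !key_is_valid($key, $now)) {
        return null;
    }
    $out = [];
    foreach (field_names($key) as $field => $name) {
        if (!isset($post[$name]) || !is_string($post[$name])) {
            return null;
        }
        $out[$field] = trim($post[$name]);
    }
    return $out;
}

// Constructed sample input: one form-derived submission, one with fixed names.
$now = time();
$key = issue_form_key($now);
$n = field_names($key);
$good = ['k' => $key, $n['author'] => ' Ann ', $n['email'] => 'a@example.com',
         $n['url'] => '', $n['comment'] => 'Nice post'];
var_dump(read_comment($good, $now), read_comment(['author' => 'x'], $now));
```

This filters only submissions that did not come from a freshly rendered form, which matches the limitation comment 10 reports.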
