

Matt Mullenweg announced Akismet yesterday.  It’s a comment-spam defense system for WordPress, and I’ve been using it for a few weeks now.  (This is why Gatekeeper disappeared from the site near the beginning of the month.)  It isn’t perfect, but it’s darned close, and it’s been getting better as time has progressed.  That’s one of the promised features: the longer it’s used and the more people who use it, the better it gets.

I don’t pretend to understand all the details of Akismet’s workings, although I have a fairly good idea of how it works.  I have some concerns, mostly in that it seems like spammers could poison the well by injecting tons of false “not spam” data into the service in order to get their messages through.  I also worry about attacks on the service itself.

Furthermore, I have to say it’s a bit frustrating that you have to have an API key, which means you have to have an account, which means it’s not a one-stop plug-and-play solution.  (Especially since getting an account is, currently, an invitation-only sort of thing.)  On the other hand, having to have an account probably confers some control advantages—if an account is found to be consistently marking things as “not spam” when everyone else is marking them spam, it can be kicked out of the service.
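
The account-level check speculated about above, sketched as an added example: it flags an API key whose verdicts keep disagreeing with what the other keys say about the same comments. This is not Akismet's code; the report format, the thresholds and the function name are assumptions made for illustration.

```php
<?php
// Added illustration; not Akismet's logic. Names and thresholds are hypothetical.
const MIN_REPORTS  = 3;    // ignore keys with too little comparable history
const MAX_DISAGREE = 0.6;  // flag keys that disagree more often than this

// $reports: list of [api_key, comment_fingerprint, verdict], verdict 'spam' or 'ham'.
// Assumes each key reports a given fingerprint at most once.
function flag_outlier_keys(array $reports): array {
    $votes = [];                       // fingerprint => ['spam' => n, 'ham' => n]
    foreach ($reports as [$key, $fp, $verdict]) {
        $votes[$fp] ??= ['spam' => 0, 'ham' => 0];
        $votes[$fp][$verdict]++;
    }
    $stats = [];                       // key => [compared, disagreed]
    foreach ($reports as [$key, $fp, $verdict]) {
        // Leave-one-out: drop this key's own vote before taking the majority,
        // so a key cannot agree with itself.
        $others = $votes[$fp];
        $others[$verdict]--;
        if ($others['spam'] === $others['ham']) continue;   // no clear consensus
        $majority = $others['spam'] > $others['ham'] ? 'spam' : 'ham';
        $stats[$key] ??= [0, 0];
        $stats[$key][0]++;
        if ($verdict !== $majority) $stats[$key][1]++;
    }
    $flagged = [];                     // key => disagreement rate
    foreach ($stats as $key => [$n, $bad]) {
        if ($n >= MIN_REPORTS && $bad / $n > MAX_DISAGREE) {
            $flagged[$key] = round($bad / $n, 2);
        }
    }
    return $flagged;
}

// Constructed reports: k4 marks everything "ham", including three comments
// that the other three keys all call spam.
$reports = [];
foreach (['k1', 'k2', 'k3'] as $k) {
    foreach (['c1' => 'spam', 'c2' => 'spam', 'c3' => 'spam', 'c4' => 'ham'] as $fp => $v) {
        $reports[] = [$k, $fp, $v];
    }
}
foreach (['c1', 'c2', 'c3', 'c4'] as $fp) $reports[] = ['k4', $fp, 'ham'];
print_r(flag_outlier_keys($reports));
```

The minimum-history threshold keeps a single honest disagreement from flagging a new key, and ties are skipped so a comment with no clear consensus counts against nobody.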

Some have raised privacy concerns because every comment submitted to your site gets analyzed by the Akismet service.  This doesn’t bother me, but it might some.

Overall, I’ve been pretty happy with Akismet.  It has let through less spam than Gatekeeper did in the weeks before I disabled it and all my other anti-spam measures to test out Akismet.  You’d think a Gatekeeper setup wouldn’t let anything through, but you’d be wrong; I assume there was a hole in my PHP.  Akismet may not be the end-all solution—after all, if it becomes effective enough, the spammers will have major incentives to defeat it, and will most likely find ways to do so—but it seems to be working very well for now.

13 Responses»

    • #1
    • Pingback
    • Thu 27 Oct 2005
    • 0145
    Received from soeren says » Blog Archive » Akismet — goodbye to comment spam

    […] .com account required for the API key, so the system is invite-only right now. Eric Meyer has this to say: [..] It isn’t perfect, but it’s darned close, and it’s been getting […]

    • #2
    • Comment
    • Thu 27 Oct 2005
    • 0223
    Matt wrote in to say...

    Thanks for testing out Akismet. We have some pretty strong protections against people poisoning the system, both from malicious users with API keys and spammers who sprinkle in legitimate links or content. So far it has held up well. The good news is that as the spammers evolve, and they always will, we can adapt just as quickly. :)

    The API key is pretty central to be able to scale things out and have an identity attached to things in the system. Think of it not as signing up for a blog, but more like getting an account at Yahoo or Google, you might not use it very much but when you do it’s awfully handy.

    Privacy is an issue I’m giving a lot of thought to, we have plain English terms up right now that I hope we can refine with the community before getting the unreadable legalese done.

    • #3
    • Pingback
    • Thu 27 Oct 2005
    • 0432
    Received from rollsroick: roicksBLOG » Akismet.

    […] who have looked into the plugin a little more closely, there are some from: Eric Meyer Richard Boakes and Ben Gillbanks

    Filed under: Wordpr […]

    • #4
    • Comment
    • Thu 27 Oct 2005
    • 1204
    elgato wrote in to say...

    I don’t see where akismet is any better than Spam Karma. Having Spam Karma already installed and working absolutely wonderfully, what about akismet would convince someone in my situation to switch? There already seem to be two points that are discouraging me from adopting akismet: 1) a central server. Eggs in one basket, so to say. Bad idea in my book. 2) key. Why? The greater objection, I should note, is the centralized server. I can’t object too much to the key, having a yahoo account for using Adium, an AIM ID, etc.

    I’m a pretty big fan of distributed systems – spreading the workload and allowing for failover should one fail – something exemplified by the open source community and the blogging community. So I naturally have hesitations in seeing a central server required.

    I can be convinced to try it out or to change. If it turns out to be the greatest thing since sliced bread, well, who am I to argue with success?

    • #5
    • Pingback
    • Fri 28 Oct 2005
    • 0748
    Received from UGgallery » Journal Archive » Akismet. A comment spam protection system.

    […] and in order to get a certain “API-key”, which, according to Eric Meyer, may be needed when work […]

    • #6
    • Comment
    • Fri 28 Oct 2005
    • 1509
    khaled wrote in to say...

    Surprised Matt didn’t mention that all you need to do to get an account is download Flock. Strange, doesn’t seem like much hassle if you ask me.

    • #7
    • Comment
    • Sat 29 Oct 2005
    • 2325
    Ben Hamilton wrote in to say...

    No, getting an account is not a big hassle, no, using Flock is not a big hassle. But some of us prefer not to.

    I’m using wordpress on a number of sites, I’ve tested gatekeeper, didn’t work on my server (as noted in the documentation). But SpamKarma and Bad Behaviour have worked perfectly on every site I’ve tried them on.

    I commend Matt for creating better tools, that are widely available, I’m glad Eric’s written all that he has (thoughts & code), but at the end of the day, having a selection of tools to choose from is far better than having a monopoly control our decisions.

    • #8
    • Comment
    • Sun 30 Oct 2005
    • 0812
    Geoffrey Sneddon wrote in to say...

    Personally I use my own modifications to WordPress: creating a random key (which is passed on as a hidden input field) then making sha1 hashes of that string + some unique identifiers on the end. In wp-comments-post.php I start off by getting the key, then have $_POST[sha1($key . 'blah')];

    Couple on top of that the moderate trackbacks and moderate pingbacks plugins, I have what has proved to be over the past 6 months, a completely bullet-proof anti-spam system.

    • #9
    • Pingback
    • Sun 30 Oct 2005
    • 1332
    Received from The Bangus Supremacy » A Better Spam Trap

    […] ’s tied to a central server somewhere, using data submitted by other people (I share Eric Meyer’s reservation that spammers could try to “poison the well”) 2 […]

    • #10
    • Comment
    • Sun 30 Oct 2005
    • 2308
    Matt wrote in to say...

    Geoffrey, I used to do the same thing, in fact I wrote a plugin to do so called “Spam Stopgap” way back in the day. However it was a matter of weeks before spammers started working around this once more than a few people started using it.

    • #11
    • Comment
    • Mon 31 Oct 2005
    • 1304
    Geoffrey Sneddon wrote in to say...

    Matt, I think the problem with that is a limitation of WP: You can’t actually change the name attributes of the author, email, url, and comment inputs because the plugins are executed after you’ve checked if they’re empty and you can’t change the trim($_POST[]) to things like trim($_POST['blah']);

    Here’s my suggestion: When you install WP it creates 4 random strings and puts them in wp_options. In the template you have <?php wp_get_author_name(); ?> and so on. Then, in wp-comments-post.php just have:
    $comment_author = trim($_POST[get_settings('author_name')]);
    $comment_author_email = trim($_POST[get_settings('email_name')]);
    $comment_author_url = trim($_POST[get_settings('url_name')]);
    $comment_content = trim($_POST[get_settings('content_name')]);
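
The randomized-field-name idea from comments #8 and #11, taken a step further as an added example (not code from the commenters, WordPress or any plugin): the names are derived per rendered form with an HMAC under a server-side secret, and the form token expires. SITE_SECRET, FIELD_TTL, the form_token field and all function names are hypothetical.

```php
<?php
// Added illustration, not WordPress, Gatekeeper or Spam Stopgap code.
// SITE_SECRET, FIELD_TTL and every function name here are hypothetical.
const SITE_SECRET = 'replace-with-a-long-random-server-side-value';
const FIELD_TTL   = 3600; // seconds a rendered form stays valid

// Token for one rendered form: "<issued-at>.<nonce>.<mac>".
function issue_form_token(int $now): string {
    $payload = $now . '.' . bin2hex(random_bytes(8));
    return $payload . '.' . hash_hmac('sha256', $payload, SITE_SECRET);
}

// Field names depend on the token and the server secret, so they change per
// form and cannot be computed from the hidden input alone.
function field_name(string $token, string $label): string {
    return 'f' . substr(hash_hmac('sha256', $token . '|' . $label, SITE_SECRET), 0, 16);
}

// Returns the trimmed comment fields, or null when the token is forged or
// stale, or the randomized fields are absent.
function read_comment(array $post, int $now): ?array {
    $token = $post['form_token'] ?? '';
    $parts = is_string($token) ? explode('.', $token) : [];
    if (count($parts) !== 3) return null;
    [$issued, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', $issued . '.' . $nonce, SITE_SECRET);
    if (!hash_equals($expected, $mac)) return null;
    if (!ctype_digit($issued) || $now - (int)$issued > FIELD_TTL) return null;
    $out = [];
    foreach (['author', 'email', 'url', 'content'] as $label) {
        $name = field_name($token, $label);
        if (!isset($post[$name]) || !is_string($post[$name])) return null;
        $out[$label] = trim($post[$name]);
    }
    return $out;
}

// Constructed requests: a post from a freshly rendered form, and a blind post
// to fixed field names.
$now   = 1130700000;
$token = issue_form_token($now);
$good  = ['form_token' => $token];
foreach (['author' => 'Ann', 'email' => 'ann@example.com', 'url' => '', 'content' => 'Hi'] as $k => $v) {
    $good[field_name($token, $k)] = $v;
}
$blind = ['author' => 'x', 'email' => 'x@example.com', 'url' => '', 'comment' => 'x'];
var_dump(read_comment($good, $now + 60));
var_dump(read_comment($blind, $now + 60));
var_dump(read_comment($good, $now + FIELD_TTL + 1));
```

This rejects blind posts to fixed field names and replays of stale forms; a client that fetches and parses each form first still passes, so it is a speed bump rather than a filter.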

    • #12
    • Pingback
    • Fri 4 Nov 2005
    • 2349
    Received from Anabasis » Blog Archive » Details on WP-Gatekeeper 1.5 RC4’s auto-injection bug

    […] bout it, but I know he’s buried in email and that his current choice of speedbump is Akismet. I can consistently reproduce the bug, but have not found a fix. Short version: W […]

    • #13
    • Comment
    • Sun 6 Nov 2005
    • 0831
    Steph_B wrote in to say...

    I think Akismet is the best automated spam killer that actually gets better as it learns from the whole community marking new spam comments as spam. It just WORKS.
