Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Vlad Lasky: Beating SPAM on your Blog or Website

Vlad Lasky: Beating SPAM on your Blog or Website

Most spam today is machine-generated by automated programs or “spambots” that trawl the net, but human spammers still play a part.

Vlad’s slides show how we can reduce the incidence of spam on our WordPress sites without impeding the ability of clients, customers and website visitors to communicate, comment and contribute to your site.

WP Australia

April 28, 2013
Tweet

More Decks by WP Australia

Other Decks in Technology

Transcript

  1. 1
    Beating Spam On Your WordPress Site
    Beating Spam On Your WordPress Site
    Vladimir Lasky
    http://wpexpert.com.au/
    WordCamp Melbourne 2013

    View Slide

  2. 2
    What is Spam?
    What is Spam?
     Unsolicited and often untargeted electronic
    communication
     Persistent phenomena due to the extremely low
    marginal cost of sending it over the Internet
     Even a minuscule response rate from targets
    makes it profitable

    View Slide

  3. 3
    What Do Spammers Want?
    What Do Spammers Want?
     To get recipients of spam emails to purchase
    products and services. Common examples:
    – “Get Rich Quick” schemes
    – Products to enhance reproductive organs or
    reproduction process
    – Weight loss
     To take advantage of the ranking/popularity of
    your site to promote theirs
    – If your site gets many visitors and/or ranks highly in
    search engines, they will receive a portion of your
    traffic

    View Slide

  4. 4
    Why is Spam Evil?
    Why is Spam Evil?
     A parasitic phenomenon
     Wastes owners time in dealing with emails and
    moderating comments
     comments and discussion boards less useful to
    website visitors
     Search Engines lower the rank of websites that
    link to spamblogs and low quality sites
     Increases load on web servers and eats through
    data transfer and storage quotas

    View Slide

  5. 5
    Types of Spam
    Types of Spam
     Types of spam that WordPress site
    owners often encounter include:
    – WordPress Comment spam
    – Trackback spam
    – Contact form spam
    – Email spam

    View Slide

  6. 6
    Comment Spam Example
    Comment Spam Example

    View Slide

  7. 7
    Trackback Spam Example
    Trackback Spam Example

    View Slide

  8. 8
    100% Surefire Plan To Prevent Website Spam
    100% Surefire Plan To Prevent Website Spam
    1. Don’t publish your email address
    2. Don’t have a contact form on your website
    3. Don’t let visitors comment on posts
    4. Disable trackbacks/pingbacks

    View Slide

  9. 9
    Our More Practical Spam Reduction Plan
    Our More Practical Spam Reduction Plan
     Promoting visitor engagement by making it
    easy to communicate, comment or provide
    feedback
     Preventing and Detecting attempts to leave
    spam to the best of our ability using free
    automated tools wherever possible

    View Slide

  10. 10
    Know Your Enemy
    Know Your Enemy
     Spambots
    – Automated computer programs running on
    servers that trawl the internet and post spam
    – The vast bulk of today’s spam
     Human Spammers
    – People who manually post spam, often are paid to
    do this

    View Slide

  11. 11
    Spambots (Machine-Generated Spam)
    Spambots (Machine-Generated Spam)
     Strengths
    – Very fast, can bombard lots of websites in a given
    period of time
     Weaknesses
    – Only can do what they are programmed to do
    – Can only adapt to countermeasures by being
    reprogrammed

    View Slide

  12. 12
    Human Spammers (Human-Generated Spam)
    Human Spammers (Human-Generated Spam)
     Strengths
    – Humans can adapt and work around many anti-spam
    measures
     Weaknesses
    – Slow – usually must visit websites in a browser
    – Expensive for spammers to employ humans
    – People employed to spam often have a limited education
    and can be tricked using intellectual means

    View Slide

  13. 13
    Email Spam
    Email Spam
     Problem:
    – Email harvesting robots trawl the net scanning websites for
    email addresses, which are then sent spam emails
     Common Mitigation:
    – Not publishing email address, relying on contact form
     Side Effects:
    – Not having a visible email address on your website lowers
    response rates

    View Slide

  14. 14
    Comment Form Spam
    Comment Form Spam
     Problem:
    – Spammers leave comments on posts
     Common Mitigation:
    1. Not have comments
    2. Require comments to be approved before publication
    3. Use a CAPTCHA
     Side Effects:
    1. No participation
    2. Reduces participation
    3. Moderation time

    View Slide

  15. 15
    What is a CAPTCHA?
    What is a CAPTCHA?
     A test designed to distinguish between a human visitor
    and a bot (computer program).
    – E.g. Asking the user to type a distorted randomly picked phrase
    contained within an image, difficult for a computer to extract
     When used on a web page, normally placed at the
    bottom of a form, before the submit button.

    View Slide

  16. 16
    Should You Use CAPTCHAs?
    Should You Use CAPTCHAs?
     No longer recommend
     Legitimate visitors often find image-based
    CAPTCHAs hard to read and annoying
     Increase hesitation and site abandonment
     These types are less annoying:
    – Math CAPTCHAs
    – Classification CAPTCHAs

    View Slide

  17. 17
    Pingback/Trackback Spam
    Pingback/Trackback Spam
     Pingbacks/Trackbacks are sent to your blog by others that have
    linked to one of your posts. These are listed in the comments and
    contain the URL of the referring site.
     Problem:
    – You may receive trackbacks from spam blogs, or even fake
    trackbacks that point to an arbitrary website
     Common Mitigation:
    – Disable Pingbacks/Trackbacks
     Side Effects:
    – Reduces SEO from legitimate sites
    – Lose information about readership of your posts

    View Slide

  18. 18
    List of Free Anti-Spam WordPress Plugins
    List of Free Anti-Spam WordPress Plugins
    1. Cookies for Comments
    2. Bad Behavior
    3. Jetpack Comments (part of Jetpack)
    4. Simple Trackback Validation with Topsy Blocker
    5. Minimum Comment Length
    6. Email Address Encoder

    View Slide

  19. 19
    What About the Akismet Plugin?
    What About the Akismet Plugin?
     Good, but only free for non-commercial sites

    View Slide

  20. 20
    Plugin: Cookies for Comments
    Plugin: Cookies for Comments
     Action:
    – Reduces comment spam
     Mechanism:
    1. Each visitor to your site will be issued with a tracking
    cookie
    2. If they try to leave a comment without having the cookie, it
    will be blocked. Most spambots do not accept cookies
    3. Option setting: If an attempt is made to leave a comment
    without having spent some time on your site, it will be
    blocked

    View Slide

  21. 21
    Plugin: Bad Behavior - I
    Plugin: Bad Behavior - I
     Action:
    – Reduces all types of spam
     Mechanism (in standalone mode):
    – Uses various indicators (e.g. User agent, HTTP headers, contents
    of URL) to identify requests from clients that are known to be or
    likely to be spambots
    – These visitors will receive a 403 Forbidden error message and
    won’t be able to see your site
     Limitations
    – Plugin may not be aware of newly created spambots and could
    inadvertently block legitimate search engines on occasion
    – Updates should address these issues

    View Slide

  22. 22
    Plugin: Bad Behavior - II
    Plugin: Bad Behavior - II
     Mechanism (combined with Project Honey Pot):
    1. Project Honey Pot operates a network of websites designed to attract
    spammers, in order to record their IP addresses
    2. WordPress owner obtains a free http:BL key from Project Honeypot and
    configures Bad Behavior to use it
    3. Every website visitor will be checked against Project Honey Pot’s
    database to see if significant amount of spam has been detected from
    their IP
    4. If so, Bad Behavior will block them
     Limitations:
    – Small overhead when checking Honey Pot database
    – Spammer must have already spammed the Honey Pot websites

    View Slide

  23. 23
    Plugin: Jetpack Comments - I
    Plugin: Jetpack Comments - I
     Action
    – Indirectly reduces comment spam from spambots
     Mechanism
    – Replaces your existing comment form with one hosted on
    WordPress.com, embedded within HTML iframe
    – Most spambots will not find a comment form on your site

    View Slide

  24. 24
    Plugin: Jetpack Comments - II
    Plugin: Jetpack Comments - II
     Limitations
    – Requires a modern theme that calls the comment_form() function
    (introduced in WordPress 3.0)
    – Incompatible themes require modification by a PHP developer
    – Will change the look of your comment form
     Configuration Note
    – If using this together with the Bad Behaviour plugin, enable the
    Bad Behavior setting:
    • Security->Allow form postings from other web sites

    View Slide

  25. 25
    Plugin: Minimum Comment Length
    Plugin: Minimum Comment Length
     Action
    – Indirectly reduces comment spam
     Mechanism
    – Rejects comments that are shorter than a specified minimum
    length, e.g. 15 characters
    – Many spambots/spammers leave a token comment with a URL of
    their website
     Limitations
    – Antispam benefit is small, but also discourages humans from
    leaving useless comments like “Great Post!” or “I agree”

    View Slide

  26. 26
    Plugin: Simple Trackback Validation w/Topsy Blocker
    Plugin: Simple Trackback Validation w/Topsy Blocker
     Action
    – Reduces Trackback Spam
     Mechanism
    – Confirms that the IP address of trackback sender matches
    the IP address of the site the trackback URL points to
    – Accesses the trackback URL and confirms that the content
    contains a link to your post
     Limitations
    – Some trackback spam will still pass both those tests

    View Slide

  27. 27
    Plugin: Email Address Encoder
    Plugin: Email Address Encoder
     Action
    – Reduces Email Spam
     Mechanism
    – Encodes email addresses in your WordPress site content
    and widgets and into decimal and hexadecimal HTML
    entities, foiling the majority of email harvesting spambots
     Limitation
    – It is possible for a spambot to be developed that can deal
    with this sort of encoding

    View Slide

  28. 28
    Other Spam Reduction Tips
    Other Spam Reduction Tips

    View Slide

  29. 29
    Disable User Registrations
    Disable User Registrations
     Only authors or members should have accounts on
    your site.
     In WordPress admin, uncheck the following:
    – Settings->General->Anyone can register

    View Slide

  30. 30
    Authenticate Commenters
    Authenticate Commenters
     Jetpack Comments and other plugins allow commenters to
    authenticate using their facebook, twitter and other social
    sharing accounts without requiring an account on your
    WordPress site

    View Slide

  31. 31
    Comment Moderation Tips
    Comment Moderation Tips
     Recommend approving comments before they’re
    published (if you have the time)
     If you have a crowd of regular fans/commenters,
    enabling the following will save you time:
    – In Settings->Discussion Settings->Before a Comment
    appears, check the box “Comment author must have a
    previously approved comment”

    View Slide

  32. 32
    To Disable Pingbacks & Trackbacks
    To Disable Pingbacks & Trackbacks
     In Settings->Discussion->Default article settings,
    unselect the following:
    – Allow link notifications from other blogs (pingbacks and
    trackbacks)

    View Slide

  33. 33
    Dealing with Human Email/Contact Spam
    Dealing with Human Email/Contact Spam
     Most common human-generated spam is for Search
    Engine Optimisation services.
     If these are a problem, try the following:
    – Publish an email address for SEO and Ranking enquiries
    – Have an “SEO/Ranking” department on contact forms
     This may help separate those enquiries from all
    others

    View Slide

  34. 34
    Conclusion
    Conclusion
     Project Honey Pot:
    – http://www.projecthoneypot.org/
    – Provides http:BL key to use with Bad Behaviour plugin
    – You can also contribute by joining their network of honey pots
     Questions and Comments:
    – http://wpexpert.com.au/contact-us/

    View Slide