Vlad Lasky: Beating SPAM on your Blog or Website

Transcript

1. 1
   Beating Spam On Your WordPress Site
   Beating Spam On Your WordPress Site
   Vladimir Lasky
   http://wpexpert.com.au/
   WordCamp Melbourne 2013
   

   View Slide

2. 2
   What is Spam?
   What is Spam?
    Unsolicited and often untargeted electronic
   communication
    Persistent phenomena due to the extremely low
   marginal cost of sending it over the Internet
    Even a minuscule response rate from targets
   makes it profitable
   

   View Slide

3. 3
   What Do Spammers Want?
   What Do Spammers Want?
    To get recipients of spam emails to purchase
   products and services. Common examples:
   – “Get Rich Quick” schemes
   – Products to enhance reproductive organs or
   reproduction process
   – Weight loss
    To take advantage of the ranking/popularity of
   your site to promote theirs
   – If your site gets many visitors and/or ranks highly in
   search engines, they will receive a portion of your
   traffic
   

   View Slide

4. 4
   Why is Spam Evil?
   Why is Spam Evil?
    A parasitic phenomenon
    Wastes owners time in dealing with emails and
   moderating comments
    comments and discussion boards less useful to
   website visitors
    Search Engines lower the rank of websites that
   link to spamblogs and low quality sites
    Increases load on web servers and eats through
   data transfer and storage quotas
   

   View Slide

5. 5
   Types of Spam
   Types of Spam
    Types of spam that WordPress site
   owners often encounter include:
   – WordPress Comment spam
   – Trackback spam
   – Contact form spam
   – Email spam
   

   View Slide

6. 6
   Comment Spam Example
   Comment Spam Example
   

   View Slide

7. 7
   Trackback Spam Example
   Trackback Spam Example
   

   View Slide

8. 8
   100% Surefire Plan To Prevent Website Spam
   100% Surefire Plan To Prevent Website Spam
   1. Don’t publish your email address
   2. Don’t have a contact form on your website
   3. Don’t let visitors comment on posts
   4. Disable trackbacks/pingbacks
   

   View Slide

9. 9
   Our More Practical Spam Reduction Plan
   Our More Practical Spam Reduction Plan
    Promoting visitor engagement by making it
   easy to communicate, comment or provide
   feedback
    Preventing and Detecting attempts to leave
   spam to the best of our ability using free
   automated tools wherever possible
   

   View Slide

10. 10
    Know Your Enemy
    Know Your Enemy
     Spambots
    – Automated computer programs running on
    servers that trawl the internet and post spam
    – The vast bulk of today’s spam
     Human Spammers
    – People who manually post spam, often are paid to
    do this
    

    View Slide

11. 11
    Spambots (Machine-Generated Spam)
    Spambots (Machine-Generated Spam)
     Strengths
    – Very fast, can bombard lots of websites in a given
    period of time
     Weaknesses
    – Only can do what they are programmed to do
    – Can only adapt to countermeasures by being
    reprogrammed
    

    View Slide

12. 12
    Human Spammers (Human-Generated Spam)
    Human Spammers (Human-Generated Spam)
     Strengths
    – Humans can adapt and work around many anti-spam
    measures
     Weaknesses
    – Slow – usually must visit websites in a browser
    – Expensive for spammers to employ humans
    – People employed to spam often have a limited education
    and can be tricked using intellectual means
    

    View Slide

13. 13
    Email Spam
    Email Spam
     Problem:
    – Email harvesting robots trawl the net scanning websites for
    email addresses, which are then sent spam emails
     Common Mitigation:
    – Not publishing email address, relying on contact form
     Side Effects:
    – Not having a visible email address on your website lowers
    response rates
    

    View Slide

14. 14
    Comment Form Spam
    Comment Form Spam
     Problem:
    – Spammers leave comments on posts
     Common Mitigation:
    1. Not have comments
    2. Require comments to be approved before publication
    3. Use a CAPTCHA
     Side Effects:
    1. No participation
    2. Reduces participation
    3. Moderation time
    

    View Slide

15. 15
    What is a CAPTCHA?
    What is a CAPTCHA?
     A test designed to distinguish between a human visitor
    and a bot (computer program).
    – E.g. Asking the user to type a distorted randomly picked phrase
    contained within an image, difficult for a computer to extract
     When used on a web page, normally placed at the
    bottom of a form, before the submit button.
    

    View Slide

16. 16
    Should You Use CAPTCHAs?
    Should You Use CAPTCHAs?
     No longer recommend
     Legitimate visitors often find image-based
    CAPTCHAs hard to read and annoying
     Increase hesitation and site abandonment
     These types are less annoying:
    – Math CAPTCHAs
    – Classification CAPTCHAs
    

    View Slide

17. 17
    Pingback/Trackback Spam
    Pingback/Trackback Spam
     Pingbacks/Trackbacks are sent to your blog by others that have
    linked to one of your posts. These are listed in the comments and
    contain the URL of the referring site.
     Problem:
    – You may receive trackbacks from spam blogs, or even fake
    trackbacks that point to an arbitrary website
     Common Mitigation:
    – Disable Pingbacks/Trackbacks
     Side Effects:
    – Reduces SEO from legitimate sites
    – Lose information about readership of your posts
    

    View Slide

18. 18
    List of Free Anti-Spam WordPress Plugins
    List of Free Anti-Spam WordPress Plugins
    1. Cookies for Comments
    2. Bad Behavior
    3. Jetpack Comments (part of Jetpack)
    4. Simple Trackback Validation with Topsy Blocker
    5. Minimum Comment Length
    6. Email Address Encoder
    

    View Slide

19. 19
    What About the Akismet Plugin?
    What About the Akismet Plugin?
     Good, but only free for non-commercial sites
    

    View Slide

20. 20
    Plugin: Cookies for Comments
    Plugin: Cookies for Comments
     Action:
    – Reduces comment spam
     Mechanism:
    1. Each visitor to your site will be issued with a tracking
    cookie
    2. If they try to leave a comment without having the cookie, it
    will be blocked. Most spambots do not accept cookies
    3. Option setting: If an attempt is made to leave a comment
    without having spent some time on your site, it will be
    blocked
    

    View Slide

21. 21
    Plugin: Bad Behavior - I
    Plugin: Bad Behavior - I
     Action:
    – Reduces all types of spam
     Mechanism (in standalone mode):
    – Uses various indicators (e.g. User agent, HTTP headers, contents
    of URL) to identify requests from clients that are known to be or
    likely to be spambots
    – These visitors will receive a 403 Forbidden error message and
    won’t be able to see your site
     Limitations
    – Plugin may not be aware of newly created spambots and could
    inadvertently block legitimate search engines on occasion
    – Updates should address these issues
    

    View Slide

22. 22
    Plugin: Bad Behavior - II
    Plugin: Bad Behavior - II
     Mechanism (combined with Project Honey Pot):
    1. Project Honey Pot operates a network of websites designed to attract
    spammers, in order to record their IP addresses
    2. WordPress owner obtains a free http:BL key from Project Honeypot and
    configures Bad Behavior to use it
    3. Every website visitor will be checked against Project Honey Pot’s
    database to see if significant amount of spam has been detected from
    their IP
    4. If so, Bad Behavior will block them
     Limitations:
    – Small overhead when checking Honey Pot database
    – Spammer must have already spammed the Honey Pot websites
    

    View Slide

23. 23
    Plugin: Jetpack Comments - I
    Plugin: Jetpack Comments - I
     Action
    – Indirectly reduces comment spam from spambots
     Mechanism
    – Replaces your existing comment form with one hosted on
    WordPress.com, embedded within HTML iframe
    – Most spambots will not find a comment form on your site
    

    View Slide

24. 24
    Plugin: Jetpack Comments - II
    Plugin: Jetpack Comments - II
     Limitations
    – Requires a modern theme that calls the comment_form() function
    (introduced in WordPress 3.0)
    – Incompatible themes require modification by a PHP developer
    – Will change the look of your comment form
     Configuration Note
    – If using this together with the Bad Behaviour plugin, enable the
    Bad Behavior setting:
    • Security->Allow form postings from other web sites
    

    View Slide

25. 25
    Plugin: Minimum Comment Length
    Plugin: Minimum Comment Length
     Action
    – Indirectly reduces comment spam
     Mechanism
    – Rejects comments that are shorter than a specified minimum
    length, e.g. 15 characters
    – Many spambots/spammers leave a token comment with a URL of
    their website
     Limitations
    – Antispam benefit is small, but also discourages humans from
    leaving useless comments like “Great Post!” or “I agree”
    

    View Slide

26. 26
    Plugin: Simple Trackback Validation w/Topsy Blocker
    Plugin: Simple Trackback Validation w/Topsy Blocker
     Action
    – Reduces Trackback Spam
     Mechanism
    – Confirms that the IP address of trackback sender matches
    the IP address of the site the trackback URL points to
    – Accesses the trackback URL and confirms that the content
    contains a link to your post
     Limitations
    – Some trackback spam will still pass both those tests
    

    View Slide

27. 27
    Plugin: Email Address Encoder
    Plugin: Email Address Encoder
     Action
    – Reduces Email Spam
     Mechanism
    – Encodes email addresses in your WordPress site content
    and widgets and into decimal and hexadecimal HTML
    entities, foiling the majority of email harvesting spambots
     Limitation
    – It is possible for a spambot to be developed that can deal
    with this sort of encoding
    

    View Slide

28. 28
    Other Spam Reduction Tips
    Other Spam Reduction Tips
    

    View Slide

29. 29
    Disable User Registrations
    Disable User Registrations
     Only authors or members should have accounts on
    your site.
     In WordPress admin, uncheck the following:
    – Settings->General->Anyone can register
    

    View Slide

30. 30
    Authenticate Commenters
    Authenticate Commenters
     Jetpack Comments and other plugins allow commenters to
    authenticate using their facebook, twitter and other social
    sharing accounts without requiring an account on your
    WordPress site
    

    View Slide

31. 31
    Comment Moderation Tips
    Comment Moderation Tips
     Recommend approving comments before they’re
    published (if you have the time)
     If you have a crowd of regular fans/commenters,
    enabling the following will save you time:
    – In Settings->Discussion Settings->Before a Comment
    appears, check the box “Comment author must have a
    previously approved comment”
    

    View Slide

32. 32
    To Disable Pingbacks & Trackbacks
    To Disable Pingbacks & Trackbacks
     In Settings->Discussion->Default article settings,
    unselect the following:
    – Allow link notifications from other blogs (pingbacks and
    trackbacks)
    

    View Slide

33. 33
    Dealing with Human Email/Contact Spam
    Dealing with Human Email/Contact Spam
     Most common human-generated spam is for Search
    Engine Optimisation services.
     If these are a problem, try the following:
    – Publish an email address for SEO and Ranking enquiries
    – Have an “SEO/Ranking” department on contact forms
     This may help separate those enquiries from all
    others
    

    View Slide

34. 34
    Conclusion
    Conclusion
     Project Honey Pot:
    – http://www.projecthoneypot.org/
    – Provides http:BL key to use with Bad Behaviour plugin
    – You can also contribute by joining their network of honey pots
     Questions and Comments:
    – http://wpexpert.com.au/contact-us/
    

    View Slide