This blog is retired.
As the most popular blogging platform, WordPress is a target of spammers. If you are an average blogger, your everyday job is to delete spam from you blog, even if you have an anti-spam tool installed.
The default antispam weapon is Akismet. But I dislike it. More rambling follows later, now just google for “akismet sucks”.
What I develop, use myself and highly recommend to everyone is …
A simple, but very effective phpBB antispam tool Textual Confirmation (TC) asks newly registering user a question. If the answer is wrong, TC rejects the registration.
How much questions do you need for the best protection? Hard to say, but definitely not 50.
Earlier or later, a cheap outsourced monkey answers some of your questions and adds the answer into the spammer’s database. As a counteraction, you need to change you question. When you have 50 questions, it’s a tedious task.
In my opinion, 2 or 3 questions is enough.
Many people, including me, believe that security by obscurity gives a false sense of security. Any security tool must be available in source code, even to bad guys. But Advanced Textual Confirmation (ATC) is encoded. Why?
It’s all about the business. If I deliver the tool as is, some “alternatively smart” programmer can copy/paste the code in a few minutes and start selling the clone. This is my worry: “alternatively smart” programmers.
To satisfy those who are against security by obscurity, I’m diclosing the ATC internals is this post. Warning: to understand the text in full, you have to be a web programmer.
True Story:
I became so irritated from using phpBB2 Advanced Visual Confirmation, which ended up causing me more trouble that it was worth, that I finally did something about it.
After thinking that I had wrapped a spammer-proof wall of security around my forum, I discovered that spammers were having an easier time decrypting my captcha images than my authorized members were. In fact, I often ended up having to manually register new users who I thought weren’t smart enough to decipher the image that was sitting right there in front of their face. It was only after I tried (and failed) to register one particular user 5 times that the truth hit me:
When it comes to default captcha decoding skills: Computers win, humans lose.
Someone has asked Google how to bypass Textual Confirmation. Great! The alternative to CAPTCHA is taking off, even spammers noticed it. Now they’ve started to think about bypassing. Would you mind to help them and share ideas?
While poking around the Internet I came across this article about ways to stop PHPBB spam. In it the author talks about 2 tools he believes everyone running a phpBB board needs. What’s nice about the article is that it isn’t a cleverly disguised plug for these products. Instead it’s an independent review so you can be sure these products really work.
(Continued from part 1.) Gather around Generals, I have hot intelligence straight from the high-tech weapons arsenal. The tide of the War Against Forum SPAM is turning.
With CAPTCHA, Spam Blacklists, and other low-grade weapons allowing the front lines of our defenses to be overrun, a new anti-SPAM weapon has hit the battlefield and initial reports are quite favorable.
I’ve just got a complaint from an user who purchased Textual Confirmation (TC). To his dissatisfaction, TC haven’t stopped spam. Investigations revealed that he gets spam in guest postings, which is outside of the scope of TC. To stop such spam, he actually needs Advanced Textual Confirmation. The following is what I’ve answered.
RSS:
|