Spam Karma 2.0 Feature Requests

First thing: there is now a static page entirely dedicated to Spam Karma. Among other things, it will always contain the current version number as well as links to other relevant pieces of information.

Now that we pretty much got Spam Karma 1.x nice and stable, it’s time to get ready for 2.0!

Below is what I have more or less already planned for it; please feel free to add your own wishes, desires and suggestions in the comments.

Improvements:

  • Automatically clean up captcha graphics (yea, long overdue).
  • Move string and regex matching to SQL (gotta check if that one is really worth it, performance-wise).
  • Log time and date for each deleted spam.
  • Improve Digest presentation (colors, formatting, perhaps some css trickery to hide details by default).

Features:

  • Provide “restore deleted comment” feature.
  • Send realtime blacklist updates back to a central server.
  • Implement some sort of P2P update protocol for the blacklist (huh, that one might be for 3.0)
  • Run check for open-proxy servers on suspicious IPs.
  • Option to appear on the central Spam Karma High Score website.
  • Flash implementation of Space Invaders where you can destroy little spams falling from the sky (just kidding… or am I?).

Filters:

  • Majorly kick spammer’s ass (ban IP etc) if comment is on a non-existing entry ID (should have been done long ago, but I didn’t realize WP 1.2.1 still didn’t fix that exploit).
  • Parse suspected Spam URL target page and look for spam words.
  • Check user-agent (with a new category in the blacklist table).
  • Parse href title and content and check for blacklist matches.
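
Three of the filters listed above (non-existing entry ID, user-agent check, and blacklist matching on link href, title and content), sketched as an added example; this is not Spam Karma's code, and the blacklist entries, post IDs, weights and function names are all constructed assumptions:

```python
import re
from html.parser import HTMLParser

# Constructed sample data (assumptions, not Spam Karma's real tables).
EXISTING_POST_IDS = {1, 2, 3}
BLACKLIST = {
    "domain": [r"cheap-pills\.example"],
    "word": [r"\bcasino\b"],
    "user_agent": [r"^$", r"libwww-perl"],  # empty UA or a scripted client
}

class AnchorCollector(HTMLParser):
    """Collect the href, title and link text of every <a> in a comment body."""
    def __init__(self):
        super().__init__()
        self.parts = []
        self._in_a = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a = True
            a = dict(attrs)
            self.parts += [a.get("href") or "", a.get("title") or ""]

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_a = False

    def handle_data(self, data):
        if self._in_a:
            self.parts.append(data)

def _hits(patterns, text):
    return [p for p in patterns if re.search(p, text, re.I)]

def score_comment(post_id, user_agent, body):
    """Return (karma, reasons); the lower the karma, the more spam-like."""
    karma, reasons = 0, []
    if post_id not in EXISTING_POST_IDS:  # comment aimed at a non-existing entry
        karma -= 10
        reasons.append("nonexistent entry ID")
    if _hits(BLACKLIST["user_agent"], user_agent or ""):
        karma -= 3
        reasons.append("blacklisted user-agent")
    collector = AnchorCollector()
    collector.feed(body)
    for part in collector.parts:  # href, title and link text are all checked
        for pat in _hits(BLACKLIST["domain"] + BLACKLIST["word"], part):
            karma -= 2
            reasons.append(f"link match: {pat}")
    return karma, reasons
```
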

Ok, what else?

24 comments

  1. Huh, what else? That sounds more than enough to me. You’re not only doing a fantastic job here, you declare war on those criminals!

    Today Spam Karma defended my site against the first spam wave I’ve received – it still does.
    Awesome! Thank you!

  2. – Restore deleted comment
    – Show version number
    – Add “This comment is spam” to comment notification e-mail for spams that get through. This should blacklist any URIs, and send the spam to a centralized database so you can learn from the spam that gets through.

  3. Ok, a quick update on the feature list: thanks a lot for all your feedback so far, keep’em coming…

    I am currently busy (well, as far as holiday schedule lets me) putting together a rather hardcore kinda p2p blacklist system… it’ll probably go into a separate script (not even a plugin, as I’d like to make it blogging-platform independent) and be an important part of the system… Expect a lengthy post on this matter in the next day or so.

    As for all the points mentioned above, they are duly noted and will be placed atop the implementation list. The “Restore deleted”, in particular, seems to be a popular one.
    Two requests that probably won’t, though, and the reasons why:
    1) placing all comments into moderation: this is obviously what SK is trying hard to avoid. Getting 1000 moderated comments that you need to sort through and manually delete is hardly an improvement at all.
    2) using a table prefix for the blacklist is a point more open to debate. Basically, this is a purposeful choice, in that it allows many installs to share a common blacklist table. Which after all makes sense. Of course, there’s the issue of someone entering bad stuff in the table, but we’ll go on the assumption that, if they are sharing the DB, you have a minimum of trust in their abilities to not do very stupid things, or you simply do not give them access to SK (could be done by giving them a user-level < 8)... Is there any reason that we shouldn't do this and we would really want to force a prefix? I guess it would be possible to provide a configurable option for that... just wanna know if there are good reasons to.

  4. This plugin is the BEST antispam plugin I’ve ever used. Extra points for ease of install! And now onto the requests portion:

    – some way to share blacklist information with multiple WP sites under my control (FTP upload/download from user specified location)

    – SpamAssassin rules

    – user control over the number of characters shown in the captcha

    God bless and Merry Christmas

  5. I’m not sure how effective IP-based blacklisting is. Can you display a counter for the number of times each blacklisted IP tried to comment, once it’s on the IP blacklist? I’m mostly concerned that some poor dial-up dynamic IP user is getting blocked from commenting because a spammer used a throw-away dial-up account (improbable, but possible).

    Also, I’ve noticed that many spammers are now including gibberish in their URLs. I suspect it’s an attempt to overflow the blacklists and keep the burden of processing on our side. Can you include an “invert all” option like WP does, so that I can quickly uncheck all the gibberish URLs? The same for the list of IPs to insert into the database would be helpful, too.

  6. Spammers like to use poor splelling and extended ascii characters. Perhaps rules such that

    – unless 90% of the words in comments are other than dictionary words it will be considered spam (captcha test)

    – extended ascii = spam (captcha test)

    – N# words without punctuation = spam (captcha test)

    Also how about an option to render the captcha in flash as opposed to a raster graphic?

    $0.03

  7. Installed SK a couple of days ago. It stopped comment spam DEAD! One of my buddies tried different hits to see how bad his post had to be and finally got to a CAPTCHA block. I am very happy with SK!

    BUT ( you knew this was coming ) today I’m being attacked for the first time with trackback spam. I do hope your new SK will have a bit heftier weapons against this aggravation.

    Thanks for the work!

  8. Although SK catches 100% of the spam posted to my websites, there seems to be one form of protection that could make it even better. Hash Cash (already available as a WP plugin). How about adding this type of protection to SK, although it might need to be disabled by default as it won’t allow users with javascript turned off to post…

    Keep up the good work!

  9. My website uses 5 WP “blogs” and three of them allow comments, and Spam-Karma is installed on them all. I’m quite happy to have a non-prefixed table, so the blacklisting goes across my sites, and the updates don’t need to be duplicated either. The only possible concern with multiple sites sharing the database is if there is some sort of race condition where two of them are modifying the table at the same time. (And I’ve not seen any sign of problems yet)

    Overall, GREAT job–you’re solving my comment spam problems. (If only referrer spam could go away too…oh well, I’m just resigned to not getting useful data from my logs there anymore….it never was really useful, just fun)

  10. First I love your plugin. One suggestion to allow people to tailor their installation without too much coding work would be to allow users to change the weightings for failing various tests. So for example next to
    ‘Penalize HTML entities’ you could have a box to change the default of 1
    and next to
    ‘Take in account moderation criteria set on the Discussion page ‘ a box to change the default of 3
    This would allow users to tailor their specific installation and help keep ’em guessing because the rules are more variable. This makes spam karma more difficult to work around.

  11. How about an option to publish your own blacklist? That would make sharing the list a tad easier. You would be able to share with multiple wp installs by using your local blacklist url. Also have the ability to add multiple source blacklists, so you can use the central blacklist db, as well as a couple belonging to your friends.

  12. Apparently I have been added to this spam list, I get told this when I try and post on niteowls website, what is going on, someone please help, I know for a fact I have never spammed in my life.

  13. First of all, thanks for this powerful plugin 🙂
    And now, for the feature request:

    I suffer flood attacks, instead of spam attacks. Spam Karma does not protect a particular, mostly forgotten, easily floodable feature of most sites: the “request new password” page.

    My site has been used by a malicious user to flood the mails of my commenters by targeting a script that requests hundreds of new passwords for them, flooding my registered visitors’ mailboxes… yes, bad thing…

    The “SnowBall effect” could be adapted to protect those requests, and other similar unprotected areas, such as the registering form.

  14. Thanks for your work on this, Dave. Spam Karma rules.

    I know that you’ve stopped development for now, but I’ll add this feature request for “posterity”:

    I would love to have an option that puts trackbacks from my own site in the moderation queue.

    Right now, every time I include a link to one of my own posts, it shows up as a trackback; that’s not a huge problem, but since I edit my posts often, I waste a lot of time going back and re-deleting those trackbacks after I’m done.

    That would just be gravy on what is the plugin to end all plugins (and all spam).

  15. I’m sending a directed donation – please do your best to add a feature to deliver a small, strategically placed electric shock to the spammer when you trap their messages for me. I understand there will probably be a few false-positives, which I can live with. And, if you could include a SK plugin hook for hacking the severity of the shock (add a disclaimer if you need to), I would gladly send ANOTHER $15 for that.

    Excellent work!

    Chris
