At least you are honest! I take it the Bombay Saphire is fueling your brain cells … so nothing wrong with that in my book! Thinking of how much time and grief SK saved me (well, and the time and grief it cost me back in Fiji) a donation is in order.

[...] If you do, go to dr Dave’s blog, read all about the “State of Spam” and then click the donate button. As you can see in the footer of this blog, SK2 has killed 5276 spams. If it took me 1 second to kill one of those spams, then dr Dave’s code has saved me 87 minutes of deleting those spams (that doesn’t sound much – but do you really want to spend an hour and a half doing it ?). Adding into that the fact that readers here have not had to see the absolute crap that the spammers churn out then I think a donation is very much in order. Blogging may well be free but we sometimes need to say Thank You to those that help make this experience a more pleasant one. And today is that day. Go click the Donate button, hand over some cash and say Thank You. ¤ Read (1) [...]

[...] Dave, the author of Spam Karma 2 (SK2), has written an interesting essay on his take on comment spam entitled The State of Spam [Karma]. It’s a good read if you’re into this sort of thing. SK2 was one of the first really advanced scripts put together to combat spam, and you can see on our development page someone has actually created code that combines Akismet with SK2, which sounds pretty groovy to us. [...]

I wish I could use my paypal account . Keep up the good work dude .. I love your masterpiece.

Thanks for all the details, and I’m a little disheartened to hear that spammers are evaluating JS. Like you, I’m surprised it took this long, and it’s a day I’ve sort of feared, but it was bound to hapen eventually.

I was wondering what you think about non-image CAPTCHAs, like WP-Gatekeeper. Yes, I wrote it, but I’m interested in your honest assessment. I’m an Akismet boy right now, and ironically don’t even use WP-Gatekeeper any more, but others (like The Blog Herald) have recently used it with great success. I’m just wondering if the success is temporary, or if that approach has legs.

[...] Damn comment spam is on the up again from this IP address 195.225.177.80 Thank goodness for Dr Dave’s Sk2 we don’t have to worry to much. Go read The state of spam(karma) that Dr Dave has written. If like me you use Sk2 then give the guy a donation, after all he is our saviour. Thanks for Sk2. [...]

[...] Dr. Dave, author of the excellent Spam Karma plugin for WordPress, has posted The State of Spam [Karma] in response to a new breed of spambots. (These sneaky %#@!ers hit this site on Friday, so I installed the 2.2 beta. They seem to have stopped trying over the weekend.) Anyway, Dr. Dave is holding a donation drive to help cover future versions of Spam Karma. I think it’s worth at least a few bucks. [...]

[...] Via Spam Karma’s author, Dr. Dave, I found this posting to be a worrying read.   [link] [...]

[...] Here is the link: Michael Hampton’s Blog Here is the link: Akismet: Spam Karma State -John Havlik [...]

[...] The State of Spam [Karma] 01/30 18:01, 2006 簡單的說: 1. 有新的 Spambot, 而 SK2 無力招架. 2. 身為全職學生, 沒啥時間推出強而有力的 SK3 3. … 所以各位好心的大爺們賞點錢吧, 2 塊不嫌少, 10 塊不算多, 如果能捐 666 就更讚啦. [...]

[...] und Spam Karma findet Ihr >>HIER< [...]

[...] Since I switched it on a while ago Spam Karma has prevented at least 1500 spams from seeing the light of day on this blog alone. There’s a rare slip-up, but Spam Karma has made my life enormously more simple. Now Dr Dave, the creator, has written in The State of Spam [Karma] about how it’s a tough battle, with a sudden increase in spam battering at the gates: The reason for this sudden burst, is a new breed of spam, or more likely, of spambots. It is confirmed now that some spammers have gotten hold of much more efficient spamming tools. Ones that bypass some of SK2’s strongest filters without trouble. [...]

Dave: I’m with you. I do my blog purely for love too.

I sent in some dough but didn’t read far enough down in your post to see you asked for blog url & e mails along w. the donation. By all means, make me public & use the info I’ve entered for this comment.

BTW, when I try to lv. this comment using FF 1.5 I can’t see the Submit Comment button. It appears to be covered by the “This entry was posted…” msg. So I had to use IE to post this.

[...] “Dr Dave”, the author of the excellent Spam Karma WordPress plugin, has a long but (IMO) fascinating post about how the “war” against comment spam goes. I direct you to The State of Spam [Karma]. [...]

[...] kann sein, daß ich kurzfristig die Kommentar/Trackbackfunktion abschalten muss, die Spammer-Meteoriten Einschläge kommen immer näher, sozusagen. Muss wohl auf SpamKarma 2.x updaten, wie es Dave ja bereits schon beschrieben hat. verwandte Artikel: [...]

Thanks for SK. Just made donation. Cheers!

Hey,

I just sent a donation as well.

I know how you feel buddy as sadly I’m in the same boat.

Luckily this week I could afford a small donation.

I really do appreciate all your hard work.

Take care and sleep tight.

Will

[...] Many of you will know that after a month or two of running this ‘ere blog, I started to receive comment spam, as I’m sure most other bloggers do. Deciding that something had to be done, other than manually removing it myself, I looked around for solutions and eventually settled on Spam Karma. This is a plugin for WordPress blogs and so far I have found it to be very effective. Just scroll down to the bottom of the page to see how many spam comments it has eaten. And a fare few get put into moderation as well, which I don’t believe increment the counter, but that is techie stuff and beyond me, so don’t quote me on that! Either way, SK2 has been working wonderfully (no real comments eaten by SK yet) , and it is good to see that its creator – Dr Dave – is keeping himself abreast of the new and varied tactics employeed by spammers. On his blog, Dr Dave has discussed where he thinks spammers are going and the tactics they are using, and also a little about where he intends to take SK in order to keep ahead of the game. It is a light and brief read, even for a novice like me, and it is always nice to know that something one relies upon is going to be continued. [...]

Just recently made a $ contribution and am glad I did. You’re better at, and about, clueing in this noncoding user than just about any coder I’ve come across. Bless you. May whatever gene is responsible get loose and spread throughout the coding-human species.

Seriously, I may be able to kick in a little more after awhile. In the meantime, know tht your efforts and communications are really appreciated. I’ve got a few of the damn things slipping through, but nothing like it was before plugging SK2 in.

Kampf dem Kommentarspam

Nachdem ich im Kampf gegen den Kommentarspam vor einigen Monaten Spam Karma 2 installiert hatte, konnte ich wieder beruhigt schlafen. Das Plugin arbeitete äusserst zuverlässig, erkannte Spam praktisch immer oder schob den Kommentar bei der geringste…

Thanks Dr.Dave! I can spare a few bucks for the time and trouble you have saved me

Woa… that’s a lot of comments.

Sorry for being remiss the whole past week, I was busy bathing in gold and flipping through $100 bills taking care of student life.

So, first of all, a general thank you to all of you. I just posted a few details, for those interested.

Secondly, to all those who contacted me about helping with docs (and left an address): I’ll be sending you an email soon to discuss the improvements that need to be done. Don’t hesitate to bug me (preferably through email) if you don’t receive anything by the end of the week: it means I probably lost your email somewhere…

Now, as for the specifics:

nacken

Indeed, Bombay Sapphire is fueling my brain, it’s also helping to protect me from malaria by guaranteeing my daily quinine intake. It also shuts the voices in my head long enough to let me focus on code.

Charles (and a few others)

Actually, I hadn’t realized that people would be scrupulously following whatever amounts I offered by default: I figured anybody could just then go and use Paypal’s free form directly, or use combination of amounts as many times. Hence the limited number of options I had there (corrected ever since).
As for anybody donating $666, or even $40 for that matter: I think I’d be embarrassed and, to say the truth, slightly suspicious of what it is exactly I am relinquishing for such an amount.

And about the exams: no big worries, even if these were busy times indeed, my being more of a “going back to uni” situation, means I am both fairly relaxed and not overly concerned about the rest of my professional life being impacted by this. But thanks for reminding me

Eric

Yea, JS evaluation is fairly basic to do. I can think of many ways (ranging from Greasemonkey to an MFC app using MSIE components) for a spambot to behave exactly like a browser. And expect to see even more of the anti-bot filters becoming increasingly irrelevant.

Regarding WP-Gatekeeper (and similar solutions). I must admit I am not a big fan.

In a nutshell:
- I don’t particularly like the fact it’s tied to language comprehension (sure you can localize it, but…). I would also be worried that quickly increasing difficulty of these “easy” riddles would become an obstacle to some of the less fluent commenters. And if you think any commenter fluent enough to read your blog would be fluent enough to answer that type of question, ask any English-speaking Japanese what color a green apple is: you’ll see what I mean.
Of course, one could ensure this level always remain low enough (by providing a canned dataset and little ways to change it) but then:
- Any riddle-building algorithm based on a limited set of data can be reverse-engineered all the same (say you have thousands of installs with a dozen fruit names and the color associated to them: how long do you think it’d take a bot to work through that).
- More evolved algos, using bigger datasets (and then bringing us back to problem 1) would still be breakable with very basic AI. In fact, I’d be personally much more confident in my ability to break such “Turing riddles” than even the simplest Captchas out there.

So at the end of the day, I can only retain accessibility (minus usability) as an asset over other solutions and Captcha in particular. Knowing that the accessibility card for Captcha is something of a false problem (there are hundreds of ways to work around the issues it creates for sight-impaired users), I would say that the result is not worth the effort in the short term. At any rate, I don’t mean to belittle your work here: bringing in a usability-aware alternative to Captcha is a tough probelm, and one worth studying even if I’m doubtful of the chances…

Jose

Not sure what kind of beverages can safely be shipped to Japan (their customs are notoriously tight), but actually I am no longer residing in beautiful Tokyo at the moment (something to do with recent life changes).

Michael

By JavaScript payloads I am indeed referring to what WP Hashcash (and a few others, including SK2) do. And I am quite positive now that they’ve been broken by some spambots. I would love to hear more data from users of other JS-based plugins, but in the end, I am confident that those who haven’t been broken, will be, as soon as spambots makers turn their attention to them. Also note that, as I wrote in the entry above, these new spams look very strongly like manual spam. I will look into WPH again, but the best I know, its entire stopping power revolves entirely around this JS payload.

Paolo

“Unfortunately”, there are no such things (for comment spam, at least) as companies providing the spammers with service or tools (the one who claim doing so are usually complete rip-offs and the least of our worries). All these tools are developed and sold in shady virtual back-alley and little can be known of what is done there. Of course, boycotting products and sites that use their service is a minimum, but I doubt they really care.

Actually, one thing I forgot to talk about, but that’s been on my roadmap for quite a while now, would be an automated counter-google-bomb that would ensure all the keywords the spammers try to push automatically get “hijacked” back to non-spammer’s site. For example, if all installs of SK2 had a dedicated page linking “viagra” and “texas holdem” to their respective Wikipedia pages. Currently, the only thing stopping me from doing this, is that I would need at least a dozen neutral (non-commercial and consensual) reference sites in order to efficiently bump spam results off the first page of Google.

Anybody’s got suggestions beside the obvious (Wikipedia and Everything2)?

Dr. Dave- you’re the man- seriously. Spam Karma is the best kinda Karma there is- and my website would have been a comment-free site a year ago, had it not been for you. My donation will come on Friday, once my paycheck (student stipend- I empathize) clears. The $666.00 is intriguing…I wish I had enough to send you the Number of the Beast. Keep up the great dev work.

Peaceout

Dr. Dave,
Looks like the update to 2.2 might have temporarily taken care of the problem. I noted the difference between before and after updating with a particularly bothersome url getting through. After the update, it got thrown into Hell. I know this may not hold for long, but for now, that irritating bother has been stopped.

“Most importantly, the spam bypasses SK2’s Javascript filter, which indicates an ability to parse javascript.”

Hi Dr. Dave,
Regarding your comments about spambots mimicking users, I think it’s a fair assumption that most spambots are actually remote controlled browser clients, I have made this kind app for a web-test tool and it really made things simpler for simulation purposes because of JS, CSS+IMG loading, headers etc. are all the real deal.

Hello,
Hey now a days really comment spam issue is rising , we need to take a serious step for the same. i m doing a project on filtering this comment spams, for that i require some comment spam samples but i m unable to get it. So could u plz help me by sending them on my mail.
It would be of great help to me.

[...] I kind of wish everyone could use Spam Karma, by Doctor Dave. That’s my anti-spam solution, and it’s pretty good. Is it 100% perfect? no. But it does get almost all of the spam, with very few false positives. There are a few people who sometimes get caught in the anti-spam net, but it’s a pretty small number. If you have a WordPress blog, I highly recommend the Spam Karma 2 plugin. If you don’t have a wordpress blog, and are still using blogger or typepad, my only question is “why?” « I’m sure there’s a story here somewhere… [...]

Let me jump in, being the author of Pivot Blacklist. HashCash is originally a WP plugin created by Elliott Back. While it still works rather well I believe it’s a dead end. As Dave indicates, bots are getting too smart. If a bot runs the javascript, nothing’s gonna stop it.

What’s still quite effective though is the ’spam quiz’ idea. A bot will have a seriously hard time answering trivial questions, especially if each blog uses a different one. It defeats all spam except for manual spam of course. If your blog happens to be in a non-english language the protection is even better because manual spammers will need to understand the language the question was written in

I must admit though, I haven’t seen much of the really smart bots yet. My own blog doesn’t have any protection enabled at all at the moment. I use a custom AJAX comment submission scheme. There’s no form action to be scraped. Instead the form submission is hidden inside the javascript. A bot which executes the javascript would be able to beat this but… so far this has never happened on my weblog. When it does I’ll need to throw in the spam quiz thing.

If you combine the spamquiz thing with a cookie to remember the answer I think it’s as unobtrusive as possible. Unlike captcha’s, blind people can use it and it can’t be beaten with any script (except for hardcore AI maybe). It’s a ridiculously lo-fi solution compared to SK2, Akismet, Hashcash or AJAX stuff but it works INCREDIBLY well.

[...] Wie der geneigte Leser wei

“Captchas: work. Despite the ultra-theoretical “captcha breaking” scheme urban legend, spammers aren’t about to break a captcha on your blog. The big downside of Captchas, is that they are extremely user-unfriendly, intrusive and most of all: hurt accessibility (how do blind users do?).”

How do blind users do what? some Captcha algorithms also offer to make the chars being spoken through a wave-file generation (click on the picture to hear the char-sequence).
Using a little algorithm to add random patterns of noise to the audio so the spoken char is still audible enough to be recognised by the human ear, but fooling fourier algorithms to analyse the audio and extract the character from it.

Blocking Ip’s is another thing, i know there are a lot of open proxy servers, why can’t they be blacklisted using a similar globally deployed detection protocol like being used for open relay mail-servers?

There are various sites that publish open (or anonymous) proxy servers, 2 hints:
http://tools.rosinstrument.com/proxy/
http://www.atomintersoft.com/products/alive-proxy/proxy-list/

You can make use of those sites by updating your ip-blocking list.
I know it’s not friendly to block proxy ip’s, but i call it stupid of srever- hosts to make their server wide open in the first place.

To prevent nagging from victims of a false positive, yield expressions and accusations but rather inform a user that he/she is denied submission because one of the situations is applicable like:
-User uses an IP from an open proxy server that is blacklisted
-User uses a (dynamic) IP that has been registered earlier for spam origination.
-Submitted urls are listed as spam-sites or contain unrelevant information to the contents of this site
-Too many spam-related keywords detected used in the submitted text.

It sounds formal yet will bring a lot more understanding than shouting an accusing phrase (”You are a dirty spammer!” or whatever similar a legitimate poster is being confronted with).

Regards,

Vince.

Thank you, thank you, thank you. Seriously. I know I didn’t donate much cause, well… I don’t have much money. I do, however, write documentation at work for web applications and stuff, so if you need help with documentation or FAQ’s have your people call my people and uh… yeah.

Thanks for this great plugin. I plan to switch to it from Akismet (no clue how the third party server it relies on will remain fast and last in the long term).

Thanks for helping us keep up, in the anti-spam arms race.

I have noticed a fair number of people (or robots) finding my site by searching for the SK2 “spams eaten” footer. Perhaps those are bots targetting SK2 protected sites specifically.

Anti-Spam is a joke to be honest. I hate spam but please let me tell you a story.

I created an application to send text messages using http://www.vodafone.ie. Now this you say is no impressive task but let me continue.

Their system is setup much like an anti spam system. It checks the time it took you to input a text, the time it took you to log on, the time it took you to take a cup of tea and everything else it can.

Wanna know how I got around it? Simple… I created an application which basically mimics a user. First it opens http://www.vodafone.ie, it then waits 4 seconds and then inputs the user and password and clicks submit. It then waits a couple of seconds and clicks “SMS Messages” and then allows you to enter as many characters as you want. Their version only allows 160 so what mine does is it splits the text into 154 length chunks and adds a … to the end and beginning of each text. It waits about 5 seconds between each text to make the server think it’s an actual person typing it in. And know what? I know for a fact there is absolutely no way to tell the difference beteween it and an actual person without causing more harm than good.

I know it’s not pretty but face facts o.O

Replies to email only.

Hi,
I love SK better than Akismet dr dave . Unfortunately, I, too, am a student so money is pretty tight for me. So in the mean time, I can only help you with a dirt and mortar help such as writing FAQ or attending forums a couple of hours every day (or week?). Just let me know if you need any help.
thanks.