Akismet sucks. No really – if it can’t tell that 400 duplicate comments made to the same blog but different pages by the same IP address linking to the same domain in a matter of 4 minutes are to be considered spam, no thanks – we’ll find something better.
Seriously though! This has happened 3 times in 24 hours. 100 or so comments each time. Each “wave” comes from the same IP, links to the same site, contains the same exact (non) words, and is just as ridiculously obvious as being spam…. They don’t even get flagged as “moderated,” they go straight to the inbox (so to speak..)!
Is it because they’re Italian and German, and not English? Great, we’ll just create our own spambot, link to NeoSmart Technologies in French, and take over the (blogging) world – except we don’t do spam, even if Akismet makes it this easy. Obviously there is a new spambot out there that queries your site for each and every post/page that accepts comments and spams the hell out of it. One comment per page, playing to WordPress’ duplicate-comment filter that allows duplicate repeated duplicate comments to different posts.
Needless to say, we’ve disabled Akismet and gone back to Spam Karma 21 – which is a great plugin badly in need of some bugfixes, updates, and new releases (as well as a customized weight-setting method for the various components a couple of new add-ons). Even if it gives our users a nasty error page if we’re using MySQLi for WordPress yet works just fine, it’s worth it if it can stop things so obviously spam and in such great quantities.
Of course when we received each wave of spam we took the time to manually flag each comment as spam so Akismet can be re-tuned, but if it takes Akismet a day or two to “learn” a new spam entry, then the bigger sites will always fall prey to “new” spam bots and links and comments… That’s just the way it is.
Link may not work from Opera because of a stupid Bad-Behaviour bug that the author refuses to fix ↩
Hello,
I develop SK2 and I would really love to hear from you about whatever bugs you encounter when using it… Particularly if any of them still occurs with the newest release (2.3). Lately and mostly due to WP2’s poor database architecture, SK2 would sometimes start hogging server resources to the point of returning errors to casual visitors, but this should have been greatly improved, if not fixed completely. You may also want to keep an eye out for some news about sk2_mod_security, which might help large sites deal with nasty IPs at the server level (before it even hits WP).
Also, I don’t know if this what you refers to, but SK2 has always given you the option to customize the weight given to each test. In the admin panel, you can select the strength of each filter separately.
Cheers
Oh, and while I am at it… This Opera/BB bug you refer to above: does it have anything to do with my site? This sounds weird, as I do not have BB installed on it (precisely for this sort of reason)… But I have a couple other basic security checks (have to, due to the insane amount of bots trying to hit this page) which might be otherwise interfering. If you can give me more details, maybe I can look into it.
Hey Dave,
Thanks for dropping by; I hadn’t downloaded the new version yet, I’m glad to see a couple of old bugs have disappeared, though the MySQLi bug still exists.
Bascially, once you use NST’s MySQLi for WordPress add-on, Spam Karma 2 will report SQL errors after each SK2-related action, but the request will go through and carry out successfully – I’d guess it has something to do with SK2 manually checking to see if it was successful or not, and manually escaping comments as well with a call to mysql_* which technically isn’t necessary since WP does that with the mysqli_* functions instead with the patch.
As for weighting: I meant giving it numercial weights for further customization.
Maybe when you press “advanced options” you get numbers instead of “strong, weak, normal, etc.”
Like, I’d say if Akismet says ___ give it Β±4 points, and if the captcha succeeds give it Β±6 points, etc.
I’m not seeing that BB/Opera bug right now with the same link, I got when I followed the URI from Google, but I’m not seeing it now; I’ll take down the notice π
Is the upcoming sk2_mod_security basically BB at the server level? Sounds enticing!
Hmnn… That mysqli issue sounds more like a compatibility issue than a bug. Problem is: WP really wasn’t thought through very well to do multi-database (despite the fact it uses some level of abstraction). Also, the DB API it provided at the time I first released SK2 was a pain to work with, so I had to shortcut it and make calls to the DB myself (escaping included). As a result, I can see how any plugins/patch that would work by replacing WP calls to mysql_* won’t really do any good to SK2.
For now, all I can suggest is grepping for mysql_* calls (thankfully, there aren’t much) and commenting/replacing appropriately… If you come up with a backward-compatible fix, I’ll be glad to incorporate it into the next release.
Re. weighing: I’d say this is “a feature, not a bug”… There are many problems with providing free-form numeric weights for each module instead of the current “weak/strong/etc” option. Most importantly: it would confuse non-Power users even more than the “strength” menu does now (and believe me it does). Second: the way modules work in removing/adding karma points is often much more subtle than a simple “add/remove x points if ham/spam”, using weights instead of set values allows a good compromise (modules can have an elaborate scale of karma granting, user can modulate it proportionally).
sk2_mod_security, as the name hints, merely provides mod_security for Apache with a list of the nastiest IP pulled from SK2’s blacklist (configurable, and can do domains too). Nothing overly fancy, but can be a big time saver with some of the stupider bots. It’s already up and working on my blog in a slightly modified version, I have contacted its original developer to see if he wants to release it or if I should do it.
Do you have the latest version of Akismet? It allows you to force a re-processing of the queue for spam. Maybe after flagging one or two e-mails you can just re-check the queue. Not an ideal solution of course, but it is still fairly automated. And it’d be interesting to see just how fast Akismet learns.
I don’t think that’s possible – because Akismet not only didn’t label them as spam, but also labeled them as ham!!
You can only re-queue moderated comments or spammed comments, not ham ones – so I threw Akismet away.
Dave,
There’s one more bug I’ve seen, and I wish I could reproduce it for you. It’s happened with me several times, and today I experienced it with the latest version: After manually moderating a comment, it’ll be marked as manually recovered and have a plus xx of 30 for manual hamming.
This seems to happen when you have dupe comments and select more than one or something – I’m not exactly sure how or when it happens, but it can be really annoying.
I’ll be sure to pay closer attention the next time I see it.