The MU forums have moved to

Anti-Spam by Default (11 posts)

  1. strixy
    Posted 17 years ago #

    IMHO: A little development time should be spent putting some anti-spam measures into the default distribution of WPMU.

    And by a little, I mean a lot. Mostly where the sign up page is concerned. A captcha plugin that requires installation, and doesn't really work as advertised; that requires GD libraries to be installed and configured, well, that doesn't really cut it. My point is that there should be some protection by default, anything - just something that less technically inclined users could manage. I'll tell you why in a minute.

    Spammers out there are having a field day with WPMU and it is the number one reason why I didn't want to use it at all. So long as it's easy for them to spam, they'll continue to target this package. Not everyone who runs it has the technical aptitude to challenge the spammers in a meaningful way. This is a big problem.

    Before getting into this I had developed my own WPMU type site with WP as the basis. I finally figured that it would be better for me to adopt this package and spend my time developing for the community rather than for myself. My own strong beliefs in the FOSS ideals played a big part in that decision. However, my pro-con list to determine which package I would use and contribute to was extensive and developed over a four month period. Even with all the other pro's, one thing about WPMU still nags at me, "Unsubstantial anti-spam measures".

    This thing (WPMU) is a nightmare to manage where spam is concerned. One exception: Akismet. It is available for personal use only on WP blogs. The other end of that, and where WPMU is targeted, there exists the option to purchase a commercial license.

    Doesn't this create a conflict of interest? I mean, why would you bother trying to lock down this "free" software against spammers when doing so would counter the necessity for a paid anti-spam service such as Akismet? See what I mean?

    It's a nagging conflict of interest.

    If every default installation of WPMU shipped with anti-spam measures (Such as gatekeeper, captcha, bad behavior, spam karma, etc ), paying for Akismet might not be such an appealing option for commercial site owners. It's a conflict.

    Let me back track for a moment. My point about "less technically inclined users" is simple. There are people who get into this thinking it would be interesting to host a site for their friends or church group, what-have-you, and then discovering that the reality is something they are simply not prepared to deal with, technically. They exist. Those hobbyists who do this for their friends, for example. They may know enough to get WAMP running and get pages served, but nothing about installing LAMP w/ GDlibs or reprogramming templates to get a captcha working on their wp-signup.php page.

    Heck, there are users of WP who can't even handle the requirements of something as simple as SK2 (Spam Karma 2).

    I'm sure there are people who don't know how to use their .htaccess to ban suspect IP addresses or how to plug that list into other blacklist servers (aside from Akismet, which exist and are out there). Heck, I'm sure they don't even know about robots.txt (not much good against spammers, but still, it's a part of my point).

    I've visited the site. It looks promising. But my question is, why doesn't WPMU ship with anti-spam measures by default?

    So long as users are left unequipped spammers will continue to target WPMU installations. This only propagates the problem. It only makes things worse. If the choice is to include anti-spam in teh default package or ban newbies from using WPMU, I think the choice is clear.

    Akismet is a good idea, but the marketing leaves some distaste in my mouth when nothing is being done to help prevent the problem with default distributions of WPMU. When the only option provided is a paid service, well... maybe newbies should be paying. IMHO: that goes against the spirit of free and open source software.

    That creates a conflict of interest.

    So... how about making the default distribution of WPMU a little harder to spam?

  2. drmike
    Posted 17 years ago #

    Why not just install Bad Behavior? That's what most of the folks are running here.

    Spam Karma has also been covered with an autoload version I believe. The poster may want to use the search sticky and search for the discussions.

    Also for reference, have you asked Automattic if a free lisence is something that you can be given? if you're running a low volume non profit site, they may offer it to you. (And, again of course they may not.)

    I personally think you're jumping to conclusions myself. WPMu doesn't ship with any anti spam measures because there's a number of them out there that are currently used by a number of admins here. It's up to you to make the choice as to which one you want to use. That's why WMPu doesn't ship with anything preinstalled.

    Now if it shipped with Akismet already in there, I'd say you had an arguement. It doesn't though and there's no pressure to install it. Heck, I think I'm the only one here in these forums running it and I'm being comp'ed for it because I'm moderating 2 of their forums.

    Also just for reference, "free and open source software" does not mean without cost. You learn that very quick as a developer and as a hoster. Heck, phpnuke charges for a download of the latest version of software. You think all those boxes and time involved are free and without cost?

    So, how about using the search function here in the forums and try the other options available to you.

    By the way, Akismet is over there. This is where the mu users try to help each other out. All you;re doing is pissing into the wind with your rant.

  3. corourke
    Posted 17 years ago #

    I'd actually have to say that splog spam is a vastly bigger problem then comment/linkspam. While Patrick's solution is great when it works, it's not nearly stable enough at this point. I'd love to see some sort of default antisplog software (since akismet, bad behavior, spamkarma are all useless against splog signups).

  4. strixy
    Posted 17 years ago #

    "if you're running a low volume non profit site, they may offer it to you"

    I would prefer to remain Akismet free, not get Akismet free.

    I wasn't concerned with my own site. I'm mostly concerned with others who may be biting off more than they can chew. You've spent time reading the forums, you know they're out there...

    I'm suggesting that it's important if not imperative to be proactive about spam on WPMU sites from the get go - right from the install.

    Let's be honest here, would the spammers even bother writing scripts to spam a WP site if the default state of WP and WPMU was locked down?

    Nobody wants to consider that option because the newbies would have a very hard time getting their sites to work if it took as much effort and technical knowhow to unlock their sites properly as it currently takes to properly lock them down.

    It's something to think about and have a good honest debate about. I'm proposing that option and starting the debate. I expect to get exactly nothing, maybe a couple of flames, but thats my opinion and that's what I usually get when I share an opinion. Really, when you share an opinion that's usually what happens - regardless of whose opinion it is.

    Frankly, I'm shocked that WPMU doesn't already ship with splog and comment spam countermeasures. I'm shocked that the one captcha to combat it doesn't work without some serious tweaking. Which brings me back to my main point. The common newbie admin does not have the mad skills required to lock down their install which only makes this problem larger.

    I had to say something.

    It's quite possible that it was just overlooked and it's not some conflict of interest case... _____ knows I've done similar things in the software I've developed and the sites I've hosted over these past few decades.

    I'm just trying to draw attention to it.

  5. lunabyte
    Posted 17 years ago #

    "The common newbie admin does not have the mad skills required to lock down their install which only makes this problem larger."

    That's the thing, though.

    This isn't for noobs. Nor is it a "Set up a site just like and make a ton of money in 5 minutes" script, either.

    It's server level software, and requires an advanced level of knowledge to really pull it off.

    With so many options out there for spam, that CAN be tied into registrations, I'd rather have the choice to add what I prefer instead of what they want me to have.

    That being the case, you have to look at what's available to work with and filter against.

    A username and email are all that's input, which doesn't help much. So, the only real option is a traffic filter (ie. Bad Behavior) and/or a captcha of some sort.

    There a lots of captchas out there, but most require a little knowledge to tweak for MU. Which, goes back to my original point.

    /me... I wrote my own little captcha, and use BB on the sign up sheet. Which thus far has been effective overall. Nothing is 100%, mind you, and on occasion I have to delete a jackass. But 1 or 2 a month is better than 100 or 200.

  6. strixy
    Posted 17 years ago #

    That's a good point. I appreciate your thoughts. Kind of like a sink or swim scenario.

  7. drmike
    Posted 17 years ago #

    Something I remembered on the way home last night was that when I was using either SK2 or BB (What did I start out with anyway?), I had stripped out almost all of the settings from the options page for teh end user. Yes, it's a lot for the causal user. I agree with that. Why give them any of that though? May it easy on yourself and reduce your support tickets and just get rid of the options.

  8. lunabyte
    Posted 17 years ago #

    Absolutely Doc. I couldn't agree more.

    "Most" plugins can have the needed options hard coded in the file, or made to use global settings. Most users are fine with whatever you choose, and (even though they probably don't know it) they are probably better off with the admin's decision anyway.

  9. drmike
    Posted 17 years ago #

    Now on the downside of that, make sure they have the options that they need. For example, over at, folks got stuck with the auto delete of comments marked as spam on posts over 30 days. That's an option in Akismet now and soem folks didn't like having that set for them.

    Judgement call really.

  10. andrea_r
    Posted 17 years ago #

    You know, i remembe rwhen first using WP, I was impressed with the built-in features that WILL stop a majority of spam. I think we all get a little plugin-happy in many case,s when there's loads of built in things.
    that being said, it would be nice to have a global settings area in MU for things like the comment blacklist.

  11. drmike
    Posted 17 years ago #

    I realized something (else) on my walk into town this morning as well. With setting the "Number of links allowed" setting kind of low like 2, most spam is going to be dropped into the moderation queue anyway since they usually have more than 2 links a piece in there.

About this Topic