Akismet Stops Spam: Some Side Effects
There’s a new spam stopper for Wordpress called Akismet. It works by submitting every comment you receive to a centralized comment-checking service, which echoes back a “spam” or “not” response. Hurray. I can identify a few problems with this idea, however:
- You are trusting your user feedback to another company. Do you really trust them?
- A DDOS or any downtime of their servers allows spam to clutter up your moderation queue again
- Comment posting will have increased latency based on however long it takes for the roundtrip, and them to decide if your comment is spammy or not. There’s no SLA for this service, either, which is bad
- We have no idea how it works
Then, looking into the code, I notice some sketchiness:
- Communication is in the clear, so a Dolev-Yao attacker (anyone who can read and rewrite traffic on the path) can spoof Akismet and trick you.
- It automatically deletes your old archived spams and optimizes the Wordpress comments table every time a comment is submitted, spam or not. This is a big performance problem, in theory.
- There’s a spelling error or two in the admin panel. Automattically?
- Is there anything to prevent a spammer from posting to the admin page that his comment is not spam? I don’t see authentication in this file.
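As an added example (not the plugin’s code or Automattic’s API), here is how a client could fail closed on the failure modes listed above: refuse plaintext endpoints, treat downtime or an over-long round trip as “hold for moderation” rather than “publish”, and require an admin session plus a nonce before a comment can be marked not-spam. The endpoint URL, the verdict table and the secret are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed stand-in for the remote verdicts; a real client would POST the
# comment to the service and parse its "spam"/"not" reply (assumption).
SAMPLE_VERDICTS = {"great post, thanks": "ham", "buy cheap pills now": "spam"}

class ServiceDown(Exception):
    pass

def remote_check(comment, up=True, latency_ms=50, timeout_ms=2000):
    """Simulated round trip: a slow or unreachable service is an error."""
    if not up or latency_ms > timeout_ms:
        raise ServiceDown("no verdict within %d ms" % timeout_ms)
    return SAMPLE_VERDICTS.get(comment, "ham")

def classify(comment, endpoint="https://checker.example/verify", **kw):
    """Fail closed: any failure holds the comment for moderation instead of
    publishing it, and plaintext endpoints are refused so the verdict cannot
    be swapped in transit."""
    if urlparse(endpoint).scheme != "https":
        raise ValueError("refusing to send comments over plaintext")
    try:
        verdict = remote_check(comment, **kw)
    except ServiceDown:
        return "pending"
    return {"spam": "spam", "ham": "approved"}.get(verdict, "pending")

# Per-install secret for the admin nonce (constructed for the demo).
SECRET = secrets.token_bytes(32)

def nonce_for(user_id, action, comment_id):
    msg = "%s:%s:%s" % (user_id, action, comment_id)
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()

def mark_not_spam(session_user, nonce, comment_id):
    """The 'not spam' admin action needs a logged-in admin and a nonce tied
    to that user and comment, so an unauthenticated POST is rejected."""
    if not session_user or session_user.get("role") != "admin":
        return False
    expected = nonce_for(session_user["id"], "unspam", comment_id)
    return hmac.compare_digest(nonce, expected)
```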
This entry was posted on Tuesday, October 25th, 2005 at 8:53 pm and is tagged with spelling error, checking service, spam stopper, performance problem, hurray, admin panel, ddos, spams, roundtrip, spoof, sla, spammer, attacker, yao, downtime, moderation, akismet, authentication, servers.


You predicted years ago the very problems plaguing bloggers using Akismet today. The false positive levels keep rising and more and more regular commentators are being flagged as spammers. Akismet makes it easy to be flagged (it appears it only takes a few spam clicks to flag you) and really challenging to get unflagged.
Some bloggers have tested and even after 20 not-spam clicks they were unable to get a regular commentator unflagged. There is a process to request Akismet to reconsider but any regular commentator will just get flagged again.
We have a new anti-spam solution written by Andy Bailey of CommentLuv based on an idea by Phil Hollows of FeedBlitz and improved by a suggestion from Dazzlin Donna. We have tested it in dozens of blogs with no problems to date.
It is super simple and working brilliantly. Andy will be uploading it to the WordPress repository soon and anyone who wants a copy now can simply leave a comment in the post linked to this comment and I will email it to them.
Akismet treats your readers VERY badly. That white page some see – that is intentional! Drop by and read all my posts about Akismet issues and at least learn how to turn off the “delete instantly” option that few bloggers understand.
All I can say is that Akismet has caught over 32,000 spams on my blog, and it rarely makes a mistake. I could use a captcha, but that makes my visitors do extra work, which is contrary to my goal of fostering discussion. As I write this, the good comment counter is about to hit 60,000.
Blogging with Akismet is much better than blogging without it.
The spelling of “Automattically” is intentional, according to their FAQ.
Hi Elliott,
I don’t think you ever used akismet. I don’t think you ever read what they wrote on their website. I don’t think that you really wanted to know what’s behind it.
Point by Point:
>> Trust or not?
You allow people to post feedbacks on your website. If Automattic was interested in reading user feedbacks, it googled for it. (Think about it)
>> the thing with the “DDOS” and the “queue”…
I was using akismet for years never had any situation like the one described above. Sorry.
>> Speed & stuff
Ok, honestly, akismet does slow down the post process _a bit_. But filling out stupid captchas does the same (ok, akismet does not help people to train their brain cells and eyes. Sorry for that).
>> “no idea how it works”
Yes, like everyone who does not read the f. manual. They’ve even got a handy FAQ on their site, very simple to understand.
>> “spoof akismet and trick you”
Yeah, of course he can.
>> “in theory”
Automattic only provides the API, what you do in your code is your business. Disable the query in the source if you don’t want it.
>> “spelling error”
Yeah, I hope these pseudo-spelling errors don’t keep you spending the whole night awake in bed. If they do so, you could go on akismet’s Website and read the f. FAQ (and be shocked by the knowledge you get in less than 5 seconds; ah yeah, the wisdom that “automattically” isn’t misspelled as well.)
You’re not serious.
>> “auth”
Please don’t make automattic responsible for your security problems.
Greetings
jeko
Never knew about this. However I need it badly as some of my sites are getting pounded with spam at the moment and can’t keep up.
[...] I remember seeing a post on Planet Wordpress a while back (unfortunately I can’t remember by whom it was) about spammers trying to trick stopper software by inserting comments with text and links that don’t contain obvious references to typical spam content, thus undermining the contextual barriers that these tools put up. It was exactly this that made me wary of installing Akismet (apart from the idea that it probably won’t work properly for foreign-language blogs anyway), because I’m a bit skeptical of the whole checking-against-a-centralized-database idea. Some of the problems of the Akismet approach have already been mentioned here and there (and see also this comprehensive post). [...]
[...] I also sent an email to Adsense: The Adsense publisher pub-5121418238017619 is running your ads on my content that he has stolen without authorization. I have filed a DMCA notice with his hosting provider, and hope that you will remove the economic incentive for his theft of copyright materials. Compare the original work to the stolen work. [...]
Funny how they ‘syndicated’ this content without the little copyright notice. Looks like they didn’t even use the RSS but scraped your whole page. Even the ‘generate a trackback url’ link is present…
Ooo, thanks Rich. DMCA time, baby!
Slightly off-topic this, but, I just spotted your content somewhere else and it looks a little over-syndicated..
One thing I’ve noticed about authors of WordPress anti-spam plugins is that they tend to be critical of other anti-spam approaches than their own. Even I was critical of Akismet, when it was named *** and I found out about it through rumors and whispers. So I wound up coding on it.
You can read my two reviews of the work in progress and the final (?) product if you like, just to see what I mean.
No one’s been able to make this particular approach fly before, so we’ll all see how it goes.
Thanks guys. I really hope this flies!
Automattically is spelled like that for a reason…Automattic. If you look at the bottom of the Akismet page you’ll see a link to this.
Akismet is an interesting concept and I guess we’ll see how it flies.
Hey, thanks for your comments. Point by point:
We can’t do anything about people trusting us or not, but if you don’t there’s no reason to use the plugin.
Downtime and latency are issues that millions of websites deal with, and there are pretty robust and known ways to address them, and we’re building out the infrastructure to do that. We do have SLAs available for enterprise users.
Communication is in the clear, but your system has already been compromised if the domain returns someone other than Akismet, and you have far bigger problems to worry about than comment spam. (Comments are also posted in the clear.)
Deleting and optimizing doesn’t cause performance issues in our testing, though I could put a line in to have it optimize less frequently.
Automattically is a reference to Automattic, any other spelling errors you spotted?
Spammers could submit spam as false positives, but they would need an API key to do so and we attach rating and various levels of trust and verification for different API keys.
Thanks again for giving the service such a thorough examination.