
I wish I could remove comment moderation…

Sarita just left the following comment:

“And responses are MODERATED? If you were that offended by the comment, just reject it! Just because someone annoys you doesn’t mean you have to try to smear them, much less expose them.”

So why do I have comment moderation on this blog?

Well, this blog seems to attract a level of comment spam far above the blogs of many of my friends, colleagues and peers (even ones with higher Technorati rank or Google PageRank).

A quick peek through Akismet, the excellent anti-comment-spam module in WordPress, shows that it is currently zapping a comment spam every 7 minutes. It’s not uncommon to have 10 or 20 comment spam attempts in the space of a few minutes.

With the above volume in mind, it’s perhaps not surprising that a fair amount manages to sneak its way past the security measures I have enabled – of which Akismet is just one of many. For example:

SGML. Girl spanking free pictures

(link removed)

This is why I continue to have first-comment moderation active on this blog.

(…which means the first time you leave a comment with a new email address, it must be green-flagged by me before it is published to the blog. Any future comments under that same email address are automatically published, of course.)

I would so really like to be able to turn this off – but at this time it’s just not possible with the amount of spam.

Akismet is such a great tool – but it needs to get a little better before I’ll trust it 100% for my comments.

In the meantime, let me be absolutely clear with my moderation policy:

I only dump comments that are spam or totally off-topic to the original subject. I do not remove comments that are critical of me, in case people think that’s why I have moderation on. Check out [1] [2] [3] for examples of that!



  1. That comment was just copied and pasted from an early comment by anon2 on the same post (who was suggesting you shouldn’t have posted the comment rather than the whole googling their IP and posting it thing)

    As for copying a comment, maybe it’s a spambot on behalf of igloo360?

  2. Ben

    This is true, well spotted. Gah, see this is what I have to deal with — smarty-pants bot developers…

    This ain’t your father’s common-or-garden regular spam being sent to this blog. Oh no, it’s hardcore tricky-dicky stuff.

  3. I have written it on some more blogs and I hope the word came more around: Don’t count on a single plug-in. I use a battery of anti-spam plug-ins here: Bad Behavior 2; blocks typical spam (e.g. no user-agent and such) attempts, Spam Karma 2; it’s more a framework for its own plug-in system. There are a lot of SK2-Plug-ins available (like Akismet) which gave an opinion about the comment. Once “karma level” has reached a specific value it got marked as spam.

    And last but not least my own CPR plug-in (Comments Post Rewriter) which blocks POST requests without a generated and server-unique authorization key.
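
A sketch of the kind of check the comment above describes, added here as an example; it is not the commenter's CPR plug-in, whose internals are not shown on this page. It assumes a hidden form field carrying an HMAC over the post ID and render time, and the names `SERVER_KEY`, `issue_token` and `check_token` are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: one random secret per installation, generated once, never sent out.
SERVER_KEY = secrets.token_bytes(32)
MIN_AGE = 3      # seconds; a form posted faster than this was not filled in by hand
MAX_AGE = 3600   # seconds a rendered form stays valid

def _sign(post_id: int, issued: int) -> str:
    msg = f"{post_id}:{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(post_id: int, now: Optional[float] = None) -> str:
    """Hidden-field value emitted when the comment form for post_id is rendered."""
    issued = int(time.time() if now is None else now)
    return f"{issued}.{_sign(post_id, issued)}"

def check_token(post_id: int, token: str, now: Optional[float] = None) -> str:
    """Return 'ok', or the reason the comment POST should be dropped."""
    now = time.time() if now is None else now
    issued_s, sep, mac = token.partition(".")
    # Reject missing fields, non-ASCII input and absurdly long timestamps.
    if not sep or not token.isascii() or not issued_s.isdigit() or len(issued_s) > 12:
        return "malformed"
    issued = int(issued_s)
    # Constant-time comparison of the supplied MAC with the recomputed one.
    if not hmac.compare_digest(mac, _sign(post_id, issued)):
        return "bad-signature"
    age = now - issued
    if age < MIN_AGE:
        return "too-fast"
    if age > MAX_AGE:
        return "expired"
    return "ok"

if __name__ == "__main__":
    t = issue_token(42, now=1_000)   # constructed sample values
    for label, pid, tok, when in [
        ("blind POST, no token", 42, "", 1_010),
        ("token reused on another post", 43, t, 1_010),
        ("posted 1 s after render", 42, t, 1_001),
        ("human commenter", 42, t, 1_060),
    ]:
        print(f"{label:30} -> {check_token(pid, tok, when)}")
```

A client that fetches the form, waits a few seconds and then posts still passes, so this filters blind POSTs and replayed tokens rather than scrapers that read the page first.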

  4. Are you the victim of targeted attacks or just bots/spiders?

    If former; simply add CAPTCHA i.e. image verification. Job done no?

    If it’s the latter then you are in a world of hurt and you certainly didn’t help your cause by admitting that previously accepted e-mail addresses bypass verification. Duh… 🙂

  5. Ben

    I won’t add a CAPTCHA to my blog because it breaks so many accessibility rules and is simply not usable by those with visual impairment.

    I think Yahoo now have a CAPTCHA system that will read a CAPTCHA out via mp3 to you, but obviously I don’t have that kind of technology at my disposal on my blog.

    CAPTCHAs also don’t stop bots, they just prevent dumb bots and lazy people from commenting. You can write a bot to OCR a CAPTCHA and equally many people are put off by them and simply won’t bother.

    Admitting I use email address bypass verification… well I decided to be open with that because this blog is primarily a conversation platform and so I feel I owe it to my readers to let them know that once they do comment they can comment automatically on the same email address for ever more.

    Sure, that might mean I now get even more attack attempts but I’ll simply delist white list email addresses if spammers start guessing commenters’ email addresses. I actually don’t think they will.

  6. “I won’t add a CAPTCHA to my blog because it breaks so many accessibility rules ”

    When I first read that I thought you must have been joking. You really are serious, aren’t you?

    I just find that sentiment incredible.

    CAPTCHA would fix the automated spam problem at the cost of a little accessibility i.e. some people (in reality, none anyway) may not be able to post comments on your blog. When you weigh the things up; it’s a no-brainer decision. I always did disagree with people that gratuitously, blindly follow accessibility rules and web standards. Simply put; they are open for interpretation. This is how the web works.

    You also made some comment about how the CAPTCHA image could be OCR’d. Come on – that isn’t the case. Most images are obfuscated to prevent OCR i.e. it’s a total non-issue.

    Sorry dude don’t mean any ill-will here just friendly comments 🙂

  7. Let me just add this too:

    I believe your spam problems are a result of using some standard web publishing system i.e. the attacks are automated and not targeted. Therefore any customisation (however trivial) should solve your problem and in theory could still be accessible.

    Why not simply add another text field and generate some text like this “please type the word DOG into the text field”.

    A little bit of work will go a long way towards eliminating non-targeted spam.

  8. Ben

    I have already modified some of the ‘out of the box’ features of WordPress in the way you have described. I’m not going to mention exactly what they are, but suffice to say anyone trying any automated attempts with an ‘out of the box’ config is not going to be successful. All of the spam I receive is following on from someone scraping the comments page and checking for my values – although I agree there perhaps is more I could do along those lines.


    I’m very much serious in my dislike for them. They are an abomination of accessibility – and I’m slightly taken aback that you appear to hold such little regard for blind and partially sighted users of your own websites.

    During my tenure at the BBC I spend a considerable amount of my time advising the BBC on accessibility best practice as part of my work within the BBC’s New Media Accessibility Working Group.

    I’m proud of the work the BBC has done to make its sites accessible and would only want the same for my own sites.

    You should check out this recent post from the Google Blog:

  9. Ben

    BTW: I’ve seen first hand some nifty hacks to OCR CAPTCHA – actually for blind people.

    It does depend on the implementation of CAPTCHA, but equally I have not been able to successfully navigate certain CAPTCHA implementations as the writing has been so obfuscated. And I have 20:20 vision.

  10. Hey Ben

    I respect your position on accessibility given your background but these things are never that clear-cut IMO (they are when you work for the BBC, but there are shades of grey i.e. your blog).

    Maybe one of us should turn this into a blog entry and we can dissect it a little.

    Over on my company blog I implemented a comments system powered by e-mail (rather than web forms) which gives us very hefty spam protection for free i.e. third-party Bayesian filters etc. Check it @

  11. Tim suggests “Why not simply add another text field and generate some text like this “please type the word DOG into the text field”.”

    I did something like this recently with 100% success.

    My blog was getting about 20 spam comments an hour (mailed comments, actually).

    I added an HTML text captcha – I display five characters from the session id and ask people to complete it. It’s accessible. Likely needs tweaking to make it unambiguous for human visitors but it works.

    To see it in action, see the bottom of

  12. I had an idea for a nonspamplugin. When someone posts a comment, check for screendepth and resolution using javascript. Send this via the form action (action=”postComment&screen=2132*2323&depth=2312). If those two values are not filled, just ignore the post. The users without javascript enabled are not meant to surf the web 🙁

    // alexander

  13. Even captchas won’t deter em, the best bet is to just keep moderation on for the time being and see where that leads. People write software specifically to get past the captchas

  14. Ben

    @Johanna – lol cos with your comment you managed to squeeze in an otherwise unrelated link to your “PostItFree” site.

    But, well, I like the guile and it’s rel=”nofollow” so I’ll let that one by.

    As it happens, I’ve turned off moderation for the time being to see what happens. I’ve got some new anti-spam detection in place which seems to be working well with Akismet to form a good solution.

  15. I have a blog about gadget & electronic news and this information very useful for me, thanks!

  16. Welcome to my site – Myusenet-pics

  17. Here’s the thing,
    for most daily comments that any blog gets they are just ‘bot’ generated that contain over enthusiastic remarks on how your post changed their lives and so on.
    the thing is that these guys are just getting better in what they do so it’s not that easy.
    adding Captcha or any visual anti spam might not just do the work.

    I would suggest to anyone who’s getting tons of traffic and comments per day to hire a VA and let him handle this part.
    it’s not worth your time writing a post for 30 min but dealing with comments 30 min per day.
