Flux CMS DevBlog

... and you're using the Akismet service, upgrade to the very latest version of Trunk or the 1_5 branch. This article tells why it was slow, and that was the patch needed.

Like written in my other post, I added now akismet support to the Blog plugin (in trunk aka 1.5-dev). It's used as a last resort, when all our own checks don't catch it. So far, it's working great and already caught one of those handcrafted spam comments (all others were labeled as spam before akismet had to do anything)

If you want to use Akismet, you need your own API key from them, and put that into config.xml with the following lines

<blogAkismetKey>yourkey</blogAkismetKey>

and that's it. We will make that option available later also on the site-options page in the admin.

We used the Akismet PHP 5 class by Alex for a really easy integration of the service.

BTW, we still think that captchas are the wrong way to tackle the whole spam problem (they don't help with handcrafted comments or trackbacks anyway) and only discourage legitimate users to comment at all. With all our anti-spam features we have now, we should be on the right track to avoid having to use captchas even longer (hopefully forever). Nevertheless, there is captcha code in the CMS, which can be turned on via an option, it's just not really tested yet (as noone is using it :) )

We (the Bitflux Blog) are currently hit by trackback spam once again. It's especially hard to take appropriate countermeasures, as the usual antispam techniques (captchas, hidden fields, etc) don't work here. So what do we do:

The usual comment modes also apply to trackbacks, meaning if you turn off comments, you can't trackback either anymore. Also trackbacks - as with comments - are only allowed for one month by default. You can change that behavior for each post or globally in the settings.

Furthermore trackbacks are moderated by default. Currently you can't change that, it's hardcoded. But in my experience, it's not worth automatically publishing trackbacks. There are much more spam trackbacks, which fall trhough our spam-detection than legitimate ones. It may be irritating to legitimate trackbackers, that their trackback doesn't show up immediatly, therefore I added now a little text to the default templates about that.

We also check the IP sender against xbl.spamhaus.org (catches about 50% of spam trackbacks) and against surbl.org (less than 50%). We also have our own blacklist, where we add spam-urls as soon as they hit us (and we find the time and internet connection to add it :) ). For this reason, I always allow comments on Bitflux Blog, so that we get as much spam urls as possible.

By the way, you won't get email notification for rejected comments/trackbacks by default, therefore you may sometimes not know, how much spam you get :) You can change that in the settings, too. But we never had false positives and you can check the rejected comments/trackbacks also in the webadmin (but they are deleted automatically after 3 days).

If anyone has any idea, how we can further improve trackback spam detection, let us know.

After a suggestion by Frank and some former nagging by Alain I finally added the possibility to accept or reject comments with one click from the notification mail. You don't even have to login to make a rejected comment approved or an approved rejected. This is done with some hashes for each comment, which is in the link and checked against. You only can change the comment-status once, after that it doesn't work anymore for that comment and you have to login to change it again. And this also works for Trackbacks.

If you have your own Flux CMS installation, don't forget to update the db with calling http://example.com/admin/webinc/update/.