Comment filtering for spammers?

I was wondering if and what measures are built in the script to filter the comments. I have taken a quick look at the code, but couldn't find any more than the validation check for valid email addresses etc. Everybody having had a comment enabled blog or other script knows what I'm talking about. All those spam messages.
So what experience have people had so far? And what are the planned developments in this area?
As a sidenote: I know it's still a beta, but still, can anyone say something about how secure the script is at the moment? In my opinion, these aspects are more important than adding new features. I hope I don't sound too offensive. Really from what I can see ZP is very well programmed. However, I have seen so many scripts for galleries, guestbooks, blogs etc that have gaping security holes in them. Like relying on magic_quotes being on for example.
I just would like to hear some more about these aspects.
Thanks, and keep up the great work!

Comments

  • So, nobody has had any problems with spam in the comments? That would be quite unique, and also very good.
  • I'm sure it will come eventually, unfortunately.

    It would be really great if the comment function somehow could be integrated with Wordpress' anti spam plugins. Would that be possible at all?
  • That would be a good idea indeed. Since comment spam is such a huge and widespread problem, it wouldn't be very wise to try to reinvent the wheel. There's already so much effort being put in the anti-spam plugins for WP (or other popular scripts), at least some code could be reused. My knowledge in php is not advanced enough to do it myself, but I'm willing to help a bit by thinking/discussing about it :) My guess is that a combination of measures will be a good start.
    • Not allow repeated comments within a certain time
    • Blacklist the most common spam words (all medicines, gambling stuff etc)
    • Don't allow links to be posted
    • Validate input. (Valid email address, etc)
    • ...
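The four measures listed in the post above, combined into one screening function. This is an added example, not part of the post and not Zenphoto code; the function name, field names, limits and word list are hypothetical, and the caller is assumed to pass string fields.

```php
<?php
// Added example, not Zenphoto code; function and field names are hypothetical.
// $recent maps client IP => Unix time of that client's last accepted comment.
// Returns a list of rejection reasons; an empty list means "accept".
function screen_comment(array $c, array $recent, int $now, array $blacklist,
                        int $minInterval = 60): array
{
    $reasons = [];

    // Validate input: required fields, bounded lengths, well-formed email.
    $name = trim($c['name'] ?? '');
    $body = trim($c['body'] ?? '');
    if ($name === '' || strlen($name) > 64) {
        $reasons[] = 'bad name';
    }
    if ($body === '' || strlen($body) > 2000) {
        $reasons[] = 'bad body';
    }
    if (filter_var($c['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $reasons[] = 'bad email';
    }

    // Rate limit: one comment per client per $minInterval seconds.
    $ip = $c['ip'] ?? '';
    if (isset($recent[$ip]) && $now - $recent[$ip] < $minInterval) {
        $reasons[] = 'too soon after previous comment';
    }

    // No links: URL schemes, "www." prefixes, HTML anchors, BBCode tags.
    if (preg_match('~https?://|\bwww\.|<\s*a\b|\[url\b~i', $body)) {
        $reasons[] = 'contains link';
    }

    // Word blacklist: whole-word, case-insensitive match on the body.
    foreach ($blacklist as $word) {
        if (preg_match('~\b' . preg_quote($word, '~') . '\b~i', $body)) {
            $reasons[] = "blacklisted word: $word";
        }
    }
    return $reasons;
}

// Constructed sample input.
$blacklist = ['viagra', 'casino', 'poker'];
$recent    = ['203.0.113.7' => 1000];
$spam = ['name' => 'Bob', 'email' => 'bob@example', 'ip' => '203.0.113.7',
         'body' => 'Cheap VIAGRA at http://example.test/pills'];
print_r(screen_comment($spam, $recent, 1030, $blacklist));
```

Returning every reason rather than stopping at the first makes it possible to hold borderline comments for moderation instead of dropping them outright.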
  • The comment spammers have arrived!

    http://lunaport.com/photos/mardi_gras/03.jpg

    I've left it on this page only - there was lots more. So, what can I do? I didn't see anywhere to disable comments.
  • trisweb Administrator
    Alright, that's it then. I'll start putting moderation and spam controls in, and the ability to disable comments. Definitely know now that we need to work on it. Thanks, and sorry for any inconvenience.

    For now you could disable the form in the theme, but that's tedious and hacky. We'll have a real solution soon.
  • I can't believe I was the first. I won't bother trying to disable the form - it seems to have stopped for now, and it's easy enough to delete the offending comments.

    Looks to me like the script mistook the comments form for an email form - the content of the posts looks like attempted email injection (http://securephp.damonkohler.com/index.php/Email_Injection). Guess they just try every form they find.
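A check that recognizes the kind of submission described in the post above, where a bot fills a form with mail-header content. This is an added example, not part of the post and not Zenphoto code; the function name, field names and header list are hypothetical, and the match is a heuristic.

```php
<?php
// Added example, not Zenphoto code; function and field names are hypothetical.

/**
 * Return signs that a comment submission is a mail-header injection probe.
 * Single-line fields must never carry CR/LF (raw or URL-encoded). The body
 * may contain newlines, so there we look for lines shaped like mail headers.
 */
function header_injection_signs(array $fields, array $singleLine): array
{
    $signs = [];
    foreach ($singleLine as $key) {
        $value = (string)($fields[$key] ?? '');
        if (preg_match('/[\r\n]|%0[ad]/i', $value)) {
            $signs[] = "line break in $key";
        }
    }

    // Headers that have no business starting a line in a photo comment.
    $headers = 'bcc|content-type|mime-version|content-transfer-encoding';
    $body = (string)($fields['body'] ?? '');
    if (preg_match_all('/^\s*(' . $headers . ')\s*:/im', $body, $m)) {
        $found = array_unique(array_map('strtolower', $m[1]));
        $signs[] = 'header lines in body: ' . implode(', ', $found);
    }
    return $signs;
}

// Constructed sample submission.
$probe = [
    'name'  => 'visitor',
    'email' => "visitor@example.org\r\nBcc: list@example.net",
    'body'  => "hello\nContent-Type: text/plain\nMIME-Version: 1.0",
];
print_r(header_injection_signs($probe, ['name', 'email', 'website']));
```

If comment fields are ever copied into a notification mail, the same CR/LF test belongs on every value placed in a header.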
  • Yep i had a couple of ten not related comments on my site as well, looked more like hacked than spam 'cause i didn't find any viagra ;-)
    but it is annoying and somehow scary as well
  • yeah, installed it, and 2 days later i've got 73 comments from spammers. i really didn't expect it, but what can one do...
  • On my Wordpress blog I am using Akismet to prevent comment spam and it is working perfectly.

    Maybe Akismet anti spam can be provided in the form of a plugin for zenphoto?
  • if I modify the structure of the comments table to have the 'commentson' field default to zero would the comment form still show up?
  • went ahead and tried it. Nope comments and form still show.

    just add #comments {display:none} to the end of your template's css and they will not show
  • bjelm Member
    Hi!
    Any news on comments approval moderation mail and comment spamming?

    Keep up the good work!
    /Petter
  • trisweb Administrator
    No news yet. Lots of dev time available now though, so might get some work on it done soon...
  • Yeah, instead of writing your own, how about developing an Akismet plugin? Most of us are already running WordPress and have an activation key.
  • trisweb Administrator
    Yep, good idea. The plugin API is sounding like something I should work on ;-)
  • jimjam Member
    Hi, has there been any progress on this?

    I also thought of a related feature. It would be great if users who were already logged into wordpress could post comments without having to enter their details a second time.

    Many thanks!
  • Integration with some captcha feature should solve this problem. I would be interested as well, if someone figures it out. Thx.
  • One idea I thought of is the humanauth system of captcha. A little too much work, but it would be kind of cool to use your own images as sort of a gallery "captcha" method.

    Just search for humanauth online. They provide a distribution in php to get started, it might be cool to try and implement.
  • Here's the link to Humanauth:

    http://www.gigoit.org/humanauth/

    More thoughts on it:

    Probably taking photos from zenphoto in a random fashion would not be the best idea, as you'd have to "key" pictures to specific categories (or tags) which humanauth would then use for its algorithm. In other words, say you have 9 random pictures, three of them tagged as "cars". The system would then use the tags to identify the "cars" and then the user would have to click on the cars to pass the comment submit process.

    Seems needlessly complicated the more I think about it. But it sounds cool....
  • Greetings,

    Just wanted to reply to thinkdreams comment. Humanauth works by having the images in two separate folders. A "correct" and "incorrect" folder. The script looks at the file names in the folders and automatically creates everything for you. So there is no need to tag anything :) An image called "green_tree.jpg" will receive a title and alt tag with the text "Green Tree". The underscore becomes a space, the extension is removed and we even capitalize the first letter of each word so it looks nice.

    All you really need to do is put whatever images you want in each folder. Currently we placed pictures of nature in the "correct" folder and request users to choose three pictures of nature. You can put whatever pictures you want in there and just update the challenge for your users. There is even a config file so you can make your own folder names and just update Humanauth to whatever you called it.

    As long as there is a central theme to the correct images, users will be able to identify them based off the question you ask them. In our example, we just took a bunch of pictures of things found in nature and dropped them in a folder. That was our theme.

    Humanauth already comes with these images and you can pretty much just drop it on your server and hook it into your site by using the code on our sample.php page included with Humanauth. Works with PHP4 & PHP5.

    We are always available to answer questions too, if you need any help :) It really is pretty easy. Hope you will give it a try.

    - Gigoit Staff
    ( http://beta.gigoit.org )
  • @gigoit

    wow. i never expected a reply from the actual humanauth people on the zenphoto site. this is pretty cool. i just think it would be a nifty addition to a photo gallery to use the photo gallery images to "validate" a human commenter.

    one thing i would like to know is the best way to hook humanauth into the zenphoto comment architecture. In other words, would you place the humanauth code before the submit comment button on the comment form, or after the submit button is depressed, then it passes to humanauth?

    we can take it offline more as well if you want, i am at craig (at) thinkdreams.com. seems like a better place than cluttering up tristan's nice zenphoto board with another off-topic discussion.

    :)
  • trisweb Administrator
    No, please please clutter up the board with discussion! That's what it's for! Besides, I like to see what you're up to ;-)

    I do like the idea of using photos for authentication, it fits with the application's purpose very well.

    However, I have always thought any kind of captcha to be an excessive measure. I believe bayesian filtering is pretty good, especially distributed systems like Akismet. One big downside of Akismet is that it requires a wordpress.com API key... not terribly uncommon for public API's, but still an extra hassle. We could alternatively use a PHP bayesian filter internally, but that's not very effective either with the low numbers of comments you get on a photo album... maybe captcha is ok... :-)

    Really, we need plugins. Then we can make all kinds of sp*m filtering as needed.

    I know this is naive, but sp*m for most of us is still very low. Zenphoto isn't yet widespread enough to attract much attention, but all that does is buy us time to get some protection.
  • i do agree with you on the akismet thing. I run my blog using akismet, and it's not that popular of a destination, so I get minimal spam. My wife's business blog and site gets a lot more, because we advertise, so it stands to reason that the amount of spam you get is relative to how popular you are....

    captcha works ok as an alternative. i think humanauth is something a bit better since it does use photos. captcha can get annoying to people in some cases, and it definitely is a problem for ADA related issues. i truly cannot stand the random letter captchas.

    so i'm glad to hear it's ok to discuss it here. thanks tris.
  • Akismet is definitely the way to go. On my blog I currently have 340 comments that have been flagged and 'quarantined' as spam (they are automatically deleted after 15 days) and Akismet has caught over 1200 since I installed it recently. I have had maybe 1 or 2 comments slip through the net and to me that is a pretty successful ratio.

    I really think we should be trying to encourage browsers of our galleries / photoblogs or portfolios to comment on our images and creating any sort of barrier to entry is not a good idea. Akismet is a non intrusive solution that works, it requires very little administration on the admin's part and I really think it should be utilised in Zenphoto.

    @ Tris, I am really glad you are now seriously looking at the plugin facility again, I do appreciate you have been busy with other things. The plugin feature will take a lot of the heat off you and will undoubtedly increase the commercial credibility that Zenphoto deserves. Keep up the great work.

    Other than being a bit of Wordpress fanatic, I have no association with Automattic or Wordpress! :-)
  • Has anyone actually installed Humanauth for their commenting? If so, would you post a link? Thanks.
  • I kind of gave up on Humanauth, as I couldn't get any sort of direct response from them. I'll assume they're busy, but I had a few implementation questions that I couldn't get answered.

    After much thought, a plugin using Akismet would be the better way to go. Been busy working on my wife's business website, so I haven't had much time to work on it myself, but a good starting point would be:

    http://www.achingbrain.net/stuff/akismet/

    It's a PHP5 based script for comments using Akismet, which can be plugged into virtually anything. However, without the plugin architecture for zenphoto, it would require much editing of core files, and would make upgrading difficult.
  • Actually, since this thread was started, I thought about Akismet, but never really had the time to sit down and work on something like this. However, yesterday I learned about Micro-Akismet and so I took the day off of work today to try and work on a ZenPhoto "hack" using Micro-Akismet. We'll see how it goes later today!
  • @GameDudeX

    Let me know if you need an extra server to test with. I'd be glad to help.
  • @thinkdreams

    Thanks, I think I got it. Almost done. But just for future reference, you use any kind of Instant Messenger?