Akismet

Version 2.4 of the Akismet plugin for WordPress is available now. This is a maintenance release that fixes some bugs, and includes some preparation for new features in a forthcoming version.

Major changes include:

* Akismet now uses the trash bin when deleting old comments (WP 2.9+ only)

* Legacy code needed for WordPress versions earlier than 2.7 has been moved to a separate file, legacy.php

* Several minor deprecation and compatibility issues in some versions of WordPress have been fixed

* Various bug fixes described in detail here.

This version retains backwards compatibility with old versions of WordPress, but it is the last major release that will do so. The next release of the Akismet plugin will require WordPress 3.0. We’ll continue to maintain the 2.4 branch of Akismet with security updates for users who are unable to upgrade from old WordPress versions.

If so, please take a moment to leave a short comment on this post letting us know!

We’re working on a new site design and would love to include some new testimonials whether you just started being protected by Akismet or if it’s been safeguarding your site for 5+ years now.

This morning around 9 AM CST there was a database error that ended up causing API slowness for 3-4 minutes, which could have manifested itself on your end as timeouts or spam getting through.

Although the downtime was short it did alert us to a weakness in our system we’ll address so this won’t happen again.

Our last major downtime was in September 2007, one thousand and twenty eight days ago. These things usually happen in threes but hopefully we can head off the next two.

Version 2.2.9 of the Akismet plugin for WordPress is now available.

This version fixes a conflict in 2.2.8 that could potentially lead to spurious spam or ham reports on blogs that use other spam filtering plugins in conjunction with Akismet. The conflict does not affect accuracy, but may in some circumstances cause incorrect stats.

Users of modern WordPress versions can upgrade by following the prompts in the wp-admin dashboard.

Version 2.2.8 of the Akismet plugin for WordPress is now available.

Changes in this version include better diagnostic checks, and fixes for a bug that prevented false positive reports from being submitted in some circumstances.

Users of modern WordPress versions can upgrade by following the prompts in the wp-admin dashboard.

We all know spammers change their methods frequently. But there are also some broader trends that slowly emerge over long periods. The economics of spam has changed considerably since Akismet first started back in 2005, and that has led to some new trends and changes in spam patterns recently. Here’s a quick summary of some of the most important changes in web spam we’ve seen over the last year.

1. Human-posted spam has been on the rise for some time. Low-paid workers are hired by “SEO” firms to post comments on blogs and forums, advertising their clients’ web sites (typically small local businesses). The workers generally operate out of internet cafes and universities, particularly in India, South-East Asia, and Turkey. The quality of comments varies, with the best written spam usually coming from SE Asia. There are now sophisticated marketplaces set up specifically for hiring manual workers to do this kind of spam.
2. Good old-fashioned pill, porn and malware spam continues to center around Eastern Europe and the Russian Federation. They have well established willing hosts in the Netherlands, Latvia, Russia, Germany, and the USA, and hacked servers elsewhere.
3. Several Eastern European spammers control large ranges of IP addresses. One in particular has dozens of /22 and /21 networks. These are rented out to spammers as a distributed proxy network, or in some cases sold as a hosted spambot service.
4. Chinese wholesaler spam is becoming more frequent and organized. In addition to the usual comments and forum posts advertising counterfeit fashion and miscellaneous goods, the spammers are now creating networks of fake blogs and web sites on free hosts including Blogspot.com, Weebly.com, Tumblr.com, Ning.com, and WordPress.com.
5. Other spammers are abusing proxies at ISPs and universities, and national censoring proxies such as those in Saudi Arabia and Singapore. They do this to mix their spam with legitimate traffic and thus make IP blacklisting impossible. (Akismet, of course, is not a blacklist).
6. Autoblog pingback spam is now so bad that many blogs are refusing to accept any pingbacks at all. There’s no single source or group behind this – rather, gullible people are following “make money on the internet” instructions that recommend creating fake blogs on discount shared hosts and running ads. They use packages of WordPress plugins that copy content from other blogs or article publishing sites, and send pingbacks to many blogs try to get backlinks and traffic. There are large numbers of people doing this, and most of them have many such blogs. Needless to say it doesn’t work — the only people who make any money from autoblogs are the ones who sell the “make money on the internet” scams.
7. Some well-meaning but careless bloggers are unwittingly annoying other blogs with large numbers of pingbacks. They’re using plugins that add “related links” sections to each post, with an automatically generated list of links to posts on other blogs, and send a pingback to each of them. Unfortunately the plugins usually do a poor job of selecting relevant links, and the recipients of those pingbacks often regard them as spam (which is not unreasonable as the pingback is often totally unrelated, and autoblog spammers use the same plugins). Some bloggers have configured their plugins to include 50, 100 or more of these links in each post, which is further exacerbating people’s frustration with pingbacks.
   (For an example of a related-link plugin that does a good job of selecting relevant links and limiting pingbacks to a reasonable number, give Zemanta a try)
8. Trackbacks have become so unpopular that even many spammers have abandoned them.
9. Parasite hosting – such as hacked wikis, forum profile spam and hijacked blogs – used to be solely the realm of porn/pill/malware spammers. But recently Indian and Asian SEO spammers have adopted the same tactics – so where it used to advertise penis pills or bogus antivirus programs, now it’s dentists, roofing, and pet food.

As you’ve probably heard, WordPress.com had a major network issue today. Fortunately, Akismet was not affected — all Akismet API services were operating at full capacity. (Some tweets and blogs incorrectly reported that Akismet was down too.)

We are of course monitoring closely for signs of any aftershocks. As always, if you have any Akismet problems or questions, please contact our support.

Details of the WordPress.com downtime are posted in this announcement on the WordPress.com blog.

One of the biggest challenges for Akismet is most people don’t know there’s a commercial option, and even if you do we use a Paypal subscription method that’s a pain in the butt. (For now.)

On the first front we have a lot of work to do on awareness, but on the latter it seemed like most people already have a billing arrangement with their web host so if we could work with them directly it would remove a lot of the friction from the upgrade process.

Probably the largest WordPress web host in the world is GoDaddy, and they’re also the first to make Akismet Pro Blogger license keys available directly on GoDaddy.com. Should you desire to do so, you can now get a commercial Akismet key with a single click from your GoDaddy account which will make you kosher if you have a commercial blog or want priority support and spam checking.

If you’re a GoDaddy customer and already cool with Akismet, please take a minute to leave a review on their site. It amazes me that some people still blog without spam protection.

Tom Lee writes at Manifest Destiny about his discovery that spammers were abusing a full-text RSS tool he developed.

The self-described black-hat search engine optimization crowd — the folks who assemble sites peppered with ads that are designed to attract search engine traffic, aka “link farms” — had been using my script to steal other people’s content and republish it on their own sites.

Spammers call those link farms “autoblogs”. They’re a popular fad among black-hat SEO consultants (which is what spammers generally prefer to call themselves). His description is correct: they use automated tools to copy material without permission and re-publish it on fake blogs covered with ads. Typically they also send high volumes of pingback or trackback notifications to try to trick naïve bloggers into linking to them (thus boosting the spammers’ search engine rankings – often at the expense of the original authors of the stolen material). They rip off both the bloggers whose material they’ve stolen, and the advertisers who are paying for worthless ads run on bogus sites.

It’s a pattern of behaviour we’re all too familiar with at Akismet.com. Spammers take advantage of trusting (and trustworthy) bloggers, web sites and online services. And it’s the innocent operators of those services who, ultimately, are harmed the most.

Tom’s experience demonstrates an unfortunate modern reality: that spammers will take advantage of trust and openness. If you own any web site that allows users to consume resources – that is, any web site that allows users to perform an action – you need to monitor it for signs of abuse. An unsupervised or abandoned web site is a spammer’s playground.

SEOMoz has posted some original research on effect of CAPTCHAs on conversion rates:

With CAPTCHA’s on, SPAM and failed conversions accounted for 7.3% of all the conversions for the 3 month period. With CAPTCHA’s off, SPAM conversions accounted for 4.1% of all the conversions for the 3 month period. That possibly means when CAPTCHA’s are on, the company could lose out on 3.2% of all their conversions!

In other words, a significant proportion of frustrated customers simply abandon their attempts to get past the CAPTCHA. (And, notably, some spam still got through!)

We’ve blogged before about the usability problems of CAPTCHA-based forms, and it’s good to see some real-world data measuring those effects.