Ben Barden - Life of a web developer

When to use an IP ban, and other ways to stop spam

Posted by Ben on June 25, 2009 11:45

In a previous post, I said that banning by IP address doesn't work. But in some cases, banning by IP is all you've got. When should an IP ban be used? What other measures should you use other than the IP?

When to use an IP ban

Any site that allows user contributions is at risk of being spammed. I've seen blogs with tens of thousands of spam comments, and forums with thousands upon thousands of spam accounts.

Some spammers use an IP address only once, so there's not much point banning it. However, if you see a lot of spam from the same IP address, banning that IP is a good idea. The spam may well come back on a new IP address, but without banning any IPs at all, you'd probably get a lot more spam.

Banning by IP can be very effective when you're banning a static IP, which is an IP that doesn't change. Dynamic IP addresses can and do change, so a banned user may come back on a new address, and a legitimate user who is later handed the banned address will be locked out.

When to ban a range of IPs

Look out for similar IP addresses. For instance, if you ban the IP 1.2.3.4 and suddenly you start getting spam from 1.2.3.5, you could widen the ban to the prefix 1.2.3. (note the trailing dot), which will ban everything from 1.2.3.0 to 1.2.3.255 inclusive. If you then start getting spam from 1.2.4.6, you could ban the prefix 1.2., which will ban everything from 1.2.0.0 to 1.2.255.255 inclusive.

IP ranges aren't perfect, but they can be used to lock out a lot of IPs in one go. Be careful though - you're more likely to ban legitimate users in the process.
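To make the prefix notation above concrete, here is an added example (not code from the original post or from Injader) that turns a ban list of full addresses and dotted prefixes into networks, checks a visitor against it, and flags /24 blocks where several distinct hosts have spammed, which is the signal the post describes for widening a single-host ban to a range. The ban list and spam log are constructed values.

```python
import ipaddress

# Constructed ban list in the post's notation: a full address bans one host,
# "1.2.3." bans 1.2.3.0-1.2.3.255 and "5.6." bans 5.6.0.0-5.6.255.255.
# These are placeholder values, not a real blocklist.
BAN_LIST = ["1.2.3.4", "1.2.3.", "5.6."]


def ban_entry_to_network(entry: str) -> ipaddress.IPv4Network:
    """Translate one ban-list entry into the IPv4 network it covers.

    Each leading octet fixes 8 bits of the prefix, so "1.2.3." is /24,
    "1.2." is /16 and a full address is /32. Missing octets become 0.
    """
    octets = entry.strip().rstrip(".").split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad ban entry: {entry!r}")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")


def is_banned(ip: str, ban_list=BAN_LIST) -> bool:
    """True if the visitor's address falls inside any banned network."""
    addr = ipaddress.ip_address(ip)
    # An IPv6 visitor is never inside an IPv4 network; membership is False.
    return any(addr in ban_entry_to_network(e) for e in ban_list)


def suggest_range_bans(spam_ips, min_hosts: int = 2):
    """Group spam sources by /24 and return dotted prefixes seen from
    at least `min_hosts` distinct hosts, i.e. candidates for a range ban.

    A range ban also catches legitimate users in that block, so the
    threshold is deliberately a suggestion for a human to review.
    """
    hosts_per_block: dict[ipaddress.IPv4Network, set] = {}
    for ip in spam_ips:
        block = ipaddress.ip_network(f"{ip}/24", strict=False)
        hosts_per_block.setdefault(block, set()).add(ip)
    return sorted(
        str(block.network_address).rsplit(".", 1)[0] + "."
        for block, hosts in hosts_per_block.items()
        if len(hosts) >= min_hosts
    )


if __name__ == "__main__":
    # Constructed spam log: three hosts in 1.2.3.x and one lone address.
    log = ["1.2.3.4", "1.2.3.5", "9.9.9.9", "1.2.3.77"]
    print(is_banned("1.2.3.200"), is_banned("1.2.4.6"))  # True False
    print(suggest_range_bans(log))  # ['1.2.3.']
```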

Don't rely on the IP

If you're trying to ban a specific person from your site, perhaps because they are trolling your site (posting unconstructive comments and trying to cause trouble), keep an eye on whether their IP changes if they post comments on your site. If possible, cross-check the IP with other bloggers who may have comments from the same person.

Above all, don't go accusing people of posting things unless you're absolutely 100% certain that you have the right person. If you can't verify the IP and an IP ban doesn't work, it's better just to ignore the person - responding to them will fuel the fire, and keep them coming back for more. This is a good approach with trolls anyway - banning their IP address, even if it works, may push them to get around the IP ban so they can continue to cause trouble on your site.

Other ways to filter out unwanted comments

Depending on the software you use, an IP ban isn't the only way to filter out unwanted comments.

  • Akismet. If you use WordPress, you really shouldn't be without this plugin. Most spam will go into the spam queue without you having to lift a finger. Make sure you check your pending comments and click "Spam" on anything that should be in the spam queue. Also, check your spam comments and click "Approve" on anything that shouldn't be there. Akismet tries to keep track of incorrectly filtered comments and adjusts its rules accordingly, so it's important to tell it if a mistake has been made instead of just deleting the comment.
  • Question/Answer. This can be an effective way to keep out spammers without making life difficult for legitimate users. There are two problems, however. Firstly, it's not too difficult for a computer to solve "3+3", is it?! Write the question in words instead of numbers, e.g. "What is three plus three?" Secondly, it's wise to rotate your questions regularly. Make sure a question is chosen at random from a selection of three or more, and change the questions from time to time. Otherwise, it doesn't matter what your question is, people will write scripts that answer it automatically.
  • Word verification. I know a lot of people aren't fans of word verification images (also known as CAPTCHAs). Some of them are really difficult to read, and many have been "solved" by spammers anyway. However, in some cases they are pretty much essential. Even though a lot of spammers can get past them, not all of them can. In software such as vBulletin, using the built-in word verification can help to reduce spam signups. It doesn't stop spam completely, but it does help.

Here are some more ways to fight spam.

What do you think? Do you ban by IP? Does it work?

Comments on When to use an IP ban, and other ways to stop spam

Tags: security, spam

1
Lyndi | June 26, 2009 07:13 | 14 comments | http://nice2all.com

I have tried using IP Ban in the past and found that it had no real effect. These guys keep coming at you from different IPs. They most probably make use of proxies.

Akismet works well but the manual checking of the spam queue is just too much work. I kept Akismet activated and added AntiSpam Bee to my arsenal. This appears to be working well. The spam has virtually stopped and Akismet only catches 1 or 2 a day now.

2
Ben | June 26, 2009 10:42 | 71 comments | Sites by Ben Barden

Thanks for the tip Lyndi, I didn't know about AntiSpam Bee. What's your opinion of Bad Behaviour?

3
Rarst | June 26, 2009 12:02 | 5 comments | Rarst's home page

I commented over at that top10 post about blocking by number of links. :) Since then I additionally coded:
- spam if a known (present in WP spam folder) spam URL is in the field
- spam if known spam content
- spam if multiple comments have identical content

Works excellently and the system is basically self-learning - the more spam I get, the better the filtering gets.

When it is no longer enough I will just add more parameters. :)

4
Ben | June 26, 2009 15:19 | 71 comments | Sites by Ben Barden

Hi Rarst - sounds good! Do you store the spam-related data separately for each site, or do you store it on a separate domain that other sites could contribute to? I've been thinking of how to improve the anti-spam code in Injader, but it could put quite a bit of pressure on the main website.

5
Rarst | June 26, 2009 16:18 | 5 comments | Rarst's home page

@Ben

I use the WP native system. It stores spam comments neatly in the SQL database and it is very easy to make use of native functions to run queries on it. Guess it would require some tinkering to make it work for a few sites.

I believe in localized and point-specific solutions (as opposed to giant third party services).

If you want - drop me an email and I will share PHP code I am using. It's RC stage for months already, I lack resolve to properly clean it up and make complete plugin out of it. :)

6
Rob | January 05, 2010 04:36 | 2 comments | Rob's home page

Hey, Ben. I was thinking of adding an "auto-ban" function for use with our contact form, by use of word filtering. I thought of this because my friend, the other admin, posted out there that he will help people with their "online gaming accounts." With this, people didn't follow directions, and contacted us through our contact form. So I wanted to filter out certain words and/or phrases that, when used, will ban them from using the contact form, when not logged in, by their IP addresses. I don't know how to

7
Rob | January 05, 2010 04:39 | 2 comments | Rob's home page

The contact form uses PHP, and we have access to databases. I was wondering if you could help me code it, please. Thanks.

8
Ben | January 13, 2010 20:11 | 71 comments | Sites by Ben Barden

Hi Rob, I have a feature called Spam Rules in my CMS - Injader. These allow you to send comments to the spam queue if they match the words or phrases on your list. However, I've only implemented Spam Rules for comments. As it's open source, you could download Injader and study the implementation of Spam Rules to see how I've written it.
