Why I’m considering removing blog comments

Many others before me have disabled their blog comments. In fact, a blog post by Seth Godin from 2006 still sticks in my mind, along with all the outcry it generated from around the web. The longer my blog has been around, the worse the spam has gotten. In a way that kind of makes sense, as my domain name gets shared via spammer databases and my growing number of blog post links get stored in search engine results.

Spam comments are awful. As of today, Akismet says it has blocked over 250,000 spam comments since March 2014. During the time it took to write this post I’ve already received 16 spam messages. For every single legitimate comment, I get 1,000 spam comments. Seriously. If managed improperly, spam comments can crash your blog if your hosting provider limits the size of your blog database.

This happened to me earlier in the year. Silly me, I thought that it would be impossible for me to go over my previous hosting provider’s pre-set 2 gigabyte database size limit any time soon. Most of my blog posts are text based and take up very little room. The entire size of my blog database was around 15 MB. I didn’t even know there was a problem until I couldn’t create any more blog posts. Upon further examination I had received over 75,000 spam comments over a 30 day period and they were waiting patiently for deletion. I’m not exactly clear on why Akismet didn’t correctly report these, or automatically delete them within 15 days, or what exactly happened. One thing was clear: my comments table in the database was full of tens of thousands of spam comments. I thought I had set them for automatic deletion but apparently Akismet only auto-deletes the worst of the worst spam and everything else goes to the spam queue. Caveat emptor.

I still see the value of comments in that everyone, me included, can benefit from the “shared” feedback. But the increasing amount of time and headaches spent dealing with spam is making me seriously reconsider.

Simple steps for avoiding malicious spam emails

This post covers some simple things, in addition to having anti-virus software, that you can do to help prevent accidentally getting tricked by malicious spam email. I’m assuming you already have a full-fledged virus checker installed. It was inspired by several friends and family members who aren’t particularly technically savvy and who got infected via email.

It’s a fact that there are some potentially important emails that look absolutely legitimate at first glance. And, criminals are getting better every day at copying the look-and-feel of legitimate and highly recognizable companies. Four to five years ago, security experts instructed us to simply delete any email that seemed fraudulent. However, flash forward to 2012 and there is a chance you may be deleting a legitimate email.

How could I get infected when I have a virus checker?

Having a virus checker simply minimizes the chances of being infected. And, even major online email services can be fooled. Sorry to break the news, but virus checkers aren’t 100% effective.

Here’s one example, and there are many, many more. Let’s say you have set up your bank account to send you monthly statements via email. Sounds reasonable enough, right? Well, recently I’ve seen some very convincing-looking spam emails that did a really decent job of mimicking legitimate emails from a bank. The good news is there were a few things in the email that made me suspicious, and fortunately I followed my suspicions and didn’t click on any of the links. One particularly well-done email came under the guise that the password had been changed on an account, and in fact it had been changed. How’s that for coincidence?

Two easy steps.

Step 1 is to use an email client that allows you to turn off the message preview feature. There are infectious agents out there that can nail you through JavaScript and HTML code that is run when the email is viewed in preview mode. One recent example was dubbed “Drive-By spam” by security experts. Another option is to use “text-only” mode, but for most of us text-only messages are really boring and ugly to look at, and you also lose all images and styling.

Step 2 is to view the message source code and look for links where the domain name does not match the domain name of the company that sent you the email. If there is anything suspicious, then use the phishing reporting feature in your email service. DO NOT open the email, dude.

Now, criminals can change malicious URLs faster than anti-virus software vendors can keep up. So, everything in an email may look legitimate with the sole exception being the link they ask you to click on that could lead to a harmful website.

Step 3, if you want to dig even deeper, is to verify whether the sender’s IP address is legitimate using an IP address lookup service. The sender’s IP can be found in the header information of the email source. If the email is sent from a block of computers not registered with the correct company name, then I’d be highly suspicious. All legitimate and important emails should always originate from a company’s domain name. If it didn’t, then there’s a really good chance it’s marketing related and trying to sell you something, or it’s hostile.

A note about your spam folder. I have actually received legitimate emails from banks that ended up in the spam folder because I forgot to let my email client know that email from that domain was legit. It was human error and it happens. So, simply saying I shouldn’t have opened it because it was labeled as spam isn’t 100% true. But it is an indication that you need to proceed with caution. I agree that in general all the emails that are placed in a spam folder by your email vendor are actually 100% certifiable spam. But human nature makes us curious, especially when it appears to come from a legitimate source. The good news is you can still be curious and protect yourself by following the three steps above.

What does hostile email source code look like? It can actually look very much like a real email in the source code. Look for the code specifically related to things such as links for “Getting Started”, “Log in”, and “Click here for more information”. Hopefully you get the idea. It will be wrapped inside a tag called “<a href=”, and if you are a software developer you already knew this.

Hostile code can also be downloaded through JavaScript. It’s much, much harder to detect hostile JavaScript code because it may have already run when the email was viewed. One option that’s not appealing to most people is you can disable JavaScript in your browser when using browser based clients. The downside is this makes browsing the web an awful experience because much of the dynamic nature of modern websites is driven by JavaScript.

As I mentioned above, some criminals are getting better at re-using templates from legitimate emails. So I’ve received email where all the logos, banner images and help links pointed to real and legitimate sources. In fact, in a recent phishing email that seemingly came from a well-known bank, everything looked perfect except for the code tied to the getting started button. Even the “reply-to” email address was correct.

Here’s an example of an email supposedly from a major, name brand bank where I have obfuscated the URL for security:

<a href="http://--some other non-bank website name---.com/spa---/"><b>Click here to get started</b></a></p></font></td>

Here’s what the header of the email looked like, it’s also been obfuscated:

Authentication-Results: hotmail.com; sender-id=softfail (sender IP is 70.---.---.142)
header.from=AmericanExpress@---.com; dkim=none header.d=welcome.---.com; x-hmca=fail
X-SID-PRA: AmericanExpress@---.com
X-DKIM-Result: None
X-SID-Result: SoftFail
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9...
X-Message-Info: uTMDiBlPf5+Op9WrkKVGnq8+zr4Yfrs3...
Received: from server.DRGARCIA.local ([70.---.---.142]) by ... with Microsoft SMTPSVC(6.0.3790.4900);
Wed, 17 Oct 2012 07:11:24 -0700
Received: from USER ([198.--.--.35]) by server.DRGARCIA.local with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 27 Sep 2012 12:20:10 -0500
Content-Type: text/html
SUBJECT: Important: Notification of Limited Account Access
FROM: American Express <AmericanExpress@---.com>
Return-Path: AmericanExpress@---.com
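As an added example (not code from the post), here is a small Python script that applies step 2 and the header check mechanically to a constructed message modelled on the obfuscated headers and link above. The domain names and IP addresses in the sample are placeholders I made up (documentation ranges), and the rule that every link must belong to the From domain is the post’s own heuristic.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the post's obfuscated headers; domains and IPs are placeholders.
RAW_EMAIL = b"""Authentication-Results: hotmail.com; sender-id=softfail (sender IP is 203.0.113.42)
 header.from=AmericanExpress@placeholder-brand.example; dkim=none header.d=welcome.placeholder-brand.example; x-hmca=fail
Received: from server.placeholder.local ([203.0.113.42]) by mx.example.net with SMTP
From: American Express <AmericanExpress@placeholder-brand.example>
Subject: Important: Notification of Limited Account Access
Content-Type: text/html

<p>Need help? <a href="https://www.placeholder-brand.example/help">Contact us</a></p>
<p><a href="http://some-other-site.example/spa/"><b>Click here to get started</b></a></p>
"""

def sender_domain(msg):
    """Domain of the From: address, which every link in the body should belong to."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()

def auth_problems(msg):
    """Authentication-Results verdicts (sender-id, spf, dkim, dmarc) that are not 'pass'."""
    results = str(msg.get("Authentication-Results", ""))
    return [f"{m.lower()}={v.lower()}"
            for m, v in re.findall(r"\b(sender-id|spf|dkim|dmarc)=(\w+)", results, re.I)
            if v.lower() != "pass"]

def link_hosts(html):
    """Host of every href in the HTML body; mailto:, relative and anchor links have none."""
    hosts = [urlparse(h).hostname for h in re.findall(r'href\s*=\s*"([^"]+)"', html, re.I)]
    return [h.lower() for h in hosts if h]

def same_org(host, domain):
    return host == domain or host.endswith("." + domain)

def analyse(raw):
    """Step 2 of the post: flag links whose domain is not the sender's, plus auth failures."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    html = msg.get_body(preferencelist=("html",)).get_content()
    return {
        "sender_domain": domain,
        "auth_problems": auth_problems(msg),
        "suspicious_links": [h for h in link_hosts(html) if not same_org(h, domain)],
    }
```

Legitimate bulk mail often routes links through a tracking or mailing-service domain, so a flagged host is a lead to check by hand, not a verdict.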

How to view an email source using Gmail or Outlook.com? In Outlook.com you can simply right click on any email and select “view message source”. In Gmail, you have to open the message and in the Reply options pull down list select “view original”.

I use Outlook.com (formerly Hotmail) because it lets you view a message’s source code without having to first open or preview the email. On the other hand, Gmail forces you to open the email first, and only then can you view its source code. Simply opening or previewing a potentially hostile email can allow malicious code to be installed on your computer. This seems like a major security hole to me.

Conclusion. If you have an email in your inbox or spam folder that looks legit and you absolutely have to open it, then the two steps listed above should help protect you, your computer and your data. Criminals are getting better every day at creating the illusion that an email is totally real. And, if you know how to read the source code of the email you can potentially avoid an infected computer.

DISCLAIMER. Of course I have to have a disclaimer these days. The contents of this post do not 100% guarantee that you still won’t be tricked into doing something unintentional that causes personal trauma, data loss, catastrophic damage to your hard drive or even cause kittens to purr. If followed properly, these steps will significantly improve the safety of your computer and electronic data. But, hey…even experts can be tricked!

You should also have anti-virus software installed and up-to-date. Yes, some virus checkers offer email protection of sorts and that should also be enabled. I’m also here to tell you that some viruses can and will slip through that protection. Sometimes, when a virus, Trojan, worm etc. infects your computer it takes hours to remove it, or in drastic cases you have to completely rebuild your system.

Maximum WordPress Spam Prevention: Part 2

Anyone who has a public facing blog knows about being bombarded by spam. Recently I got so annoyed I started locking down blog comments after thirty days. After a month or so I realized this was counterproductive. Readers could no longer participate, ask questions, etc., so I started searching for a better way to handle my anti-spam measures.

After doing a bunch of research I landed on Akismet. Note, I am not being sponsored by Akismet; I truly did this research on my own. I can say so far the results have been awesome. I’ve been able to turn all blog comments back on, and it’s very rare for a spam comment to sneak through. 99.9999% of the time when that happens it seems that Akismet has already killed the spam by the time I get around to viewing the WordPress spam queue.

Since turning Akismet on I haven’t had to personally deal with 462 spam comments. Yay! In the screenshot below, the 228 spam comments number represents a partial snapshot of the spam that I had to manually delete prior to Akismet.

Spam and Web ads are annoying but much better than TV ads

For now my blog will continue to be ad free. Full disclosure: I’ve had two offers in the last month to expose my visitors to ads. The presumption is that I would make some (albeit small) amount of money. However, I’ve done the homework and know that the advertisers make the big bucks and not the advertisees.

Ads in all forms continue to plague the earth because some surveys consistently show that they work. The math is stark and the math simple. Someone is responding to spam email, even the icky ones. Someone is clicking on those web ads, and someone claims to be watching TV ads and even going so far as saying they are effective. Gasp! I will reluctantly agree that some ads are useful for communicating new products or features, but that doesn’t mean I have to like them.

I recently read about a survey claiming that 53% of online consumers said a TV ad had influenced them to purchase a product or service in the last twelve months. My heart nearly stopped. Yikes! Who are these people? Speaking on behalf of my own brain, it automatically shuts down within 30 milliseconds of an ad starting on TV, Hulu, or YouTube. Sometimes I can barely read a news article because my brain automatically blurs out 3/4 of the page where presumably the evil ads are lurking.

Here’s a fact. When you watch prime time television you will be brainwashed and turned into a zombie through the constant exposure of 50 to 70 ads per hour. I’ll repeat that in case you missed it: 50 to 70 advertisements in a single hour. I can tell you this with certainty because I sat down one night and decided to convert the percentage of ad time per hour into a meaningful number that anyone could understand. If you watch two TV shows back-to-back that’s possibly 100 to 140 ads that have soaked into your sleep-addled brain. And these are the actual ads; the numbers don’t include embedded product placements that are getting increasingly brazen.

After I had a grasp on the level of digital bombardment we were receiving from TV ads, I was able to take some of the full page, online, take-temporary-control-of-the-entire-browser ads with a bit more perspective. I also said a silent praise for DISH Network’s Hopper.

Maybe I’m writing this blog post because an ad told me to.

Maximum Anti-spam Measures for WordPress

On my blog I’ve had to take what I consider maximum, or perhaps even extreme, measures to minimize spam. I use CAPTCHAs, which I don’t particularly like, as well as mandatory approval for comments, along with shutting off comments after 30 days. Oh, and I’ve also commented out the code that allows for trackbacks and pingbacks. It was the combination of these measures that finally gave me some peace of mind.

Back during the month when I finally implemented all of these anti-spam methods I had received over 400 spam messages via various methods. It was filling up my mail box and getting really annoying. Mostly it was the time wasted while glancing at each message to weed out legitimate comments from junk before deleting it. Now I’m down to around six or so spam comment posts per month, and while this is still annoying, it is a much more manageable number.

I’ve gradually accepted that I won’t be able to completely eliminate spam (argh!). And there are several downsides to this heavy-handed approach. Now, every time I upgrade to a new version of WordPress I have to re-comment out the trackback and pingback PHP code. If I don’t, I start getting spam again within 24 hours. Also, if someone wants to post a legitimate comment after 30 days they won’t be able to.

Minor Code Change – Bye Bye WordPress Trackback Spam

I’ve been getting a bit frustrated with thirty or more trackback/pingback spam emails per day from my blog. I’ve been trying to ignore it for about a month, but my inbox keeps filling up. So, I did some research and, surprisingly, most of the anti-spam WordPress blog posts are from five to six years ago. I’m currently using WordPress 3.2.1.

Some of the fixes/hacks crashed my blog faster than you can blink an eye. Others, such as turning off trackbacks/pingbacks in the WordPress settings, did nothing to stop the waterfall o’ spam. Simply put: most of the old hacks don’t work on the latest version of WordPress. One fix was to install the Akismet plug-in, but that required registering for a key and I didn’t feel like doing that.

So, I decided to actually look at the WordPress code and create my own home-made hack just to see if it might work. What I’ve done is rather brute force.

Step 1. Locate the PHP file responsible for trackbacks. On my system it’s under /htdocs/WordPress/wp-trackback.php.

Step 2. [Update: 11/18/2011] Comment out the following two lines of code. Then save your work and make sure your blog still runs. These are the lines of code that write the trackback to the database. In theory, if I stop that from happening then I won’t be annoyed by spambots for at least a little while.

 //do_action('trackback_post', $wpdb->insert_id);

So, now that’s done I’m going to sit back and wait. I’ll update the post if my “experiment” is successful. Or, if I have to dig further into the WordPress code.

[Update: 11/18/2011] With the additional line commented out all trackbacks are now ignored and they cannot be written to the database. Sweet!