Tuesday, October 10, 2006

My battle with comment spam

Crap. Spammers have discovered my SFragments site and flooded it with disgusting spammy comments. I had previously made it so that only registered users would be able to comment, but that didn't help. Spammers have been registering with impunity. And why shouldn't they, if Geeklog, the CMS my site runs on, does not even present them with captchas? At least that was the case two years ago, when I installed Geeklog. For all I know, Geeklog may have captchas now, but I wouldn't know, because I have not upgraded it since then. So in a way I do deserve what I get. :-) It's just that back then, caught up in the enthusiasm of creating my very own site, I did not figure in the time it would take to maintain the software that runs the site, such as executing periodic upgrades and dealing with the breakages that typically follow the upgrades. :-) And captchas are not a panacea against spammers. I've heard spammers have tools for solving captchas.

The reason I chose Geeklog in the first place was that a certain technically-oriented group of very 1337 people had chosen it to run their website. So I concluded it must be a Good Thing. Since then, the webmasters of that organization found out there were security holes in Geeklog, and migrated their website to a different CMS. I've been thinking of doing that too for more than a year, but have been paralyzed by the mind-boggling multitude of CMSes that exist out there. I did not even know how to begin to evaluate them.

Now that I got a taste of dealing with spammers, I have formulated at least some of my requirements.

1. It should allow the administrator to either disable creation of new users, or set it to where the administrator must approve all new users before they can do anything. (Geeklog claims to have this feature, but it doesn't really work.)

2. It should allow one-click batch-editing of comments. By editing I mean mostly "deletion", because I don't expect any comments other than spam.

3. It should allow the administrator to "close" a particular story for comments, so that neither registered nor unregistered users would be able to post new comments.

4. It should allow one-click batch-editing of users. An admin should be able to "select all" newly registered users and delete them. Because I don't really expect any users other than spammers to register on my site.

5. It should allow the administrator to batch-delete the submitted articles with one click. Because I don't really expect any non-spammy articles to be submitted to my site (except by me, of course).

Geeklog does not seem to live in this century, because it does not have any such functionality. Comment spam was well known even back in 2004 when I first installed Geeklog, so I don't see why this hasn't occurred to its developers (or they didn't think it was a priority). It adds insult to injury to have to delete every spam-user or every spammy comment by hand. After discovering there is no such batch-delete functionality, I had to log in directly to the database my Geeklog installation uses and whack all the comment rows, and set certain fields to disable comments. It's a shame you have to go directly into the database for that, instead of doing it from Geeklog's administrator user interface. Fortunately, Geeklog's design seems robust enough that whacking those rows did not create constraint violations elsewhere in the database. As for creation of new users, I decided to "cripple" my site by commenting out the new user creation function, so that anyone who tries that would get a PHP runtime error. Radical and ugly measures, but, gee... I really hope spammers won't find a way around THAT! :-)

And now, to shake off the analysis paralysis, and go find a CMS that meets my requirements.
