
Elliott C. Back: In Aere Aedificare

Akismet Stops Spam: Some Side Effects

Posted in Blogging, Computers & Technology, Spam by Elliott Back on October 25th, 2005.

There’s a new spam stopper for Wordpress called Akismet. It works by submitting every comment you get to a centralized comment-checking service, and echoing back a “spam” or “not” response. Hurray. I can identify a few problems with this idea, however:

- You are trusting your user feedback to another company. Do you really trust them?
- A DDoS or any downtime of their servers allows spam to clutter up your moderation queue again.
- Comment posting will have increased latency based on however long the roundtrip takes, plus the time it takes them to decide whether your comment is spammy or not.
- There’s no SLA for this service, either, which is bad.
- We have no idea how it works.

Then, looking into the code, I notice some sketchiness:

- Communication is in the clear, so a Dolev-Yao attacker can spoof Akismet and trick you.
- It automatically deletes your old archived spam and optimizes the WordPress comments table every time a comment is submitted, spam or not. This is a big performance problem, in theory.
- There’s a spelling error or two in the admin panel. Automattically?
- Is there anything to prevent a spammer from posting to the admin page that his comment is not spam? I don’t see authentication in this file.
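A defender-side sketch of the mitigations these points call for, added here as an example and not code from Akismet or WordPress: the remote check gets a timeout, anything but the two documented answers (including no answer at all) is held for moderation rather than auto-approved, and the archived-spam purge/optimize is throttled instead of running on every comment. The checker callable, its "true"/"false" answers and the sample comments are constructed stand-ins, not the real API.

```python
import time
from dataclasses import dataclass
from typing import Callable

class CheckerError(Exception):
    """Raised by the remote call on timeout, DNS failure or service downtime."""

@dataclass
class Comment:
    author: str
    content: str

class RemoteCheckClient:
    """Wraps a hypothetical remote comment checker (assumed API, not Akismet's)."""

    def __init__(self, check: Callable[[Comment, float], str], timeout_s: float = 2.0,
                 optimize_interval_s: float = 86400.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.check = check                 # network call; must honour timeout_s
        self.timeout_s = timeout_s
        self.optimize_interval_s = optimize_interval_s
        self.clock = clock
        self.last_optimize = None
        self.optimize_runs = 0             # counts DELETE/OPTIMIZE passes actually run

    def classify(self, comment: Comment) -> str:
        """Return 'spam', 'approved' or 'hold' (moderation queue)."""
        try:
            verdict = self.check(comment, self.timeout_s)
        except CheckerError:
            verdict = None                 # down or slow: falls through to 'hold'
        # Only the two documented answers are trusted; a garbled or spoofed reply,
        # or none at all, lands in the moderation queue, never in auto-approve.
        status = {"true": "spam", "false": "approved"}.get(verdict, "hold")
        self._maybe_optimize()             # invoked per comment, throttled inside
        return status

    def _maybe_optimize(self) -> None:
        """Purge archived spam / OPTIMIZE TABLE at most once per interval."""
        now = self.clock()
        if self.last_optimize is None or now - self.last_optimize >= self.optimize_interval_s:
            self.optimize_runs += 1        # stand-in for the real maintenance SQL
            self.last_optimize = now

def constructed_checker(comment: Comment, timeout_s: float) -> str:
    """Constructed stand-in for the network call; no real service is contacted."""
    if comment.author.startswith("slow"):
        raise CheckerError(f"no answer within {timeout_s}s")
    if comment.author.startswith("garbled"):
        return "maybe"                     # not a documented answer
    return "true" if "http://" in comment.content else "false"
```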

This entry was posted on Tuesday, October 25th, 2005 at 8:53 pm.

10 Responses to 'Akismet Stops Spam: Some Side Effects'

Matt said:

on October 25th, 2005 at 9:09 pm

Hey, thanks for your comments. Point by point:

We can’t do anything about people trusting us or not, but if you don’t there’s no reason to use the plugin.

Downtime and latency are issues that millions of websites deal with, and there are pretty robust and known ways to address them, and we’re building out the infrastructure to do that. We do have SLAs available for enterprise users.

Communication is in the clear, but your system has already been compromised if the domain returns someone other than Akismet, and you have far bigger problems to worry about than comment spam. (Comments are also posted in the clear.)

Deleting and optimizing doesn’t cause performance issues in our testing, though I could put a line in to have it optimize less frequently.

Automattically is a reference to Automattic, any other spelling errors you spotted?

Spammers could submit spam as false positives, but they would need an API key to do so and we attach rating and various levels of trust and verification for different API keys.

Thanks again for giving the service such a thorough examination. :)

Nick said:

on October 25th, 2005 at 9:10 pm

Automattically is spelled like that for a reason…Automattic. If you look at the bottom of the Akismet page you’ll see a link to this.

Akismet is an interesting concept and I guess we’ll see how it flies.

Elliott Back said:

on October 25th, 2005 at 9:32 pm

Thanks guys. I really hope this flies!

IO ERROR said:

on October 26th, 2005 at 4:48 am

One thing I’ve noticed about authors of WordPress anti-spam plugins is that they tend to be critical of anti-spam approaches other than their own. Even I was critical of Akismet, when it was named *** and I found out about it through rumors and whispers. So I wound up coding on it. :) You can read my two reviews of the work in progress and the final (?) product if you like, just to see what I mean.

No one’s been able to make this particular approach fly before, so we’ll all see how it goes.

Rich Boakes said:

on October 26th, 2005 at 6:24 pm

Slightly off-topic this, but I just spotted your content somewhere else and it looks a little over-syndicated..

Elliott Back said:

on October 26th, 2005 at 6:28 pm

Ooo, thanks Rich. DMCA time, baby!

Marco said:

on October 27th, 2005 at 2:36 am

Funny how they ‘syndicated’ this content without the little copyright notice. Looks like they didn’t even use the RSS but scraped your whole page. Even the ‘generate a trackback url’ link is present…

Elliott Back » DMCA Notice Filed against HotBlogsToday said:

on December 6th, 2005 at 2:09 pm

[…] I also sent an email to Adsense: The Adsense publisher pub-5121418238017619 is running your ads on my content that he has stolen without authorization. I have filed a DMCA notice with his hosting provider, and hope that you will remove the economic incentive for his theft of copyright materials. Compare the original work to the stolen work. […]

claus | Bad Kismet said:

on January 8th, 2006 at 3:34 pm

[…] I remember seeing a post on Planet Wordpress a while back (unfortunately I can’t remember by whom it was) about spammers trying to trick stopper software by inserting comments with text and links that don’t contain obvious references to typical spam content, thus undermining the contextual barriers that these tools put up. It was exactly this that made me wary of installing Akismet (apart from the idea that it probably won’t work properly for foreign-language blogs anyway), because I’m a bit skeptical of the whole checking-against-a-centralized-database idea. Some of the problems of the Akismet approach have already been mentioned here and there (and see also this comprehensive post). […]

Stacked Stone said:

on September 8th, 2006 at 1:50 am

Never knew about this. However I need it badly as some of my sites are getting pounded with spam at the moment and can’t keep up.
