Addressing comment spam is a frustrating and time-consuming task for organizations. Typically, companies are required to manually edit spam out of content after it has been posted or rely onmoderators to filter individual posts to ensure they are legitimate, Internet security firms concur.
And every decision to delete a comment creates at least a momentarily struggle between conflicting goals. What's more important: free speech or the overwhelming desire to stomp out stupidity?
Yes, content producers have a difficult job — and it extends far beyond the challenge of finding writers who actually know how to write. Now a new report from Redwood Shores, Calif.-based Imperva reveals 80 percent of comment spam traffic is generated by 28 percent of attackers.
Get a Life
Anyone who has worked with Internet content for more than a few days ends up wondering how so many people have so little to do. Who has the time or inclination to post so many spam comments?
Sure we all have visceral reactions to certain people, places and things. But most of us have the sanity to refrain from creating multiple logons just to immortalize our fleeting hatred in the form of a poorly crafted offensive comment.
Of course, vitriolic ideation is only one reason for comment spam. Some spammers do it for economic reasons, including Search Engine Optimization (SEO). The goal is to improve a site’s ranking within a search engine result set (with respect to given search terms), which is based on the number and quality of websites that hold links to it — back links.
So posting many comments containing links to a target site increases its ranking within search engine result sets (especially with respect to keywords surrounding the link), Imperva explains.
Big and Getting Bigger
Last year, comment spam got bad enough to force Popular Science to disable comments on its posts:
It wasn't a decision we made lightly. As the news arm of a 141-year-old science and technology magazine, we are as committed to fostering lively, intellectual debate as we are to spreading the word of science far and wide. The problem is when trolls and spambots overwhelm the former, diminishing our ability to do the latter."
Yes, as I've noted before, the rules of etiquette changed the day the Internet was born. Suddenly it was OK to curse, criticize, spell words like "are" and "you" with single letters, and publish photos of wieners that no one would ever want to place on a bun.
But there is, apparently, a limit to the Wild West of wicked words and semi-pornographic photos. In recent years, US courts have increasingly clamped down on comment spammers, even if those comments are ostensibly made anonymously.
Last summer, a California appellate court ruled against a man who had a penchant of describing his former landlord in Yelp reviews as a "sociopathic narcissist -- who celebrates making the lives of tenants hell." Justice Kathleen Banke, writing for a three-member panel of the California Court of Appeal's First Appellate District, noted, "While many Internet critiques are nothing more than ranting opinions that cannot be taken seriously, Internet commentary does not ipso facto get a free pass under defamation law."
Back in 2010, a former model successfully sued Google to reveal the identity of YouTube commenters who were saying "malicious and untrue" things about her -- proving that it's not a good idea to call someone a "whore" online (or anywhere else for that matter).
There is, apparently, a line between babel and libel, even in cyberspace.
Understanding Comment Spam
Imperva, a provider of enterprise security, just researched "The Anatomy of Comment Spam." The in-depth study, one of its Hacker Intelligence Initiative reports, showed a relatively small number of attack sources are responsible for the majority of comment spam traffic. The report notes:
Like the flyers in our mailboxes, digital spam started its path to glory via email. However, with the evolution of web technologies and website interaction, spammers have moved to reaching users via the web, injecting spam comments into forums, comment fields, guest books, and even websites like Wikipedia, which allow user generated content to be published. And thus, comment spam was born."
The good news: the report claims identifying comment spammers quickly and leveraging IP reputation management to block their attacks will prevent most of their malicious activity.
Amicahi Shulman, CTO of Imperva, warned that comment spam attacks can "cripple websites, affecting uptime and compromising user experience."
Imperva's Application Defense Center research team noted that comment spammers often leverage automated tools to reach a maximum number of targets. Shulman said quickly identifying the source of an attack and blocking comments from the source can "greatly limit the attack's effectiveness and minimize its impact on your website."
Why act quickly? Because once a site shows its vulnerability, comment spammers often increase the velocity of their attacks.
The report is based on data Imperva collected last September 1 to September 14 through monitoring of more than 60 web applications.
What Can You Do?
There are several ways to deal with comment spam, Imperva notes:
- Content inspection: Akismet is a comment spam detection service that uses a combination of mitigation methods, including the content based technique.
- Source reputation: Relies on identifying whether a comment is spam according to the reputation of the poster.
- Anti-automation: One simple option is adding a check box to indicate whether a user wishes to post a comment. Regularly changing the HTTP field name for this check box is useful against the more sophisticated tools.
- Demotivation: Strives to make comment spam useless by blocking hyperlinks.Of course, this won't prevent comment spam from posters with axes to grind.
- Manual Inspection: Its primary drawback is its loss of scalability – as spam increases, manual inspection of it becomes impractical.
What solutions do you use — and how effective are they?
Title image by Asa Aarons / all rights reserved.