Combating Spam with Defensio
A while ago you may have noticed that I removed the need for users to complete a CAPTCHA before being able to post comments. My reasons for this were twofold:
- Due to the nature of half-decent CAPTCHAs, I think they set the barrier to entry too high: contributing to a website should be as simple as possible, never mind signups.
- reCAPTCHA in particular is an eyesore: other than the colour scheme it has zero customisability, or at least none that I could be bothered to delve into. In addition, reCAPTCHA was broken during voting for the annual Time 100 World’s Most Influential People list.

ReCAPTCHA
Don’t get me wrong, I hold the reCAPTCHA project in high regard, as I think the service they’re providing is invaluable: using solved CAPTCHAs to transcribe books. But at the end of the day it just wasn’t for me.
In its place I’ve opted to use a spam detection system called Defensio.
Why not Akismet?
Because I’m quirky, I wanted to try something other than Akismet, which has become the de facto choice for combating spam. Other than sounding like something out of Harry Potter, Defensio has received mixed reviews on the interwebs. Nonetheless it must be doing something right, as it was recently acquired by Websense, and my experience up to this point in time has been very good. What’s nifty about it is that every comment receives a “spaminess” value, so I’ve set up a view on the admin side sorted by descending “spaminess”. As a result I only have to monitor the top portion of this list to catch any false negatives that manage to slip through.
In the month or so since deploying Defensio into production, I’ve received 12 spam comments, two of which were flagged as false negatives. That works out to a false negative rate of roughly 16%, which on a small-scale website like mine isn’t anything to grumble at. Considering their API is extensive, with features for flagging comments as false positives/negatives and automatically hiding those marked as spam, I think it’s only going to get better.
Time Lapse
Another mechanism I’ve put in place is disabling comments 20 days after the original post. Some may question the validity of such a mechanism, but in my experience 90% of what’s posted after this initial period is spam.
Sure, some good posts hold their value and receive comments for years after they were originally published, but let’s be honest…I ain’t gonna be slashdotted anytime soon.
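The two mechanisms described above, the moderation view sorted by descending spaminess and the 20-day comment window, as one added example. This is illustrative code written for this page, not the site’s own code and not Defensio’s client library: the spaminess scores, the filter verdicts, the auto-hide threshold and the sample comments are all constructed here, and no calls to the Defensio API are shown.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Tuning values assumed for this example (not Defensio's own defaults):
COMMENT_WINDOW = timedelta(days=20)   # the post's 20-day comment window
AUTO_HIDE_THRESHOLD = 0.90            # hide unseen at or above this spaminess


@dataclass
class Comment:
    id: int
    post_published: datetime
    submitted: datetime
    spaminess: float                          # 0.0 clean .. 1.0 certainly spam
    flagged_spam: bool                        # the filter's yes/no verdict
    moderator_verdict: Optional[bool] = None  # True=spam, False=ham, None=unreviewed


def comments_open(post_published: datetime, now: datetime) -> bool:
    """Time-lapse rule: a post only accepts comments for COMMENT_WINDOW after publication."""
    return post_published <= now <= post_published + COMMENT_WINDOW


def disposition(c: Comment) -> str:
    """What happened to the comment on submission: rejected, hidden, or published."""
    if not comments_open(c.post_published, c.submitted):
        return "rejected"                     # never even sent to the filter
    if c.flagged_spam or c.spaminess >= AUTO_HIDE_THRESHOLD:
        return "hidden"
    return "published"


def is_spam(c: Comment) -> bool:
    """Ground truth: the moderator's verdict where there is one, else the filter's."""
    return c.flagged_spam if c.moderator_verdict is None else c.moderator_verdict


def review_queue(comments: List[Comment]) -> List[Comment]:
    """Published comments, spammiest first, so only the top of the list needs reading."""
    live = [c for c in comments if disposition(c) == "published"]
    return sorted(live, key=lambda c: c.spaminess, reverse=True)


def false_negatives(comments: List[Comment]) -> List[Comment]:
    """Spam the filter let onto the site (moderator overruled it to spam)."""
    return [c for c in comments
            if disposition(c) == "published" and c.moderator_verdict is True]


def false_positives(comments: List[Comment]) -> List[Comment]:
    """Legitimate comments the filter hid (moderator overruled it to ham)."""
    return [c for c in comments
            if disposition(c) == "hidden" and c.moderator_verdict is False]


def false_negative_rate(comments: List[Comment]) -> float:
    """Share of all spam (per is_spam) that reached the site before a human caught it."""
    spam = [c for c in comments if disposition(c) != "rejected" and is_spam(c)]
    return len(false_negatives(comments)) / len(spam) if spam else 0.0


def sample_comments() -> List[Comment]:
    """Constructed data mirroring the post: 12 spam, 2 of them missed, plus some ham."""
    published = datetime(2009, 9, 1, tzinfo=timezone.utc)

    def day(n: int) -> datetime:
        return published + timedelta(days=n)

    comments = []
    # 10 spam comments the filter caught
    for i in range(10):
        comments.append(Comment(i, published, day(i + 1), 0.95, True))
    # 2 spam comments it missed; the moderator marked them afterwards
    comments.append(Comment(10, published, day(3), 0.60, False, True))
    comments.append(Comment(11, published, day(4), 0.70, False, True))
    # 3 genuine comments, left alone
    for i, score in enumerate((0.10, 0.20, 0.30), start=12):
        comments.append(Comment(i, published, day(5), score, False))
    # 1 genuine comment the filter flagged; the moderator restored it
    comments.append(Comment(15, published, day(6), 0.85, True, False))
    # 1 comment submitted after the window closed; rejected before filtering
    comments.append(Comment(16, published, day(25), 0.50, False))
    return comments


if __name__ == "__main__":
    cs = sample_comments()
    for c in review_queue(cs):
        print(f"#{c.id:2d} spaminess={c.spaminess:.2f}")
    print(f"false negative rate: {false_negative_rate(cs):.1%}")
```

The queue puts the two missed spam comments at the top, so they are the first thing a moderator sees, and the rate works out to the 2 in 12 from the post. The late comment never reaches the filter at all, which is the point of the time-lapse rule: it removes the long tail where most spam arrives.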
