Hacker News
by matvoz 4230 days ago
Don't worry about spam bots. One of my websites has more than 2500 visitors daily and I am still waiting for the first spam comment. Spammers don't search pages by hand. Their programs look for "footprints" of the usual software (i.e. WordPress) and try to automatically add comments. If you build your own commenting system from scratch and use good practice for building (preventing XSS...), you are OK.

Or put it this way: if your website becomes so popular that spammers will customize their programs to try to automatically post on your page, you have bigger problems :)


I run http://blogspam.net/ which does real-time spam blocking for forums/blogs/etc. On the whole you're correct, spammers go for easy targets.

But I started the project when a custom CMS of mine (more or less) started getting added to the spammer-lists. It seems like it's only a matter of time these days until people find your site and submit 10-500 comments a day. Some I can see are clearly bots, or compromised IPs, others are clearly humans (presumably paid very cheaply).

Did you have auto-approve comments? AA is a spammer's heaven, and they will walk the extra mile if they find that kind of a CMS. Even if you have no-follow links. Very nice initiative for the spam-fight though. How high is your success rate? Do you use any blueprints for spun comments?

I'm not sure what you mean by "auto-approve" - There are plugins for things like WordPress which will junk comments automatically, solely on the result of the test, but others are more fine-grained. (The API does allow whitelisting/blacklisting by IP, etc.)

The success rate is pretty fluid but about 80% of comments submitted were judged to be spam today. Whether there are too many false negatives/positives is hard for me to say.

Auto-approve - comments in blog show up immediately without moderation or approval.

Good luck with fighting spam. There are never enough of you!

Interesting, thanks for responding!

Are there any other forum moderation tools you would recommend (not competitors, obviously)? I'm curious what else is available to the homebrewer.

Akismet is probably the biggest alternative.

Thanks! This helps a lot. Part of my curiosity about commenting best practice stems from an ignorance of how spambots really work.

It's nice to hear from someone in the same space.

No problem CoreSet. Look at it this way. You will learn something. Oh, and have a kill-switch ready if Murphy comes (disable comments, non auto approve, something like that). @stevekemp also has a valid point in another comment of his. If you write your own functionality, you store the comments. If you use a 3rd party app, they store your comments. This can be the tipping point for some people.

How the spammers work. Really short and banal explanation:

- dear program, find WordPress blogs (in a certain niche, or any blog - I am not picky today)

- footprint of the day will be "powered by wordpress"

- thanks for the list, now check each url if that blog has a form for comments enabled

- great, now, because you were programmed to know which inputs (name, e-mail, content) (and with what names/IDs) needed to be filled, use my predefined texts and submit

- oh, and if you see a captcha, would you be so kind to OCR it and fill the right text there also? thanks

- check after one hour if the comment is visible (yes? woohoo - we found an auto-approve blog! - no? ok, check in one week)

Hmm, that gave me an idea for a honeypot webpage. One single page with footprints of many blogs and forums, some forms on it and IP logger. Every IP that would like to submit anything on this page, goes to the sh.tlist.
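
The kill switch, moderation queue and decoy-page idea from the comment above, sketched as an added example that is not part of the thread or any commenter's code. `DECOY_PATH`, `CommentGate`, the form paths and the sample IPs are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical URL of the decoy page: it shows common blog/forum footprints
# and a comment form, but is never linked for human visitors.
DECOY_PATH = "/decoy/post-comment"


@dataclass
class CommentGate:
    comments_enabled: bool = True   # kill switch: set False to close comments
    auto_approve: bool = False      # False = every comment waits for moderation
    blocklist: set = field(default_factory=set)
    decoy_log: list = field(default_factory=list)   # the "IP logger"
    pending: list = field(default_factory=list)
    published: list = field(default_factory=list)

    def submit(self, ip: str, path: str, form: dict) -> str:
        """Route one form POST and return the decision as a string."""
        if path == DECOY_PATH:
            # Only automated clients find and fill the decoy form.
            self.decoy_log.append((ip, sorted(form)))
            self.blocklist.add(ip)
            return "blocklisted"
        if not self.comments_enabled:
            return "closed"
        if ip in self.blocklist:
            return "rejected"
        text = form.get("content", "").strip()
        if not text:
            return "invalid"
        comment = {"ip": ip, "name": form.get("name", ""), "content": text}
        if self.auto_approve:
            self.published.append(comment)
            return "published"
        self.pending.append(comment)
        return "pending"


def demo() -> list:
    # Constructed sample traffic (documentation-range IPs, made-up text).
    gate = CommentGate()
    post = "/blog/42/comment"
    results = [
        gate.submit("203.0.113.7", DECOY_PATH, {"name": "x", "content": "buy"}),
        gate.submit("203.0.113.7", post, {"content": "buy"}),
        gate.submit("198.51.100.9", post, {"content": "Nice post"}),
    ]
    gate.comments_enabled = False  # kill switch thrown
    results.append(gate.submit("198.51.100.9", post, {"content": "hi"}))
    return results
```

Decoy submissions are still logged while comments are closed, so the blocklist keeps growing even with the kill switch thrown.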