Spam is no longer limited to email marketing; it also arrives in various forms through websites and blogs that support commenting or forms.
There are several reasons for which a human or an automatic spammer might submit comments and forms with irrelevant information:
To bring visitors to the site that the comment or the user is referring to
To link back (for free) to another website for search engine ranking benefits
Submitted web forms
Different commercial or scam purposes – I am sending you an offer via the contact form; works just like in the case of email spam
SPAM in comments or web forms can be submitted automatically by Spam bots or by humans. Both human spammers and Spam bots get cleverer and cleverer all the time to achieve their goals.
Human spammers improve their text and comments all the time so that they seem as natural as possible, whereas bots improve their ways of bypassing anti-spam mechanisms.
Both types of spammers are equally dangerous, although the content submitted by Spam bots can be more annoying due to the large number of comments or submitted forms.
Before listing a series of best practices, I must say that there is no single solution for this, that the process is a continuous one, and that the site owner/partner must commit to it over a medium-to-long time frame.
Human SPAM has to be treated differently from automatic SPAM and vice-versa.
1. Use Akismet. Make sure that you enable Akismet from the Admin Console > Module Modules>Comments.
Make sure that you train Akismet every day for at least 2-3 weeks, until Akismet learns what type of content and which users to consider SPAM. BC sends Akismet all the information related to a comment: user IP, username, website, email address, comment text. Based on these details, Akismet learns which user is dangerous and starts marking all the comments from that user as SPAM. And if the user changes the IP, username, email address or website, Akismet learns the structure of the comments used by that specific user and marks them as SPAM.
2. Moderate each comment: if Akismet fails at some point, be sure that the company behind the service is doing its best to improve the SPAM detection algorithms. Hence, until they release a new version or improve the current one, you need to start moderating comments. This is a shared responsibility between the technology providers and the website owners.
Observation: Sometimes, Akismet may mark valid comments as SPAM (in this case, they are called false positives). In order to teach Akismet that this specific comment is a valid one, you need to mark it as valid.
So your responsibility as a partner, or your customer’s responsibility, is to check the Comments tab regularly and either mark comments as SPAM or approve them as genuine.
The most effective solution for spam bots is a strong CAPTCHA. But most of the time a strong CAPTCHA can annoy blog or forum users. Any commenter wants a very easy way to submit content and make it accessible to others, and you or your customers must make sure to provide this ease.
However, in order to avoid irritating automatic spam submitted through forms and blogs, follow the next steps:
For Blogs or forums:
1. Start with Akismet (see the above observations).
2. If you are not satisfied with the level of SPAM that you encounter, you can enable CAPTCHA on your comments. Go to Site Settings > Captcha and choose the type of Image verification that you want to enable. In the case of comments we only offer native Image Verification solutions. For web forms we’ve also enabled reCaptcha.
3. Make sure that you enforce CAPTCHA on “Comments”.
4. As you can see, there are 2 versions for the native CAPTCHA solution. If the level of SPAM is very high, we recommend that you use the second one (“Harder to read, but more secure”).
Observation: If your business has a strong social presence or if you want to build a strong social presence and Facebook is an important channel, you can also use Facebook comments for your blog.
For WebForms (and checkout forms):
1. CAPTCHA – when you create the form make sure that you enable ”Image Verification” in Misc. The version of CAPTCHA (“Easier to read vs. Harder to read, but more secure”) will be the one that you chose from Site Settings>Captcha.
2. reCaptcha: if this solution is not what you are looking for, you can try inserting reCaptcha, the Google native image verification system. You can also find it in the Misc section.
3. Anti-bot Fraud Protection module: All new forms come, by default, with “Web form protection module” enabled. You can see it in the form, or if you check out the Code View, you’ll be able to see the generated code for this module. Make sure that you don’t delete it; we recommend that you always keep this type of module in place. It is in fact a hidden “Input Field” with a random name. Spam bots usually fill this field, and once we detect that the field has been filled, we know that the corresponding form submission came from a bot. Humans don’t see this field and aren’t able to submit it. For older forms, you will have to add this module to the form if it is not activated yet.
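The hidden-field check described in item 3 can be sketched server-side as follows. This is an added example, not Business Catalyst's own code: the names `form_token`, `honeypot_name`, `render_honeypot` and `classify_submission` are hypothetical, and deriving the random field name from a per-form token with an HMAC is an assumption about one way to do it.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed for this example)


def new_form_token() -> str:
    """Random token embedded in every rendered form (hypothetical 'form_token' field)."""
    return secrets.token_hex(16)


def honeypot_name(form_token: str) -> str:
    """Derive the trap field's name from the token, so it differs on every render."""
    digest = hmac.new(SERVER_KEY, form_token.encode(), hashlib.sha256).hexdigest()
    return "f_" + digest[:12]


def render_honeypot(form_token: str) -> str:
    """HTML for the trap: invisible to people, present in the markup a bot parses."""
    name = honeypot_name(form_token)
    # autocomplete/tabindex/aria-hidden are hints that keep autofill, keyboard
    # focus and screen readers away from the field; the wrapper hides it visually.
    return (
        '<div style="position:absolute;left:-9999px" aria-hidden="true">'
        f'<input type="text" name="{name}" value="" autocomplete="off" tabindex="-1">'
        "</div>"
        f'<input type="hidden" name="form_token" value="{form_token}">'
    )


def classify_submission(posted: dict) -> str:
    """Return 'human', 'bot' (trap filled) or 'tampered' (trap or token stripped)."""
    token = posted.get("form_token", "")
    if not token:
        return "tampered"
    trap = honeypot_name(token)
    if trap not in posted:
        return "tampered"  # a browser submits the empty text field; absence is suspicious
    return "bot" if posted[trap].strip() else "human"
```

A submission classified as "bot" is best answered with a generic message that matches the form the visitor actually used, since a real visitor can land there if something other than a bot fills the field.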
Observation: our research shows that visitors (humans) are not as annoyed by filling in image verification fields (CAPTCHA, reCaptcha) in the case of web forms (contact submission, payment forms etc.) compared to comments. So, when dealing with web forms, try to enable an image verification form (whether the new Captcha Image Verification version or reCaptcha).
What’s missing and known issues
Let us know how your process of stopping SPAM from your sites and blogs works.
Dragos Manescu, Product Manager Adobe Business Catalyst
Comments shouldn't be automatically posted to a BC site as a default. That process inherently will collect spam because if you add the default Blog with the built in BC module template without following your instructions it is geared to promote SPAM.
Partners with due diligence who are going to enable the anti-spam feature, etc shouldn't have a problem with ticking one box to enable auto approval of comments.
Rather than just assuming all Partners will understand the risks of unmoderated comments.
In regards to the new anti-spam features Dragos .. when implemented correctly .. I still have yet to see one come through. It's a wonderful feeling. Good work.
thanks for the feedback.
Keep me in the loop for what happens with the spam levels on your sites.
I have been getting reports that people get error messages that refer to credit card when trying to submit the forms that have no credit card fields. I tracked it down to the Anti-bot Fraud Protection module. It appears that when the Autofill feature of the browser fills in the form, it also fills in this hidden field and causes them not to be able to submit the form. The problem is, the error message is not clear. I have never been able to get an error to appear so I don't know what the message is but obviously the message is not clear if the people are getting confused. The message needs fixing.
This should be better documented because I found nothing else except this paragraph on this module.
I will be investigating this issue. The thing is that, normally, the "Autofill" feature should not fill the hidden field, hence no abnormal error should occur. I'll get back with a solution.
Dragos M, Product Manager Adobe Business Catalyst
Has there been any update to this?
We've had similar reports. Even without auto-fill.
I was wondering if on Blog Comments that the "rel=nofollow" tag can be automated on BC? I have tested on a site and can't see that this tag is included in the comments to blogs.
In the past couple of months we have implemented 2 blogs for clients and both are getting rubbish responses coming through. Although BC recognises it as Spam we are getting inundated with email notifications.
The issue is that low end SEO'ers think that they can steal a link to help web page ranking by finding blogs that do not have the nofollow tag.
This would be very useful to have in addition to the Captcha code and Akismet checks. With the rel=nofollow, we can then add an advisory at the top of the comments section referring to Spammy comments, nofollow etc.
Since human spammers are impossible to stop, is there a way in BC admin to mark specific spammers, thereby preventing any associated future workflow notifications from being sent?
We are getting "human spammers" using our Contact Us forms. We have Recaptcha set up. But that doesn't seem to faze these people. Can Akismet look at forms Comments and be trained?
Okay, here's my brain wave or brain fade: To beat the spammers server-side validation is required for forms. This is just an idea, BC could develop it for us.
Step one is to split the email field into two fields like so: _______ @ _______. This will help limit auto-fill. Add all other fields you want and a button called 'confirm'.
Step two. On submit only the two email address fields are sent to the server for verification, where the server combines the two fields and only then creates a customer ID. The customer ID is sent back to the browser as a new form post address, loading a new page (or with JS reformatting the existing page) which displays the content of the form fields and asks the customer to confirm these before finally submitting them (you may want to allow them to go back and edit the form too).
Any update on changing the workflow notification so they are sent after the post is determined to be spam or not?
Akismet is generally working well on the site to detect spam (and then delete) but it is still really annoying for clients when they receive workflow notifications for all spam comments.
Guys, just a reminder: make sure that for public areas of the site you have CaptchaV2 installed and Enforced for comments. The standard captcha doesn't work anymore. This will significantly reduce the amount of SPAM as a first line of defence.
It's not a favorite, but if you are going to enable workflows for comments you must turn this on. Customers will eventually ignore the workflows if they are getting more spam comments than legit ones.
Most of my clients do not want to use this version as it is too hard to read (clients are calling complaining) and so they are worried they are losing enquiries because of this.
Yes .. I know .. it's not the best, but captcha1 doesn't work. I've run multiple tests on sites switching between captchas and as soon as I roll back to captcha1 spam starts pouring in. Eventually, captcha2 will be cracked as well.
If you prevent a workflow because it's pending a spam check, then won't the customer lose that enquiry/comment as well? Either or they'll still need to check every workflow or comment submission.
You might need to look at alternatives, depending on your situation and weigh it up.