About eight months after I opened this weblog, spam comments were approaching 100 per day. The very reliable Akismet caught most of them, but checking the rising flood for false positives was getting tiresome. Requiring commenters’ names and e-mail addresses is useless because spammers automatically generate those anyway. Short of shutting down comments entirely, the only other option available on WordPress.com was to require user authentication, and that’s what I’m doing now.
As of 19 January 2013, you need an account with WordPress, Twitter, or Facebook to leave a comment. I’m not very happy with this small selection of proprietary networks but it’s all that WordPress.com offers, and together they should cover most legitimate commenters. The spam-blocking effect is certainly remarkable: in the week since I made the switch, only three spam comments arrived – two pingbacks and one entered manually, defying any conceivable anti-spam measure. So if you run a blog that’s drowning in spam and your system lets you require user accounts for commenting, you should consider that option.
To compensate for restricting comments, I added my e-mail address to the top menu. That’s a clickable, unobfuscated, standard mailto: link of the kind that everyone warns against posting in public. I do it anyway, and the rest of this post explains why.
Email Obfuscation
In 2008, Silvan Mühlemann (mildly NSFW) completed an experiment on spam-proofing e-mail. He opened nine distinct e-mail addresses and published them for 1.5 years on the same web page, one in plain text and the others using different obfuscation methods. The resulting bar graph certainly looks impressive: the plain-text version got the most spam by a wide margin, over 2.5 as much in terms of size as the worst obfuscation methods.
However, this is a classic example of measuring against a misleading baseline. The total number of spam messages that arrived on the plain-text address was 1800 – which still sounds bad, until you consider that the experiment ran for 1.5 years! Looking at the time stamp of the original post, it’s actually closer to 20 months. This time period translates to 638 days, give or take a few, and that means only 2.8 spam messages per day on a completely unobfuscated e-mail address.
This matches my own experience. My webmaster address has been online without obfuscation since I put up kynosarges.de in 1999, and I never got more than a few spam mails per day. On the other hand, I do have another e-mail address that gets up to 100 spam messages per day, much like this weblog before I locked down commenting. Can you guess what it is? It’s a Google Mail address that I only ever used in private communication… and on other websites which had promised not to publish or sell it. Right.
Evidently, spammers don’t jump on any random e-mail address just because it’s there – much like social networks, they prefer to have some commercial context. So if you are still obfuscating your published e-mail, I suggest you try Mühlemann’s experiment: make a throwaway address, put it online, and see what happens. If no great spam invasion arrives, your legitimate users should be happy for the convenience of a directly clickable link.
Fascinating stuff (esp. as my spam count is just starting to take off). Thanks so much for posting this – I am a real person btw!!
I didn’t think you were a bot. :) Glad you found it useful!