Episode Number 40

Fighting CMS Spam with Greg Aker

Mar 26, 2015 @ 11AM MT

Spam. Whether it is in your comments, your forums or even your member profiles, it is, at best, annoying. At worst, spam is dangerous for your site and even your server. Special guest Greg Aker joins the show to share his experiences fighting the spam scourge, particularly within a CMS environment. He details the solutions he’s tried, from services like Akismet to custom-built client-side approaches. We also discuss how content management systems introduce challenges to the spam fight, as well as ways to leverage built-in configurations to prevent spam. And we share some of the different CMS add-ons we’ve used, and discuss the importance of choosing those add-ons carefully.

Episode Transcript

CTRL+CLICK CAST is proud to provide transcripts for our audience members who prefer text-based content. However, our episodes are designed for an audio experience, which includes emotion and emphasis that don't always translate to our transcripts. Additionally, our transcripts are generated by human transcribers and may contain errors. If you require clarification, please listen to the audio.

[Music]

Lea Alcantara:  You are listening to CTRL+CLICK CAST.  We inspect the web for you!  Today we are talking about fighting CMS spam with Greg Aker.  I’m your host, Lea Alcantara, and I’m joined by my fab co-host:

Emily Lewis:  Emily Lewis! 

Lea Alcantara:  Today’s episode is sponsored by EllisLab.  Everyone hates spam.  Sponsorship ads sometimes feel like spam, so EllisLab would like us to just say, “Brought to you by ExpressionEngine,” and get on with the show.  Spam prevented.  [Laughs]

Emily Lewis:  [Laughs]

Lea Alcantara:  And we’d also like to thank Pixel & Tonic for being our major sponsor.

[Music ends]

Emily Lewis:  Today Greg Aker joins the show to talk about dealing with spam within a content management system environment.  Greg is a freelance full-stack web developer, as well as a systems administrator for our partner, Arcustech.  Welcome to the show, Greg! 

Greg Aker:  Hey, thank you so much. 

Lea Alcantara:  So Greg, can you tell our listeners a bit more about yourself?

Greg Aker:  Well, I used to work at EllisLab.

Lea Alcantara:  [Agrees]

Greg Aker:  So I worked on ExpressionEngine back in the day in the trenches when v2.0 was first released.  At this point, I’m a Python developer. 

Lea Alcantara:  Oh wow!  That’s a huge shift. 

Greg Aker:  Not as huge as you’d think.  Yeah, it works, and it’s a lovely language. 

Lea Alcantara:  I heard it’s a much easier language to work in than PHP.

Greg Aker:  Yeah.  I think there are some things about it that are a lot easier.  I mean, PHP is really making huge strides with frameworks like Laravel and CMSs like Brandon’s [Craft].

Lea Alcantara:  For sure, for sure.

Emily Lewis:  So Greg, when we reached out to you, when I asked you for a bio, you mentioned that you play in a bunch of different bands?

Greg Aker:  Yeah, yeah.

Emily Lewis:  What instruments?

Greg Aker:  Well, I actually have a degree in jazz saxophone.

Emily Lewis:  Oh!

Lea Alcantara:  Oh wow!

Greg Aker:  Yeah.  What I tell everybody is I wanted to really struggle for a living, which is why I got myself into the program.

Emily Lewis:  [Laughs]

Lea Alcantara:  [Laughs]

Greg Aker:  Because jazz is the most popular music today, right?

Emily Lewis:  [Laughs]

Greg Aker:  But no, I play saxophone, clarinet, flute and I play keyboards in a Blues band and kind of my pride and joy is I just restored an early ‘70 Fender Rhodes.

Emily Lewis:  Oh wow.

Greg Aker:  Which you might not know what it is, it’s a keyboard, but you know the sound if you listen to any music from the 70’s.

Lea Alcantara:  Oh, very cool.  Very cool.

Greg Aker:  Yeah.

Lea Alcantara:  You’re added to our list of developers that also started as musicians. 

Emily Lewis:  It’s a long list.

Greg Aker:  There are a lot.  It’s very long.  It’s very, very long.

Emily Lewis:  So before we get into today’s topic about spam, I want to talk a little bit about what you just mentioned, some of the work you’ve done in the past.  I was checking out your site and you also mentioned you’re doing a lot of stuff with Python, so you’re doing a lot with Django these days?

Greg Aker:  Yeah, primarily Django. 

Emily Lewis:  Is that like custom app development or do you actually … I mean, I don’t even know if these exist, but are there any like Django-based CMSs you’ve worked with?

Greg Aker:  There are.  There are a couple that are very, very nice, but still, it’s much more custom.  I’m using air quotes here that you can’t see, but much more custom code than you’re getting with an off-the-shelf PHP CMS, WordPress or whatever.

Emily Lewis:  And have you worked with any other CMSs other than like ExpressionEngine?  Have you done any work with Craft?

Greg Aker:  I have not done anything in production.  I just played with it, so yeah.

Lea Alcantara:  Yeah.  Why don’t we shift to today’s topic?  Since you worked with a bunch of different languages and also a bunch of different CMSs, either in actual production or just dabbling, you must have had your share of spam issues.  But before we actually start talking about fighting the spam, how do you define spam?

Greg Aker:  Well, I think I define it not as an exploit, but it’s people trying to exploit you, right?

Emily Lewis:  [Agrees]

Greg Aker:  So there is forum spam, depending on what your hobbies, any forum you might go to, if somebody signs up and there is a lot of spam.  It just happens. 

Lea Alcantara:  Yeah.

Greg Aker:  It’s one of those things, or spam on your contact form, spam on comments. 

Emily Lewis:  Right.

Greg Aker:  Just look at Facebook comments on any site, “I make $2,000 a week working from home, you can too.”  Right?

Lea Alcantara:  Yeah, right.

Greg Aker:  So that is spam.

Emily Lewis:  And you mentioned it’s them trying to exploit, but like that last thing that you just mentioned, is that just them trying to like get links out there or are they actually trying to take advantage of like a vulnerability in a system?

Greg Aker:  There is both.  So I’ve seen both.  A lot of it is just links, nefarious companies trying to get backlinks for whatever site that answered that spam email like, “We’ll get you on the top page of Google,” and so a lot of it is automated and a lot of it is somebody making $2 an hour doing it, right?

Emily Lewis:  Right.

Lea Alcantara:  Right.  So people actually make money making spam?

Greg Aker:  Oh, I’m sure.  I’m sure.  I’ve never met anybody that does. 

Emily Lewis:  [Laughs]

Lea Alcantara:  [Laughs]

Greg Aker:  I hope …

Emily Lewis:  Who would admit it?

Lea Alcantara:  Exactly.

Greg Aker:  Yeah, I mean, that’s …

Lea Alcantara:  So then it feels like it’s all really form, like form-related spam.

Greg Aker:  [Agrees]

Lea Alcantara:  Are there any other types of spam exploits besides form?

Greg Aker:  Yeah.  Yeah, absolutely.  So I’ve seen vulnerabilities.  Most of them you would call … they’re either through a vulnerability in your software like WordPress, EE or whatever.

Emily Lewis:  Sure.

Lea Alcantara:  Okay.

Greg Aker:  Whether it’s core code or an add-on.

Lea Alcantara:  Okay.

Greg Aker:  So I helped somebody fix a very, very hacked-up WordPress site once that I couldn’t find their entry point, but basically what they did was they installed the plug-in and then they were able to go alter code in the theme that added links to Viagra ads and Buy Now Nike and Buy Gucci or whatever, right?

Emily Lewis:  Right.

Greg Aker:  And so they’re adding those hidden and they’d use CSS like … I don’t do much CSS anymore…

Emily Lewis:  Just display:none?

Greg Aker:  Or like throw it off to the left of the screen, that kind of thing.

Emily Lewis:  [Agrees]

Lea Alcantara:  Oh okay, right.

Greg Aker:  So Google is picking it up, but you don’t know until Google says, “Hey, you’ve been compromised,” right?

Lea Alcantara:  Oh, right.

Emily Lewis:  So it sounds like spam is definitely on the annoying side, especially if you are maintaining a site and you’re getting a ton of it from like your contact form.  But what you just described, it actually seems like it’s bad.  If Google notified you that you’ve been compromised, does Google penalize a site, for example, that might have a ton of that kind of crap on it?

Greg Aker:  Yeah, absolutely, they will, and you can get a Safe Browsing warning in Chrome that Google thinks your site has been compromised. 

Emily Lewis:  [Agrees]

Greg Aker:  I’ve seen this happen on fairly high-traffic sites.  Even people within our industry, I’ve seen this happen.  You’ve got to go clean up your files and tell Google like, “I’m free and clear now.  Please take this warning away.”

Lea Alcantara:  Right, and that takes a long time.

Emily Lewis:  [Agrees]

Lea Alcantara:  Like it takes so many steps and then having to explain to clients too.

Greg Aker:  It’s a total pain in the rear, is what it amounts to.  It’s awful. 

Lea Alcantara:  So we mentioned that maybe perhaps money is a factor for spammers spamming.  Do you have any other idea why they would spam?

Greg Aker:  They’re bored.

Emily Lewis:  [Laughs]

Lea Alcantara:  [Laughs]

Greg Aker:  They do it because they can, just to prove they can.  If you sit and watch logs on a server — which I’m a nerd so I’ll occasionally do — you see hundreds of or thousands depending on the level of traffic requests coming in from China, coming in from North Korea, coming in from Russia is a big, big one.  Either they’re trying to SSH into your server somehow where they’re hitting a form over and over, that kind of thing.

Lea Alcantara:  Now, I’m just wondering though, I feel like that seems to be common when there’s something called the DDoS attack, right?

Greg Aker:  [Agrees]

Lea Alcantara:  Is that essentially what it is where they just kind of do a massive amount of spamming essentially, right?

Greg Aker:  Yeah, I mean, it can.  Especially there are, I don’t know if EE still does this, but they used to with their secure forms, they would write to the database every time you loaded a page with that secure form hash, so effectively you could have your database locked up. Because by default, you’re using MyISAM for the MySQL storage engine.

Lea Alcantara:  [Agrees]

Greg Aker:  And so that puts a lock on the table when you’re writing to it and a lock on the table when you’re reading from it, right.

Emily Lewis:  Right.

Greg Aker:  And so that’s going to make your site slow if somebody is hammering a page with a form on it, and it’s even worse if it’s your home page, right?

Lea Alcantara:  Right, right.  Yeah, so just for me, I’m just trying to wrap my mind around like why, why bother doing this?  I guess beyond like the boredom and just maliciousness, it’s just such an annoyance and it’s like what’s the point? 

Greg Aker:  Right.  It really, really is, and I don’t think there’s a good why or an answer to the why.

Emily Lewis:  Right.

Greg Aker:  We have to deal with it and kind of arm or stack our arsenal full of things to deal with it really.

Emily Lewis:  Absolutely.  So let’s talk about dealing with it.  So what are the main things that we need to look out for when we’re dealing with spam?  I mean, is one of the first things to figure out what type of spam you’re dealing with? Like, for example, you mentioned people putting backlinks on your site like in comments or in a forum, but you also mentioned like trying to get into your server.  Is that where you start figuring out what type of spam you’re dealing with?

Greg Aker:  Well, I think, first and foremost, especially when you’re dealing with an open source or commercial off-the-shelf CMS, is keep your software up-to-date.

Emily Lewis:  Yeah.

Lea Alcantara:  Yeah.

Greg Aker:  And most of the issues come from people running three- or four-year-old versions of the software, and things, you know?

Lea Alcantara:  Yes. 

Greg Aker:  Security issues happen, we know that, and nobody is going to program something perfectly the first time.  There can be strange edge cases that can introduce a security issue, so keep your software up-to-date, right?

Lea Alcantara:  Yeah.

Greg Aker:  And if the vendor you’re using doesn’t have kind of like edge and stable release versions, put pressure on them to do so.  So they’re backporting fixes.  If you’re on version 2.7, you want to get it to 2.7.1 with that security fix backported if it’s in there.  If there’s currently a version 4 out, if they’re still supporting it.

Timestamp:  00:09:57

Emily Lewis:  Right.

Lea Alcantara:  [Agrees]

Greg Aker:  So also, I think it goes with all of these communities, be very careful about what plug-ins you choose.  Be very, very careful about what plug-ins you choose. 

Emily Lewis:  Yeah.

Lea Alcantara:  Yeah.

Greg Aker:  If we’re sitting in the PHP world, look over the code.  Even if you don’t know PHP very well, still look it over because, A, it’s going to teach you something about PHP, and you sort of get to know how these work. So look for things like cURL calls, so maybe it’s calling after something else.  Are they trying to embed an iFrame, and if so, what is that iFrame?  Is there something that’s Base64-encoded and they’re decoding it to display on your screen?

Emily Lewis:  [Laughs]

Greg Aker:  So regardless of your comfort level, and this is really like how I started programming … I was starting to understand PHP, like I was an ExpressionEngine user in the community and it really annoyed the hell out of me that I didn’t understand how like the weblog tag worked, and I wanted to figure that out.

Lea Alcantara:  [Agrees]

Greg Aker:  And so I spent, you know — not knowing any PHP — like a month trying to figure it out.  So that is how you’re going to advance yourself in your career and make sure you’re being smarter about what you’re installing if you don’t know the author of it. And stuff like the Craft and EE community, they’re small enough, most people really seemed to know each other.  So with these like really large communities like Drupal being a very large community, WordPress being very large, I think more care needs to be taken there, but you still need to do your due diligence in the smaller communities.

Emily Lewis:  Well, that kind of leads me to what I was going to ask: Is an open source piece of software or platform more vulnerable than maybe a commercial product? Like WordPress compared to Craft?

Greg Aker:  No, I don’t think so.  I think a lot of it comes down to where — I’m going to assume the Midwesterner in me that not everybody is nefarious, and most people are just trying to provide a nice service for others, contribute back to the community — so I think a lot of it is just mistakes being made.  I don’t think most people are intentionally trying to introduce these issues.

Emily Lewis:  Right.

Lea Alcantara:  Sure, I do believe that like the larger community, the harder it is to control.

Greg Aker:  Absolutely, yeah.

Emily Lewis:  Yeah, monitor.

Lea Alcantara:  Yeah, like especially with something like WordPress, there is such a low barrier of entry, which is like fantastic when you’re starting out.  But especially when you’re starting out and if you don’t have as much programming knowledge or whatever, you just see free add-on, excellent. 

Greg Aker:  Right.

Lea Alcantara:  I’ll pull that in there.  It looks like it works.  Does it work?  Who knows?

Greg Aker:  Yeah, some of the themes out there, they’ve had major security vulnerabilities in them.  They’re free off-the-shelf themes, so it’s mainly doing your due diligence to ensure you are not going to be compromised.

Emily Lewis:  Right.

Greg Aker:  And more importantly, if somebody is paying you to build a product for them, a site for them, you’re not going to get yourself into trouble by introducing something that could potentially lead to issues.  Does that make sense?

Emily Lewis:  Right.

Lea Alcantara:  Absolutely, absolutely.  I think it’s just one of those things though, as a vendor speaking to a client, just trying to make them understand that there are certain things that are out of your control. And there are a lot of things you could do to help prevent it, but having to tell them that, “Yeah, you need to pay someone to help you update your site every so often and keep up to date, especially if you don’t have any of those auto-update stuff.”  But even with those auto-update stuff, if you’re using a third-party ecosystem of any sort, we all know that it’s never as easy as just pressing update.

Greg Aker:  Right.

Emily Lewis:  Right.  [Laughs]

Lea Alcantara:  Because what if the add-on itself isn’t doing something correct, et cetera, so trying to sell a client and explaining to them that maintenance service or something like that is going to be good for them in the long run. 

Emily Lewis:  Right.

Greg Aker:  I think you need to be blunt with them.  It’s a matter of “We can do this now and we can greatly lower the chance that something is going to happen.”

Emily Lewis:  Right.

Greg Aker:  Or, “We can wait for it to happen, and it’s going to be expensive.”  You know?

Emily Lewis:  Right.

Greg Aker:  Whether it’s you need your hosting company to be running scans on the server to make sure the server hasn’t been compromised in some other way, or you having to literally go through just about every file in the installation and replace things to ensure that it’s not messed up.

Emily Lewis:  It even occurs to me it’s a discussion that it’s not just maintenance.  It’s even starting a project … like what you were describing, the due diligence of making sure the platform you choose, the plug-ins you choose are safe and that you know what they’re doing.  People like, “Oh, I just want a quick and easy free WordPress site, a couple of thousand dollars.”  Sure, you get what you pay for.  If you want to pay for someone who’s an expert who … even if it is a WordPress and you’re saving some money there, you’re still going to be paying for the expertise of the person who understands what the right solutions are that are “safest” for what they’re going to build for you.

Greg Aker:  Right, and especially for clients out there, it’s a tough thing because I’ve seen people writing custom code that’s just riddled with security vulnerabilities, like all over the place.  You can drop the database if you want. And so it’s being very paranoid and to be blunt, not going off half-cocked just like, “I got this, so I’m going to do this.”  You know?

Emily Lewis:  Right.  [Laughs]

Lea Alcantara:  Right.  [Laughs]

Greg Aker:  And as a developer, having a bit of impostor syndrome and really, really double-checking and asking for advice, reading … that kind of a thing is very, very important.

Emily Lewis:  Right.

Greg Aker:  And mostly, the really good developers I know that I have some amount of respect for, that is the way they approach things. 

Lea Alcantara:  Yeah, worst-case scenario and then try to see what you can do about that.

Emily Lewis:  [Agrees]

Greg Aker:  Right.

Lea Alcantara:  So when you are that developer looking at the worst-case scenario, what do you find people miss when they try to deal with spam attacks?

Greg Aker:  What do I find people miss?  There are some simple things you can do.  If we are going to talk about comment form spam, use Akismet.

Emily Lewis:  Right.

Greg Aker:  There’s no reason not to.  There’s no reason not to.

Lea Alcantara:  Unless they don’t want to pay the $5 a month for a commercial license, right?

Greg Aker:  Then…

Lea Alcantara:  Because it’s only free for non-profits.

Greg Aker:  Right, right, or you can pay me to clean it up, you know?

Emily Lewis:  Right.

Lea Alcantara:  Sure, right.

Greg Aker:  I mean, in the grand scheme of things, if you’re building, let’s say, a $10,000 to $50,000 site, $5 is a drop in the bucket, and do you want to make a $60 investment on making this easier for you, or do you want to be paying somebody $120 or $150 an hour to clean it up later?

Emily Lewis:  [Agrees]

Lea Alcantara:  Right.

Greg Aker:  Or take time away from your staff, who’s doing things to clean it up later. 

Emily Lewis:  Right.

Greg Aker:  It’s a no-brainer. It’s $5 a month. 

Emily Lewis:  Sure.

Greg Aker:  That’s Starbucks, right?

Lea Alcantara:  Yeah.  [Laughs] 

Emily Lewis:  So what else do you think people miss?  Well, I mean thinking about my early days.

Lea Alcantara:  [Agrees]

Greg Aker:  [Agrees]

Emily Lewis:  In dealing with spam, I just looked for plug-ins, like you said. I was running a blog.  That was a non-commercial thing, so I had an ExpressionEngine site.  Well, it still is, I just haven’t blogged in three years.  [Laughs]

Lea Alcantara:  [Laughs]

Greg Aker:  So you sound like me.  [Laughs]

Emily Lewis:  [Laughs]

Lea Alcantara:  [Laughs]

Emily Lewis:  Yeah.  So I was actually using Low NoSpam, which ties into Akismet.

Greg Aker:  Right.

Emily Lewis:  And that’s all I did, like I didn’t look any further.  Is that something that I missed?  Should I look further to see if there was something else I could be doing?  Is it just kind of relying on just a simple solution and not looking further?

Greg Aker:  I think within the context of a commercial off-the-shelf CMS, there’s not a whole lot more you can do.  There are a few things depending on what the CMS allows you to do, like put rel=nofollow on links.  I know there’s a way in EE to do that.  I don’t know about the others.  Another thing to remember — it was earlier before a lot of people in the community kind of stepped up and talked about not doing this within EE land — was if you’re just running a blog, do you need random people to be able to sign up?  No, you don’t, and so due to the permalink style in EE, it was like a ripe target for people to sign up and post naughty links or whatever in their profile that was public.  So I think Erik Reagan has in his EE [Master] Config that changes the member profile page every time the page is reloaded.

Lea Alcantara:  Yes.

Greg Aker:  And turn that off.  Make sure those things aren’t exposed, and that’s a really good way to combat spam.  You know I can’t speak for some of the other ones, but if they have those options, do that. 

Lea Alcantara:  So you mentioned the stuff that you could do with EE, and we kind of touched on add-ons and things like that. Do you think just in general CMSs introduce weirdness into spam issues?  Is there any particular challenge the CMS does?

Greg Aker:  Yeah, there are huge challenges within a CMS because you’re not building a custom solution for one specific problem. 

Lea Alcantara:  Right.

Greg Aker:  It’s one size fits all.

Lea Alcantara:  Right.

Greg Aker:  And so these are important problems to solve and it’s something you want it to be as absolute.  These CMSs are targeting designers.  They are not targeting nerdy back-end developers.

Emily Lewis:  Right.

Lea Alcantara:  Right.

Greg Aker:  So they’re targeting designers with maybe some PHP experience or some Python experience or some Ruby experience. And so these “one size fits all” solutions are incredibly flexible, but you can get your butt into trouble with them, you know?

Emily Lewis:  Right.

Greg Aker:  Depending upon the confines or restrictions of your CMS, there are things you can do, you know?

Lea Alcantara:  [Agrees]

Greg Aker:  Like I said, the easiest one is Akismet.  Another great idea is use CloudFlare.

Emily Lewis:  CloudFlare, right. 

Greg Aker:  Right.  They have this security stuff in it, and so they’re going to detect naughty requests and just blackhole them, and they have the free tier. There’s no reason to not use CloudFlare.

Timestamp:  00:20:00

Lea Alcantara:  I will point out that there is one tiny reason.

Greg Aker:  And what’s that?

Lea Alcantara:  Just based on a client that I was monitoring in New Relic, for whatever reason, turning on CloudFlare ups all the resources.

Greg Aker:  For a minute or was it constantly?

Lea Alcantara:  No, sustained for days.  It was one of those things where we saw that there was an increase in resources, and we’re like, “What’s happening?  What’s going on?  What changed from this particular day where there was a spike?”  And the only change was we turned CloudFlare on.

Greg Aker:  Interesting.

Lea Alcantara:  Yeah, and then afterwards, we’re like, “Okay, is it CloudFlare?  Let’s turn it off.  Let’s see what happens.”  And since we turned it off, it went down.

Greg Aker:  That …

Lea Alcantara:  Which is weird, I have no idea why.  Maybe there are other configuration things or maybe CloudFlare itself was configured incorrectly.  Who knows?

Greg Aker:  Yeah, that could very well be. 

Lea Alcantara:  Yeah, but it was one of those things where turning it on increases resources, and turning it off, you know.

Greg Aker:  That’s odd.  Yeah, that’s kind of the opposite of what I see.

Lea Alcantara:  Of what it should be doing, because it’s essentially supposed to just cache all the things.

Greg Aker:  Yeah, I mean, there are page rules to set up.  Maybe that was just weird.  I don’t know.  That’s interesting. 

Lea Alcantara:  Maybe it’s because part of the thing with CloudFlare and CMSs is that you have to exclude the actual administrative part of the CMS, so like perhaps, it’s always checking the exclude URL.  Who knows?

Greg Aker:  Yeah, I don’t know.  I don’t know.  That’s interesting. 

Emily Lewis:  It’s odd. 

Greg Aker:  Yeah. 

Lea Alcantara:  It’s odd, and it’s one of those things that was completely unexpected, but it is … that’s what New Relic told me.

Greg Aker:  Interesting. 

Emily Lewis:  Since you have a lot of the experience with ExpressionEngine, let’s talk a little bit about that to start.

Greg Aker:  Okay.

Emily Lewis:  So the CMSs introduce, and maybe vulnerability is too strong of a word, but they definitely introduce a challenge in the spam fight.

Greg Aker:  [Agrees]

Emily Lewis:  But in turn, do they attempt to fix that?  Like for example, I know ExpressionEngine in their docs, they have like a page on spam protection, and some of the built-in things that are available, if you set them up correctly, to help you prevent spam. 

Greg Aker:  Right, absolutely, it does.  EE has a very, very stellar security record — plain and simple — since the beginning.  Most of the time, security issues are found and caught before they’re reported.  That’s a real testament to Wes [Baker] and Pascal [Kriete] and the other developers there.  So I think following the docs and setting those things up the way they say, and if you have other ideas, obviously, going and opening a dialogue with them is a smart thing to do, you know?

Emily Lewis:  [Agrees]

Greg Aker:  Because they’re human beings, and we all can’t think of everything all the time.

Lea Alcantara:  Well, that kind of opens up the question, is there any CMS — because you mentioned that EE has got a stellar record with security — is there any CMS better at preventing spam than others, or is it just some of them have better add-ons?  What do you think?

Greg Aker:  The best experience I’ve had with preventing spam was a completely custom, from the back-end to the front-end, solution. And we had run on EE and we kept it up to date, et cetera, et cetera, like you’re supposed to. And Alex Rubin, who I used to work with, came up with a great idea and he was essentially blackholing these spam comments and we looked and we were getting 50,000 or 100,000 a week.

Emily Lewis:  Wow!

Lea Alcantara:  Whoa!

Greg Aker:  Yeah, and so we’re writing them into this other database.  It was crazy, and so what we ended up doing, we rewrote the site and we put it in — I don’t think it still is — but it was written with Ember.js on the front-end and we wrote an API in Django on the back-end. 

Lea Alcantara:  Oh. 

Greg Aker:  So a couple of things we did that were, I thought, very cool and they seemed very, very effective. And the first one was when the page loads, we did not show a comment form.  The comment form was not in the DOM. 

Emily Lewis:  Oh.

Lea Alcantara:  Hmm.

Greg Aker:  It wasn’t until somebody clicks the comment or like “Click to comment” or whatever, that we would add the comment form to the DOM.

Lea Alcantara:  Right.

Emily Lewis:  That’s clever. 

Greg Aker:  Right?

Lea Alcantara:  Smart, smart.

Greg Aker:  Right.  So if it’s an automated bot attack, they’re probably not going to see it until they get smarter and we have to do other things.  So another thing we did was the secure form’s CSRF tokens, of course, and we used Akismet and the other thing we did was we’d use a Honeypot field.  Do you know what those are?

Emily Lewis:  I do, but for our listeners …

Greg Aker:  Okay, so when a bot typically is going to hit a site, they find a form and they enter something in all of the fields on the form and they submit the form, okay? 

Lea Alcantara:  Right.

Greg Aker:  So we have one field or I think two fields.  I called it like website or URL or something like that.

Lea Alcantara:  Yeah.

Greg Aker:  And if they fill that in, we would just blackhole the comment and say, “Thanks for submitting your comment,” and of course, that website field was never shown.  It wasn’t shown in the form, it was a hidden form field.

Emily Lewis:  Right.

Greg Aker:  And so if they’re submitting that, then we know it’s a bot.

Lea Alcantara:  Right.

Emily Lewis:  When you say you blackholed it, is that the same as like blacklisting?

Greg Aker:  No, we didn’t really bother with that.  We would just make them think that we would return it and show the comment on the page.  So maybe they think that it got submitted, but in the back-end we did nothing.

Emily Lewis:  Oh.

Lea Alcantara:  Aha!

Greg Aker:  We didn’t actually save it, and so that’s kind of what we would do.

Lea Alcantara:  Okay.

Greg Aker:  And our spam at that point dropped. And I think the biggest aspect of it — and this was all Alex Rubin and Jerel Unruh’s idea — was not showing the form in the DOM drops the positives and false positives or whatever in Akismet to like nothing. 

Emily Lewis:  Wow.

Lea Alcantara:  Wow.

Greg Aker:  Like absolutely nothing from getting like 50,000 to 100,000 a week.  It was remarkable, so if there’s a way your CMS can allow you, and it’s relatively simple with a little bit of jQuery, right?

Lea Alcantara:  Right.

Greg Aker:  Have a form or have a URL that you can hit, grab that comment form and shove it into the DOM and it was pretty remarkable.

Lea Alcantara:  This actually reminds me of a link that Emily found when we were doing research.  It was called “How I Stopped WordPress Comment Spam.” And I believe, just based on my understanding on the article, that his process was more or less the same, but instead of hiding the entire form, he just hid one particular like field. 

Greg Aker:  Oh.

Emily Lewis:  Yes, kind of like a Honeypot sort of thing.

Lea Alcantara:  Yeah, yeah.

Greg Aker:  Yeah.

Lea Alcantara:  So it’s like literally the field did not exist until somebody presses whatever. 

Greg Aker:  Oh, that’s good.  Yeah…

Lea Alcantara:  So the forms still like showed up like it’s fine, but the field itself was the one that didn’t show up until it got pinged by a bot or something.

Greg Aker:  That’s a great idea.  Yeah, it’s very, very similar, but a good idea, and another alternative I think a lot of people are overly sensitive about having their comments like perfectly styled the way they just want their comments, it’s not a big deal, right?

Emily Lewis:  Right.

Greg Aker:  Like use Disqus, and a lot of people really don’t like that I’ve heard … like passionately dislike using that. But they have their own spam prevention measures.  Nothing is rock solid and perfect, but that makes a difference, as well, if you don’t want to go through or jump through the other hoops.

Emily Lewis:  [Agrees]

Lea Alcantara:  Yeah, because then it’s their job to administer comments as their full time service.

Greg Aker:  Exactly.

Lea Alcantara:  So you might as well deal with it as a third-party thing, and then your client can yell at them instead of you.  [Laughs]

Emily Lewis:  Right.  [Laughs] 

Greg Aker:  Exactly.  Yeah, exactly. 

Emily Lewis:  You sort of mentioned a couple anti-spam methods using Akismet.  We talked about Honeypot.  What are some other anti-spam methods?  CAPTCHA comes to mind because I have to deal with one probably at least three times a week when I’m online, shopping or whatever.  What are your thoughts on like using a CAPTCHA?

Greg Aker:  They’re broken. 

Emily Lewis:  Yeah, right.

Greg Aker:  They’re broken.  In EE and whatever CMS you’re using, they’re pretty pointless to be honest.  They’re very legacy at this point.  They’re broken.  I wouldn’t bother.  I think reCAPTCHA is still good.  It depends on if you want to give Google that data or not.

Emily Lewis:  [Agrees]

Lea Alcantara:  [Agrees]

Greg Aker:  Since they own reCAPTCHA.  I’m pretty sure they do anyway.  So reCAPTCHA would be pretty much the only one I would use.  I think it’s a user experience pain in the rear.

Emily Lewis:  I agree.

Lea Alcantara:  Right, right.

Emily Lewis:  What do you think about those like, and maybe it’s considered a CAPTCHA as a label, but it’s like, “What’s 2 plus 3?”  It’s like a little formula that you have to fill out to figure out if you’re a human or not.

Greg Aker:  I don’t like those either.  I think they’re intrusive and annoying, and they make me not want to submit that form.  There is a lot of them that have big-time accessibility issues with.  If they’re written in JavaScript and like slide this deal this way or something like that … big-time accessibility issues with people on screen readers and stuff like that. And also, if you’re targeting 2 plus 2, is somebody in France going to know what you’re saying?  Is someone in Russia, you know?

Emily Lewis:  Right.

Lea Alcantara:  Right.

Greg Aker:  So you’re cutting off a good portion of your potential readership at the knees.

Emily Lewis:  I think the thing I hate most about it is what you said, the user experience.  You’re making your user have to deal with a problem you should be dealing with some other way.

Greg Aker:  Right.  Other very low-fidelity ideas or put everything into a moderation queue. 

Emily Lewis:  [Agrees]

Greg Aker:  WordPress can do that.  EE can do that.  I would assume the others can.  Just put stuff into moderation queue. 

Timestamp:  00:29:40

Emily Lewis:  If I can speak to that point just real quickly … so for my blog where I have — and I still think it’s in place, but I just have comments turned off at this point — but I have Low NoSpam in place, and that basically puts anything it flags as potential spam comment in a queue I guess for me to decide whether it is spam or it’s not. 

Well, if you’re not paying attention to that queue on a regular basis, it can get really, really big, and at one point, it broke my site because I hadn’t been cleaning out that spam and so it filled up.  I don’t know enough about the back-end, but I actually pulled up an email from 2010 that I sent to EngineHosting, which is now Arcustech, because it forced that I had to increase my PHP memory limit to even go into the control panel and delete those things.  I ultimately had to go in through SQL and delete all of the comments that have been sitting in there for me to delete out. 

Greg Aker:  Yeah.

Emily Lewis:  So if you’re not paying attention to that queue, you’re going to have problems eventually.

Greg Aker:  Right, absolutely.  I mean, you’ve got to stay on top of it and it’s the kind of thing that can grow by hundreds of thousands a day, depending on the content of your site.

Emily Lewis:  Yeah.

Greg Aker:  So yeah, you’ve got to be careful.

Lea Alcantara:  Yeah, I have to say that I’ve had experience with that in Craft as well.  Remember, Emily, we were playing around with different types of contact forms?

Emily Lewis:  Yeah.

Lea Alcantara:  And one of them — and this is very similar to the same what we call functionality as FreeForm in ExpressionEngine — but the other form add-on we were using in Craft was saving the contact form information in the database, so it was almost like an entry thing. And we haven’t been checking it because we had only received in our actual email client the real email, but then there will be spam emails that would still publish in the form and it would be in EE.

Emily Lewis:  In the database.

Lea Alcantara:  I mean, sorry, it’s in the database.  It’s in Craft. So in the end we decided, “This probably isn’t the best contact form add-on for us for our uses for this contact form, like too much spam is going through and it’s actually writing to the database.”  We went way back to just the basic Craft first-party contact form.

Greg Aker:  And if I can speak to that, a word of caution — and this is where looking at your plug-ins and add-ons, et cetera, is very, very important.  I have a site that I maintain that gets several hundred thousand views a week, and it’s in Django.  There’s a very rudimentary comment form on there, and I didn’t deal with the CAPTCHA.  I don’t write anything to the database.  I just shoot the email, and I will occasionally get an email with somebody trying or they will try to do an SQL injection attack or an email header injection attack on this form.  So when you’re dealing with email writing to the database, you never trust what a user is putting in.

Emily Lewis:  Right.

Greg Aker:  You always consider it dirty and naughty and sanitize your data. 

Emily Lewis:  [Laughs]

Lea Alcantara:  [Laughs]

Greg Aker:  Like the XKCD’s Bobby Tables, Drop Bobby Tables or whatever code input.

Lea Alcantara:  Right, yeah, I saw that one, yeah.

Greg Aker:  Sanitize your input if you are doing something on your own, and look at these third-party add-ons to make sure they’re doing it correctly.

Emily Lewis:  I’m curious, is there anything on the server side that can be done to help with spam prevention or anything that we can ask our host provider to do for us?

Greg Aker:  I think most of it falls on you.  There are a few things you can do.  There are ways you can rate limit.  Like in Nginx, I think there’s something for Apache.  You can rate limit specific URLs to say, “If somebody has hit this URL ten times in the last five minutes, or they can only hit it twice a minute or something like that.” 

Emily Lewis:  [Agrees]

Greg Aker:  Peter Baumgartner at Lincoln Loop had a really good write-up on that.  If you’re hosting your own thing with Nginx, we’ll include that in the show notes.

Emily Lewis:  What about blocking IPs and blacklist?

Greg Aker:  I mean, it sort of works.  IPs are spoof-able though, right?

Emily Lewis:  Right, right.

Greg Aker:  And so depending on how your CMS handles that, all you’re doing is making your .htaccess file bigger and bigger and bigger and bigger and bigger.

Emily Lewis:  [Agrees]

Lea Alcantara:  Right.

Greg Aker:  And there comes to a point — I was just speaking earlier today with Nevin [Lyne] at Arcus about after a large redesign — people have a hundred thousand or whatever 301 redirects, you know?

Emily Lewis:  Right, right.

Greg Aker:  And then they forget about it.  That takes a lot of processing power on every single request, you know?

Lea Alcantara:  [Agrees]

Greg Aker:  So I think there’s a trade off.  You don’t want to block and ban everybody at the server level.  There comes a point when the trade off is not worth it. 

Emily Lewis:  Right.

Lea Alcantara:  Right.

Emily Lewis:  So Lea, you were talking a little bit about what we did when we rebranded as Bright Umbrella and launched the site using Craft.

Lea Alcantara:  Yeah.

Emily Lewis:  So can you describe a little bit about the add-ons you tried and the final solution we’re using?

Lea Alcantara:  Okay.  So currently, and here’s the thing, it’s still not perfect.  We’re still getting spam. 

Emily Lewis:  Yeah.

Lea Alcantara:  So we might need to re-address certain things, and part of it might be because when we first launched with our Craft site, there were a lot of add-ons that were still in beta.  Do you know what I mean?

Emily Lewis:  [Agrees]

Lea Alcantara:  So like that means it wasn’t like perfectly written and hasn’t been battle-tested completely yet. So maybe part of the problem is we need to install their updated version and then things might be better. 

Greg Aker:  Yeah, keep it up-to-date.

Emily Lewis:  [Laughs]

Lea Alcantara:  Yeah, exactly, exactly. 

Greg Aker:  [Laughs]

Lea Alcantara:  Well, I mean, Craft is pretty easy to keep up-to-date, so we’ve been pretty up-to-date with Craft, but like the add-on installs, we haven’t been easily updating.  But currently, what we’re using for Craft is we went back to just the general first-person simple Pixel & Tonic Craft form. So we’re not using a third-party form add-on, we’re just using the first-party … and I think that may be something important to also mention, if you can, try to use the add-ons that the actual developers of the CMS has created, you know?

Greg Aker:  Yes.

Lea Alcantara:  Yeah, so like if there are already features inside EE or there are features inside Craft, use those first, see if they work because …

Greg Aker:  Can I just interject there?

Lea Alcantara:  Sure, sure.

Greg Aker:  I think that goes to CMSs as a whole. 

Emily Lewis:  Oh yeah.

Greg Aker:  I saw a lot of people that, “I am doing a site and I need this add-on, this add-on, this add-on.  I need these 37 add-ons to build a five-page website.” 

Emily Lewis:  [Laughs]  Right.

Lea Alcantara:  [Laughs]  Right.

Greg Aker:  And base WordPress installed with maybe a contact form add-on.  Craft can do that out-of-the-box.  EE can do that out-of-the-box.  All of these can do it out-of-the-box really, really well, and focus there first. 

Emily Lewis:  Right.

Greg Aker:  Before you’re, A, spending your client’s money on add-ons and, B, adding overhead with all of these add-ons. And the overhead includes keeping them up to date.

Emily Lewis:  [Agrees]

Lea Alcantara:  Yeah, absolutely, and double-checking to make sure that they’ve got the security stuff that you mentioned earlier in the show, and that takes time.

Greg Aker:  Exactly, right.

Lea Alcantara:  So for Craft, we’re using P&T’s regular form. And then currently — and here’s the other thing that I’m not sure is an issue — we’re using two CAPTCHAs right now.  One is Snaptcha, and the beta version of Snaptcha, and one of the earlier versions of Barrel Strength’s Invisible Captcha.  So we’re using both of them and we’re still getting spam.  I’m wondering is this because it’s conflicting with each other?  Is it possible?  Like if you’re going to choose a spam solution, should I only have chosen one?

Greg Aker:  Within the context of that, I can’t tell you for sure.  It might honestly be worth looking at the idea of a little bit of Ajax to bring the form in and bring a certain field in, bring the submit button in, that kind of thing. 

Emily Lewis:  [Agrees]

Lea Alcantara:  Right.

Greg Aker:  If it were me, that would be kind of a next line I would go or if you can be using Akismet, use it. 

Emily Lewis:  [Agrees]

Lea Alcantara:  Right.

Emily Lewis:  Yet — I think, just for our listeners — I wanted to mention some of the add-ons that I’ve used for EE.  As I’ve mentioned, I’ve used Low NoSpam, and it’s fine except for the whole like you basically have to moderate.  You have to go in and clean up the comments that it captures on a regular basis, which is a major pain in the ass. And I’ve also used the EE version of Snaptcha, which is kind of like a Honeypot, but not entirely.  That’s from Ben Croker at Put Your Lights On, and these are all available on Devot:ee.  Again, just use wisely and be sure you’re informed.  There’s also a Hon-EE Pot Captcha add-on, and then there’s a FreeForm Anti-Spam, so that’s I guess if you’re using Solspace’s FreeForm, it’s an anti-spam add-on for that particular add-on.  [Laughs]  An add-on for an add-on. 

Lea Alcantara:  And I do believe that Craft, we’re not currently using it, but Craft also has an add-on that does tie to Akismet.  So that’s something maybe we should look into next.

Emily Lewis:  [Agrees]

Lea Alcantara:  Especially for our client.

Greg Aker:  Definitely.

Emily Lewis:  Yeah, I don’t mind paying $5 a month.  That’s worth it.

Lea Alcantara:  Yeah.

Greg Aker:  Oh, yeah.

Emily Lewis:  We’ve talked about this before, we aren’t WordPress developers, but just for anyone who’s interested, there are lots of WordPress add-ons out there for dealing with spam. But I’m going to link to this article that Lea already mentioned earlier, and it’s from David Walsh.  It’s called “How I Stopped WordPress Comment Spam.” And he basically says he tried a dozen add-ons for his WordPress site, and he was still getting 8,000-plus spam comments per day. And so even those add-ons were not helping, and so what he did was kind of what Lea was describing earlier — but it sounds a lot like what Greg was talking about — which is building just a little something on the front end with JavaScript and a little PHP, so that a form field isn’t available until an actual human takes action on that area of doing a form. And it took care of that.  It’s pretty straightforward and I actually think it’s something, Lea, we could even try ourselves.

Timestamp:  00:39:52

Lea Alcantara:  I think we should.  I think we should.

Emily Lewis:  Just a little PHP and a little JavaScript.

Lea Alcantara:  Yeah, it will be interesting to see like how our contact form spam is decreased. And honestly, this was part of the reason why we also decided not to have comments on our blog posts for our CTRL+CLICK CAST or our main site.  It’s just a pain to maintain.

Emily Lewis:  [Agrees]

Lea Alcantara:  And it’s like, “Yeah.  Well, if there’s no comment, there’s nothing to maintain.”

Greg Aker:  And like I tell people when people say, “Well, I want to put this file on the Internet, but I don’t want anybody to be able to download it.”  And my answer for that is “don’t put it on the Internet,” you know?

Emily Lewis:  [Laughs]

Lea Alcantara:  Yeah, yeah.

Greg Aker:  I mean, there are a few exceptions to that rule, but just don’t put that on the Internet then.

Lea Alcantara:  That’s a good rule for anything on the Internet.  It’s like if you don’t want one other person besides the person you’re sending the text or image or file to you, pick up a phone, see that person in person.

Emily Lewis:  Send them a letter.

Lea Alcantara:  Yeah. 

Greg Aker:  Yeah.  I was going to say pick up a pen and paper and write a letter.

Emily Lewis:  Right.

Lea Alcantara:  So there are still a couple of questions that I think we should address while we wrap this up, and I’ve kind of like mentioned it at the beginning, but I want to hear your particular thoughts, Greg.  How should we set client expectations from managing this ongoing fight against spam?

Greg Aker:  Well, most clients have dealt with this their whole lives.  I mean, every day when you go to the mailbox, you’re getting spam.

Emily Lewis:  Right.

Greg Aker:  This is not a new concept.

Lea Alcantara:  Sure.

Greg Aker:  And whether it’s credit card offers or political stuff, now that we’re getting into political season, you’re getting this.  It’s junk mail essentially. 

Emily Lewis:  Right.

Greg Aker:  They deal with it on their normal email.  Hopefully, they are not opening links they shouldn’t, but I think it’s an extension of that, and it’s not going away.  If you’re dead-set against it, don’t have forms.  It’s as simple as that.

Emily Lewis:  Right.

Greg Aker:  Otherwise, you have to deal with it.

Emily Lewis:  Yeah, we actually just recently had this conversation with a new client.  We got to the point of discussing her blog and we’re redesigning her site.  We’re like, “Do you want comments?”  She’s like, “Well, wouldn’t I?”  I was like, “Spam.  I think that might be one reason.  Are you getting a lot of real engagement?  Are you getting a lot of spam?”  So we’re not putting comments on her blog.

Greg Aker:  Yeah, and a lot of people are going to that.  A lot of people or they use Facebook comments or Disqus or some other sort of platform that does an okay job of weeding out the crap.

Emily Lewis:  I’m actually really glad, Greg, that you said “Disqus” because I never heard anyone pronounce it, and I always thought it was Disqus.

Greg Aker:  I could be absolutely wrong so …

Emily Lewis:  No, it actually makes sense that it’s Disqus because it’s commenting.  I’m just now making this connection in my head.

Greg Aker:  Right.  [Laughs]

Lea Alcantara:  [Laughs]

Greg Aker:  Awesome. 

Lea Alcantara:  So then what’s your best advice for like the developer, someone who wants to fight the spam on their site?

Greg Aker:  Follow the recommendations from your CMS.  Give the least privileges possible, you know?

Lea Alcantara:  [Agrees]

Greg Aker:  So keep your members off if you don’t need to.  If you don’t have member signup, the realm they’ll follow in the links, at least that seems to do some good or maybe make people not as interested.  Moderate your spam.  You don’t want to fill up your MySQL server with only spam, and then it’s really as we do something, they adjust, so we need to adjust with them.  So it’s a fluid sort of attack.

Lea Alcantara:  An ongoing thing.

Greg Aker:  Yeah, and this, what we’ve talked about today in a year or a year and a half or six months from now could be completely …

Emily Lewis:  Right.

Lea Alcantara:  Obliterated.

Greg Aker:  Right, yeah.

Lea Alcantara:  Yeah.

Greg Aker:  So you need to stay up on it.

Lea Alcantara:  Because the more we get clever in fighting, the more clever they get in attacking.

Greg Aker:  Exactly.

Emily Lewis:  So Greg, our last question for you, have you ever eaten Spam?

Greg Aker:  No.

Lea Alcantara:  No.

Emily Lewis:  Really? 

Greg Aker:  [Laughs]

Emily Lewis:  Have you, Lea?

Lea Alcantara:  I’m Filipino.  I grew up eating Spam.

Emily Lewis:  [Laughs]

Lea Alcantara:  Like Spam and rice, it’s the most Filipino thing ever.  [Laughs]

Emily Lewis:  [Laughs]

Greg Aker:  Awesome.  That’s awesome. 

Emily Lewis:  I love fried Spam sandwiches with mustard.

Lea Alcantara:  [Agrees]

Greg Aker:  I don’t like mustard.

Lea Alcantara:  Yeah, Spam and rice, Spam musubis, it’s like a Hawaiian invention.  Basically, it’s sushi with Spam.

Emily Lewis:  Oh, I’ve seen that on TV.

Lea Alcantara:  Yeah.

Emily Lewis:  Those are delicious.

Lea Alcantara:  It reminds me of childhood.

Emily Lewis:  Yes, salty pork, yum.  [Laughs]

Lea Alcantara:  Yeah.  I have no complaint.

Greg Aker:  Yes, yes.

Lea Alcantara:  That’s the only Spam I can stand, let’s just put it out there.

Emily Lewis:  Yeah, not all spam is bad.  [Laughs]

Lea Alcantara:  So before we finish up, we’ve got our Rapid Fire 10 Questions, so our listeners can get to know you a bit better.  Are you ready, Greg?

Greg Aker:  Oh, I hope so.

Lea Alcantara:  All right, first question, Android or iOS?

Greg Aker:  It’s iOS.

Emily Lewis:  If you’re stranded on a desert island and can only bring three things, what would you bring?

Greg Aker:  My wife.  That’s a good answer, right?

Emily Lewis:  [Laughs]

Lea Alcantara:  Yes.  [Laughs]

Greg Aker:  My wife.  Something to play music with, number two, and number three would be Bill Evans’ Sunday at the Village Vanguard.

Emily Lewis:  Is that like a CD or something?

Greg Aker:  It’s an old record, but it’s my favorite.

Emily Lewis:  Okay.

Lea Alcantara:  All right, what’s your favorite TV show?

Greg Aker:  Oh, Archer.

Emily Lewis:  Oh, such a good show.

Lea Alcantara:  Fun.

Emily Lewis:  What’s your favorite dessert?

Greg Aker:  Apple pie.

Lea Alcantara:  What profession other than your own would you like to attempt?

Greg Aker:  Nursing. 

Emily Lewis:  What profession would you not like to try?

Greg Aker:  Being a plumber.

Lea Alcantara:  What’s the latest article or blog post you’ve read?

Greg Aker:  Something to do with furniture making and finishing with varnish.

Emily Lewis:  Cool.

Lea Alcantara:  [Laughs]

Emily Lewis:  If you can have a super power, what would it be?

Greg Aker:  To fly.

Lea Alcantara:  What music do you like to work to?

Greg Aker:  Oh man, that’s a hard one. 

Lea Alcantara:  [Laughs]

Greg Aker:  It depends on the day.  It depends on my mood.  In the morning, it’s normally piano jazz.  In the afternoon, it’s like ’70s soul and funk or yeah, I don’t really go much past the ’90s.  Some days I’m in a grunge rock mood.  It just depends.

Emily Lewis:  All right, last question, cats or dogs?

Greg Aker:  Dogs, of course. 

Lea Alcantara:  [Laughs]

Emily Lewis:  [Laughs]

Greg Aker:  Are you crazy?

Lea Alcantara:  [Laughs]

Emily Lewis:  [Laughs]  You’re talking to two cat ladies, you know? 

Lea Alcantara:  Yeah. 

Greg Aker:  I know.  I know.  I’m just jibing you.  I’m jibing you. 

Emily Lewis:  [Laughs]

Lea Alcantara:  All right.  So that’s all the time we have for today.  Thanks for joining us!

Greg Aker:  Thank you so much for having me.

Emily Lewis:  In case our listeners want to follow up with you, where can they find you online?

Greg Aker:  I haven’t blogged in three years at gregaker.net.

Emily Lewis:  [Laughs]

Greg Aker:  And Twitter has turned into read only for me at @gaker.

Emily Lewis:  You and me are on the same boat there.

Lea Alcantara:  [Laughs]

Greg Aker:  Yeah.

Emily Lewis:  So thank you so much, Greg.  This was a blast talking to you!

Greg Aker:  Yeah, you guys too, I appreciate it.

[Music starts]

Lea Alcantara:  We’d now like to thank our sponsors for this podcast:  EllisLab and Pixel & Tonic.

Emily Lewis:  And thanks to our partners: Arcustech, Devot:ee and EE Insider.

Lea Alcantara:  We also want to thank our listeners for tuning in!  If you want to know more about CTRL+CLICK, make sure you follow us on Twitter @ctrlclickcast or visit our website, ctrlclickcast.com. And if you liked this episode, please give us a review on iTunes or Stitcher or both!

Emily Lewis:  Don’t forget to tune in to our next episode when Samantha Warren will be joining us to talk about design deliverables for today’s web.  Be sure to check out our schedule on our site, ctrlclickcast.com/schedule for more upcoming topics.

Lea Alcantara:  This is Lea Alcantara …

Emily Lewis:  And Emily Lewis …

Lea Alcantara:  Signing off for CTRL+CLICK CAST.  See you next time!

Emily Lewis:  Cheers! 

[Music stops]

Timestamp:  00:46:48