Reviewing The Growmap Anti SpamBot Plugin (G.A.S.P.) Update

Perhaps one of the most elegant, and simplest, ways to stop WordPress comment spam is the Growmap Anti SpamBot Plugin.

It’s excellent and we use it on all our WordPress sites. It had been doing a stellar job until a week or so ago.

Something changed and we’ve been seeing increasing amounts of comment spam getting through.

This was a bit odd and I first thought it was down to more “manual” spammers at work, but the content of the comments eventually suggested otherwise… somehow, the bots were getting past the defenses put in-place by the GASP plugin.

Today, a new version of the GASP plugin (v1.4.1) has been released in an attempt to combat this – read on to find out what’s new.

What is actually new with the GASP plugin?

After reviewing the code changes they’ve made, I believe it works by ensuring that the post/page you are commenting on must first be loaded in a browser.

That is to say, a spambot cannot directly post a comment to a page without loading that page first.

Now, the good thing about this is that it’s another layer to the spambot protection.

However, the unfortunate part is that it’s relatively easy to work around – it’s a simple matter of pre-loading the page, grabbing the unique secret key for that page, and then using it to post the comment to that page.

How to improve the GASP plugin further

With this new “secret key” approach to the GASP plugin, there are a couple of ways to improve it that borrow a little from the Login Cooldown system in our WordPress Simple Firewall plugin.

At the very least, create a unique key per page. At the moment the secret key is site-wide, and once a bot has learned it, it can be used on every page.

A visitor will probably be on your page several minutes before they decide to post a comment, and perhaps even longer until they actually finish composing one.  Given this is the case, and that the secret key system forces you to load the page first, there is a way to further halt a spambot posting on your site.

We could place a unique comment timer on each page… that is to say a minimum-time-to-comment timer.

It would work as follows:

  • When a page/post with comment capabilities loads, a unique ID is assigned to that page load. This ID is also given a time stamp of exactly when the page was requested.
  • We state, for the sake of argument, that a visitor must be active on a given page for 60 seconds before commenting.
  • We use Javascript to load the GASP comment form elements and enable the comment-submit button only after these 60 seconds.
  • When a comment comes in, we examine its unique ID and ask whether it was submitted within 60 seconds of the page load. If it was, we know it came from a bot and we drop the comment.
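The server-side half of the scheme above, written here as an added illustration rather than code from GASP or the Simple Firewall: each page load issues an HMAC-signed token that binds a fresh nonce, the page ID and the request timestamp, so the key is per page rather than site-wide, and the comment handler rejects anything forged, replayed, issued for a different page, or submitted before the 60-second minimum. The secret and the 60-second value are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed secret for this example; a real site generates and stores its own.
SERVER_SECRET = b"example-server-secret-not-for-production"
MIN_SECONDS_ON_PAGE = 60  # the article's illustrative minimum time-to-comment


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_token(page_id: int, now: float) -> str:
    """Run when a commentable page is rendered: returns the unique ID
    (a per-load nonce) tied to this page and to the request time."""
    payload = f"{page_id}:{secrets.token_hex(8)}:{int(now)}".encode()
    return payload.decode() + ":" + _sign(payload)


def check_comment(token: str, page_id: int, now: float, seen: set) -> tuple:
    """Server-side rule check run when a comment is submitted.
    `seen` holds nonces already used, so a page load cannot be replayed.
    Returns (accepted, reason)."""
    parts = token.split(":")
    if len(parts) != 4 or not parts[2].isdigit():
        return False, "malformed token"
    tok_page, nonce, issued, sig = parts
    payload = f"{tok_page}:{nonce}:{issued}".encode()
    if not hmac.compare_digest(sig, _sign(payload)):
        return False, "bad signature"  # forged or tampered token
    if tok_page != str(page_id):
        return False, "token issued for another page"
    if nonce in seen:
        return False, "token already used"
    elapsed = now - int(issued)
    if elapsed < MIN_SECONDS_ON_PAGE:
        return False, f"submitted after {elapsed:.0f}s (< {MIN_SECONDS_ON_PAGE}s)"
    seen.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    used = set()
    tok = issue_token(page_id=42, now=1000.0)
    print(check_comment(tok, 42, 1005.0, used))  # too fast: dropped
    print(check_comment(tok, 42, 1065.0, used))  # 65 s on page: accepted
    print(check_comment(tok, 42, 1070.0, used))  # same token again: dropped
```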

This approach has several key advantages:

  1. It uses server-side rule checking.  Since any protection that is based in the browser is ultimately circumventable, we want as much server-side protection as possible.
  2. While it doesn’t prevent spambots from posting that have worked around this new secret key idea, it will serve to put the brakes on them.  Since they must always load pages to get the Unique IDs and secret keys, they must wait 60 seconds before they can ever post a comment to that page… or longer if you set the timer longer. 🙂

WordPress Simple Firewall and GASP Comment Protection

We’ve already added GASP protection to the WordPress Login page, and we’re now thinking of taking the GASP principles, combining their latest approach with our suggested additions, and adding comment spam protection to our Firewall plugin.

Ideally we’d like to see it in the GASP plugin so we wouldn’t have to write this ourselves… even with relatively few sites to manage, we’re still having to clean up spam whenever the spambots catch up with the protection we have.

If this is something you’d like to see in the WordPress Simple Firewall, please leave any comments and suggestions below.

8 Comments

  • Hi there,
    I know that you guys are big fans of Growmap, and gave it a try on a couple of sites experiencing spam problems (in one case “attack” would not be too strong a word). I saw an immediate INCREASE in spam getting through, albeit ending up in the Spam queue. The reason appears to be that most of the spam is not fully-automated, but rather semi-automated (if I can use that term), i.e. the comment form is actually being loaded in a browser and the whole process emulates a legitimate user making a comment. The Stop Spammers plugin fortunately appears to have provided the answer to this type of spam, at least for now! You can check it out here:
    http://wordpress.org/plugins/stop-spammer-registrations-plugin/
    Cheers,
    Russell

    • Paul G. says:

      Hi Russell,

      We’re always on the look-out for new and improved options for the plugins we use and recommend. Until now, we’ve had great success with the GASP plugin.

      I’ll check out the Stop Spammers plugin. I’m currently working on adding GASP comment checking to the WordPress Simple Firewall, with some further additions of my own (in part what I laid out here). I’ll also see what techniques I can borrow from this one that you recommend and hopefully have something that works and is sustainable going forward.

      Fingers crossed.

      Thanks for the plugin recommendation Russell, and for commenting!
      Cheers,
      Paul.

  • dellauk says:

    There are plenty of anti-spam plugins that bloggers can use to try and prevent the posting of comment spam. These vary in effectiveness, and amount of administration involved in ensuring that genuine posts are not categorised as spam or vice versa.
    If you can prevent the majority of spammers from targeting your site in the first place, then you will reduce time spent on moderation and the chances of letting spam through.

    • Paul G. says:

      Hi,

      Thanks for commenting. What you say is right, but it’s practically impossible to prevent the spammers reaching you. We also use CloudFlare, which detects spambots and prevents them to some degree, but there’s no preventing all of them.

      Thanks,
      Paul.

  • Gail Gardner says:

    Hi Paul,

    I came across your post and wondered what the latest is on using GASP? I see you’re still using it, so hopefully that means it is working well again? Spammers keep getting around it, but Andy has been able to block them out again so far.

    I run the version of GASP that is built into CommentLuv Premium now and periodically spammers get through, but right now they’re being blocked effectively again.

    • Paul G. says:

      Hi Gail,

      Thanks for dropping in. I don’t actually use Andy’s GASP plugin, I redeveloped it from scratch and integrated it into our WordPress Simple Firewall Plugin (http://wordpress.org/plugins/wp-simple-firewall/)

      To date, I haven’t had a single bot spam comment and I haven’t needed to update the algorithm since I first released it. It’s really very robust and it’ll be some time, if at all, that the spambots can get past what I’ve implemented there.

      The difference is that it’s based more on the server-side, with no more impact on the visitor than the basic GASP.

      Check it out and let me know what you think!
      Cheers,
      Paul.

  • Rabbi says:

    Great job.
    A visually refreshing and knowledgeable blog.

  • Ankit Chauhan says:

    Google actually does penalize sites for spammy incoming links now – it’s part of the Penguin update. While I know it’s not the point of this post, I did want to bring attention to that.
