20,000 spam attempts per day (and counting)


The onslaught just keeps coming. It’s on pace to easily meet 20,000 spam comments in 24 hours. I had a very small handful of false negatives, but they were easily dispatched by clicking a couple of checkboxes on an admin page.

20,000 spam attempts. Peaking at multiple attempts per second, with over 500 spam bots simultaneously spidering/spamming the site. Drupal seems to be holding its own, triggering throttles to shut down higher-load functions so the site remains responsive.

And Akismet is dutifully blocking the roaches from getting through. Their success rate just keeps dropping – down to 0.1% success rate, and even that is only temporary, until I manually remove the small handful that gets by Akismet’s watchful gaze. The spammer’s effective success rate is exactly 0% – not asymptotically approaching 0, but exactly 0. Zero. Absolute Zero. Cold heat death for spam.

I’m pretty sure they’re sticking around here because the bots think they are succeeding – Drupal accepts the comment, so the bots think it worked. What they don’t realize is that the comment is immediately unpublished by the Akismet module – as soon as Akismet returns its spam flag.

Thankfully, Dreamhost appears to be handling it like a champ. Not even breaking a sweat. I’m pretty sure that if this blog was still back on GoDaddy’s servers, it would have curled up into the fetal position and mumbled quietly to itself…

Comments

7 Responses to “20,000 spam attempts per day (and counting)”

  1. I have been considering switching to Drupal for my own site for a while now but one of the things that has stopped me has been spam control. My own system works pretty well (not allowing links helps) and I know I couldn't cope with deleting a flood of the little stinkers. So this is good to know. 

  2. Charlie says:

    You are probably right about one thing. The spam bots are certainly sticking around because they think they are getting through. I wouldn't be surprised if the load continues to increase as a consequence.

    One way to eliminate that is the bad behavior module.  It will block many of the spammer access requests immediately before they can access any of the site rather than letting them think that the comments have been posted.

  3. dnorman says:

    Charlie – thanks for the tip! I’ve just installed the bad behavior module integration to see how it works out. Begone, spam roaches!

  4. dnorman says:

    Stephen – you’ve got an order of magnitude or two more traffic than I do, but I think Drupal could still handle that, given proper iron on the server.

    Mike – I’ve tried BB before, and it seems pretty cool, but I haven’t had a lot of luck configuring it. I tried it on a Mediawiki site, and had to kill BB because it decided everyone was evil, and started blocking all access. I’ll give it another shot though – sounds like BB+Akismet should be a pretty sweet combo…

  5. Mike Cohen says:

    I haven't tried the Akismet module for Drupal, although I use it on my WordPress blog. Since I upgraded to Drupal 4.7 I've been using the Bad Behavior module and it's been working great. It's fun to look at the bad behavior log and find all of the spamming attempts it caught. I ended up disabling some of the tests which gave false positives and I still haven't had a single spam slip through.

  6. dnorman says:

    hmm… first thing Bad Behavior did was block my automated requests for cron.php, complaining that “Header ‘Pragma’ without ‘Cache-Control’ prohibited for HTTP/1.1 requests” – so I’ll have to fiddle with curl on my office Mac to send proper headers…

  7. dnorman says:

    That was easy… Followed the instructions here to remove the Pragma header, then deleted the entries from the Bad Behavior log (so it didn’t “recognize” that IP address again), and all seems well now. Cool!
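
The header check that tripped the cron.php request in comments 6 and 7, sketched as an added example (not from the post or from Bad Behavior's code). The rule is inferred solely from the quoted log message; the function names, host name and sample requests are constructed.

```python
# Added illustration: the rule is inferred only from the log message quoted in
# the comments; it is not Bad Behavior's source. All requests are constructed.

MESSAGE = "Header 'Pragma' without 'Cache-Control' prohibited for HTTP/1.1 requests"


def parse_request(raw: bytes):
    """Return (http_version, headers) from a raw request head.

    Header names are lowercased because HTTP field names are case-insensitive.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {request_line!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[2], headers


def pragma_rule(raw: bytes):
    """Return the block reason, or None when the request passes this one rule."""
    version, headers = parse_request(raw)
    if version == "HTTP/1.1" and "pragma" in headers and "cache-control" not in headers:
        return MESSAGE
    return None


def build(version, extra_headers):
    """Build a constructed cron.php request with the given extra headers."""
    lines = [f"GET /cron.php {version}", "Host: blog.example"] + extra_headers
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


SAMPLES = {
    "pragma only": build("HTTP/1.1", ["Pragma: no-cache"]),
    "pragma removed": build("HTTP/1.1", []),
    "pragma + cache-control": build("HTTP/1.1", ["pragma: no-cache", "Cache-Control: no-cache"]),
    "http/1.0 with pragma": build("HTTP/1.0", ["Pragma: no-cache"]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:24} -> {pragma_rule(raw) or 'allowed'}")
```

Only the first sample is rejected, which matches the outcome in comment 7: once the client stops sending Pragma on its own, the scheduled request passes this rule.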
