your suggestions are all awesome .. but havent a good deal of them been included/discussed by you here already though? And you mention this being covered in a plugin, but you have it in feature requests.. Thats important only because :

I preface this by saying im not a dev, BUT:

Adding all of those features to the core of b2evo would seem to me, atleast, an attempt to make b2evo an anti-spam application, as opposed to a blogging package. Know what I mean?

In other words, plugins yes, all of that in the core, no.

Thats my vote atleast. Except for the moderation of comments -- which is a defualt feature in nearly every other blog package Ive looked at.

Ive always been one to stress the development of the core features, not begin adding extras.

Thats the joy of plugins. No bloat, and the user can pick and choose.

You're right, whoo, most of those suggestions have already been discussed in several threads in the forums, including those ones:

• [url=http://forums.b2evolution.net/viewtopic.php?t=5062]Antispam Bandwidth, revisited[/url]

• [url=http://forums.b2evolution.net/viewtopic.php?t=2976]Captcha for b2evolution (finally)[/url]

• [url=http://forums.b2evolution.net/viewtopic.php?t=4876]Spam: an IP based approach[/url]

• [url=http://forums.b2evolution.net/viewtopic.php?t=5361]Moderation of Trackbacks[/url]

• [url=http://forums.b2evolution.net/viewtopic.php?t=4910]Public Stats: Reduce Referrer Spam Weight[/url]

• [url=http://forums.b2evolution.net/viewtopic.php?t=5322]How to control referer spam hits from search engines[/url]

• [url=http://forums.b2evolution.net/viewtopic.php?t=5243]CPU Usage Reduction Suggestions: Antispam[/url]

• [url=http://forums.b2evolution.net/viewtopic.php?t=5323]Enabling flood control[/url][/list:u]

Some hacks are already available:

• [url=http://wonderwinds.com/hackblog.php/2005/02/07/antispam_recheck_tool_part3]Antispam recheck tool part3[/url]

• [url=http://isaacschlueter.com/blog/b2evolution_antispam_recheck_cronjob]b2evolution Antispam Recheck Cronjob[/url]

• [url=http://wonderwinds.com/hackblog.php/2005/08/24/yaash_banning_ips_in_your_back_office]YAASH - banning IPs in your back office[/url]

• [url=http://forums.b2evolution.net/viewtopic.php?t=2438]Require user login to comment[/url]

• [url=http://www.village-idiot.org/archives/2005/01/28/b2evo-captcha-explained/]Captcha for b2evolution, explained [/url]

• [url=http://forums.b2evolution.net/viewtopic.php?p=23293#23293]BlockUntrustedVisitors()[/url][/list:u]

This post is just a summary of what would be fine to find into one single plug-in... or hack! There is one argument I can't agree with you, however. Some of [url=http://b2evolution.net]b2evolution[/url] users are so much harassed by spam they have strong difficulties to use that blogging system. Making that plug-in or hack part of [url=http://b2evolution.net]b2evolution[/url] would significantly reduce spam. It appears spammers look specifically for [url=http://b2evolution.net]b2evolution[/url] blogs to spam them (see [url=http://b2evolution.net/man/2004/12/29/control_referer_spam_howto]How to control referer spam hits from search engines [/url]). Making it more difficult for spammers to spam [url=http://b2evolution.net]b2evolution[/url]-based blogs would make that platform more efficient and usefull. When you pretend to craft the best car in the world, you also ship it with a good (if not the best) locking system, don't you? The current antispam system is fine, but not perfect (okay, none is). However, since [url=http://b2evolution.net]b2evolution[/url] releases are quite rare, while the spam war requires probably more frequent releases, that would be nice to see a separated plug-in, but why not shipped with a default [url=http://b2evolution.net]b2evolution[/url] release.
[/list:u]

There is one argument I can't agree with you, however. Some of b2evolution users are so much harassed by spam they have strong difficulties to use that blogging system. Making that plug-in or hack part of b2evolution would significantly reduce spam. It appears spammers look specifically for b2evolution blogs to spam them (see How to control referer spam hits from search engines ). Making it more difficult for spammers to spam b2evolution-based blogs would make that platform more efficient and usefull. When you pretend to craft the best car in the world, you also ship it with a good (if not the best) locking system, don't you? The current antispam system is fine, but not perfect (okay, none is).

I defer to Wordpress.

A MUCH larger target for spam, I assure you -- and very little in the way of built-in defenses..

There is a proxy block for comments. Last I checked, it was still susceptable to blocking regular/non proxy ips. (it might be fixed -- I havent looked at it lately)

There is comment moderation.

There is a VERY easy one line hack for adding trackback moderation.

The rest : ALL plugins.

The logic is simple:
1. An intuitive plugin interface allows for easy plugins to be made.
2. That (#1) allows users to pick and choose without the bloat that built in stuff causes.
3. Devs are able to work on making it a better blog.

Yes, it is arguable that "less spam" makes for a better blog, I realize that.

----

MT: same thing, plugins

phpBB: same thing: mods.

CAPTCHA was a phpBB addon longgggg before it was actually included in a default install of phpBB. And thats pretty much all the phpBB devs plan on adding. Again, they want to focus on the core.

---

Perhaps, a blog that came standard with a gazillion ways to block spam would garner more attn, in the long run, but thats an if, for sure -- and if the blog itself were substandard at the expense of fighting spam -- thats surely a bad bet.

whoo wrote:

The logic is simple:
1. An intuitive plugin interface allows for easy plugins to be made.
2. That (#1) allows users to pick and choose without the bloat that built in stuff causes.
3. Devs are able to work on making it a better blog.

You are probably right on these points. Moreover, competition is supposed to lead to better products. Having several teams working on several antispam plug-ins is probably making all these teams better work.

There is still one condition to that: there must be several teams! For now, I see about half a dozen of people working on the core and another half a dozen publishing some hacks and plug-ins. Apparently, there is not enough developers involved in [url=http://b2evolution.net]b2evolution[/url] to make competition really efficient here...

I really hope the next major version of [url=http://b2evolution.net]b2evolution[/url] would make possible to write easily installable plug-ins so anybody is going to be able to install them.

Looks that way to me. A bit of skin editing for the ones that make sidebar stuff, but basically drop the file in the folder and turn it on in your back office.

The previously defined external services features:

• external services usage:
  an external services referrer and IP DNSBL;
  • external authotification/identity validation (Six Apart TypeKey, etc.);[/list:u][/list:u]appear to be incomplete. Maybe there should be something like:
    [*]external services usage:
    [*]use external DNSBL services for checking and reporting spamming IPs and URLs;

    • use other blogging software antispam blacklists (WP, MT, etc.) for both checking and reporting spamming IPs and URLs;

    • report spamming sites to [url=http://www.google.com/contact/spamreport.html]Google[/url] (must be fully documented, including any objective and usefull evidences that both the spammer and the promoted site are related; see [url=http://spamhuntress.com/]Spam Huntress[/url]);

    • external authotification/identity validation (Six Apart TypeKey, etc.);[/list:u][/list:u]

    I've just updated the above list to make it up to date.

The previously defined comment filtering features:

• comment filtering including:
  [*]a local and shared dynamic e-mail blacklist of banned e-mails;

  • a local and shared dynamic e-mail whitelist of authorized e-mails (needs any kind of identity authentification);

  • a local and shared dynamic e-mail greylist of unknown e-mails to bann or to authorize;

  • a comment validation system sending an e-mail to the pretended comment author in order to validate it (be aware of not becoming a spammign service ourselves by this way!);

  • a CAPTCHA system for comments;

  • an optional manual validation for both white- and greylists;

  • anti-flood feature limiting the amount of added comments on a period of time globally, on the same post, from the same IP or with the same content;[/list:u][/list:u]might be extended to include some additional features:

  • comment filtering including:
    [*]a local and shared dynamic e-mail blacklist of banned e-mails;

    • a local and shared dynamic e-mail whitelist of authorized e-mails (needs any kind of identity authentification);

    • a local and shared dynamic e-mail greylist of unknown e-mails to bann or to authorize;

    • a comment validation system sending an e-mail to the pretended comment author in order to validate it (be aware of not becoming a spammign service ourselves by this way!);

    • a [url=http://www.village-idiot.org/archives/2005/01/28/b2evo-captcha-explained/]visual[/url] and/or audio CAPTCHA system for comments;

    • a client-side "keypressed" checker;

    • accept comments from JavaScript-enabled browsers only;

    • a [url=http://www.sixapart.com/pronet/plugins/plugin/bayesian.html]bayesian filter[/url];

    • a link filtering:
      [*]removing links from displayed comments;[*]limit the maximum number of words per link;[*]limit the maximum number of links per comment;[/list:u][*]an optional manual validation for both white- and greylists; [*]anti-flood feature limiting the amount of added comments on a period of time globally, on the same post, from the same IP or with the same content;[/list:u][/list:u]I've just updated the original list of features.

There is an interesting article about comment spam:

[url=http://www.sixapart.com/pronet/comment_spam]Six Apart Guide to Comment Spam[/url][/list:u] Some interesting recommendations appear in that article, most are already discussed in the [url=http://forums.b2evolution.net]b2evolution forums[/url] and other discussion boards:
• [url=http://www.sixapart.com/pronet/comment_spam#obscurity]Security by Obscurity[/url]:
  [*][url=http://www.sixapart.com/pronet/comment_spam#commentscript]Changing the Name of Your Comment Script[/url];[*][url=http://www.sixapart.com/pronet/comment_spam#formvalues]Adding Additional Form Values[/url];[*][url=http://www.sixapart.com/pronet/comment_spam#obfuscation]Form Obfuscation[/url].[/list:u][/list:u] I've just updated the initial requested features list to take into account these ideas.

I've just found a very interesting piece of software:

[url=http://www.ioerror.us/software/bad-behavior/]Bad Behavior / Bad Behaviour[/url][/list:u]This PHP program (first intended for [url=http://www.wordpress.org]WordPress[/url], but some ports are already done and some other can apparently be done easily) analysis the visitors behavior on your site in order to identify spammer bots. This approach has not been listed yet in the original list of antispam techniques, so I'm going to update it with the following:
[*]visitors behavior filtering (see [url=http://www.ioerror.us/software/bad-behavior/]Bad Behavior / Bad Behaviour[/url]);[/list:u]

I've updated the features list with the following positions:

• comment filtering including:
  [*]fake comment forms before and after the real one (see [url=http://www.simong.org/index.php?p=739]A short monograph on the theme of blog comment spam[/url]);
  • CAPTCHA systems (see [url=http://www.w3.org/TR/turingtest/]Inaccessibility of Visually-Oriented Anti-Robot Tests (W3C)[/url], [url=http://www.w3.org/2004/Talks/0319-csun-m3m/Overview.html]Escape from CAPTCHA (W3C)[/url], [url=http://sam.zoy.org/pwntcha/]PWNtcha - captcha decoder[/url]):
    [*]visual (see [url=http://www.village-idiot.org/archives/2005/01/28/b2evo-captcha-explained/]Captcha for b2evolution, explained[/url]);

    • audio;

    • logic (see [url=http://wp-plugins.net/index.php?id=533]WP-SpamQuiz[/url]);[/list:u][*]accept comments from JavaScript-enabled browsers only, adding a client-side:
      [*]"keypressed" checker (see [url=http://www.simong.org/index.php?p=739]A short monograph on the theme of blog comment spam[/url]); [*]hash computation code (see [url=http://elliottback.com/wp/archives/2005/05/11/wordpress-hashcash-20/]Wordpress Hashcash 2.3[/url]);[/list:u][/list:u][/list:u]I believe the associated links are worth reading.

kwa, great posts and links and appreciated.

I think there needs to a focus on plugin solutions for any spam fixes to B2 because as a user and not a coder I am reluctant to install any of the myriad of excellent hacks and solutions floating around this forum, knowing that a major version update is just around the corner.

I would appreciate some comment from Francois on the matter and what direction he sees Anti Spam taking with B2

John wrote:

I think there needs to a focus on plugin solutions for any spam fixes to B2 because as a user and not a coder I am reluctant to install any of the myriad of excellent hacks and solutions floating around this forum, knowing that a major version update is just around the corner.

For now, I try to understand what spammers do to spam blogs and what solutions are already applied on other blogging systems and web applications to reduce spam effects at minimum cost.

Some people are publishing statistics on their filters efficiency. The [url=http://www.simong.org/index.php?p=739]A short monograph on the theme of blog comment spam[/url] article appears to be very interesting from that point of view. Renaming comment submission script and using hidden forms is cheap, but it works fine. Sending the position of the mouse on the submission button when the user clicked is useless and creates false positives. It's interesting to know where to spend time!

As a developer, I might be interested to write an antispam plug-in for [url=http://b2evolution.net]b2evolution[/url]. However, I probably don't have enough experience in web applications development, PHP and antispam techniques. However, since a lot of techniques have already been successfully experienced in other blogging systems plug-ins, that should make easier to make similar things for [url=http://b2evolution.net]b2evolution[/url]. If the software licences make it possible, it would even be possible to use the original code as a start point. (I don't like to reinvent the wheel and I don't claim I would do better than others.)

Moreover, I noticed very rare blogging systems have a centralized blacklist as [url=http://b2evolution.net]b2evolution[/url] has. In fact, I know of [url=http://b2evolution.net]b2evolution[/url] and [url=http://www.jayallen.org/comment_spam/]MT-Blacklist[/url]. [url=http://www.wordpress.org]WordPress[/url] plug-ins mainly use the [url=http://www.jayallen.org/comment_spam/]MT-Blacklist[/url] blacklist. Other plug-ins use some real-time blacklists to check spamming IPs and domains.

Finally, after reading the list of features to have in that "ultimate" antispam tool, it appears that cannot be a one developer project.

I've just updated the initial features list request with the following changes:

• trackback filtering:
  [*]hide trackbacks' URL (from RDF metadata and (X)HTML code) and display it (in the (X)HTML) using JavaScript (see [url=http://mt-hacks.com/20041203-mtdisguisetrackbackurl-v05-beta.html]MTDisguiseTrackbackURL[/url], [url=http://underscorebleach.net/jotsheet/2005/08/trackback-spam]TrackBack spam[/url]); [*]auto-generate trackback URLs with expiration delay (see [url=http://www.paulstimesink.com/index.php?op=ViewArticle&articleId=381&blogId=2]Other possible ways to fight trackback spam[/url]);[/list:u][/list:u]It appears trackback spamming becomes easier once all counter mesures are applied to comments, since the trackback sender doesn't even have to visit your site before sending you one. The best way to prevent trackback spamming becomes removing the trackback feature, or limit its automated usage by forcing the trackback sender to come on your trackback page and copy-paste a recent trackback URL. The URL display can then be encoded using some JavaScript making most spamming bots blind, since most (none? for how long?) executes JavaScript scripts. And even if spamming bots come to execute JavaScript scripts, it would cost more in terms of CPU usage (and then financially) too to spam blogs.

I've just discovered a new word: [url=http://en.wikipedia.org/wiki/Splog]Splog[/url]. The [url=http://b2evolution.net]Wikipedia[/url] defines it as:

Splog From Wikipedia, the free encyclopedia. Spam blogs, sometimes referred to by the Neologism splogs, are Web Log (or "blog") sites which the author uses only for promoting affiliated websites. The purpose is to increase the PageRank of the affiliated sites and/or get ad impressions from visitors. Content is often nonsense or text stolen from other websites with an unusually high number of links to sites associated with the splog creator which are often disreputable or otherwise useless Web sites. Splogs have become a major problem on free blog hosts such as Google's Blogger service. These fake blogs waste valuable disk space, bandwidth, and pollute search engine results. The term splog was popularized around mid August 2005 when it was first used by some high profile bloggers but appears to have been used a few times before for describing spam blogs going back to at least 2003.[/list:u] I've been spammed by some comment spammers for the past few days. They appear to promote splogs. [url=http://www.antisplog.net/]Antisplog.net[/url] identifies splogs. It claims referencing 2 millions of them. It references those that spam me right now. I've added in the above list that service, other similar services exist. If you know any of them, I would be interested to hear about.

I just had a referer antispam idea that involves b2 grabbing a copy of the referer page and parsing it to make sure there actually is a link to your site from that page. Of course this does require some processing power and additional bandwidth so having the ability to turn this feature on and off would be required but it could theoretically eliminate the vast majority of referer spam.

BenFranske wrote:

I just had a referer antispam idea that involves b2 grabbing a copy of the referer page and parsing it to make sure there actually is a link to your site from that page. Of course this does require some processing power and additional bandwidth so having the ability to turn this feature on and off would be required but it could theoretically eliminate the vast majority of referer spam.

Some might argue some pages are legit referrers, but cannot be accessed. Those include e-mails (from online services), private pages (like forums you have to log in before accessing) and other cases (including Flash and JavaScript enables pages requiring browser capabilities). However, those pages don't need to appear as referrers to visitors.

That idea has been alread presented there:

[*]referrer filtering including:
[*]a double check (load the page, check if it does link to the page it pretends to) of the greylist entries based on a scheduled basis or when the server has lot of unused CPU (take into account some page may link, but are not accessible: online e-mail services, etc.) with optional alert system;[/list:u][/list:u]