Back in May, I added the Disqus commenting service to this blog. In general, I'm happy with the service, and I think the people at the company are great.
There are lots of reasons to use outsourced comments, and lots of people have written about them. Owen wrote about the good and the bad in a recent post. One of the things he mentioned was spam.
Comment services typically provide some degree of spam protection. Since your comments must all pas through the service's system for storage, the service will typically introduce spam-prevention into that workflow. The submitted comments are passed through a typically proprietary set of rules for determining if a comment is spam or ham, and the comment is added to the approved list of comments only if it passes those rules. This often obviates any additional spam prevention mechanism related to submitting comments.
Outsourcing spam filtering is indeed one of the reasons I activated Disqus. So it seems an ironic post on which to get this comment.
Now, that's clearly spam. The text bears no relationship to the post, and the profile link goes off to some site selling handbags, yet Disqus let the comment pass. Not to mention the fact that to make a blog like mine one need only post a bit of drivel for a while, then neglect it for a few months.
One interesting thing to note, and likely part of the reason the comment got past the spam filters, is that the name of the commenter wasn't Replica Handbags when it was posted, it was Katie Duffs. And the profile link didn't go to a dodgy web site, but something that looked quite legitimate. Still, it did seem dodgy enough that I went and checked out Katie Duffs' Disqus profile. The profile was newly created, and mine wasn't the first Disqus-enabled blog Katie (I'm thinking of Katie as a bit like Eliza, an automated bot trying to pass for a human) had posted on. In fact, she'd had a flurry of activity after signing up, commenting on a couple of blogs an hour.
Katie's tactic was to post short messages on lots of blogs, short enough that there was a chance they'd be mistaken for real comments and not marked as spam. She was successful at this, with about 60 comments in a week, even getting three responses from blog authors (although one of those responses seems a bit spammy too). Then, when there are a reasonable number of comments out there, change the profile name and the URL, and whammo, Katie has snuck some spam past the guards. It's a fine line to tread; if the messages are too long, if the posting goes on too long, Katie risks getting marked as spam.
What could Disqus, or any other outsourced comment system, do about it? We'll never be able to completely eradicate spam, but there are a few metrics here that could be used to raise alarm bells.
First, the timing of comments. After sign up, Katie immediately posted a lot of comments, a couple an hour, with an average up near 10 comments a day. That's not the way that most people comment, nor is it the way that most people use a service that's new to them. It should be fairly obvious that Katie was targeting Disqus-enabled blogs. Either that or she was making another 50 or so comments a day on non-Disqus blogs.
Second, there was a profile change, not long after sign up. Again, this seems a little unusual. Katie changed blogs after five days? And changed her name at the same time?
Third, and related to both of the above points, Katie stopped posting once she'd changed her profile information.
Finally, as I mentioned, all the comments were very short, so as to increase the chance of appearing legitimate.
None of those things on their own would be enough to raise concern, but together that pattern - sign up, a burst of messages, profile change, and no more messages - should be enough to trigger alarms.