Comment spam on my blog has increased immensely over the last four to six weeks. I'm getting, on average, 150 spam comments per week. In order to help combat the scum of the earth I have implemented both Akismet and Project Honeypot by way of activating these two features in CFFormProtect (which ships with BlogCFC).

Getting Project Honeypot going was quick and painless. Point your browser to the project Web site and sign up for an account. Once your account is verified, load your dashboard page. This page is ridiculously busy, but if you look beneath the IP lookup section in the left-hand column you'll see a section showing your stats. You should see a link in this section that allows you to request a "BL API key." Once you've received your key, which will show in place of the original "get your key" link on your dashboard, you need to open the CFFormProtect settings file (cffp.ini.cfm). This file is in the cfformprotect directory at the root of BlogCFC. Open the file and change the following lines. The lines with pound signs are the original lines, commented out.

#projectHoneyPot=0
projectHoneyPot=1

#projectHoneyPotAPIKey=
projectHoneyPotAPIKey=your_honeypot_key_here

If all you are adding is Project Honeypot, save the file, upload it to your site and then refresh your BlogCFC cache. If you want to add Akismet, keep reading.
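For context on what the BL API key is used for, here is an added example (not code from CFFormProtect or from the original post) of how a Project Honeypot http:BL lookup name is built and how its DNS answer is decoded. The key `abcdefghijkl`, the sample IP and answers in the test data, and the `should_block` thresholds are constructed assumptions; no DNS query is actually sent.

```python
import ipaddress

HTTPBL_ZONE = "dnsbl.httpbl.org"
# Visitor-type bit flags carried in the fourth octet of an http:BL answer.
VISITOR_FLAGS = {1: "suspicious", 2: "harvester", 4: "comment_spammer"}


def httpbl_query_name(api_key, visitor_ip):
    """Build the DNS name to look up: <key>.<reversed IPv4 octets>.<zone>."""
    ip = ipaddress.IPv4Address(visitor_ip)  # raises on malformed or IPv6 input
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{api_key}.{reversed_octets}.{HTTPBL_ZONE}"


def decode_httpbl_answer(answer):
    """Decode an A-record answer of the form 127.<days>.<threat>.<type>."""
    octets = [int(part) for part in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127:
        raise ValueError(f"not a valid http:BL answer: {answer!r}")
    _, days, third, visitor_type = octets
    if visitor_type == 0:
        # Type 0 is a known search engine; the third octet is then an engine id.
        return {"search_engine": True, "engine_id": third, "kinds": []}
    kinds = [name for bit, name in VISITOR_FLAGS.items() if visitor_type & bit]
    return {"search_engine": False, "days_since_seen": days,
            "threat_score": third, "kinds": kinds}


def should_block(answer, max_age_days=30, min_threat=10):
    """Hypothetical policy (thresholds are assumptions, not CFFormProtect's)."""
    if answer is None:  # NXDOMAIN: the visitor's IP is not listed
        return False
    info = decode_httpbl_answer(answer)
    if info["search_engine"]:
        return False
    recent = info["days_since_seen"] <= max_age_days
    return recent and info["threat_score"] >= min_threat
```

An unlisted address produces no record at all, which is why the absence of an answer is treated as "allow" rather than as an error.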

Akismet is a project owned and operated by Wordpress. To get an API key for Akismet you must first have a Wordpress account. Sign up or log in to your Wordpress account and look for your "Wordpress API key" on your profile page. Armed with your key, head back to the cffp.ini.cfm file, enable Akismet and enter your API key by changing the following lines. The lines with pound signs are the original lines, commented out.

#akismet=0
akismet=1

#akismetAPIKey=
akismetAPIKey=your_akismet_key_here

Akismet also requires a few other changes. The installation help file for CFFormProtect has instructions on how to set up Akismet, but it wasn't clear to me which fields were required and which were optional. After discussing a co-worker's settings, I believe you fill in values for all of the following lines:

akismetBlogURL=http://www.yourblogurl
akismetFormNameField=name
akismetFormEmailField=email
akismetFormURLField=website
akismetFormBodyField=comments

With the exception of the akismetBlogURL property and value, all the rest of the values are the default HTML form field names for the BlogCFC comment form. These values tell Akismet which field in your form holds which part of the comment, so it knows how to check your form for spam.
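To make the field mapping concrete, here is an added example (not CFFormProtect's own code and not part of the original post) that reads the settings shown above and builds the request an Akismet comment-check call would carry. The pairing of each setting with an Akismet parameter is an assumption based on the setting names; the form values, IP and user agent in the test data are constructed, and nothing is sent over the network.

```python
from urllib.parse import urlencode

# The settings from this post, as they would appear in cffp.ini.cfm
# (placeholder key and URL, exactly as the post shows them).
SETTINGS_TEXT = """\
#akismet=0
akismet=1
akismetAPIKey=your_akismet_key_here
akismetBlogURL=http://www.yourblogurl
akismetFormNameField=name
akismetFormEmailField=email
akismetFormURLField=website
akismetFormBodyField=comments
"""

# Assumed pairing: CFFormProtect setting -> Akismet comment-check parameter.
FIELD_MAP = {
    "akismetFormNameField": "comment_author",
    "akismetFormEmailField": "comment_author_email",
    "akismetFormURLField": "comment_author_url",
    "akismetFormBodyField": "comment_content",
}


def parse_settings(text):
    """Read key=value lines, skipping blanks and #-commented originals."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def build_comment_check(settings, form, user_ip, user_agent):
    """Return (url, urlencoded_body) for an Akismet comment-check POST."""
    if settings.get("akismet") != "1":
        return None  # Akismet checking is disabled in the settings
    params = {"blog": settings["akismetBlogURL"],
              "user_ip": user_ip, "user_agent": user_agent}
    for setting, akismet_param in FIELD_MAP.items():
        # A wrong field name here silently sends Akismet an empty value.
        params[akismet_param] = form.get(settings[setting], "")
    key = settings["akismetAPIKey"]
    return f"https://{key}.rest.akismet.com/1.1/comment-check", urlencode(params)
```

If a setting names a field that your form does not actually submit, the corresponding parameter goes out empty and Akismet has less to judge the comment on, so it is worth confirming the names against the rendered form.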

Two more things. CFFormProtect can send you e-mail any time a form submission is flagged as spam. To set this up you'll need to alter the lines in the e-mail settings section towards the bottom of the cffp.ini.cfm file. I'm not sure why, but I have not been able to get e-mail notifications working. I added the appropriate values to the settings, the exact same settings BlogCFC uses in fact, and e-mails are not being generated. Lastly, you can instruct CFFormProtect to write ColdFusion log files to your logs directory. This feature is turned on by default (set to 1) but can be easily disabled by changing the value to 0. The filename for the log will be cfformprotect.log unless you enter a different filename in the logFile= setting on the last line.

To make sure everything is working, refresh your BlogCFC cache and add a comment on one of your entries. Instead of placing your name in the name field, use "viagra-test-123" as your name and complete the rest of the form. Press submit and when the Akismet Web Service is called, the invalid name should flag your comment as spam and display an appropriate message. The message will look something like this.



Finally, if you set up logging to a file or e-mail, check to see if the appropriate content was created. Hopefully your comment spam will decrease.

By default the BlogCFC contact form is not enabled with CFFormProtect. For an example of how to change this, check out this blog post by Eric Cobb.

About this post:

This entry was posted by Aaron West on June 29, 2009 at 1:30 PM. It was filed in the following categories: ColdFusion, BlogCFC, Site News. It has been viewed 22392 times and has 9 comments.

9 Responses to Adding Akismet and Project Honeypot to BlogCFC

  1. If any of your readers are using CFFormProtect for a business site, it should be noted that you can't use Akismet for free for business purposes. You have to buy a license key (or whatever mechanism Akismet uses). I believe Project Honey Pot is free for business use as well as personal.

    I'm curious why you decided to leave captcha on...in my experience a form without captcha (but otherwise protected as yours is) doesn't get spammed (or very rarely, that is).

  2. Thanks for the note about business users Jacob. I'm leaving Captcha on temporarily just to see how it works in tandem with Akismet and Project Honeypot. I'd love to turn it off but I want to make sure all the comment spam gets stopped first. Which leads me to a question for you.

    Is there any way I can turn on cfformprotect logging and direct the log file to a specific location on my site? I don't have access to the JRun logs directory or CF logs directory since my blog is still (for the next week) hosted on a shared platform. I'd like to review the log file so I can see if everything is working. Without access to the log file and not being able to get e-mail notifications set up I'm simply guessing if Akismet and Project Honeypot are working.

  3. In my experience, once you have Akismet enabled you can disable all of the other spam protection mechanisms of CFFormProtect. The other client-side spam protection features may be helpful if you are not using Akismet, but they can be easily defeated and add a lot of unnecessary and obtrusive code to your pages. I have not used Project Honey Pot, but it looks interesting, and given it is a service much like Akismet it is probably worth enabling as well.

    Also, I'm not running the latest BlogCFC with CFFormProtect, but Aaron does bring up a good point. While it is a huge step forward, it doesn't seem to be as well integrated into BlogCFC as it could be. For example, it seems to block what it thinks is spam outright, not giving the blog author the ability to moderate and mark as ham if appropriate. It also doesn't seem to allow you to report spam/ham back to Akismet. (Note: I didn't do a detailed review of the integration, so I may have missed something. Also, integration may have been improved in more recent versions of BlogCFC.)

    All in all though I'm very glad there is at least some way for BlogCFC users to easily enable Akismet in BlogCFC.

  4. @Aaron,

    I'm not sure how to help you with the log file location...that code was actually written by someone else, so I'm not sure what you'd change (I haven't looked at the code recently). I'd suggest testing the logging code in a separate test page to see if you can get the location nailed down. And I'm not sure why the email code doesn't work for you...all I can say is that it works for me on my server. <shrug>

    @Nathan,

    I have seen a rare case where a spam comment was passed through Akismet, but the client side checks still stopped it. Your mileage may vary. :)

  5. @Jake - How did you report the spam to Akismet in that case? Does CFFormProtect allow for that?

  6. @Jake - The Akismet FAQ also states: "We ask that you turn off all other spam plugins as they may reduce the effectiveness of Akismet."

    While certainly not required, I think it is fair to contribute back to the project by submitting spam/ham if you are using it for free...

  7. @Nathan,

    Yes, CFFormProtect has a function for reporting missed spam back to Akismet (as well as false positives). I can't remember all the details off the top of my head, but they are in the docs.

  8. @Jake - Awesome, good to know.

  9. Thanks Aaron - this helped a ton.