Akismet: Heading Toward Failure?
The Akismet system has been protecting WordPress bloggers for a while now from comment and trackback spammers. It was a great system, protecting even small blogs from 1000’s of spam comments. The system depends heavily upon users marking these comments/trackbacks as spam and reporting them back to Akismet as such via the WordPress plugin. This means that many innocent bloggers are “false positives” in the Akismet system due to either malicious or ignorant behavior on the part of other bloggers.
I Got Tagged By Akismet
On Friday, I noticed that comment posts I entered at several sites I visit regularly weren’t showing up. Normally, they would show up right after I posted the comment. The first time, I thought, “Well, that’s strange. Maybe they changed their moderation rules.” The second time, I figured something weird was up. So I used the contact form for that blog and it returned the error message that I was flagged as Akismet spam!
So, I went to the Akismet page and filled in their contact form asking for them to correct the problem. Will they correct it? I don’t know. They don’t make it very clear what you should do in a situation like this. Their contact form is very generic and doesn’t allow you to describe the problem or get priority consideration for them to correct their mistake. However, at least they’re smart enough to know that their system does generate false positives so they just use a math question verification system on the contact form.
More False Positives By Akismet
It’s not just me. Many bloggers are being marked incorrectly as ’spammers’ by people who don’t like them for one reason or another or who’re simply ignorant and incorrectly marking any and all trackbacks as spam. I’ve had a number of people who’ve posted comments here on OpTempo have false positives in the Akismet filter. And I’ve also found a number of blog posts describing this situation.
Vic, of Blogger Unleashed and Blogging Zoom, has been marked this way, apparently more than once. He can be quite opinionated and several people have ‘rewarded’ his outspoken behavior by marking his legitimate comment posts as spam. Since both he and I were recently involved in a difference of opinion with particular bright orange blogger so we were wondering if this wasn’t the source of my problem. To update, it wasn’t, but being banned like this makes you a bit on the paranoid side, wondering who you might have unintentionally upset.
Over at The Great Startup Game, they report their experiences with this situation in this post: Automattic Kismet / Akismet: the little company that dropped the ball. It’s a nice article on how the whole Akismet process lacks transparency.
At Web Marketing HowTo, Robert says that he’s currently encountering this problem as well. Since we both recently left comments on the same blog, Remarkablogger, and given the way they word some of their articles, I have to wonder if someone doesn’t have an itchy trigger finger when it comes to what they think are spam comments or trackbacks. I didn’t write that sentence well. What I meant to say is that the way some bloggers write things it can make you concerned that they’ll ’spam’ you for the least little thing.
Paul Baylay takes the system to task in this article, I Hate WordPress. He calls Akismet a “Child of Frankinstein spam machine”. From what I gather, he got tagged as a spammer by someone who objected to something he had written.
Gaming the Akismet System
Unfortunately, it seems that the Akismet system may be very open for a malicious troll to drop the ban stick on you using black hat methods, thus limiting how you can socially interact with other bloggers as well as promote your blog. The system seems like it could be used to sully the name of anyone you don’t like or to backstab a competing blog.
Here’s how an Akismet ban attack could go down.
Someone who didn’t like your comment on a particular topic on their blog could take your information, your name, email, and URL, throw them into a comment spamming program, which are easy enough to find, and generate hundreds of spam comments apparently from you. To further cover their tracks, they could do this through a proxy server or run it as a PHP process on a shared server at a popular hosting site. Of course, most of these blog owners who got the ’spam’ would flag these comments as spam. This would result in your credentials being incorrectly marked as spam comments by hundreds of bloggers, thus damaging your ability to promote your site.
To make matters worse, Akismet apparently doesn’t do IP tracking. It seems that they could figure out that there were 10000 spammy comments from one IP address and 150 legit comments from another address. But, apparently, they don’t do this.
Akismet, Time to Come Clean
Akismet needs to come clean with what they’re doing to prevent this kind of attack and to become more transparent when it comes to reporting a false positive situation. They’re apparently relying too much on automated systems and this leaves the whole process open to exploitation by malicious individuals.
Furthermore, they seem to place a lot of weight on just a few reports which could be simply ignorance of how trackbacks work or perhaps someone reacting out of anger to a negative comment.
Lastly, they need to make it crystal clear how to get your credentials cleared after being given a false positive status in the system.
Having an anti-spam system for blogs is important. However, having an anti-spam system that can’t be easily gamed or that gives credibility where credibility isn’t due is also important. Akismet needs to step up and correct these serious and growing problems in their system.
Have you been the victim of an Akismet false positive? Have you gotten a lot of Akismet false positives in your filter? Leave me a comment and let me hear your opinion.
Good post, I didn’t even know about this kind of thing.
Hi Mike,
I didn’t realize how common the false positive situation was becoming nor that Akismet’s algorithm appears to be lacking some smarts when it comes to properly detecting things until I started researching it.
My prediction is that things will get worse before they get better.
Wow great post jfc.
That is a real shame, akismet has been a real godsend in my opinion, but I can totally see now how people can abuse the system. Really sad.
It’s hard to think of ways that this system could protect itself from this sort of thing. Maybe there should be a rule that only “established blogs” (that they approve) can submit spam to the system, whereas all the other blogs can submit spam to their own personal spam lists, which does not touch the global system.
I definitely hope that they can fix this up, because blog spam is a pretty serious problem. I’ll definitely be checking my approval queue for false positives from now on.
Hi Tim,
I agree that Akismet has been helpful, particularly on my VB.NET blog where it’s caught over 5000 spam comments (spammers seem to love that blog for some reason, probably because it’s PR4).
But they really give too much credibility to angry or ignorant people and their system seems to be open to black hat gaming based on my observations.
Frank the part that really sucks is that peeps are using this technique everyday more and more when they lack the nuts to actually face off with you. I will say this though Frank and I hope you will have the same thing to say in a few days. The times I have gotten blackballed the folks at Askimet had fixed my problem in less then 72 hours, but tell you what for some one that me, shoot I just seem to bring this upon me to regularly. Like I said at my site Frank I actually have the Askimet contact form bookmarked
Thanks Vic,
I can see this practice really picking up as we go into the US Presidential campaign season next year where a blogger who favors one party can block someone who favors another.
I hope they get it fixed up soon both for me and for others this seems to be happening to more and more often.
I’m not sure if I’m reading you correctly, but I hope that you’re not saying that I have an “itchy trigger finger” when it comes to marking comments as spam.
This whole issue of false positives and downright malicious behavior in order to attack others through the system is very unfortunate, and we all suffer. I spent more time than I wanted to scrolling through the hundreds of spam comments in Aksimet that had been collected in just a few hours in order to suss out Robert’s comments and allow them to see the light of day. I did it because it was the right thing to do for Robert.
I had also been using the Bad Behavior plugin, and then, due to an error on their part, me and probably thousands of others wound up unable to access our own blogs. By deleting the plugin’s folder via FTP, I was able to get back into my own blog. There is a new version of Bad Behavior out, but their previous error has eroded my trust considerably. I haven’t installed it.
I may switch entirely to the new Defensio service. Maybe the new kid on the block has got some chops.
Hi Michael,
I just noticed the coincidence of me and Robert visiting the same blog and remarked on it. I thought the way you worded some things meant that you would be quick to press the spam button, such as “anything that seems suspicious to me or that isn’t above-board”. Sorry if I got you wrong on this. I was just trying to figure out where and how it might have happened.
I had the exact same problem with Bad Behavior recently and the upgrade fixed it. It’s the only problem I have ever had with the plugin so don’t let that one problem dissuade you from using it.
Owing to false positives, I removed Akismet a long time ago and use Spam Karma 2, which is much better in my opinion. i leave akismet around as a backup in case of problems with SK2
“Since both he and I were recently involved in a difference of opinion with particular bright orange blogger so we were wondering if this wasn’t the source of my problem.”
For the record, you were marked before you visited my blog for the first time because I myself had to approve your comment from the Akismet spam folder. =(
Thanks for clearing that up Collin,
The reason I got a bit suspicious was that the link to OpTempo you put in your article showed up on my WordPress Dashboard and then disappeared. I’m not sure what would have caused that but it did rouse my suspicions. Sorry if I was wrong about that.
Thanks for letting me know that the comment I left was in the spam folder. This will help me further narrow down when the flag was tripped.
Wow Frank, if it isn’t one thing it’s another. Here I am just trying to learn all I can about using Wordpress and now I have to worry about Askimet. At least I know where to go now if that happens to me. Thanks a lot for posting this.
You had a run in with Vic? Yikes! Vic makes me nervous.
Hi Lin,
It seems the more controversial you are the more likely some malicious person is to mark a comment or trackback as spam. Vic is pretty controversial so that’s why he’s got Akismet on “speed dial”.
Vic and I had a little disagreement with Collin and the timing of some things had me suspicious but he’s cleared that up to my satisfaction.
Vic and I have debated Google’s intentions from time to time but it’s always been a friendly debate.
Very useful info, Frank. Thanks for posting. I wasn’t aware of this until I’ve read this article.
So far, Akismet is doing fine for me. I haven’t seen a real blog marked a spam yet. I review all the marked comment and make sure they are all valid spam.
But this case of abusing Akismet is troubling. I hope nobody does it to me.
Hi Saedel,
Akismet has worked quite well for me, particularly on my other blog. I don’t recall ever seeing a false positive over there.
However, I’ve seen about a dozen false ones on OpTempo and that’s with a little over 300 spams total. With a little Googling around, I found out this is becoming more and more common in certain niches, particularly those that cover Internet marketing, meta-blogging and some other competitive or controversial fields. This indicates to me that some people are maliciously gaming the system in order to block people they disagree with.
I forgot to tell you, BloggingZoom.com is marked as a spam by Akismet. Everytime I submit an article, I have to visit the Spam section to de-mark BZ so it will be reflected as a pingback.
That figures, doesn’t it. Just another confirmation of what I mentioned in my article.
My problem was existing (though not clear to me yet) prior to posting over at Michael Martine’s Remarkablogger. He’s the one who confirmed it for me after I used his contact form and was very helpful.
I think that in my case, possibly the previous owner of that domain might have been unfriendly in a spam sense, because I’ve seen old cached copies of a landing page, and I’ve been using the URL for only about 2 weeks, and even my very first posts didn’t seem to show up.
Akismet is good generally speaking, but the handling of false positives needs some work. On my other site, very very few spams have ever gotten through. OTOH, if I get marked as spam, then Akismet’s very success is going to lock me out of a LOT of WordPress and other sites.
Hi Robert,
I rescued you comment from Akismet. I agree that Akismet works good when it’s blocking actual spam because, in reality, it works too well.
I’ve edited the article to better explain what I was trying to say. I didn’t mean to accuse Michael but just to point out the coincidence and that the way one of his posts was worded made me wonder if a hasty, accidental, judgment had been made (looks like that error was on my part in this case).
On the bad domain issue, I wrote this article about that back in October: Do You Know Where Your Web Site Has Been?. It’s too bad that Akismet doesn’t publish a list of domains that they ban so that you can know ahead of time if you’re buying a ‘dog’ domain.
I got your message, but you just sent it yesterday! On a Sunday! Sorry I hadn’t responded yet. The problem should be fixed up now, and don’t worry the situation you describe is not possible with how Akismet works. (Unfortunately that’s all I can say.)
You see, this is the problem, the guy below says you’re a phony. I’m also inclined to think they’re a phony too. The real Akismet has my real email address and neither of you sent an email to it but chose to comment here. Interesting…
Sorry about that, I closed your ticket when I opened left this comment. Mark and I both do support for Akismet, but he does the bulk, so when he didn’t see anything he thought the comment above was from a jokester, when it was in fact me. (A jokester, but associated with Akismet.)
Anyway… Merry Christmas!
Thanks for clearing that up Matt,
I do hope you do have something in place to prevent the kind of attack I mentioned in place. A lot of the programming work I do is in securing medical record systems so potential attack scenarios are something I think through often.
I’d also like to see Akismet address the problem of malicious or angry spam flagging as long as it didn’t compromise your algorithms.
Thanks for your help and Merry Christmas to you too.
Akismet False Positive Problem Resolved
You may be aware of the issue I was having with Akismet generating a false positive for spam on my comments, as detailed in my post HowTo Deal With Akismet False Positives. As detailed in the post, I got in touch with a blogger or two who agreed I wa…
Hi, I don’t know who the ‘Akismet’ person above is, but you can ignore them. They have nothing to do with Akismet.
For a variety of reasons, not least because being open about how Akismet works would give the spammers more knowledge, we do not divulge the exact manner in which it works. We also work hard to ensure that people deliberately sending people to spam do not succeed. In a system dealing with over 12 million spams a day mistakes will happen but fixing them is a high priority.
If you have any concerns, please send a message through the form at http://akismet.com and we will get back to you.
I apologise for this happening and the obvious trouble it has caused.
Mark,
While I find it odd that you didn’t contact me privately via email but only through a comment on this post, the problem seems to be resolved. If you were the one who took care of this, I thank you.
Note that my transparency complaint has more to do with your public face than your behind the scenes algorithms.
First, you need to make it more user friendly to report a false positive. I could figure out pretty easily but I could imagine a less computer savvy blogger having trouble with it.
Secondly, I’m quite concerned with the apparent ability for a single person to blackball a blogger they don’t like for some reason. Vic, who’s a pretty controversial character, gets his comments marked as spam regularly. While I understand that you don’t want to reveal your inner workings so far as a threshold or weighting of a complaint is concerned, I do hope that you give someone who falsely reports a spam comment a reduced level of credibility in the future. Making it clear that filing false reports will incur a “boy who cried wolf” penalty should discourage this kind of malicious and angry flagging without compromising your algorithm.
Lastly, I hope my Automated Akismet Attack scenario I mentioned in the article can’t happen. I hope that you’ve already taken this into account and have figured out how to deal with it algorithmically. I think that and other automated ‘dirty trick’ attacks are the greatest threats to the credibility your system.
Matt took care of my situation and one of the WordPress.com support guys independently contacted me just a couple hours later, as he’d seen me mention the situation on the Akismet blog. That’s a super quick response time for the time of week and time of year, so you can color me a happy camper, and it surely beat my expectation of how long it’d take. Kudos to them.
Hi Robert,
I think I’m working OK too. I was able to leave a comment as ‘myself’ on your blog but I’ll have to comment a few other places to make sure.
I’m glad they were responsive to this situation. Of course, running a major Internet operation is a 24/7/365 job so a quick response is expected, even on holidays. As a programmer, I’ve been on call or had to go in to work on a holiday just about every year out of the past 10 years. It’s good to see the companies I’ve worked for aren’t the only ones asking programmers and other techs to “come in on Sunday too”
Geezz spend a day with out visiting and have to spend an hour reading comments LOL.
I am so glad to see Askimet actually come up and clear things up.
Happy Holidays Frank!
Zoom
Vic
Hi Vic,
This comment will make it the most commented post on OpTempo.
Have a great holiday season Vic.
[…] I really, really hope that none of Automattic’s investors run into this post about people using Akismet as a weapon against commenters who piss them off, because not only is it, well, about the potential for Akismet abuse, but there’s some […]
[…] I need you to realize — your actions when clicking that "Delete All Spam" button may be affecting legitimate commenters. Unfortunately, it seems that the Akismet system may be very open for a malicious troll to drop the […]
Up until a few months ago I used Akismet as well. Not anymore.
I have read this blog and the others complaining about Akismet’s malfunctions. I am truly disgusted by their shitty attitude. The reply by some chick from Akismet to the complaint by the Smart Startup blogger is all you need to know about these people. The blogger complains about a real problem and the Akismet chick only whines about being misidentified as a receptionist by him instead of addressing the problem. This company blows in my humble opinion.
The sooner it goes down the drain the better.
Hi Blogger,
I do think the service they offer is useful, just that they need to make some improvements in the area of false positives and improve the public face of their service.
Agree 100% and you’re not the first person to point this out. This kind of revenge by Automattic has been known for many months. I used to be a strong supporter and volunteer with wordpress, wordpress multiuser, and wordpress.com. In fact, Matt even gave me one of the pro account to use with my own wordpress multiuser install. (He bragged a number of times about how the license was $500 a month and I was getting it for free.) In June, I got blocked by Akismet and my license was no longer usable even though Matt commented publicly that all was well. There has been no resolution since that time even though I have contacted Automattic and Akismet a number of times. Email to their CEO went unreturned. (Why Tony is running for Best startup CEO, I have no idea.)
In August, we banned Akismet and removed it from all of our client servers. Cost us nearly $6k in support fees to do all that. We worked up a solution that uses a simple IP check to match the site against the IP address against when the contact comes from for trackbacks as well as using Spam Assassin rules. A lot less false positives, we’re able to make adjustments, and we’re able to control what is occurring. That’s a lot less headaches for us and our clients.
Oh, I forgot to mention that Matt and crew have stated a number of times that they don’t need an ethic policy. Between this and the recent discovery that they were putting in what appeared to be sponsored links on one of their sites while removing themes that had such links, it’s just proof once again that they need such a policy.
Hi DrMike,
Your follow-up comment got caught by my anti-spam measure, moderating all comments with a link in them. I’ve found this to be an effective way to stop spam comments that Akismet doesn’t.
Sorry to hear about your problems with WordPress. Your signature link is showing a 403 error right now for some reason, BTW.
I think a lot of this goes back to the question of how can you earn money from open source or free software and the ethics surrounding it.
[…] of my favorite posts so far: Akismet: Heading Toward Failure? This post is fantastic! Great discussion, he even gets some Akismet devs joining in! Big Honkin’ […]
Interesting and not something I was aware existed. I have noticed that almost all tackback comments on my blog get caught in the spam filter. I actually check mine every day as part of my comment approval process and just delete the real spam at the same time. That way my queue stays clear and its easier for me to pick out real comments from the junk.
One another note, I’ve noticed a big decrease in the amount of spam I get lately. I use dot get at least 30 a day promoting various medications to make my life complete, but latley I don’t see a lot.
Hi Bruce,
This one got sent to the filter but the one on the other post didn’t. I guess they’ve cleared your name.
That’s what I do here, check it regularly for false positives. I usually get less than 20 spam comments a day here. On my niche blogs, I’ve gotten as many as 100 in a day which does complicate weeding out false positives.
[…] way to silence a person you don’t like: train a distributed anti-spam network like Akismet to mark this person’s posts as spam. Wow, that’s a downside to distributed spam-checking I had never considered. We encountered […]
I am the victim of an Akismet false positve for two months now. Several bloggers have marked me as not spam. I myself mark the trackbacks to my own blog as not spam on a weekly basis. But nothing happens.
Let’s see how it goes with this comment
Hi Harald,
Your comment came through OK, I think.
It appears I am back on their black list. I certainly don’t spam comments but sometimes I will state my opinion strongly. This causes some malicious individuals to mark my comments as spam out of spite.
Yep, my comment here came through right away. But nevertheless I have to get my trackbacks out of the junk folders on my own blog one by one, cause Akismet says: Spam.
Great article ! Thanks for sharing this ! I didn’t know that akismet could flag you in this manner. They sure need to take action !
Hi Dan,
I think they’re trying to improve but given their low staff numbers dictated by their low/no cost service it probably makes it difficult for them.
I agree. But in that case they should cry out for help. I’m sure plenty of coders will offer their services for such a noble cause.
Sadly, the problem is that many of those who would like to have insider knowledge so that they could game the system would also offer their services.
I seem to notice none of my comments (which are all legit)are showing up on blogs all of a sudden and now wonder if I might have been tagged as a false positive as well (I probably will be in your folder sigh). Hopefully Akismet will help me out as I have sent them a request to help investigate.
Hi SB,
This comment seemed to come through OK.
Sometimes the blog owner may use filtering techniques other than just Akismet. For example, I automatically place any comment with a link in it into moderation. Others have other validation techniques, such as CAPTCHAs, that don’t properly display in Internet Explorer or Firefox while showing up correctly in the other. I’ve encountered this a few times.
I’ve just been told by Vic that I have been flagged. I think anyone who supports Vic is a potential target.
This one came through OK so maybe they fixed it up for you.
I’ve had 3 bans myself, probably two for the reason you mentioned. The one mentioned in this article and another one back in March. I had, and probably still have, one for trackbacks only, and that’s one of the reasons why I no longer do free blog reviews.
I’ve been testing aksimed behavior during last two weeks and I think that URLs in the comments seems to be the key factor used by Aksimet to mark a comment as SPAM. I think they should have a black list with banned address and all comments having one of those URLs is sent directly to Aksimet SPAM Folder.
I have one reader that is constantly, but not always, caught as a spammer by Askimet. Driving me crazy…