Captcha on Netsensei

WP Mollom likes your comments

matthias@netsensei.nl (Matthias Vandermaesen) — Sat, 09 May 2009 18:03:38 +0000

Over the past couple of days, it became apparent that WP Mollom suffers an issue where it “eats” your comment when a CAPTCHA is shown. The result is that only half of your comment is saved. Not good of course. Apart from that, there was also a problem with character encoding.

Of course, this issue needs solving. I could recreate the problem on a testsetup and found the culprit. This issue rears its’ ugly head when a commenter uses double quotes in his/her comment. Because of the way WordPress implements commenting, I have to embed the commentdata in the CAPTCHA form as a cluster of hidden fields. The handling of the encoding was a bit wonky here which causes data to get corrupted.

I fixed the issue and commited the code in the development version of the plugin (trunk). I’m not commiting it to a stable version yet because the adjusted code needs testing against foreign non-western character sets like simplified chinese and such. If your blog is set to use UTF-8 encoding (which it should!), you shouldn’t notice big problems with this update.

If you’re really anxious to get your hands wet, you can download the development version here.

WP Mollom 0.7.2

matthias@netsensei.nl (Matthias Vandermaesen) — Thu, 12 Feb 2009 21:35:26 +0000

I just released version 0.7.2 of WP Mollom. Here’s the changelist

fixed: closing a gap that allowed bypassing checkContent through spoofing $_POST[‘mollom_sessionid’]
fixed: if mb_convert_encoding() is not available, the CAPTCHA would generate a PHP error. Now falls back to htmlentities().
improved: the check_trackback_content and check_comment_content are totally rewritten to make them more secure.
added: user roles capabilities. You can now exempt roles from a check by Mollom
added: simplified chinese translation

So, for the most part, this release is about security related under-the-hood changes. Another great adition is the use of user roles. With previous releases, you didn’t have to pass the Mollom check if you were logged in. Which was a bit of a security issue in it’s own. This release allows you to exempt certain user roles from Mollom scrutiny.

Finally, I owe a big thank you to Donald for the great work he did translating the interface into simplified chinese and his numerous suggestions. Thank you!! I would like to encourage others to translate the plugin! German, French and/or Spanish, if you know them, now is the time to put them to use!

So, go grab it from WordPress Extend or upgrade your installation through the famous one-step intaller in your Dashboard!

WP Mollom 0.7.1

matthias@netsensei.nl (Matthias Vandermaesen) — Sat, 27 Dec 2008 16:23:51 +0000

I just released WP Mollom 0.7.1. Here’s the changelog:

fixed: all plugin panels are now shown in the new WP 2.7 administration interface menu
fixed: non-western character sets are now handled properly in the captcha form
fixed: handles threaded comments properly
fixed: multiple records in the manage module not correctly processed
improved: extra – non standard – fields added to the comment form don’t get dropped
improved: revamped the administration panel
improved: various smaller code improvements
added: the plugin is now compatible with the new plugin uninstall features in WordPress 2.7
added: the ‘quality’ of ‘spaminess’ of a comment is now logged and shown as an extra indicator

Wishing all the best in 2009!

Mollom 0.6.1

matthias@netsensei.nl (Matthias Vandermaesen) — Wed, 24 Sep 2008 18:54:18 +0000

I just tagged version 0.6.1 of WP Mollom in the WordPress Extend repository. Which means in a few moments, you’ll be able to download the latest installment of my plugin.

So, what has changed? Well, this is a bugfix release which means no new features. Here’s the changelog:

Fixed: division by 0 error on line 317
Fixed: if ‘unsure’ but captcha was filled in correctly, HTML attributes in comment content would sometimes be eaten by kses
Improved: the mollom function got an overhaul to reflect the september 15 version of the Mollom API documentation
Changed: mollom statistics are now hooked in edit-comments.php instead of plugins.php
Added: _mollom_retrieve_server_list() function now handles all getServerList calls

Although almost all basic functions are up and running now, there’s still a long road ahead. Today, I’m happy with what I’ve accomplished technically so far, but such things as usability, performance, flexibility,… still need more work. For instance, there’s still no WordPress MU version, i8n support is still missing, the backend needs more simplifying and much more.

But then again, if spam annoys you as much as the mosquitos in my room did me last night, then this is the plugin for you. Download the package, drop wp-mollom.php in your plugins folder, register with mollom.com to get your keys, just configure them in the plugin and you’re all packed with some serious spam stoppage power.

Happy blogging!

WP Mollom “Back to school” 0.6.0

matthias@netsensei.nl (Matthias Vandermaesen) — Sun, 24 Aug 2008 18:15:15 +0000

On the 1st of september, kids go back to school here in Belgium. And so, with a week to go, I was able to get a new release out. I intended it to be a bugfix release with version number 0.5.3, but I got a bit carried away and some feature creep happened. So I decided to give it version number 0.6.0.

Here’s the changelog:

fixed: html is preserved in a comment when the visitor is confronted with the captcha
fixed: handling of session id’s in show_captcha() en check_captcha() follows the API flow better.
fixed: broken bulk moderation of comments is now fixed
fixed: the IP adress was incorrectly passed to the ‘mollom.checkCaptcha’ call
fixed: the session_id is now passed correctly to _save_session() after the captcha is checked.
improved: more verbose status messages report when using the Mollom Manage module
improved: cleaned up some deprecated functions
improved: handling of Mollom feedback in _mollom_send_feedback() function
added: approve and unapprove options in the Mollom Manage module
added: link to the originating post in the Mollom Manage module
added: if a comment had to pass a CAPTCHA, it will be indicated in the Mollom Manage module
added: plugin has it’s own HTTP USER AGENT string which will be send with XML RPC calls to the API
added: detailed statistics. You can find these under Plugins > Mollom

My personal favourite are the new statistics. I like shiny bar graphs. Dries and Benjamin let me use the flash object to generate statistics based on the data of their Mollom services. But I decided to keep some statistics on the ‘client’ i.e. your site’s side.

How to install this shiny new version?

If you have Akismet running: shut it down in the plugins panel.
Upload wp-mollom.php in your plugins/ folder and activate the plugin.
Get a public/private key by registering your site on mollom.com.
Go to ‘settings’ in the WordPress Administration and configure the plugin.
That’s it… your blog is protected by the forces of Mollom.

The idea is that Mollom takes away most of your moderation needs. But from time to time, you might get confronted with a false positive. In the ‘comments’ section of your WordPress Administration panel, you find the Mollom Moderation Module which gives you lots of control.

What are you waiting for? Just give it a go!

WP Mollom 0.5.2

matthias@netsensei.nl (Matthias Vandermaesen) — Sun, 20 Jul 2008 18:28:32 +0000

So, I wrapped up version 0.5.2 of WP Mollom today. This release is all about fixing several bugs.

fixed: passing $comment instead of the direct input from $_POST to the show_captcha() and check_captcha() functions.
improved: implemented wpdb->prepare() in vunerable queries
improved: mollom_activate() function now more robust
changed: mollom_author_ip() reflects changes in the API documentation. This is to catch up on the abuse of proxies by spammers. If your host uses a reverse proxy and you know the ip(‘s), just enter them in the dashboard. The plugin takes care of the rest.

I tried to make the plugin compatible with the WP OpenID plugin over the past weeks. But no dice. Stable version 2.1.9 of WP OpenID doesn’t deal with extra fields added to the HTTP POST by other plugins when a request is send to wp-comments-post.php. This causes WP Mollom’s CAPTCHA form and subsequent checks to malfunction.

The good news is that Will Norris of WP OpenID is aware of the problem. The development version does contain a fix for this problem and is actually compatible with WP Mollom. You can check out a copy from the DiSo Project’s Google Code repository if you really want OpenID and Mollom support on your site.

As always: refer to the documentation regarding all the in’s and out’s.

Mollom vs Netsensei

matthias@netsensei.nl (Matthias Vandermaesen) — Thu, 10 Jul 2008 21:29:52 +0000

Over the past days, there were some hiccups with WP Mollom on my blog. Comments that were kept back and the likes. I had an little bit outdated version of the plugin running. Of course, over the past weeks since 0.5.1, I received quite some feedback. And over the weekend, there was a small adjustement in the Mollom API.

So I took action and during my daily commute from and to Leuven, I took the time to fix things up. I’m now running a test version of 0.5.2 on my blog. I improved the SQL yet again (thanks, Ben!) and a bug in the CAPTCHA form.

So drop a me line in the comments and if things don’t work out, don’t hesitate to contact me!

If you’re really willing, you can always give the development version a go. It contains all the latest changes and updates, but might not be so stable.

WP Mollom “Holiday Edition” 0.5.1

matthias@netsensei.nl (Matthias Vandermaesen) — Tue, 01 Jul 2008 22:19:00 +0000

I just released a minor update of WP Mollom with some bugfixes. This is the changelog:

Fixed: minor issues with the Captcha not being rendered correctly
Added: mollom_manage_wp_queue() function which adds Mollom support to the default comment administration panel
Improved: updating from a previous version is now more robust

More info and download on WordPress Extend

Mollom workflow

matthias@netsensei.nl (Matthias Vandermaesen) — Sun, 01 Jun 2008 11:26:36 +0000

Dries made me a nice diagram on the process flow of Mollom. It shows the order in which your Mollom programmable should excute the different API calls.

Note: You should never try to save data to the database before all the Mollom checks including the CAPTCHA have been cleared. The idea is that through the challenge-response flow, the contributor has to validated him/herself as a human instead of forcing the administrator to make an educated guess.

As for the plugin itself: I noticed several small booboo’s myself over the weekend and sorted them out. A public release should be very soon-ish.

Statistics for Mollom

matthias@netsensei.nl (Matthias Vandermaesen) — Thu, 29 May 2008 10:45:51 +0000

Because numbers and graphics can express so much more then words: a visualisation of how Mollom is protecting my blog against spam. I’ve been testing my plugin on and off for the past 2 weeks on my own blog.

The new beta release is almost ready by the way. Just need to pack and ship it to the testers tonight. So here’s what’s new:

Decoupled moderation from the CAPTCHA test. Moderation is now optional. If you fail to complete the CAPTCHA, your comment is not saved to the database.
Major improvement of the error handling. I dove into WordPress’ error handling. I think people should make more use of the WP_Error class in combination with wp_die(). Maybe I’ll do a small item on that one.
I added trackback support. Of course, displaying CAPTCHA’s for trackbacks isn’t going to work. So after discussing it with Dries, instead of trying to solve the CAPTCHA problem, those trackbacks are blocked as well.

As things get finalized, I’m thinking about doing a very first public beta release sometime next week. I had very few feedback from testers so far in fact. If people are still interested in joining me for a last spin: drop me a line!

To moderate… or not?

matthias@netsensei.nl (Matthias Vandermaesen) — Sun, 25 May 2008 14:48:44 +0000

Well, I adjusted some of the plugin code over the weekend. The comments’ data (name, e-mail, url, content) isn’t stored in the database anymore but embedded in the CAPTCHA form as a collection of hidden fields. As I don’t want to store the data clientside (cookies and the likes) this seems to be the best way out. The comment is saved only if the CAPTCHA test was succesfully completed.

A particular issue I face are special characters like backslashes, quotes,… things you might encounter in URL’s and such. Luckily, WordPress is quite flexible as it takes this into account during the process of saving a comment in the database. The issue I have to focus on is not breaking the HTML CAPTCHA form itself. This will probably need some extensive testing.

The new version is already protecting this blog against comment spam. If everything goes well, the moderation queue should stay empty of unprocessable spam. In fact, it changes the usage of the queue entirely: instead of an indispensable tool, it becomes an optional means to teach Mollom if a message contains spam, profanity,… You don’t need to use it, but it allows you to correct Mollom in those few cases that may slip through.

Next up: implement functionality against trackback spam. I hope to get that part finished near the end of next week so I can put out a new betaversion of the plugin.

To moderate… or not?

matthias@netsensei.nl (Matthias Vandermaesen) — Fri, 23 May 2008 17:00:48 +0000

Today, I had an e-mail discussion with Dries and Benjamin over the use of a moderation queue within the context Mollom provides. I have on implemented in my plugin. The idea is that ‘unsure’ comments that don’t get through the CAPTCHA test, land in a moderation queue… sort of.

Mollom was actually designed to get rid of the queue. Checking if a commenter is human or a spambot happens through the CAPTCHA test. Early on in the process of posting a comment. That makes a queue where an administrator has to do the check after the facts quite unnecessary.

The problem is that the way I designed the plugin forced me use a moderation queue altogether. ‘Unsure’ labelled comments happen to land in the database, before the CAPTCHA check. Two months ago, that seemed the logical way out to me. Dries gave me some more insight in the workings of the Drupal module and was able to convince me to seperate the CAPTCHA check from the moderation queue. (I am not nearly into Drupal as I am into the workings of WordPress!)

So. It’s a bit back to the drawingboard for me as this means some parts of the plugin need to be reviewed.

Mollom vs Trackback spam

matthias@netsensei.nl (Matthias Vandermaesen) — Tue, 13 May 2008 16:30:01 +0000

Hum. The plugin in WordPress doesn’t support trackback checking yet. No big deal? Well, I have 24 spams in my moderation queue, the majority of them are trackback spam.

So… yet another feature to implement. Just wondering how the flow of operations should look like. Moreover: how/where do I implement a CAPTCHA? Is it necessary to do this implement? Given the 99.8% accuracy Mollom claims, is it a bad thing if a trackback would be identified as a false positive and the CAPTCHA step is skipped altogether? One can retrieve the false positive through the moderation queue altogheter, no?

Anyway, adding trackback support should be fairly simple.

Mollom voor WordPress ii

matthias@netsensei.nl (Matthias Vandermaesen) — Tue, 29 Apr 2008 10:29:49 +0000

Zo. We zijn een half dagje verder. Dit is de tussenstand: 0 spammers door de mazen van het net gegelipt. 7 spams in de moderation queue waarvan er 3 door jullie werden achtergelaten. 1 spam (Houbi) per ongeluk in de moderation queue blijven hangen. Niettegenstaande de mens legit is.

Kijk, voorlopig laat ik alles daar even hangen. Ik moet nog een feedback module in mijn plugin hangen zodat ik de Mollom servers kan terugsturen waarom iets wel of niet spam/profanity/unwanted/… is.

Tenslotte blijkt er inderdaad iets loos te zijn met het tonen van de image CAPTCHA’s. Da’s alvast doorgegeven.

Al bij al een klein succesje denk ik dan zo.