s9y / Serendipity

A PHP blog software
https://s9y.org
BSD 3-Clause "New" or "Revised" License

Much stronger defenses needed against aggressive persistent comment-spamming #793

Closed justinacolmena closed 1 year ago

justinacolmena commented 1 year ago

The blog is useless without an adequate defense architecture in place against nation-state-political-censorship-motivated and highly aggressive commercial comment-spamming.

justinacolmena commented 1 year ago

There are too many options for sending out arbitrary emails. I cannot allow my blog to be used as an email spam engine.

onli commented 1 year ago

Well, one-time verifications are a legal requirement in Germany. You can disable them by disabling comment subscriptions completely, under Configuration -> General Settings.

For comment spamming, s9y has a couple of highly effective anti-spam settings, which can be further extended by anti-spam plugins. The recommendation is a combination of the built-in spamblock plus spamblock_bee and spamblock_bayes, or alternatively to enable Akismet.

Though of course, a personal project like a personal blog cannot be expected to really defend itself against state-sponsored spam attacks. If that is really your concern, tackle that at a network level, by running the blog behind Cloudflare for example.

justinacolmena commented 1 year ago

On Monday, November 21, 2022 6:35:01 AM AKST, onli wrote:

Though of course, a personal project like a personal blog can not be expected to really defend itself against state sponsored spam attacks. If that is really your concern tackle that at a network level, by running the blog behind cloudflare for example.

By "state sponsored" do you mean the actual governments or local districts of places like Germany and Poland and Denver, Colorado where we get a lot of these international standards on the internet from?

onli commented 1 year ago

Neither really. Just sophisticated spam attacks, of which there are only a few sources.

Though the origin does not matter much. I hope that with the plugins and settings you find an acceptable-to-you setup.

justinacolmena commented 1 year ago

I had previously had good luck making small site customizations to the captcha.

It appears Serendipity is popular enough that custom attacks against it are propagating in the wild. I much prefer PostgreSQL to MariaDB/MySQL as I find it easier to administer, back up and restore on a VPS, but other people have hosted solutions where PostgreSQL is not available except as paid SaaS. There's a 500 error thrown on a failure to connect to the database if I choose PDO::pgsql rather than plain Pgsql on the config menu, but apparently PHP's old "pgsql" extension has been retrofitted and reprogrammed to use the newer PDO database abstractions for older PHP code. I am using PostgreSQL 15, which is very newly released. I avoid sequence numbers and UUIDs in tables as much as I can, since posting date and title should be enough to ensure uniqueness for blog postings, unless there's a Part 2 of an article or something. I like a human-readable permalink scheme of /archives/%year%/%month%/%day%/%title% and nothing else for articles to be published on a "periodical" basis online.

PostgreSQL has really neat full text search capabilities it would be nice to take full advantage of -- which would be an interesting project for a more advanced search plugin.

onli commented 1 year ago

PostgreSQL has not seen much development work in recent times, I think because the typical setup uses either MariaDB/MySQL or SQLite. But if someone would provide development work to get Postgres into a better state, that would be appreciated and merged. So if you want to work on this, please just go ahead :)

I will close here for now though, just to keep some order in the issues. If you have questions please don't hesitate to contact me, or to open a new issue here or discussion thread in the forum. Or if there is really something that can be done about better spam protection, then please re-open here.