I’ve been requiring visitors to create a site account to leave comments on my blog for some time now. I never liked doing it, of course, but my BlogEngine.NET 1.6 spam filtering wasn’t working correctly. I knew BlogEngine.NET’s spam-fighting capabilities were legendary, yet I was still dealing with those soul-less SEO backlink bastards whenever I dropped the site account requirement.
That’s all behind me, because BlogEngine.NET spam filtering is now doing the job it was designed to do in BE.NET v1.6, with the complete spam filtering process fully enabled.
To begin my story, I knew something was wrong because my spam filtering statistics were always 0. My Akismet Extension was configured correctly, my site URL and API key were up to date, and yet I was getting no Akismet or StopForumSpam love.
I’m going to walk through the moderation logic before providing the solution, so if you’re not interested in the geeky details feel free to jump to the end of this post.
The heavy lifting for BlogEngine.NET 1.6 comment moderation occurs in the BlogEngine.Core.CommentHandlers class. Comment moderation hooks into the Post.AddingComment global event, with the core logic sequence (for our purposes) being:
- If the User is Authenticated and if Authenticated users are auto-approved, we’re golden.
- BlogEngine.NET’s White list and Black list rules come next, with the user’s email and IP checked against existing comments and handled according to the blog’s configured rules.
- The comment then has to pass the blog’s additional filter settings by IP, author, website, etc. We’ll see a screenshot of that in a second.
- If the comment is still not approved at this point, the custom Akismet and StopForumSpam moderators kick in for final inspection.
Pretty thorough, isn’t it? Here’s the source logic in a nutshell.
We're going to step backward a second to display a screenshot of the additional filter settings I mentioned in step 3 to show you how complete BE.NET's spam filtering is.
The Essential Flaw
The essential flaw of the filter logic process (mine, not BlogEngine.NET’s) was in step 2, comparing the new comment properties against the existing comments and applying the White and Black list rules.
Let's look at the White list and Black list rules on the comment filtering panel in BlogEngine.NET Administration.
They're set at "0" here to show you what I did wrong. The reason they should not be set to "0" is probably obvious to most of you, but it wasn't to me. Let's look at another slice of moderation code in CommentHandlers.
WhiteCnt was always equal to or greater than the BlogSetting value of "0", so all comments were being approved. The comments were never being custom filtered by IP, keyword, etc., or being sent to Akismet. D'oh!
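The short-circuit described above, as an added C# sketch that is not BlogEngine.NET's source: a simplified model of the moderation order from this post. All type and member names are hypothetical, the sample data and the non-zero thresholds are constructed, and the white-before-black ordering is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Simplified model of the moderation order described in this post.
// All type and member names are hypothetical, not BlogEngine.NET's.
record Comment(string Email, string Ip, bool Approved);

static class ModerationModel
{
    // Returns the stage that decided the comment's fate.
    public static string Moderate(Comment incoming, IEnumerable<Comment> history,
                                  int whiteListCount, int blackListCount,
                                  bool authenticated = false, bool trustAuthenticated = true)
    {
        // Step 1: authenticated users are approved when the blog trusts them.
        if (authenticated && trustAuthenticated) return "approved: authenticated";

        // Step 2: count earlier comments from the same email or IP.
        var same = history.Where(c =>
            string.Equals(c.Email, incoming.Email, StringComparison.OrdinalIgnoreCase)
            || c.Ip == incoming.Ip).ToList();
        int whiteCnt = same.Count(c => c.Approved);
        int blackCnt = same.Count(c => !c.Approved);

        // With whiteListCount == 0 this is true for every commenter (0 >= 0),
        // so nothing below this line ever runs and the filter stats stay at 0.
        if (whiteCnt >= whiteListCount) return "approved: white list";
        // Assumption: the black list check follows the white list check.
        if (blackCnt >= blackListCount) return "rejected: black list";

        // Steps 3 and 4 (custom filters, then Akismet / StopForumSpam) would run here.
        return "passed on to custom filters and external moderators";
    }

    static void Main()
    {
        // Constructed sample: a first-time commenter with no history on the blog.
        var history = new List<Comment>();
        var spam = new Comment("seo@example.test", "203.0.113.7", false);

        // Misconfigured thresholds of 0, as in the post.
        Console.WriteLine(Moderate(spam, history, whiteListCount: 0, blackListCount: 0));
        // Constructed non-zero thresholds; the actual values are a per-blog choice.
        Console.WriteLine(Moderate(spam, history, whiteListCount: 5, blackListCount: 5));
    }
}
```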
In case it’s not absolutely clear, if you’re seeing spam in BlogEngine.NET and your custom filter stats are all “0”, the “fix” is to enter a WhiteCount value sufficient to keep the comment moving through the entire filtering process. Something like the values below should do the job for you.
Even though I wasn’t smart enough to configure it properly, I always knew that BlogEngine.NET's spam filtering was the best in the business. Now that all of my filters are firing and my custom filter stats are happily ticking away, I can start to enjoy it as God and Ruslan Tur intended.