Spam comments should produce 'awaiting moderation' feedback

[tellyworth]

Normally, after a user posts a comment, they'll see their comment appear - either as a live comment, or with the message 'Your comment is awaiting moderation'.

However if a spam filtering plugin catches the comment as spam, no comment is shown. This gives feedback to human spammers, because they can easily distinguish between comments that pass the filter and those that are blocked.

This could easily be avoided by producing the same 'awaiting moderation' feedback in both cases. Obscurity aside, it's an accurate description for spam comments, since they are indeed held for moderation (just in a special queue).

[tellyworth]

The enclosed patch does this, and produces the awaiting moderation message with themes that call wp_list_comments().

Themes that use their own comments code will produce slightly different (but not necessarily bad) behaviour: the author will see the comment posted normally without the 'awaiting moderation' message. No one else sees it of course. Themes can adjust their code to the new behaviour by changing their $comment->comment_approved conditional to check for != '1' instead of == '0':

if ($comment->comment_approved != '1')
    _e("\t\t\t\t\t<span class='unapproved'>Your comment is awaiting moderation.</span>\n", 'sandbox')

Please note that this needs further testing, and no doubt theme developers will want to discuss it.

[filosofo]

"Awaiting moderation" is the wrong message for a spammed comment, because unlike comments that actually make it to the moderation queue, a spammed comment is much less likely to get approved. It's going to be lost among thousands of spammy comments. Don't give the commenter false hope.

[tellyworth]

filosofo, the current behaviour is to produce no message or feedback at all. What behaviour would you propose?

[mrmist]

IMO no feedback for spam is the correct behaviour. I don't want spam that's been automatically caught to be flagged as awaiting moderation, that defeats the point. Spam gets bucketed.

Your proposed patch would mean that if I visit a page full of spam comments as an admin, then I'd see them all listed on the page. That's just wrong.

If a large number of your users are being caught by your filter as spam, then you need to either a) educate your users or b) consider changing your spam filter.

Overall -1.

[filosofo]

Replying to tellyworth:

filosofo, the current behaviour is to produce no message or feedback at all. What behaviour would you propose?

Either existing behavior--comment disappears--or say something like "Your comment appears to be spam."

[tellyworth]

mrmist, I think you might have misunderstood what the patch does. Apologies if my description was unclear. To clarify:

The patch does not put spam in the moderation queue. Spam goes in the spam queue, same as before.

The patch does not mean that admins will see spam when they visit a permalink page. I tested that again to make sure.

The problem is not that legit users are being caught by the spam filter. The problem is that real spammers are able to tell when their comments are caught by the filter, learn from that, and find ways around the filter.

The only thing the patch does is change the message seen by the user when they post a comment that is detected as spam. If it has any consequences other than that they are unintentional and I'll fix them.

[tellyworth]

filosofo: the existing behaviour is bad because it helps spammers and confuses legit users.

"Your comment appears to be spam" is worse, because it helps spammers and insults legit users.

[filosofo]

I think it's reasonable to say that comments getting falsely flagged as spam happens much more often than human spammers attempting to game the system of a particular blog, so your solution causes much more harm than good.

And this is not a real solution to the human spam issue. The vast majority of WordPress blogs handle spam using an open-source plugin or a centralized anti-spam service, such as Defensio or Akismet. All your human spammer scientist has to do is set up his own blog using one of the above and test the results; no need to experiment on someone else's blog.

And a spam comment that gets moderated is as good as spammed. Seeing that his comment has been moderated is as good a motivation to try again for the human spammer scientist as seeing that it's been flagged as spam.

[mrmist]

Ahh ok. Yes I since tested the patch and the spam does not appear on the page.

I'm still not really convinced though.

I am afraid that I must agree with filosofo - if you produce a message to the extent that the comment is awaiting moderation, then a legit user whose comment has been spammed might think that it will be moderated out of spam status when it more likely won't be. If, instead, you give any other message then you are not altering the status-quo with regards to human spamming.

Incidentally, I struggle to believe that a spammer spends any time reviewing the post-spam page.

[ryan]

At least legit commenters who are accidentally marked as spammers receive feedback instead of thinking their comment was lost and trying again.

[mrmist]

Replying to ryan:

At least legit commenters who are accidentally marked as spammers receive feedback instead of thinking their comment was lost and trying again.

If notifying legit commenters is the intended result, then the message displayed should probably indicate that the comment has hit the spam filter. Suggesting that it's awaiting moderation is too much false hope, given that I expect a lot of people who get a lot of spam just "delete all". Probably something along the lines of "contact the webmaster if you believe this to be in error." or whatnot.

[tellyworth]

"I think it's reasonable to say that comments getting falsely flagged as spam happens much more often than human spammers attempting to game the system of a particular blog"

Sorry but this is not the case.

"if you produce a message to the extent that the comment is awaiting moderation, then a legit user whose comment has been spammed might think that it will be moderated out of spam status when it more likely won't be. "

This is a non sequitur. The patch does not affect the probability that a false positive will be discovered and approved.

"All your human spammer scientist has to do is set up his own blog using one of the above and test the results; no need to experiment on someone else's blog."

This is not true either, at least in the case of Akismet. Akismet produces different results on different blogs.

"Incidentally, I struggle to believe that a spammer spends any time reviewing the post-spam page."

They are, and they know what to look for.

"the message displayed should probably indicate that the comment has hit the spam filter"

Please don't do this.

[filosofo]

Replying to tellyworth:

I think it's reasonable to say that comments getting falsely flagged as spam happens much more often than human spammers attempting to game the system of a particular blog

Sorry but this is not the case.

I'm intrigued. What you say implies that either the number of human spammers is greater than the number of real commenters or that anti-spam systems in general have a false negative rate multiple times greater than their false positive rate.

If it's the former, since you also say that "Akismet produces different results on different blogs," then we're not talking about a human tweaking spam comment variables to succeed across millions of blogs; we're talking about millions of humans each tweaking spam comment variables for a particular blog, and only that particular blog. Is this really what happens? How do we know?

if you produce a message to the extent that the comment is awaiting moderation, then a legit user whose comment has been spammed might think that it will be moderated out of spam status when it more likely won't be.

This is a non sequitur. The patch does not affect the probability that a false positive will be discovered and approved.

Sure it does. People don't check the spam queue very often; it's too much work. They do check the moderation queue. A commenter knows this, so when he sees "comment in moderation" he doesn't do anything, confident that it will be taken care of. But when the comment disappears (or says "spammed"), he is more likely to contact the blog author to alert her to the problem. I've done it myself a number of times.

[Denis-de-Bernardy]

broken patch

[Viper007Bond]

This is plugin material IMO. I definitely don't want to be e-mailed thousands of times each day that spam was posted on my blog and I don't think we need yet another option on the settings page for a feature few would use.

Recommend wontfix.

[Denis-de-Bernardy]

I suspect that quite a few of the repliers haven't fully read the full description.

The ticket is not about treating comments caught as spam as in need of moderation.

The ticket is about showing, to the commenter, a message that goes: Your message is awaiting moderation -- even if it was really caught as spam.

The suggestion is a valid one imo. When you've a $2/hour Indian who is manually posting comment spam on your site, you want him to think he succeeded and move on to the next site.

That being said, it can be done using a plugin, so closing as invalid given the feedback.

[nacin]

Replying to ryan:

At least legit commenters who are accidentally marked as spammers receive feedback instead of thinking their comment was lost and trying again.

This. We had this problem on P2s on make.wordpress.org for a few days (now fixed). It resulted in real people constantly submitting comments in duplicate, triplicate, and quadruplicate.

I'm slating this for 3.7. tellyworth has agreed to get it ready for core again. Please, before -1'ing this ticket, read the whole thing. :-)

Obviously spam-awaiting-moderation-r10466.patch​ needs an update for trunk. But also, I'm wondering if <> 1 actually makes sense, given custom statuses and alternative workflows (e.g. ​http://wordpress.org/plugins/comment-inbox/) — and given 'trash', which was introduced a few months after this ticket was closed. A trashed comment should no longer show as 'awaiting moderation', it's gotten past that. Maybe just 0 or spam is a safer, simpler check. (In the future, custom comment statuses could have a pending flag that we'd use here.)

[nacin]

<?php
function wp_comment_is_pending( $comment ) {
    $comment = get_comment( $comment );
    $pending = '0' == $comment->comment_approved || 'spam' == $comment->comment_approved;
    return apply_filters( 'wp_comment_is_pending', $pending, $comment );
}

[knutsp]

-1

Spammers should not be given any feedback, even if they are manually entered. Giving feedback could encourage spammers to become more clever at crafting a comment that will not be regarded as spam.

And if feedback is given, awaiting moderation is not the case. Regarded as spam is the case.

Having trouble with legitimate comments being regarded as spam is not something core should paper over in any way.

[nacin]

Replying to knutsp:

Spammers should not be given any feedback, even if they are manually entered. Giving feedback could encourage spammers to become more clever at crafting a comment that will not be regarded as spam.

Well, at the moment, the comment disappears, at which point they immediately know it got caught as spam. If anything, current functionality is giving them exactly the feedback they need. Yes, I am saying: This would help annoy spammers.

A better solution would be to be ambigious: if the comment is awaiting moderation, or if it is awaiting moderation in the spam queue, they get the same result: "Your comment is awaiting moderation."

If a comment is stuck in moderation long enough, a user might contact the site author letting them know their comment is stuck in moderation, at which point they can check both Pending and Spam. Right now, the user (or a spammer) is literally presented with an error condition. That can't possibly be desired. This change does nothing to help spammers, while at the same time helping legitimate commenters ensure their comment is seen and that they don't post the thing multiple times, fearing the browser ate their comment.

[Viper007Bond]

I'm with nacin on this one. As tellyworth describes, it's giving spammers less information, not more.

Plus the important thing is here is people not spammers.

[knutsp]

Replying to nacin:

A better solution would be to be ambigious: if the comment is awaiting moderation, or if it is awaiting moderation in the spam queue, they get the same result: "Your comment is awaiting moderation."

For ages the ambiguity has lied in the "comment disappears" experience. I have regarded this as the best possible, under different settings. If it ain't broken, don't fix it.

Rethinking, this response/message may be the most ambiguous possible in any setting the site uses, even if it doesn't use comment moderation. A spammer wouldn't know or be able to guess.

Usually not so conservative, but I fear unforeseen side affects of this change, but I trust you if you can't see any. This is a very old ticket, but it was closed (for a wrong reason) for most of the time. Let it go in early.

[mark-k]

-1 to the patch as it lies to the user and there is nothing worse then that. Imagine someone sends me an important information in a comment and get the message "your comment in moderation" while it went to spam. What will I tell him later when he will ask me why havn't I acted on it? Maybe if he had known it went to spam he would have called me or tried to contact me is some other way but since the message says that the comment will be read by a human,why should he do that?

real life example, I could never comment on "make core", none of the comments were published and I didn't get any indication why. At the end I figured it was something to do with spam, but what would I have thought if I always got a "waiting for moderation" message but the comments are never published? that it is not a technical problem, I am just not welcome there.
Don't forget some site are without moderation at all.

I also highly doubt that this will stop any manual spam, my experience is that akismet can't identify manual spam, (I would assume spammers first check the message on their own WP install) therefor this will not help in any way the fight against spam.

This ticket is open for 5 years, if this was an effective measure against spam surely one of the antispam plugins would have adopted it by now, but AFAIK none do it.

[knutsp]

As mark-k points out, there is a downside to lying in the feedback. It may confuse or annoy spammers, because they see the feedback as ambiguous, but to the legitimate commenter the feedback will be regarded as a positive one.

I know for myself that I usually just hit "Delete Spam" without going through them one by one. That is also the reason I use an anti-spam plugin.

So the argument that a legitimate commenter may eventually detect that his comment is "awaiting moderation" for an unreasonably long time is moot. The comment will probably be deleted by then. There are also those plugins that let you automatically delete spam comments on certain conditions, like if the post is old.

So, while I agree with the ticket author, and other commenters here, that the most ambiguous message to spammer is to lie, I say with Viper007Bond: "Plus the important thing is here is people not spammers."

[nacin]

I uploaded a tentative patch here (8968.diff​). Probably doesn't cover all of the cases. This has a potentially big effect, as it involves changes to queries, templates, and themes.

[knutsp]

No interest in two years. Suggest close as wontfix or maybelater.