Just the ones I’m interested in please (basically none)
Background
In the process of tweaking a thing or two behind the scenes, I changed how spam was being handled. I now use the very functional Antispam Bee (or ASB, if you’re short on time but long on initialisms):
(interestingly, a other pages outrank ASB’s own homepage; I had to find the WP plugin page from ASB’s GitHub†)
ASB has been working well enough in detecting spam; but it’s also been real noisy on the email front:
Gmail apparently caps those threads at 100. As you can see from the screenshot, there’s at least one unread email in that century of notifications. The were just too many, and the traffic on this blog is basically zero, considering this is a world where six-second footage of someone doing a dance gets tens of millions of views, or so I’m told.
Spambots have no discretion and mercy:
Quietening ASB by Not Sending Some Emails
I haven’t run the numbers yet, but spam tends to be a mix of things with a couple of strong themes. Without wanting to mention the content directly lest I inadvertently give the spammers a platform, a few frequent offenders were:
- a kind of book or document you would need if a domestic device was malfuncitoning
- a place, traditionally a building where people spend money with the chance to win more and where you might take in a show
- alternative forms of monetary exchange
Some more recent ones include:
- a supposed preview of the much-anticipated sequel to a very popular game which has been released across several generations of consoles and PC
- access to a popular suite of tools that you now need to rent access to instead of a one-off purchase
The actual goal here is to not see emails for obvious, barn door, unmistakable true positive spam. I definitely do want to see emails for actual useful comments held in moderation. For that we can leverage the “disallowed list” (formerly the comment blacklist).
I wonder about running things through the disallowlist before ASB- my gut says a simple disallowlist lookup might be quicker than the various levels of ASB; but on the other hand most spam falls straight into the honeypot by filling out a field that is hidden to humans, so it is probably an early exit there. In any case, ASB hooks the comment cycle earlier than the disallowlist check. Really, it’s maybe worth benchmarking the two approaches- though I suspect for a low-traffic blog like this the result is a wash. Larger sites on the medium scale might benefit. Massive sites probably need a very well tuned approach, if they haven’t simply disabled commenting completely or farmed it out to the likes of Akismet or others.
Since ASB hooks earlier than native WP checks, my first thought was to write a small plugin to check the disallowlist first and nuke the comment if so. I asked in #wordpress, and tex suggested:
2025-07-28 14:09:54 tex https://github.com/pluginkollektiv/antispam-bee/wiki/en-Hooks 2025-07-28 14:09:59 tex antispam_bee_notification_recipients 2025-07-28 14:10:06 tex that it? 2025-07-28 14:10:16 bertieb (1) comment caught with spamsite.xyz [on blocklist] → no email from ASB; (2) comment caught with no blacklisted site → email 2025-07-28 14:10:18 bertieb lemme check 2025-07-28 14:11:56 bertieb so I could hook that filter to remove a recipient if the comment body matches the discussion blacklist; but keep admin email if not? 2025-07-28 14:12:16 tex seems reasonable assessment 2025-07-28 14:12:17 bertieb s/a/the/ 2025-07-28 14:12:40 bertieb okay cool, I could look at doing it that way 2025-07-28 14:13:06 tex alternatively you can hook into pre_/wp_mail and devnull it before it's sent out 2025-07-28 14:13:13 bertieb sure 2025-07-28 14:13:26 tex https://developer.wordpress.org/reference/hooks/pre_wp_mail/ https://developer.wordpress.org/reference/hooks/pre_wp_mail/https://developer.wordpress.org/reference/hooks/wp_mail/
Nullrouting the email instead.
The Quick Hack
In the end when I came to implement it, I split the difference: added a check to send_mail_notifications():
// skip email notif if the comment is in the disallowlist
if ( wp_check_comment_disallowed_list(
$comment['comment_author'],
$comment['comment_author_email'],
$comment['comment_author_url'],
$comment['comment_content'],
$comment['comment_author_IP'],
$comment['comment_agent']
) ) {
// debug log an "error" noting this so I can see if it happens in log
error_log( sprintf( 'Antispam Bee: Skipping email notification for comment ID %d as it is in the disallowlist.', $id ) );
return $id;
}
As you can see I added a little debug print to the error log. This was important for a couple of reasons. Firstly, I typo/thinko’d the WP function wp_check_comment_disallowed_list() as wp_check_comment_disallowed() causing a fatal error (whoops). I also managed to invert the logic- in my head it was a check of the comment, ie allowed → true, disallowed → false. I blame complete unfamiliarity with the API and a bit of carelessness. But by checking the log I could catch that:
I could also check that the plugin was functioning as expected:
So it works, and I can remove that set of training wheels.
Next on the wishlist: integrating ASB with the digest plugin…
†: surely a couple links from this titan of a website will boost the sites in the ol’ search rankings‡
‡: “the ol’ search rankings” is how true SEO gurus• refer to them
•: they also use multiple nested footnotes with characters chosen in Unicode sequence‣
‣: this one’s code point 0x2023 ^_^