I am writing this post in anticipation of the question: Why bbProtection? Why not simply write a MOD for phpBB (or insert-board-here) using the Akismet API instead? It’s a fair question, and one that I think should be reviewed. After all, if someone else has already done the hard work, why not reuse it?

What is Akismet?

I will start with a brief overview for those that might not be familiar with Akismet. This package is an extremely popular plugin for Wordpress. It comes from the same minds that brought us Wordpress, so it was understandable that it should focus first on blog comment spam. To use it a blog owner has to register for a key. I assume that the key is part of the data submitted to the Akismet server. The Akismet process reviews the comment and determines if it looks like spam or not. If it determines that it’s not spam, the comment is approved. If it thinks it might be spam, the comment is held in a queue for later review. The specifics of the process used behind the scenes to tag a comment as spam are not available to the public, and for obvious reasons. If spammers knew what triggers to watch out for, the effectiveness of the service would be drastically reduced.

The name comes from a combination of Automatic and Kismet. Kismet is related to fate or karma… the idea is that spammers get what they deserve. If they hit enough different blogs with the same (or similar) content, then they are quickly identified and prevented from making further public comments. The real strength of the system is the fact that comments from blogs around the globe are all fed to Akismet for analysis… a true-life example of “strength in numbers” in action.

How is bbProtection Different from Akismet?

The bbProtection service (in its first rollout) provided a way for board owners to use a shared database to compare registration and post data with other boards. At first glance the general purpose of bbProtection appears to be very similar to Akisment. The target audience is different (bulletin boards versus blogs) but is that enough? Why not just use the Akismet API and write a bulletin board interface? I believe there are several advantages to a board-specific solution.

The first important distinction that I would like to call attention to is that Akismet does not process user registration attempts. For many years the bane of a phpBB2 board owner was the never-ending stream of users that would register just to get their web site listed in the member listing. Many of those users would never even bother to activate their account. At one point I verified that nearly 20% of my board members were created by registration bots rather than by real humans. I suspect without proper prevention features in place that percentage would be even higher today.

Since most bulletin boards are very similar the bbProtection service should be able to compare user registrations from just about any vendor. The fields that are targeted by spammers (website, location, any other similar fields) should be mapped by function rather than by specific fieldname in the database. By comparing registrations on boards from different owners, vendors, and subject matter across the Internet it becomes easier to identify and eliminate spammers.

Summary So Far

The key thing here is that many registration bots never tried to post. Without a posting it becomes a different sort of challenge, and one that I don’t think Akismet is equipped to handle. While that is one very important difference between Akismet and bbProtection, is it enough? I think that it is, but I have more thoughts on the subject to share in my next post.