Archive for the Blogging Category

If you can't get them in with content…

Friday, January 26th, 2007

My site statistics are, frankly, insane. Of the 5.8 million hits I’ve received since May of last year, a staggering 16% of visitors arrive to see my Xbox 360 FAQ. Coming in a distant second is the Photography category because people want to download one of my high res wallpapers. Then there’s a smattering of WordPress plugin seekers and results start getting noisy with spam and other things.

What it boils down to is I don’t really have a readership. I blame myself, obviously, because if I had things to read that had merit readers would come. Funny how that works! I have grazers, really. Lots of them. Which is dandy in that I get clicks and make enough money to pay my hosting, but I haven’t developed any kind of community following aside from a few stalwarts.

Then I had an epiphany: I’ll BRIBE you! That’s right, I’ll give you money just for reading. Well, reading and commenting. Well, reading and commenting and getting a question right.

How I’ll bribe you to visit

“That sounds (pathetic) great, ColdForged! How exactly do you plan to accomplish this?” you may ask.

Easy. At the end of every post I make there will be a highlighted question. Be the first person to comment and correctly answer the question and I’ll put $1 in your Paypal account. That’s all there is to it. As a technical note I’ll verify your email address upon winning and send the money to whatever Paypal account you desire.

Obviously the first people to see the question will have a better opportunity to answer correctly and get money. As such, you may wish to subscribe to my feed. That’s entirely up to you. I don’t have a posting schedule. I post when it’s convenient and whenever I have something to post, apparently regardless of quality. I may not — and almost certainly won’t — post every day. I may post multiple times a day. But for every “ColdForged’s $1 Question of the Day” you see, someone will get a buck. NOTE: make sure to get it right the first time as only your first answer will count. For instance, in today’s question you can’t simply leave two comments, each with one of the players’ names.

I should note that I have comment moderation enabled. If you’ve never left a comment before, your comment will drop into the moderation queue. Fear not! It’s there. The only winning criterion is that you have the correct answer first. This could also explain why the answer isn’t there when you comment; you may think you’ve won only to find out later that another comment was sitting in moderation. I am the final authority on who is the winner of any particular question.

So, why am I doing this? I figure it will, if nothing else, be an interesting experiment. I get enough from my Yahoo Publisher ads to cover it. And if I drag a few more people in here for the actual content then it ain’t all bad.

I know there will be detractors. “He can’t get people to read his site, so now he’s paying them!” True, I came right out and said it. I know it’s quite frankly a silly plan. But I can’t get the idea out of my head and it’s just the kind of thing that hits me right. I’ve never claimed to be anything but silly.

How long will this go on?

I don’t know. If no one ever answers the question it won’t last long. If the same person wins for 6 months straight, well, it might be time to rethink. If it seems like fun and gets some traction I’ll keep it going indefinitely.

When does it start?

Right now. We’ll start off with a relatively easy one. I make no guarantees about future questions.

ColdForged’s $1 Question of the Day: Which of the two Carolina Hurricanes players that went to the All Star game scored first in that game?

The first correct commenter gets the money, no catches.

WINNER! ByTor scores the correct answer with Eric Staal.

Open the commenting floodgates?

Friday, December 15th, 2006

Apparently the spam hammer isn’t being felt solely by me. That’s heartening. I don’t want to turn off comments but neither do I want to have to try to find a better host than I already have, especially as I wouldn’t be able to do much differently.

One thing that I noticed after I had turned off comments and gotten things calm was that I still had mod_security logging turned on for requests that got denied as I was still debugging my plugin. I racked up a little over 75 megabytes of logs. That’s a load of logging and quite likely the single most resource-hogging part of the whole thing. Had my logging been off I almost certainly wouldn’t have been suspended. As such, it’s very tempting to try again. Maybe I’ll wait a while so as to get off ASO’s shit list, though. I also need to merge in some changes that SK2’s author, DrDave, provided.

I'm out of the comment taking business

Wednesday, December 13th, 2006

It’s been a good run. Since I started this blog I’ve received 4408 comments. I value them highly and am glad for every single one of them. Sadly, there will not be a 4409th comment. I’m throwing in the towel. Spammers, you’ve succeeded. I’m finished, I quit, I give up. I’ve fought against you valiantly, I’ve done everything I know how and learned new things to try to keep up with you, but there’s one thing I simply can’t battle: your sheer numbers.

Those of you that have been around a while know that I haven’t taken this quietly. I wrote a plugin a while back almost solely for the purpose of paging through the mountains of submitted comments to separate wheat from chaff. I’ve made a career out of keeping referral spammers from chewing up resources. I’ve swapped hosting providers 4 times after using up too many server resources fighting the fight. I finally found a hosting provider that appears to want to work with me and deal fairly with me, so I want to deal fairly with them.

The Proverbial Last Straw

Then this morning hits and I find my account suspended. “Oh joy, what is it this time?” After hearing the explanation (too many resources used, my comment script being the culprit) I figure my recent mod_security plugin was gumming up the works. I agree to remove the plugin and follow up on it, they reinstate the account. I do my part and off we go again. I decided to take a gander at the server logs to see what was going on. That was an eye-opener.

From roughly 6:00PM last night until 10:42AM this morning there were 9,938 posts to my comment script. That looks like a typo. Let me reiterate: there were nine thousand, nine hundred and thirty eight posts to my comment script. In less than 24 hours. At times there were 5 and 6 per second. Distributed IPs, of course. My mod_security rules caught them, they didn’t get through but the server was, simply, crushed under the weight. I just can’t keep up with that and I certainly can’t ask A Small Orange to keep up with it.
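The numbers above (nearly ten thousand POSTs to the comment script in under a day, peaking at five or six per second from distributed IPs) are exactly what an access-log pass should surface before a host notices. The script below is an added example, not code from this blog: it parses Apache combined-format lines, keeps only POSTs to WordPress’s standard comment script (`/wp-comments-post.php`, assumed here as the script in question), and reports per-second bursts, the busiest source IPs, and how many of the requests were already rejected with 412 by mod_security. The log lines are constructed samples.

```python
"""Mine an Apache combined log for comment-script flooding (added example)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log: a burst of five POSTs in one second from three IPs,
# one normal page view, and one later legitimate-looking comment post.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Dec/2006:21:15:03 -0500] "POST /wp-comments-post.php HTTP/1.1" 412 0 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Dec/2006:21:15:03 -0500] "POST /wp-comments-post.php HTTP/1.1" 412 0 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Dec/2006:21:15:03 -0500] "POST /wp-comments-post.php HTTP/1.1" 412 0 "-" "Mozilla/4.0"
192.0.2.33 - - [12/Dec/2006:21:15:03 -0500] "POST /wp-comments-post.php HTTP/1.1" 412 0 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Dec/2006:21:15:03 -0500] "POST /wp-comments-post.php HTTP/1.1" 412 0 "-" "Mozilla/4.0"
192.0.2.33 - - [12/Dec/2006:21:15:04 -0500] "GET /2006/12/some-post/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Dec/2006:21:15:04 -0500] "POST /wp-comments-post.php HTTP/1.1" 412 0 "-" "Mozilla/4.0"
192.0.2.33 - - [12/Dec/2006:21:16:10 -0500] "POST /wp-comments-post.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
COMMENT_SCRIPT = "/wp-comments-post.php"  # assumed: WordPress's default comment handler


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),  # second resolution
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def comment_posts(log_text, script=COMMENT_SCRIPT):
    """All parsed records that are POSTs to the comment script."""
    records = (parse_line(l) for l in log_text.splitlines())
    return [r for r in records if r and r["method"] == "POST" and r["path"] == script]


def burst_seconds(records, threshold):
    """Seconds in which at least `threshold` comment POSTs arrived, as (timestamp, count)."""
    per_second = Counter(r["ts"] for r in records)
    hits = [(ts.strftime("%d/%b/%Y:%H:%M:%S"), n) for ts, n in per_second.items() if n >= threshold]
    return sorted(hits)


def top_sources(records, n=5):
    """Most active source IPs, busiest first."""
    return Counter(r["ip"] for r in records).most_common(n)


def blocked_count(records, status=412):
    """How many of the POSTs were already rejected (412 is what the mod_security rules return)."""
    return sum(1 for r in records if r["status"] == status)


if __name__ == "__main__":
    posts = comment_posts(SAMPLE_LOG)
    print("comment POSTs:", len(posts))
    print("bursts of 5+/s:", burst_seconds(posts, 5))
    print("top sources:", top_sources(posts, 3))
    print("already blocked:", blocked_count(posts), "of", len(posts))
```

Even when every request is denied, each one still costs a request slot and a rule evaluation; the blocked count versus total is the number to show a host when explaining where the load came from, and the per-second bursts tell you whether a rate limit in front of Apache would have helped.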

So, the comment script is gone, comments and trackbacks have been turned off for all posts. This will almost certainly remain the case for eternity. I’m considering adding a contact email address but we all know what happens to those.

Thanks to all my past commenters and I am truly sorry it came to this.

UPDATE: Please do note that there’s now a contact form available if you’re so inclined (thanks Ryan).

A Non-Spam Thanksgiving

Thursday, November 23rd, 2006

Happy Thanksgiving to all my readers! I hope you are amongst friends and family and that it’s a day of rest and peace for you all. We’re spending a quiet day with my Mom, cooking turkey and just relaxing. We’re not the kind to spend the entire day in the kitchen — it’s happened in the past but that’s not the vibe we wanted today — so it should be nice. It’s our first Thanksgiving since my father died but I think we’re all in a relatively good place.

I survived a reduction in force at work yesterday — though several of my favorite people didn’t — so I can use a bit of peace and quiet (he says as his daughter watches Cars in the other room).

An update on the plugin

I’ve gotten some good feedback on the proposed Spam Karma 2 mod_security plugin. The best feedback was from SK2’s creator, DrDave, who gave me some insight into his architecture and suggested some improvements and direction. Many thanks, DrDave! I’ve since modified the plugin to do the following:

  • Block outright any IP address in the IP blacklist with a score greater than 90. Any request from them will get a 412 Precondition Failed.
  • Block any domain in the domain blacklist with a score greater than 90 from appearing in a POST request. In other words, if someone tries to post a comment to the blog containing one of those domains, they’ll get a 412 as well.

With these in place, my daily comment spam take has dropped from an average of 400 per day to an average of 3… two whole orders of magnitude. I like that. There are still a few things to do with it before it’s ready for external testing.

  • Provide adjustable strength like the rest of the SK2 plugins for people not quite as nasty as me. Strength will affect both the minimum score a blacklisted item must have before it’s blocked and possibly whether domains are blocked at all. For instance, on “weak” strength we’d only block IPs with a score of 99 or higher and not domains. On “fearsome” we’d block what I currently block.
  • Add in aging of blocked entries, reducing the score of items that are currently blocked so they can eventually be discarded from the blocked list. SK2’s scoring can’t account for this as it depends on still receiving the requests or spams… if I block them it can’t do its scoring adjustments. I just need to give it some help with that.
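The rule-generation logic the two lists above describe (blocked IPs answered with 412, blacklisted domains denied in POST bodies, a strength setting that moves the score thresholds, and aging that decays scores so entries eventually drop off) is small enough to show end to end. The following is an added example written for this page, not the author’s plugin or SK2’s code. It assumes blacklist entries are plain (value, score) pairs and emits mod_security 2.x `SecRule` syntax; mod_security 1.x uses `SecFilterSelective` instead, so check the installed version before using the output. Request-body inspection also requires `SecRequestBodyAccess On` in the server config.

```python
"""Generate mod_security rules from an SK2-style blacklist (added example)."""
import re

# Constructed sample blacklists: (value, score), as SK2 keeps for IPs and domains.
SAMPLE_IPS = [("192.0.2.10", 95), ("198.51.100.7", 99), ("203.0.113.4", 40)]
SAMPLE_DOMAINS = [("spam.example", 97), ("shady.example", 92), ("ok.example", 60)]

# Strength levels as described in the post: "weak" blocks only IPs scoring 99+
# and no domains; "fearsome" blocks IPs and domains scoring above 90.
STRENGTH = {
    "weak": {"ip_min": 99, "domain_min": None},
    "fearsome": {"ip_min": 91, "domain_min": 91},
}


def _blocked(entries, minimum):
    """Values whose score reaches the threshold; None means 'never block this kind'."""
    if minimum is None:
        return []
    return [value for value, score in entries if score >= minimum]


def ip_rule(ip, rule_id):
    """Deny every request from a blacklisted IP with 412, checked in phase 1 (headers)."""
    return (
        'SecRule REMOTE_ADDR "^%s$" '
        '"phase:1,deny,status:412,id:%d,msg:\'SK2 blacklisted IP\'"'
        % (re.escape(ip), rule_id)
    )


def domain_rule(domains, rule_id):
    """One chained rule: only POSTs, and only when the body mentions a blacklisted domain.

    A single alternation keeps the rule count manageable for thousands of domains.
    """
    pattern = "|".join(re.escape(d) for d in domains)
    return (
        'SecRule REQUEST_METHOD "^POST$" '
        '"phase:2,chain,deny,status:412,id:%d,msg:\'SK2 blacklisted domain\'"\n'
        '    SecRule REQUEST_BODY "(?i)(?:%s)"' % (rule_id, pattern)
    )


def generate_rules(ips, domains, strength, first_id=900000):
    """Return the rule lines to write into .htaccess for the chosen strength.

    Rule ids from 900000 upward are an arbitrary local range (assumption).
    """
    thresholds = STRENGTH[strength]
    rules = []
    rule_id = first_id
    for ip in _blocked(ips, thresholds["ip_min"]):
        rules.append(ip_rule(ip, rule_id))
        rule_id += 1
    blocked_domains = _blocked(domains, thresholds["domain_min"])
    if blocked_domains:
        rules.append(domain_rule(blocked_domains, rule_id))
    return rules


def age_entries(entries, decay):
    """Aging pass: lower every score by `decay`, dropping entries that reach zero.

    Blocked senders never reach SK2 again, so without this their scores would
    never change and the list would only ever grow.
    """
    aged = []
    for value, score in entries:
        score -= decay
        if score > 0:
            aged.append((value, score))
    return aged


if __name__ == "__main__":
    for strength in STRENGTH:
        print("#", strength)
        print("\n".join(generate_rules(SAMPLE_IPS, SAMPLE_DOMAINS, strength)))
    print(age_entries(SAMPLE_DOMAINS, 70))
```

The rules are regenerated from the blacklist each time rather than appended, so an entry that ages out disappears from the rule set on the next run without any separate removal step.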

I’m really pleased so far. I’m going to be doing some access log mining to get some better statistics.

Spam Karma 2 and mod-security?

Friday, November 17th, 2006

I’ve used Spam Karma 2 on this blog forever, as it’s an effective and glorious piece of software that does its job well, as evidenced by the ~90,000 comment spams eaten. It’s elegantly designed unlike most of my plugins, and actually built to be extended by others with its plugin architecture.

I’ve been playing around with mod_security recently — though I’ve pined over it for quite a bit longer — as it provides some rather hefty and glorious functionality for smacking spammers. I didn’t do this before because Dreamhost didn’t provide mod_security access. A Small Orange does, so I’ve converted most of my referral spam handling over to mod_security. That’s nice, but doesn’t do much over what mod_rewrite offers.

So I set about experimenting with fighting comment spam with mod_security since it’s capable of scanning POST payloads. It should be faster than Spam Karma 2 as it’s a compiled and linked module running in Apache rather than an interpreted script (even though PHP and Zend do happy things with byte code compiling PHP code). I had a whole post written up similar to my original article based on mod_rewrite discussing what mod_security does, how to use it and how to keep up with the spammers.

Sharing resources

But then I had a sudden flash… why should I manually keep up with spammers? I’ve got some hot software that does it for me in Spam Karma. If I could leverage SK2’s blacklisting and moderation handling and automatically generate mod_security rules for me, wouldn’t that be much easier? I mean, SK2 has a ready list of over 4,800 domains that it has quite aptly determined are used for no good. Wouldn’t it make sense to scan all POST requests to my blog and screen out all of them that contain those domains? It does to me.

Thanks to a truly wonderful plugin architecture, it was a relatively painless endeavor. I have a working plugin in place now that keeps my mod_security rules in sync with my SK2 domain blacklist. It is relatively naive right now as, though he had great foresight in most of his plugin architecture, DrDave provided no hook into the blacklist insertion triggers. To his credit, I’m sure there was no evidence of need. But it would be helpful in this case.

Concerns

I do have some concerns and they’re all security-related. In order to allow the plugin to do its work the .htaccess file has to be writable by Apache. Most people do that anyway so WordPress can install permalink rewrites, but I typically don’t. I’m truly interested to hear what others think of the idea and the security implications. I don’t much care about false positives… at all. I’m more interested in the merit of the idea and any possible downsides before I put it out for even a limited release. I don’t mind being a guinea pig on my own site, but it’s a whole separate thing when it’s in public release.

Any comments welcome.