Comment spam and HTTPS

09.03.2015 21:15

Moving this site to HTTPS-only back in November had one unexpected side effect: the amount of attempted comment spam fell significantly.

The graph below shows the number of submitted comments on this blog that were caught by different spam filters over time. The majority of submissions are blocked by the simple textual captcha, shown by the orange line. The sharp drop on the graph corresponds exactly with the date I reconfigured the site to be served through HTTPS.

Blog comment submissions versus time.

Immediately after I noticed this change, I had two theories: either most spam bots do not follow the HTTP 301 redirects that I send on the old HTTP URLs, or they in fact skip HTTPS sites. If the first theory were correct, I would have expected the spam to quickly ramp up again as bots rediscovered my blog on the new HTTPS URL through crawlers or whatever other process they use to find victims. However, as you can see, the spam rate shows no sign of increasing after four months.
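The first theory can also be checked directly against access logs. The following is an added example, not code from the original post: it assumes separate Common Log Format logs for the HTTP and HTTPS virtual hosts, and the sample lines, IP addresses and paths are constructed.

```python
import re
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"\S+ \S+[^"]*" (?P<status>\d{3}) \S+')

# Constructed sample logs (documentation-range IPs, hypothetical paths).
HTTP_LOG = """\
192.0.2.10 - - [20/Nov/2014:10:00:00 +0000] "POST /blog/comment HTTP/1.1" 301 0
198.51.100.7 - - [20/Nov/2014:10:00:05 +0000] "GET /blog/ HTTP/1.1" 301 0
203.0.113.5 - - [20/Nov/2014:10:01:00 +0000] "POST /blog/comment HTTP/1.0" 301 0
""".splitlines()
HTTPS_LOG = """\
198.51.100.7 - - [20/Nov/2014:10:00:06 +0000] "GET /blog/ HTTP/1.1" 200 5120
203.0.113.5 - - [20/Nov/2014:11:30:00 +0000] "GET /blog/ HTTP/1.1" 200 5120
""".splitlines()

def parse(lines):
    """Yield (ip, timestamp, status) for each well-formed log line."""
    for line in lines:
        m = CLF.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, int(m["status"])

def redirect_followers(http_lines, https_lines, window=timedelta(minutes=5)):
    """Split clients that got a 301 on HTTP into those seen on HTTPS within
    `window` afterwards (followed) and those not seen there in that window."""
    https_hits = {}
    for ip, ts, _ in parse(https_lines):
        https_hits.setdefault(ip, []).append(ts)
    followed, dropped = set(), set()
    for ip, ts, status in parse(http_lines):
        if status != 301:
            continue
        if any(ts <= t <= ts + window for t in https_hits.get(ip, [])):
            followed.add(ip)
        else:
            dropped.add(ip)
    # One followed redirect is enough to show the client handles 301s.
    # Matching on IP is a heuristic: NAT and rotating proxies blur it.
    return followed, dropped - followed

if __name__ == "__main__":
    followed, dropped = redirect_followers(HTTP_LOG, HTTPS_LOG)
    print(f"followed 301: {sorted(followed)}")
    print(f"stopped at 301: {sorted(dropped)}")
```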

I don't think lack of support for encryption could be the reason. I'm pretty sure all reasonably modern HTTP libraries transparently support HTTPS as well. My server is also set up in a relatively backwards-compatible fashion as far as SSL ciphers are concerned. It is probably more likely that secure sites are simply not considered a worthy target at the moment. Not that I'm complaining.

Anyway, if you run a website, this might be another reason to switch to HTTPS-only.

Posted by Tomaž | Categories: Code
