Add better support for Akismet

[mmistakes]

I'm currently using the honey pot method but around 3-5 spam comments slip through every day. It's not the end of the world to close these out, but it does junk up my Pull Request stream.

In the beginning I got a lot more spam when I had a website field in the comment form. Eventually took that out, but whoever trained the bots to constantly hit my site must have adapted. Now I get Markdown links in there with messages almost always phrased in the same way.

I see Akismet is an option but wasn't sure if that was available to the public instance of Staticman or not. If enabled I could see it pulling out a good bunch of these comments since they seem to follow a common pattern.

If I can get reCAPTCHA working that would probably solve the issue, but having some snags there too.

[eduardoboucas]

Our implementation of Akismet needs some work done. It's currently set to use whatever key is supplied in the Staticman API, which means one single Akismet account is used to filter spam on all sites. Akismet accounts have usage limits, so I believe it's disabled completely in the public Staticman instance.

We could take the same approach we used with reCAPTCHA and allow each site to supply their own Akismet API key, now that we support encryption.

@zburgermeiszter is this something you'd like to have a go at?

[deadlydog]

I don't see anywhere in the staticman.yml config to put an Akismet API key. Is there any way to use Akismet when not using the public shared instance? Thanks!

[PhuNH]

@deadlydog the Akismet's site and key are configured for Staticman, not for the site, so they are not in staticman.yml. You can set them in config.{ENV}.yml file or using env vars (which are both on where you host Staticman).

[deadlydog]

Thanks @PhuNH , I found which environment variables I needed to add here (AKISMET_SITE and AKISMET_API_KEY), and added them to my Heroku instance.

I've also modified my staticman.yml to include this section:

  # Akismet spam detection.
  akismet:
    enabled: true
    author: "name"
    authorEmail: "email"
    authorUrl: "url"
    content: "message"
    type: "comment"

I know these fields are documented here, but I'm still not entirely sure what they're for besides the enabled one, so I think those docs could be clarified a bit; I'm guessing they'll show up in Akismet somewhere once it starts blocking some spam comments.

I figured I'd document the process a bit in this thread, as I couldn't find any other documentation for it.

Thanks!

[PhuNH]

To collaborate with @deadlydog on documenting the process:
The site URL set up on Akismet and the akismet.site config should both be the URL of where you host Staticman. The comment form sends form data to Staticman at this URL, Akismet also tries to catch spams at this URL, those mentioned fields are for Akismet to know what data it receives.

[willymcallister]

@PhuNH, @deadlydog -- I host Staticman at Heroku.
Is ASKIMET_SITE the same as (or a shortened version of) staticmanUrl?
Example:
staticmanUrl: https://spinningnumbers-staticmandev2.herokuapp.com/v2/entry/willymcallister/willymcallister.github.io/master/comments
[I will add this info to https://spinningnumbers.org/a/staticman-heroku.html]

[PhuNH]

@willymcallister it has to be the URL you use when adding a new site in your Akismet account. You can use the same one as your staticmanUrl, or just the domain name part of it as in the example. Staticman only uses this URL and the API key coming with it to make a call to Akismet, so it can be anything as long as it matches the registered one.

[pingu8007]

It can be working around by updating siteConfig.js schema and modifying lib/Staticman.js to use parameters from it rather than config.js.
However, since reCaptcha is done within controller/process.js while Akismet is parts of lib/Staticman.js, I guess there need some refactoring in the future.