What’s it do?
Spam BLIP is based on DNSBL lookups. DNSBL is ‘DNS Blackhole List.’ Wikipedia has a detailed article on DNSBL. Briefly, a DNS name lookup is used to query a database about an IP address by encoding the address as a host+subdomain with the domain of the database. There are hundreds of DNSBL services. Most of these are meant specifically for email spam. Email spam was the original application of DNSBL, but since weblog spamming has become a big problem too there are some DNSBL domains specifically intended for weblogs.
No, there’s more. A small table is added to the WordPress database. Only a limited number of records are kept so that accessing the table will remain fast. IP addresses that have been found in a DNSBL are added to the table, and it’s checked before doing a DNS lookup, so that the DNS lookups aren’t done repeatedly for persistent spammers. There is a settings page where the number of IP address records kept, and how long they are kept, can be configured. The settings page also provides blacklist and whitelist entry fields for addresses that should never, or always, be allowed. Of course, the settings page also provides the means to set the DNSBL domains that will be used — and something of a ‘micro language’ for interpreting lookup results, but you will probably be fine with the default interpretation, so you don’t need to figure out how to use this feature. The settings page has inline documentation.
The database table is regularly trimmed down according to TTL (Time To Live) and maximum records options. The reason the database table can remain small is that it is not intended to be precious data with permanent or long term storage; it is an expedient to reduce the number of DNS lookups needed (and it does that well). The same IP address typically tries to spam again and again three, ten, twenty times over a span of a few days, or a week or two. You may imagine how storage of such a spamming address in a very quick database table reduces the time waiting for DNS lookups (the time of which varies widely). Spam BLIP may be used in combination with Akismet, the content analysis solution that is included with WordPress. In this arrangement, Spam BLIP is like a pre-filter: Akismet will will only operate on those comments that Spam BLIP has passed. This combined use compensates for downsides of each approach to spam filtering. DNSBL will usually let more spam pass because it is only as effective as the lists it uses are complete. Content analysis at a remote site requires increased network use, and possibly more CPU use. So, Spam BLIP as a first stage will reduce the resources used by Akismet, and Akismet will catch some Spam BLIP misses (because it is very good). There is an important caveat to DNSBL use (Spam BLIP or otherwise). Because it works on IP addresses without knowing the content, there can be false positives. The problem is that a welcome, legitimate blog visitor might be assigned an IP address from their ISP that had been added to a list because the honest ISP had been abused by a spammer that had received the same address. That problem was greater in dialup days when ISP customers would probably get a different address with every dial-in. More recently non-spamming people who keep a broadband modem on all the time are less likely to have an address that lingers in a DNSBL, but it can still be a problem. (Spam BLIP allows whitelisting of addresses and address ranges, but that’s not a real solution). Please consider this before using Spam BLIP.