Clear-cut spam: what it actually looks like

Most spam comments combine two harmless-sounding sentences with a link or contact detail that doesn’t belong to the person named. Three patterns cover the bulk of what shows up in a moderation queue.
The first is generic praise plus a link: a comment that says something like “great article, very informative, thanks for sharing” attached to a commenter website field pointing at an unrelated store or service. The praise alone wouldn’t flag anything; the mismatch between a content-free compliment and a promotional link is the tell.
The second is the keyword-stuffed pitch: a comment that reads as an advertisement in comment form, listing products or services (“personal loans, business cash advances, quick approval”) with no connection to the post it’s attached to. These rarely try to sound like feedback at all.

The third is the template artifact: text that still contains its own generation syntax, such as unresolved brace-delimited synonym options (“I {think|feel|believe} that you {could|can} do with…”). These are rarer now than a decade ago but still appear when a spam script misfires.
A fast way to check any of the three: search the exact phrase from the comment in quotation marks. Boilerplate praise and templated text tend to return dozens of identical or near-identical hits across unrelated blogs; a genuine comment almost never does. If your platform lets you mark a comment link as user-generated instead of editorial, Google’s developer documentation recommends the rel="ugc" attribute specifically for links inside comments and forum posts, which is worth setting as a default before you even get to manual review.
Does adding rel=”ugc” to comment links actually stop the spam?
No. It tells Google not to treat the link as your editorial endorsement, which removes the SEO incentive for link-building spam, but it doesn’t filter or block anything from appearing on the page. It’s a link-attribution setting, not a moderation tool.
Why the old checklist is aging: comment spam is catching up to AI

The checklist above (irrelevant praise, template syntax, poor grammar) was built for a specific era of spam production. That era is already shifting, and the volume behind it is larger than most moderation guides acknowledge.
Akismet alone has processed over 571 billion pieces of spam across its more than 100 million protected sites. CleanTalk’s own network recorded 66,771,464 anti-spam blocks, 659,567,368 SpamFireWall blocks, and 114,415,543 SecurityFireWall blocks in June 2026 alone.
For a sense of how the old-style templated spam actually got made: in April 2013, developer Scott Hanselman documented a case where a spam bot misfired and posted its entire comment-generation template, verbatim, into his blog’s comment field, an incident he wrote up in detail on his own site. That single accident is the reason the brace-delimited synonym pattern became a recognizable signature across a decade of comment moderation guides.

What’s changed since then is the production method, and the clearest sourced signal of that shift comes from a different but related channel: email, not blog comments. A large-scale analysis by Barracuda Networks found that by April 2025, 51% of spam emails were generated by AI rather than a human, up sharply from before ChatGPT’s release. That’s an email-spam figure, not a comment-spam measurement, but it’s the best available indicator that AI-written text has become the default production method for spam broadly, and comment spam runs on much of the same underlying tooling.
| Trait | Templated/bot spam (2010s style) | AI-generated spam (current) |
|---|---|---|
| Grammar and spelling | Often broken by synonym substitution | Typically fluent, few errors |
| Relevance to the post | Usually generic or off-topic | Can reference the post’s actual subject |
| Exact-phrase search test | Often matches dozens of other sites | Frequently unique, no match |
| Detectable artifact | Brace syntax, repeated phrasing | No fixed template to spot |
| Production cost | Low, one script serves many sites | Low, one prompt serves many sites |
This table settles one specific point: the exact-phrase search test from the first section loses reliability against AI-generated text, because there’s no shared template to match against. Grammar and topical relevance, the two signals every moderation checklist leans on hardest, are exactly the two an AI model no longer gets wrong.
| Country | Share of tracked spam traffic (Aug 2025 to Jun 2026) |
|---|---|
| United States | 30.07% |
| Netherlands | 12.43% |
| Germany | 6.05% |
| China | 4.33% |
| Singapore | 4.12% |
The United States generates roughly three times the tracked spam traffic of the next-largest source, which matters if you assumed most comment spam originated overseas.
Can a spam comment really pass every grammar and spelling check now?
Yes. Fluent, topically relevant text no longer costs a spammer anything extra to produce. Grammar and topical relevance are still useful signals against older bot traffic, but they’re no longer reliable on their own against current AI-generated submissions.
A weighted way to decide, not just a list of red flags

A flat list of warning signs doesn’t tell you what to do when two of them point in opposite directions. The table below ranks the signals from the sections above by how much weight each one deserves on its own.
| Signal | Strength as a standalone indicator | Notes |
|---|---|---|
| Link or contact field unrelated to commenter’s stated name | Strong | Close to disqualifying by itself |
| Comment matches other sites verbatim (exact-phrase test) | Strong | Reliable against templated spam, weak against AI-generated text |
| Generic praise with no post-specific detail | Moderate | Common in real short comments too; weigh alongside other signals |
| Poor grammar or spelling | Weak | Also common among non-native English speakers; not disqualifying alone |
| New or first-time commenter | Weak | Expected behavior for genuine first-time visitors, not a red flag |
| Topically relevant, fluent text with no link | Near-zero | Increasingly the profile of a genuine comment; don’t overweight fluency as reassurance |
The takeaway this table supports is specific: a missing or mismatched link carries more weight on its own than grammar or fluency do combined, so when those signals conflict, follow the link, not the writing quality.
Getting this wrong has a real cost in both directions. Reject too aggressively and you lose a genuine reader’s engagement, sometimes permanently, since most people don’t resubmit a comment that vanished. Approve too permissively and a spam link sits on your page, associated with your content, until you catch it. Akismet’s advertised 99.99% accuracy figure is a blended number across all the spam it processes; it isn’t a guarantee against your specific queue, and a small share of legitimate comments will still get caught by any automated filter.
What happens if I mark a real comment as spam by mistake?
Most comment systems, including WordPress’s native moderation queue and Akismet’s own dashboard, let you review the spam folder and restore a comment by marking it “not spam,” which also feeds that correction back into the filter for future submissions.
The hard cases: when the signals disagree

The two scenarios below are constructed illustrations built from the signals discussed above, not captured real comments, since no verified public dataset of genuinely borderline cases turned up in research for this page.
First: a short, sincere comment from a non-native English speaker, containing grammar mistakes and no post-specific detail, but no link and no contact-field mismatch either. Weighed against the signal table above, the missing link outweighs the weak signals, and the safer default is to approve it.
Second: a comment that reads as fluent and specific, correctly naming a detail from the post, but attached to a commenter website with no plausible connection to the topic. Here the link mismatch is the strong signal and should override the otherwise convincing text.
Neither case resolves cleanly from a single rule. Both resolve the same way once the weighting from the previous section replaces a scan for the loudest individual red flag.
Beyond WordPress

Everything above concerns the comment text itself, which doesn’t change by platform. What changes is where the moderation controls live: WordPress groups them under Settings, Discussion; Disqus and Facebook Comments handle link and profile checks inside their own dashboards; and native comment systems on Shopify, Squarespace, or Ghost typically fold spam filtering into a single toggle. Only the settings location changes; the signals and the weighting above apply everywhere.
Does the rel=”ugc” recommendation apply outside WordPress too?
Yes. It’s a general HTML link attribute recognized by Google regardless of platform, not a WordPress-specific feature, so it applies equally on Disqus, Shopify, Squarespace, Ghost, or a hand-built comment system.
Keeping the queue manageable

Once you can classify a comment confidently, filtering does the volume work for you. A moderation-hold threshold on comments with two or more links catches the keyword-stuffed pattern from the first section automatically. A third-party filter (Akismet and CleanTalk are the two with public, current statistics cited above) catches most of what a manual link-count rule misses. Marking comment links rel="ugc", per Google’s own recommendation, removes the SEO incentive behind link-building spam specifically, even for the submissions that make it through.