Episode 297: Talking OOPSpam
Show Summary
Rob Cairns talks to Onar Alili about his product OOPSpam
Show highlights:
- What is spam?
- How to protect yourself from Spam?
- What is OOPSpam?
- Features of OOPSpam.
Show Notes
Hey everybody, Rob Cairns . Today I’m here with my guests Onar Alili and we’re going to talk about OOPSpam am his spam product. How are you today on Onar?
I’m good rob. How are you doing?
I’m doing great, thanks for joining me in a conversation. I think this will be interesting and I know you got an interesting back story, so I want to start by asking you how did you get into WordPress and then I’d like you to tell the story. I’ve seen it on how you got into security.
So I will start with, uh, WordPress. Maybe I will start with security and. Like I first I, I actually when I was in high school I started with security and I did some penetration testing on some websites and including some government websites health with some organization even when I was in high school. So I when I started college I took some classes in securities. And I did my masters and I again I took and did all the security related classes and did project. And and I did some risk and then. I started as a research fellow. And in my university in Italy and we did some research on security side like mostly about network security and analyze the data, try to predict where attack can be can happen. And yeah, that’s all started. And then WordPress part I started WordPress. When I was first I started with help after college I didn’t know what to do and I I thought this was a good idea to start agency. But and so because I, I was I was an academic, so I did all academic work. Then I I didn’t want to go back to corporation. And work. So I thought maybe I should work for myself and start agency. Then I start doing WordPress help people again with the WordPress and I yeah that’s how I introduce myself to WordPress.
That’s how it’s always interesting to find out how people got in to WordPress and and found the CMS and.
Yeah, yeah. I guess it’s go to CMS WordPress. Wherever you search, you always come. Uh, online. It always comes up, WordPress comes first. And yeah, I mean for me WordPress was really good getting started with the what’s I mean? I didn’t know I didn’t have a PHP background. I didn’t wrote any code in PHP, but WordPress was pretty easy to get started and. From the start building websites for customers. But I had an engineering background so 13 years so it was pretty easy to get started. Then I started my company and and that way I also started working on the plugin development and that’s where I got to know more about core WordPress and stuff.
So I have to ask you, you have a a plugin that protects from spam code spam. Do you guys have a? The free version in the repository and then a paid version. Or do you go right to the paid version? And if so, why did you make that choice or? Not make the choice.
So we have a, so we have a trial, uh, up like in works, sends a request to our server so it doesn’t stand alone. It doesn’t work offline so it has to connect to the officer to send. So we have a 40 days, uh no 40 checks, spam checks when you install plugin and you take the if you like from our dashboard and put it in our plugin. You can test it for for 40 spam checks. After that, either you aggregate or wait another month to reset rate limit. So 40 spam checks per month. It’s free, of course it’s not enough. 40 spam check isn’t that much, but we were thinking it as a like for testing purposes. Not necessarily. Actually using it.
OK.
Why we make that choice? We, oops, ma’am started as a API. I mean still it’s main product. The API WordPress plugin we just developed to support WordPress community and get into the WordPress community. But we were initially we started with 40 free trial and that’s how it started and that’s why we went with that with WordPress 2. But I know so many if like and they have freemium’s and they recommend to have premiums to attract their users.
There’s a number of developers I know, like for example. My good friend over at WS Farms, Mark Westgard, he runs a. Free version in a repository that’s kind of scaled down, and then, depending on what you want, or if you want to go right up, in my case, right to the agency license, what the cost will be in it. It fluctuates based on on that. So I understand people make their choices for one reason or. In terms of what your plug in does, let’s talk about functionality. What’s the main function of it and how does it help secure your website?
So, uh, oops Pam. So Usam doesn’t use any JavaScript in your front end, so. Or any cookies or so there is no capture to solve. There’s no challenge to solve for customers, and there is no cookies or no JavaScript on your website. When you install soap spam so so many times that people have problems because of in terms of privacy because of like in user. Cookies or performance problems? Because these plugins don’t loads a lot of JavaScript and. And other files so Usman doesn’t do that, it just works in back end in the server when you get when you get comments or contact form. It’s just in the background. It takes this information and sends us and we analyze it and we send it back to the result. And that’s how some decides to let that contact form submission, for example, to outlaw or. That’s basically how it works and on our end also, when you get a comment or contact from some machine, it stores it locally in your WordPress database. We don’t store it on our end, we store both spam and non spam entries. In local WordPress database we don’t store anything on our end. I think that’s for our customers. Also important in terms of privacy.
No, I I would agree. I mean, the big problem with storing stuff everywhere else is the privacy and what degree those SaaS products take to lock down their sites. And that’s a big deal, so I’m 100% in in that agreement. What would you say your success rate? Is embarking bots because we know with most contact form submission most spam is caused by bots, not individuals, right? How successful is your product and blocking bots versus using a CAPTCHA or some other format?
So yeah, we have a. Like uh, 99 point. 8-9 percent we get success rate, but of course that depends what kind of like spam you get, that’s like. If you calculate that. Based on for example, every month you get let’s say 1000 and we see so OK 99. 999 detectives correctly detected and that’s how we know that we rate accuracy. But sometimes it can go down. Sometimes that accuracy can go down or up. It depends on what kind of spam we get. It’s of course it’s easier to detect spam when they are bought. I think one difference that we also have is that we have a spam is a content based content based spam filter. So if you contact forum or your comment has a message field when we also check that content against our machine learning model so. That helped us to even like if someone entered manually spam. We’re able to detect this kind of spam too, but like a capture or edge capture is kind of solution. They just track they track and they see if this activities are like robot boats or not.
Yeah I I would say like from a user perspective because I sit on both sides right? Three sides, actually I’m a web designer. I’m certainly deep into security. I think I shared with you before we went to record a couple weeks ago that I’ve. And manage over 300 sites from a security perspective. And then I’m a user. And I’ll tell you, from a user perspective, Captchas are like the bane of my existence. I hate them. I understand why they’re there. From the technical side, but oh do. I hate doing them. And they are.
Yeah, yeah.
They are just a pain. I think one of the more constructive. Captures I’ve seen lately is on a couple of websites where you’ll slide like a. A square or circle to go on top of the square circle on the screen. I find that way better than the here’s 10 pictures and choose the three that have the fire hydrants and the and the two that had the mountains and you. Know have that coast right so?
Yeah, there is so many issues with that, like another issue, for example most overlooked is like let’s say recapture appears and says that choose mailbox and mailbox looks different in every. Country and and they usually show the USA mailbox and some customers they don’t know. OK, which ones are mailbox and sometimes pictures are similar to each other. That time has the issue like accessibility issues and privacy is another topic they’re working with.
And that’s always the problem with security. When we get into these protection solutions is how do we handle accessibility and how do we handle that whole side of it? In the US, that’s a big issue. More so than here, but we do have mandates here that if, like certainly in Ontario, if your website is a government website or a funded by government or a nonprofit, you must have accessibility in place so that that’s a big issue, right?
Yeah, I mean, lots of I heard that I’m in agents web agency community group and I see a lot of people. Clients sometimes get like layer from law firms that we are not accessible with. Ada, so that’s certainly an issue accessible. I mean because many people can distinguish pictures even like people without disabilities. There’s still a lot of issues with them, sometimes are hard to distinguish what’s a picture, or I mean which score you have to click. It’s just. There’s too many things to decide.
Oh I, I wholeheartedly agree with you, so you’re kind of your background is. That you guys protect. Many many, many websites and. How is it typically one offs? Or is it agencies getting on agency plans? Who are doing websites for their customers or kind of? How’s your customer based kind of sport? If you don’t mind sharing.
No, it’s OK. Most of our customers are agencies and after Lancers that works with that work within multiple clients. So basically our agencies and they just need wiper. All of our plans comes with unlimited websites and that’s another things they like because they don’t want to. Pay per website is this use one key for unlimited websites and most of them are agencies and some organization like we have. Some organization like nonprofits. The standalone companies also uses it. And we have some interesting like Spotify, sorry, Shopify, Shopify app like judge me. It’s a review system. One of the top apps on Shopify. They are like they are not agency but they process a lot of reviews. They are one of our customers. Yeah, so not. Not all of them are agencies but majority agencies.
Yeah, and typically what does your product run out cost wise? What do you guys charge?
So our lowest plan is 49 per month.
OK.
And that goes then 6 to 9 and goes up like.
This OK and what’s? What’s the difference between the plan levels? Is it features, is it? Number of licenses what? What do you? How do you distinguish?
So there’s one key. You get one API key, and that’s all distinguished based on API calls. How many calls you can make to our server. So first one is 100K requests and the second one is 300 K, so so you just pay for a PR. Calls and there is some features included. Each plan, but uh, like more like it’s based on say, number of API calls you can make and the key you can API key. You can use unlimited websites. You don’t have to pay for every.
Website Yeah yeah. Pay by the calls instead of by the websites so so and how do you distinguish what? Do you guys distinguish? Typically that takes one API call? I know that’s been technical, but if they’re charging by calls, what do you consider? What triggers a call?
Uh, so basically if you install WordPress plugin for example and your you get submission contact form submission.
That’s one call.
That’s one call, yeah?
OK, that that, that’s actually pretty reasonable. So if you’ve got so, the the moral of the story is if you got a couple of high volume websites, you’re probably gonna go through the number of calls more than somebody who’s got 50 websites that are all low volume and very low contact form submissions, right so?
Yeah, most of our customer even agents. We have a freelance plan, agency plan and business. Like most of our business, like web pages, customers are subscribed to freelance plan because hundred NK. Usually, if enough for them.
OK.
But big yeah, big car. For big companies organizations, they subscribe to bigger plan just to get extra documents, process or get faster support and.
Yeah, that’s pretty typical, so that’s that’s good on that end, and you mentioned the. The other thing is, how helps with? If I recall, is comment spam correct and? I think I think a lot of. I think something like this would have probably been a bigger use like 10 years ago or 15 years ago, and I hate I hate to say that because I think a lot of websites, just frankly just turned off the comments now, so that’s not as much an issue anymore.
Yeah it it’s used to be like I’m used to. Be many website I had. Uh, comments section, but now most of them just turned off and they don’t even have a comment section. But it’s sometimes if you have. If you’re blocking actively and it’s just helpful to have community, you can. You can ask questions. And discuss with you.
The site, like WP Tavern gets. Because it’s a new site and probably the most known new site, new WordPress space probably gets way more comments. I mean, I know from my perspective. Oh, ten years ago I was probably averaging. 304050 comments a week, and when I turned them off I was averaging 1A week and either it was one I can guarantee. It’s 3/4 of them or comment for or comment spam and pharma links and crypto links and everything else and I just said no. I don’t want to deal with this anymore, I’m done. Turn them. Off because I think I think most of the comments actually now take place on social media and not on your website. I think that’s the way it’s gone.
Yeah, social made. Yeah, definitely not. Comments went to the different platforms also like they most of them are not. I think comments, spams are now more like reviews, spams that you can see from Amazon to different platforms. They just moved there and just they post their spam there and they become also smarter. Like they are not anymore like more crypto or similar. They are more like advanced they commands. Where they use. AI to write search in like human like you can’t. You cannot tell like it is written by boat or by someone manually submitted this kind of spam that we work on. This kind of spam to detect with machine learning model. Of course it’s harder because.
Because they use.
Also, similar models to write text that sounds like someone real.
Yeah, and and like to be fair, I I think being in the security space and understanding it products like this are are necessary. But there are. There are really hard sell because they’re not sexy like I hate to say use that term, but they don’t. You know they don’t appease. Do something and they don’t. They’re not, uh, really hard on the sexy side. Like it’s not like something that makes something pop out at you or something. And I and I would say that’s true of every product in the security space their heart sells to clients sometimes don’t you think?
Yeah, I agree, I mean. It’s first you have the. Client for in terms of agency perspective client has to like believe that security is important and we just. I think we’re just starting. See that people started blaming the security why they need it and it’s hard to sell because I mean I cannot. Send e-mail uh like weekly e-mail to the my customers because they don’t want to hear about spam all the time. But if you. Have some kind of different plug-in that’s compresses image or I don’t know, maybe more like fun plug in that probably people like to heard about them more than heard about for which gate?
Yeah, it’s so true. What is next on the radar for oops spam? Do you have a bit of a road map on what you’re gonna include? What you’re not gonna include and where you’re going?
So we had it, uh, we’re adding more contact form integration as of now and testing on WordPress 6.1 and making sure that it works everything. And also if we’ve updated our infrastructure to like because we recently. Denial of service attack and we’re making sure that it doesn’t happen again and. In general, just we just focus on infrastructure and our current customers. And and also working our workforce plugin and trying. Also we have plugins for apps for Zapier and make and different automated platforms, automation platforms and work on answers apps to.
Me too.
To make sure they also. I mean it’s hard to get in because there’s so many apps in those platforms. We’ll see how our plugin works is. On those platforms so.
Have you looked at? Branching out to any other CMS’s like Joomla or Drupal or anything like that.
No, no, really, we didn’t, uh, we don’t have any. We didn’t develop any integration with those platforms like not Drupal or Joomla, but, uh, we don’t. We just focused on WordPress. Looks like it’s more most popular. Yeah, uh, yeah, it’s we still provide API’s. So if someone wants to integrate to their website they could. Of course it’s nice to have when companies they provide the already built in already. The apps for those platforms.
So true Onar, thanks for joining me today and talking a little bit about the product OppSpam
Thanks so much and I wish you all the best with. The product have a great.
Yeah yeah yeah, thanks so much.