I installed to Akismet this weekend, to deal with a new flood of comment spam that had been getting by mod_security and my other measures. It literally took me 15 minutes to install, thanks to the libraries already available for it. In my case, I used the PHP5 library from Aching Brain dot Net. So far, its correctly identified potential comment spam, although I haven't had any real comments in quite a while, since I've been lazy about writing. I guess, I'm asking for real comments then to help test.

So full up front discolure - I'm not a baseball fan by any strech.  Partially for two reasons, my only memory of professional baseball when I was younger is that it would throw a giant monkey wrench into my afternoon TV watching habits. Also, I was a terrible player during my little league career, mostly cause I couldn't motivate myself much to stand in the grass or sit on a bench. What brings this up? This little news blurb from ESPN, which I'm posting because its about my wife's hometown team the Orioles. Seems fans are none to pleased with where Angelos' ownership has taken the team and it all culminated in a walk out protest during yesterdays game.

Baltimore is in the midst of its club-record ninth consecutive losing season, all of them under the leadership of Angelos, who gained control of the franchise in 1993.

Poking around, like you do on your server, I noticed that php session files weren't being deleted, even after a few days. Turns out, PHP's automatic garbase collection is disabled on Debian. Instead, its replaced by a cron script that cleans out the /var/lib/php5 directory, which is where sessions are saved by default. If you're a security conscious PHP developer, you give each php application its own session save path. If you do that on a debian box, make sure you reenable garbase collection by setting seesion.gc_divisor to a positive integer.

; Define the probability that the 'garbage collection' process is started
; on every session initialization.
; The probability is calculated by using gc_probability/gc_divisor,
; e.g. 1/100 means there is a 1% chance that the GC process starts
; on each request.

; This is disabled in the Debian packages, due to the strict permissions
; on /var/lib/php5.  Instead of setting this here, see the cronjob at
; /etc/cron.d/php5, which uses the session.gc_maxlifetime setting below
;session.gc_probability = 0
session.gc_divisor     = 100

Also, the README.Debian file spell this out, shame on me for not reading it, but it should also contain instructions for handling the above situation.

    Session files are stored in /var/lib/php5.  For security purposes, this
    directory is unreadable by non-root users.  This means that php5 running
    from apache, for example, will not be able to clean up stale session
    files.  Instead, we have a cron job run every 30 mins that cleans up
    stale session files; /etc/cron.d/php5.  You may need to modify how
    often this runs, if you've modified session.gc_maxlifetime in your
    php.ini; otherwise, it may be too lax or overly aggressive in cleaning
    out stale session files.