nicholasjon.com

Comment spam

Being on the receiving end of comment spam sucks. I use two techniques to try to slow it down, but some still manages to get through.

The first of my techniques is wrapping the actual comment posting form in an Ajax request. This weeds out bots that can’t handle JavaScript or XMLHttpRequests. The second is a double-encoded hidden form field in the actual comment posting form. Both the name and the value of that form change every few minutes, rendering old name-value pairs useless and basically preventing comment spam posting without actually hitting the site immediately beforehand.

Like I said, some manages to get through anyway. But I’m trying to do what I can without resorting to blacklists or CAPTCHAs — which I think are tantamount to giving up, though I admit they may be in my near-future.
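The rotating hidden field described above, sketched as an added example that is not code from this post or this site. The post does not say how its field is encoded, so this sketch swaps in HMAC-SHA256 over the post id and a five-minute time window; `SECRET`, `WINDOW`, `GRACE`, `issue_field` and `check_submission` are hypothetical names and values.

```python
from __future__ import annotations

import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: random per-site key, server-side only
WINDOW = 300                         # assumption: name and value rotate every 5 minutes
GRACE = 1                            # also accept the window just before the current one


def _derive(label: str, post_id: str, window: int) -> str:
    """HMAC over (label, post, window); the label keeps name and value unrelated."""
    msg = f"{label}|{post_id}|{window}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def _pair(post_id: str, window: int) -> tuple[str, str]:
    return "f_" + _derive("name", post_id, window)[:16], _derive("value", post_id, window)


def issue_field(post_id: str, now: float | None = None) -> tuple[str, str]:
    """(name, value) to render as a hidden input when the comment form is served."""
    stamp = time.time() if now is None else now
    return _pair(post_id, int(stamp // WINDOW))


def check_submission(post_id: str, form: dict[str, str], now: float | None = None) -> bool:
    """True only if the form carries a pair issued for this post in a live window."""
    stamp = time.time() if now is None else now
    current = int(stamp // WINDOW)
    for window in range(current, current - GRACE - 1, -1):
        name, expected = _pair(post_id, window)
        submitted = form.get(name)
        # Compare as bytes in constant time; non-ASCII input must not raise.
        if submitted is not None and hmac.compare_digest(
            submitted.encode(), expected.encode()
        ):
            return True
    return False
```

The grace window keeps a reader who loaded the form just before a rotation from being rejected. A stale pair replayed later, or a pair lifted from a different post, fails the check.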


Comments

Posted by Quix0r at 2:59am on 11/29/2006

Hi! How did you do that with the name-changing? I have also written an anti-spam plug-in called “CPR” which adds an auth-key to the “action” value of the comment form. I’m interested in including your script in mine and giving you back something we can discuss about… ;) What about trackbacks? Or some textlinks?


Posted by Nick at 7:15am on 11/29/2006

Setting the name of the form field is just as easy as setting the value. The only trick is picking a name that, when decoded, is identifiable to your app. I’m not going to tell you what I use for obvious reasons, but even using something as simple as the title of your post to seed the encryption or the current timestamp will get you moving and thinking in the right direction.

