milov.nl

Interaction design • webdevelopment • web art • photography

October 2003

My guestbook has been getting quite a bit of comment spam lately. Someone from *.wanadoo.fr (who isn't POI) is posting comments under a variety of names and urls, all pointing to crappy casino/pharmacy/ringtone sites. I've been letting it slide until now because I sort of admire his/her effort of thinking up new "compliments" about my site, as if they were genuine guestbook entries.

Then there's the repeated buup114 spammer, who, according to my logs, opens entry 1516, posts the same exact comment and leaves again. Never mind that the text is completely indecipherable...

I like how I've maintained an almost zero percent moderation rate with regard to comments (I don't even remove double-posted comments), but I think I will be removing at least the urls from these ones, to discourage further attempts at enhancing one's PageRank like this.

More discussion on comment spam at Simon Willison, Jeremy Zawodny, Jay Allen and dive into mark.



Calm_Pear wrote on 2003/10/04:
I haven't yet encountered this on my weblog, luckily... I think we should think of something simple to prevent this from happening, something cunning... I don't know yet... I'm still workin' on it. (no, not something like www.fark.com where you have to register first... it must be more clever than that)


huphtur wrote on 2003/10/05:
what about banning the ip?


jimmy wrote on 2003/10/05:
Two weeks ago somebody pasted about 50 urls, about penis-enlargements!, in an entry from 5 months back. Probably he didn't know I get an email when somebody posts a comment. Otherwise I would never have found it.
And then I banned the IP Huphtur :-)


Kethinov wrote on 2003/10/05:
This is the biggest reason why I don't include comment features on my weblog. But I've started working on a new open source php/mysql weblog based on the source code for mine and I'm thinking of including commenting abilities. But depending on what kind of weblog you maintain, how popular it is, and what kind of person you are you may get varying degrees of crapfloods.

I'm no stranger to being crapflooded myself with my history of using the net, so I'm reluctant to incorporate the feature at all.


Lon wrote on 2003/10/05:
these comment-spammers obviously use some sort of automated script to do this...

what would happen if your comment-form would hold some javascript that would set some hidden fields. If the hidden fields aren't there the comment won't be accepted. My guess is the automated spam-script wouldn't be able to run the javascript and just post...

No action required from end users. Your browser just needs to prove it's a browser and not some spam-script.

feedback, ideas?


P01 wrote on 2003/10/05:
Alas, few ISPs offer static IPs, so IP banning may kick some real users.

For instance, Wanadoo (a popular French RTC, ISDN & ADSL ISP) has 2-3 big IP ranges. The users get a new IP every time they reconnect, and to avoid home-made web hosting, Wanadoo disconnects its users every 24H.

In any case, if the comment system is flooded by the same IP or URL (the ones given by the user and the ones in the comment itself), they should be temporarily banned and reported to the weblog author, who can eventually blacklist them.

Unfortunately the weblog author has to keep an eye on the comment logs.

Feeding some hidden fields with hash values is a good idea, but server-side code should be involved 'cause client side can easily be reverse engineered.

The best idea I've heard is to add a text field and ask the user to enter the letters of a random string generated (with some noise) via GD. That idea has some accessibility problems :( but it would make spam-bots inefficient.

Finally, IMHO user comments add great value to weblogs.


Caroline wrote on 2003/10/05:
See also today's entry at plasticbag.org
http://www.plasticbag.org/archives/2003/10/a_victorian_responds_to_comment_spam.shtml


Lon wrote on 2003/10/05:
OK, how about this:

(I'm assuming JavaScript ASP here, but it's really simple so any server side language would be ok)

in your form place this hidden field:
<%@ language="JavaScript" %>
...
<input type="hidden" name="t1" value="<%=(new Date()).getTime()%>"/>

on the server the comment-processor should have this:
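<%@ language="JavaScript" %>

<%
// Get form-creation time stamp (NaN if the field is missing or not a number)
var t1 = parseInt(Request("t1"), 10);

// Get current time
var t2 = (new Date()).getTime();

// Check whether timing ok (>3 seconds, < 1 hour).
// A missing or invalid t1 is rejected explicitly: comparisons against NaN
// are always false, so without isNaN() such a request would be accepted.
if (isNaN(t1) || (t2 - t1 < 3000) || (t2 - t1 > 3600000))
{
    // Stop
    Response.end();
}
else
{
    // Handle comment submission
    // ...
}
%>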

Result: only comments that took more than 3 seconds since the page was created are submitted.
Human submitters can never open, read, write and submit a comment within 3 seconds. Automatic scripts will do it a lot faster. They will get filtered out.

So? Is this an idea worth while testing?
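
An added example, not part of the original thread: the timing check in the comment above trusts whatever t1 the client sends, so this version has the server sign the timestamp with an HMAC and verify it on submission, in line with P01's remark that server-side code should be involved. It is written for Node.js rather than classic ASP; the secret, the function names and the timestamps are constructed for illustration.

```javascript
// Added example: HMAC-signed form timestamp (Node.js). All names are illustrative.
const crypto = require('crypto');

const MIN_MS = 3000;      // lower bound from the comment above: 3 seconds
const MAX_MS = 3600000;   // upper bound from the comment above: 1 hour

function sign(secret, ts) {
  return crypto.createHmac('sha256', secret).update(String(ts)).digest('hex');
}

// Value to place in the hidden field: "<timestamp>.<hex hmac>"
function issueToken(secret, now) {
  return now + '.' + sign(secret, now);
}

// Returns 'ok', or the reason the submission is rejected.
function checkToken(secret, token, now) {
  const m = /^(\d{1,15})\.([0-9a-f]{64})$/.exec(String(token || ''));
  if (!m) return 'malformed';                      // missing or garbled: fail closed
  const expected = Buffer.from(sign(secret, m[1]), 'hex');
  const given = Buffer.from(m[2], 'hex');
  if (!crypto.timingSafeEqual(expected, given)) return 'forged';
  const age = now - Number(m[1]);
  if (age < MIN_MS) return 'too-fast';
  if (age > MAX_MS) return 'expired';
  return 'ok';
}

// Constructed sample values, not taken from the page.
const SECRET = 'constructed-demo-secret';
const T0 = 1065312000000;

function demo() {
  const token = issueToken(SECRET, T0);
  const backdated = (T0 - 60000) + '.' + token.split('.')[1]; // edited t1, old signature
  return {
    human: checkToken(SECRET, token, T0 + 45000),
    bot: checkToken(SECRET, token, T0 + 200),
    stale: checkToken(SECRET, token, T0 + 2 * MAX_MS),
    backdated: checkToken(SECRET, backdated, T0 + 200),
    absent: checkToken(SECRET, undefined, T0),
  };
}

console.log(demo());
```

Signing only stops a client from back-dating t1; a token stays valid for the whole hour, so a site that also wants each form to be used once has to record the tokens it has already accepted.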


milov wrote on 2003/10/05:
Are people really getting automated comment spam? Seems to me that most of it is just manually entered, requires relatively little effort anyway for instant result (a link to your site).


Mr. Anonymous wrote on 2003/10/05:
Milov: concerning the comments, there are many discussions going on. According to the Dutch blog of Adam Curry they also discussed the comments at the Bloggercon. Maybe you can wait and see what he will write about it in his report about it. He promised to do so...


P01 wrote on 2003/10/05:
I was thinking of a spam-bot as a means to increase the pagerank of a naughty site. Those sites have the resources to do that. They already spam mail boxes with poor results. At least spamming some weblogs has a noticeable effect and may increase their ad. incomes since they get better places on search engines.

A set of "human like" comments can be used to make believe they come from a lonely soul that has nothing better to do.


Maarten wrote on 2003/10/07:
Using JavaScript to prevent spam is a very bad idea. A lot of people disable JavaScript by default, because it is a security risk.


Lon wrote on 2003/10/07:
who's using javascript to prevent spam? if you were referring to my proposal: it's javascript, but purely server-side.

and i don't think JS in the browser is a security risk.
and i do think you can't surf the web in a decent way having js disabled. i guess you would be used to having non-functional pages.


Kid A wrote on 2003/12/27:
You are all spammers, you don't even understand that


FreeChat wrote on 2004/02/09:
Thanks! Enjoed the time on your site! Sincerly yours, <a href="http://bilder.llil.deSPAM">Bilder</a>