My guestbook has been getting quite a bit of comment spam lately. Someone from *.wanadoo.fr (who isn't POI) is posting comments under a variety of names and urls, all pointing to crappy casino/pharmacy/ringtone sites. I've been letting it slide until now because I sort of admire his/her effort of thinking up new "compliments" about my site, as if they were genuine guestbook entries.
Then there's the repeated buup114 spammer, who, according to my logs, opens entry 1516, posts the same exact comment and leaves again. Never mind that the text is completely indecipherable...
I like how I've maintained an almost zero percent moderation rate with regard to comments (I don't even remove double-posted comments), but I think I will be removing at least the urls from these ones, to discourage further attempts at enhancing one's PageRank like this.
More discussion on comment spam at Simon Willison, Jeremy Zawodny, JayAllen and dive into mark.
And then I banned the IP Huphtur :-)
I'm no stranger to being crapflooded myself with my history of using the net, so I'm reluctant to incorporate the feature at all.
What would happen if your comment form held some JavaScript that set some hidden fields? If the hidden fields aren't there, the comment won't be accepted. My guess is the automated spam script wouldn't be able to run the JavaScript and would just post...
No action required from end users. Your browser just needs to prove it's a browser and not some spam script.
feedback, ideas?
For instance, Wanadoo (a popular French RTC, ISDN & ADSL ISP) has 2-3 big IP ranges. The users get a new IP every time they reconnect, and to avoid home-made web hosting, Wanadoo disconnects its users every 24H.
Whatever the case, if the comment system is flooded by the same IP or URL (the ones given by the user and the ones in the comment itself), they should be temporarily banned and reported to the weblog author, who can eventually blacklist them.
Unfortunately the weblog author has to keep an eye on the comment logs.
Feeding some hidden fields with hash values is a good idea, but server-side code should be involved 'cause client-side code can easily be reverse engineered.
The best idea I've heard is to add a text field and ask the user to enter the letters of a random string generated (with some noise) via GD. That idea has some accessibility problems :( but it would make spam-bots ineffective.
Finally, IMHO user comments add great value to weblogs.
http://www.plasticbag.org/archives/2003/10/a_victorian_responds_to_comment_spam.shtml
(I'm assuming JavaScript ASP here, but it's really simple so any server side language would be ok)
In your form, place this hidden field:
<%@ language="JavaScript" %>
...
<input type="hidden" name="t1" value="<%=(new Date()).getTime()%>"/>
On the server, the comment processor should have this:
<%@ language="JavaScript" %>
<%
// Get the form-creation time stamp from the hidden field
var t1 = parseInt(String(Request("t1")), 10);
// Get the current time
var t2 = (new Date()).getTime();
// Reject when the field is missing or non-numeric (NaN would pass every
// comparison below and let the comment through), or when the timing is
// off (< 3 seconds or > 1 hour)
if (isNaN(t1) || (t2 - t1 < 3000) || (t2 - t1 > 3600000))
{
    // Stop: looks like a script (or a stale form)
    Response.End();
}
else
{
    // Handle comment submission
    // ...
}
%>
Result: only comments that took more than 3 seconds since the page was created are submitted.
Human submitters can never open, read, write and submit a comment within 3 seconds. Automatic scripts will do it a lot faster. They will get filtered out.
So? Is this an idea worthwhile testing?
A set of "human like" comments can be used to make believe they come from a lonely soul that has nothing better to do.
And I don't think JS in the browser is a security risk.
And I do think you can't surf the web in a decent way having JS disabled. I guess you would be used to having non-functional pages.