Posted: 10/14/2003

Easy ways to combat comment spam

In light of the recent comment spam epidemic, I have come up with a few unusual methods to combat such unsavory efforts.

1. Use ROT13 to obscure/unobscure submitted text on the browser side as well as the server side.

If you check out this JavaScript ROT13 example, you will probably notice what I did: the same ROT13 function can be used to obscure and unobscure text. So here's what you can do: after someone types in a comment and associated data (email address, URL) and presses the Submit button, the browser scrambles this information using ROT13 before sending it to the server.

So, if I am a legitimate commenter, using a browser which supports JavaScript (most modern browsers do), I would type in a comment such as:

You make a good point. But I like Firebird more than Opera.

After the Submit button is pressed and before it is sent to the server, the text would be transformed into:

Lbh znxr n tbbq cbvag. Ohg V yvxr Sveroveq zber guna Bcren.

Then, the server side PHP script would run the same ROT13 function on the submitted text, converting it back to its original form, before storing it in the database.

Now, if a spammer comes along and configures his spambot to post to my comment form, he would post it without obscuring his text using ROT13. So, after the server-side ROT13 pass, his spam comment would look like this:

Ohl zl Iv@ten! Nyy angheny! Raynetr lbhe z@au00q! Ivfvg zr ng uggc://jjj.zlfcnzfvgrsbehfryrffcvyyf.pbz

Now you ask - "what if the spammer knows that you are using the double ROT13 trick?" Well, then it won't work - but the thing is that many other sites will not be using this trick, so he'd need to verify personally which sites do or do not use this technique. Any kind of human intervention makes spamming a bit more expensive, and therefore less attractive.
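The round trip described above, as an added example that is not from the original post. `browserSubmit` and `serverStore` are hypothetical stand-ins for the form's submit handler and the PHP script, and the bot message is a constructed sample.

```javascript
// ROT13: rotate A-Z and a-z by 13 places; everything else passes through.
// Applying it twice returns the original text, so one function serves
// both the browser (obscure) and the server (unobscure).
function rot13(text) {
  return text.replace(/[A-Za-z]/g, (ch) => {
    const base = ch <= "Z" ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Browser side (hypothetical submit handler): obscure each field before sending.
function browserSubmit(fields) {
  const out = {};
  for (const [name, value] of Object.entries(fields)) out[name] = rot13(value);
  return out;
}

// Server side (stand-in for the PHP script): always unobscure before storing.
function serverStore(posted) {
  const row = {};
  for (const [name, value] of Object.entries(posted)) row[name] = rot13(value);
  return row;
}

// Legitimate commenter: the browser runs the script, so the text round-trips.
const legit = serverStore(browserSubmit({
  comment: "You make a good point. But I like Firebird more than Opera.",
}));

// Spambot (constructed sample): posts straight to the form handler, skipping
// the browser step, so the server's ROT13 pass scrambles text and link alike.
const bot = serverStore({ comment: "Great deals at http://spam.example/" });

console.log(legit.comment);
console.log(bot.comment);
```

The server does not reject the bot's post; it stores it in scrambled form, so the advertised link no longer works.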

2. Use a required hidden form field, with an ever-changing set of acceptable values.

You could have a hidden form element such as:

Code Example 1

When someone loads the comment form, the server-side script generates a JavaScript snippet between the head tags, such as:

Code Example 2

Thus, the JavaScript snippet replaces the blank value of the required hidden form field with the value of the code. If the form is submitted with this field blank, then an error will be returned, and the comment will not be entered. Spambots typically do not understand JavaScript, so a spambot will typically fail when it tries to submit the comment form, because it never entered a valid code in the hidden form field.

There is also a MySQL table of 10 acceptable codes, from which this code was chosen.

After the form is submitted using this randomly chosen code, it is deleted from the code table, and a new randomly generated one is inserted into the table. So even if a spammer stakes out a site personally, and notes which code is inserted, that code is only good for one submission.

3. Ask for the answer to a question which only a human can understand.

Example:

Yuor job is to undersatnd tihs sentecne. Then write it in a text box.

So, a list of such obscured, human readable quotes is put in a database table and each is given a unique ID.

Then a text field is made, such as:

Code Example 4

And a quote is presented before this field, with instructions to decipher it and re-enter it into the above mentioned textbox.

For example:
To prevent automated entries, we ask that you rewrite the following proverb with its correct spelling in the box below:
An alppe a day kpees the dcotor aawy.

The source code for a correctly filled text input box would be:

Code Example 3

When the form is submitted, the PHP script checks to see if the entered proverb exists in the table. If so, the comment is allowed to be entered.
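An added example of the proverb check, not code from the original post. It goes one step beyond the text by generating the scrambled form automatically instead of storing hand-obscured quotes; the `Map` stands in for the database table, and the second proverb and all function names are constructed.

```javascript
// Stand-in for the database table of quotes, keyed by unique ID (constructed).
const proverbs = new Map([
  [1, "An apple a day keeps the doctor away."],
  [2, "A stitch in time saves nine."],
]);

// Scramble the interior letters of each word, keeping first and last in place,
// which leaves the text readable to a person. `rand` is injectable for testing.
function scrambleWord(word, rand = Math.random) {
  if (word.length < 4) return word;
  const mid = word.slice(1, -1).split("");
  for (let i = mid.length - 1; i > 0; i--) {      // Fisher-Yates shuffle
    const j = Math.floor(rand() * (i + 1));
    [mid[i], mid[j]] = [mid[j], mid[i]];
  }
  return word[0] + mid.join("") + word[word.length - 1];
}

function scramble(text, rand = Math.random) {
  return text.replace(/[A-Za-z]+/g, (w) => scrambleWord(w, rand));
}

// Compare case-insensitively and ignore punctuation and extra spaces.
function normalize(text) {
  return text.toLowerCase().replace(/[^a-z ]/g, "").replace(/\s+/g, " ").trim();
}

// The check as the post describes it: does the entry match any stored proverb?
function isKnownProverb(entry) {
  const wanted = normalize(entry);
  for (const text of proverbs.values()) {
    if (normalize(text) === wanted) return true;
  }
  return false;
}
```

Matching against the whole table, as described, means any stored proverb is accepted regardless of which one was displayed; looking the answer up by the displayed quote's ID closes that gap.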

There you have it - three easy techniques for spambot protection. If all three are used together, they might make submitting comment spam a bit more difficult - and expensive - for a potential spammer. If submitting comment spam requires writing complex custom scripts, potential spammers might just go back to using poorly formatted email messages again.

I plan to add these to Rilke CMS as soon as I have a free moment.



Posted by jay_sheth. Edited by jay_sheth: 10/14/2003
