Simple anti-comment spam measure

5 Nov 2004

Thanks to Patrick Strang who pointed me to Steven Geen’s simple anti-comment spam measure for MovableType, I managed to stem the current flow of “Please approve this comment” emails flooding my inbox. This has been happening since last Saturday! Argh! Why are they doing this even when everything goes into the moderation queue?

Anyway, it’s so simple to get this into WordPress: just edit wp-comments.php and wp-comments-post.php to add the field to the comment form (see below) and die() when the correct “letter of the day” isn’t entered. (die()ing isn’t the most elegant way, but WordPress does this for the other fields as well.)

Screenshot of anti-spam field


Check out the comment form if the picture above is too small. Sorry to have to put you commenters through this, but it’s really for my sanity. At least it isn’t one of those randomly-generated graphical thingies that really ensure you are human (or an equivalent intelligent lifeform).
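
One way the two edits described above could look, as an added example that is not the author's code or WordPress's own. The helper names, the `antispam` field name, the secret and the date-derived letter are all assumptions, since the post does not show how the letter is chosen.

```php
<?php
// Added example: hypothetical helper names, not WordPress or the author's code.

// Assumption: a private per-site secret, so the date-to-letter mapping
// differs from site to site. Placeholder value; replace it.
const ANTISPAM_SECRET = 'replace-with-a-long-random-string';

// One function, used by BOTH the form and the handler, so the letter the
// visitor is shown and the letter that is checked can never disagree.
function antispam_letter(string $day): string
{
    $mac = hash_hmac('sha256', $day, ANTISPAM_SECRET, true);
    return chr(ord('A') + ord($mac[0]) % 26);
}

// Comment-form side (wp-comments.php in the post): markup for the extra field.
function antispam_field(): string
{
    $letter = antispam_letter(gmdate('Y-m-d'));
    return '<p><label for="antispam">Today\'s anti-spam letter is '
         . htmlspecialchars($letter, ENT_QUOTES, 'UTF-8')
         . '. Type it here:</label> '
         . '<input type="text" name="antispam" id="antispam" size="2" maxlength="1" /></p>';
}

// Handler side (wp-comments-post.php in the post): accept today's letter,
// plus yesterday's so a form loaded just before midnight UTC still posts.
function antispam_ok($submitted): bool
{
    if (!is_string($submitted)) {   // e.g. antispam[]=x arrives as an array
        return false;
    }
    $given = strtoupper(trim($submitted));
    foreach ([time(), time() - 86400] as $ts) {
        if (hash_equals(antispam_letter(gmdate('Y-m-d', $ts)), $given)) {
            return true;
        }
    }
    return false;
}

// In the POST handler, before the comment is stored:
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && !antispam_ok($_POST['antispam'] ?? null)) {
    die('Error: please type the anti-spam letter shown on the comment form.');
}
```

The letter still appears in the page markup, so this only filters bots that post without reading the form.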

14 Responses to Simple anti-comment spam measure

Tijs

November 5th, 2004 at 6pm

Why not simply rename wp-comments-post.php? Solves your problem right away without bothering any of your visitors…

Cheah Chu Yeow

November 5th, 2004 at 6pm

Well, that is a good idea, but I doubt it will solve the problem since spammers seem to be hitting me by actually posting. At least, that’s what my access logs seem to tell me. Or maybe I’m totally off-base. I’ll find out for sure if and when another steady stream of comment spam arrives. I’m pretty sure this is only stop-gap. If it gets worse, I’ll get down to business ;).

Terry Orio

November 5th, 2004 at 7pm

nick

November 5th, 2004 at 9pm

I just renamed the file and then edited one of the other comment files to go along with the renamed file and that solved ALL my problems.

test

November 5th, 2004 at 9pm

test

Bernie Zimmermann

November 5th, 2004 at 10pm

Another thing to keep in mind is that for a popular site like yours, spammers might be willing to do a quick scrape of your source to determine what the “letter of the day” is before they automatically fill out your form and post. I think this is why using a graphic might be more appropriate. A spammer then has to either look at the graphic, or figure out what your naming scheme is for the images you use for the “letters of the day.”

I’ve been thinking about options to use on my site (yes, even though it’s not very popular and I use my own CMS I still get spammed) and have yet to decide on anything definitive. I’m leaning toward creating a bunch of graphics that contain random words (not as predictable as the 26 letters of the alphabet) and having the commenter type the word in a text field. Once a month or so I could then rename the files and update my authentication accordingly so I can always keep the spammers guessing.

Believe it or not, the work involved would be much less time consuming than scouring my blog for spam and then removing it.

minghong

November 6th, 2004 at 12am

If the spammer program is smart enough, it can get the XHTML file, then get the “secret letters” by using something like DOM.

Of course little spammer programs will do so…

Patrick

November 6th, 2004 at 1am

When it was at its worst I got 10-16 spam comments a day from spam robots. But since I installed the extra text field I haven’t received any. So far it’s working – the day it gets defeated I’ll probably enhance it further.

CarLBanks

November 8th, 2004 at 10pm

I like this idea.

CarLBanks

November 8th, 2004 at 10pm

Hmm it’s giving me the wrong letter in the error message. It’s telling me today’s anti-spam letter is R but the error message says please put in C.

CarLBanks

November 8th, 2004 at 10pm

Sorry for triple commenting but what code do I add?

Nathan Wong

November 10th, 2004 at 11am

My goal: Keep my site completely reader-less so that nobody spams it. Yay! :) Working well so far.

CarLBanks

December 17th, 2004 at 5am

What do I add back again? I accidentally overwrote comments-post.php and now spam is rampant again.

fernando

December 19th, 2004 at 8am

I adore this hack!

However, it’s admiration from afar…

can you write up exactly what code you added where? i, for one, am definitely too stupid to figure out what to do exactly…

and yet, the solution is exquisite and i would seriously dig having it on my site instead of the fiercer measures which can inadvertently ban people who are only trying to add something.