Saturday, March 6, 2010

Defective Yeti Ponders Comment Spam

Sorry, with potential headline material like that, it was hard not to write about this sort of thing. There is a great blog known by "Defective Yeti" - the author is a former Amazon employee, recent dad, and very funny guy.

He has a recent post up discussing a glitch in his site he was noticing which turned out to be related in a roundabout way to comment spammers.

In the process of talking about how he had wanted to close his site to limit bandwidth, and how the front page kept popping up (due to the indexes being rebuilt after comment spammers snuck in through the open mt-comments script), the author stumbles onto the idea of the hidden field to avoid comment spam.

This is not a new idea, and is a very good idea. The concept of course being that if they (comment spammers) are just spewing data at a script on your site, they aren't actually populating any forms and submitting them the way humans do. So if you add in a hidden field which must be passed in from the UI for the comments to work, then the spammers won't know about this and therefore their scripts will get rejected.

The obvious way around this, of course, is that the spammers can easily start submitting the data for that hidden input as well - that is easy. But the key is that spammers are trying to reach as wide an audience as possible with as little work as possible, so they don't bother customizing their scripts for a site unless it offers enough potential gain to merit the extra work. (Not to mention that spammers tend to be rather dumb and are just using a script they found to do it - script kiddies, really - so many of them likely wouldn't even know how to adjust the script to take the field into account anyway.)

So while this isn't a foolproof plan, it is a very good one which would certainly reduce the spam as long as you had a unique hidden field from everyone else and no spammers wanted to target you specifically.
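As an added illustration (not code from the Defective Yeti post or from Movable Type), here is a server-side sketch in Python of the hidden-field check described above: the field name is derived from an assumed site secret so it is unique to this site, and the value is bound to the entry being commented on, which extends the post's idea so a token copied from one entry's form does not work on another.

```python
import hmac
import hashlib
import html
from urllib.parse import parse_qs

# Assumed, constructed site secret: in practice a long random value kept out of the page source.
SITE_SECRET = b"example-site-secret-change-me"


def hidden_field(entry_id: str):
    """Derive the site-specific hidden field name and the value expected for one entry.

    The name depends only on the site secret, so it differs from every other site's;
    the value also depends on the entry id, so it cannot be reused across entries.
    """
    name = "f_" + hmac.new(SITE_SECRET, b"field-name", hashlib.sha256).hexdigest()[:12]
    value = hmac.new(SITE_SECRET, entry_id.encode(), hashlib.sha256).hexdigest()[:32]
    return name, value


def render_form(entry_id: str) -> str:
    """Return comment-form markup carrying the hidden field a real browser will submit."""
    name, value = hidden_field(entry_id)
    return (
        '<form method="post" action="/mt-comments">\n'
        f'  <input type="hidden" name="entry_id" value="{html.escape(entry_id)}">\n'
        f'  <input type="hidden" name="{name}" value="{value}">\n'
        '  <textarea name="text"></textarea>\n'
        '</form>'
    )


def accept_comment(body: str) -> bool:
    """Check a raw POST body: reject unless the hidden field is present and correct."""
    fields = parse_qs(body, keep_blank_values=True)
    entry_id = fields.get("entry_id", [""])[0]
    if not entry_id:
        return False
    name, expected = hidden_field(entry_id)
    submitted = fields.get(name, [""])[0]
    # Constant-time comparison so timing does not leak the expected value.
    return hmac.compare_digest(submitted, expected)


def demo() -> dict:
    """Constructed sample submissions: a script spewing at the endpoint vs. a real form post."""
    name, value = hidden_field("42")
    return {
        "script_spew": accept_comment("entry_id=42&text=buy+pills"),
        "from_form": accept_comment(f"entry_id=42&{name}={value}&text=nice+post"),
        "wrong_entry": accept_comment(f"entry_id=43&{name}={value}&text=nice+post"),
    }
```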

If it is such a good idea, then why haven't we implemented it on Spamblogging and our other sister sites? Good question. And the answer to that is a perverse combination of laziness and being fantastically busy.

(On a side note, we did try installing MT-Keystrokes - it works by tracking keystrokes in the fields, which is a similar way of thinking to the hidden field - and didn't have much luck with it. It was blocking certain browsers and generally not playing nice due to browser incompatibilities with its JavaScript requirements - so if you are going to go the plug-in route, that is along those lines, but not the best idea.)
