
Most people who run blogs have trouble with comment spam, and there are all sorts of fixes. Marc Perkel at ctyme.com, my host, said he was floored when he realized that a few lines of Apache mod_rewrite configuration would kill most of it. It does indeed work.
Here is the short configuration running on the ctyme server for my dvorak.org, which uses WordPress. Adapting it for other blog software and other sites should be simple for anyone running Apache.
<Location /blog/wp-comments-newpost.php>
    RewriteEngine On
    # Fire unless the Referer header contains dvorak.org/ (dots escaped so they
    # match literally). A request with no Referer at all fails this test too.
    RewriteCond %{HTTP_REFERER} !^.*dvorak\.org/.*
    # Send the request to an explanation page instead of posting the comment.
    RewriteRule ^.* http://www.ctyme.com/comment-spam.html [R,L]
</Location>
Essentially it makes one condition rigid for every comment post: the request has to arrive with a Referer header pointing back into the blog itself, as it does when a reader submits the comment form. Most spam bots send no Referer, or a foreign one, and get redirected instead. The Referer is supplied by the client, so a bot can copy it, and privacy software that strips it will lock out some legitimate readers; the check is a cheap filter, not a guarantee.
My spam count on the blog has dropped from 50-100 to 2 per day without any other tricks.
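To see exactly what the RewriteCond above lets through, here is the same test emulated in Python and run over a handful of constructed request headers. This is an added example, not code from the post or from ctyme.com; the request headers, the function names and the stricter host-based variant are mine. The loose version is the page's pattern as written (an unanchored substring match); the strict version compares the Referer's host instead, which closes the substring hole but, being client-supplied, is still trivially spoofable.

```python
"""Emulate the page's Referer-based comment gate and probe its edge cases.

Added example, not code from the blog post or from ctyme.com. It mirrors the
RewriteCond on the page in Python so its behaviour can be checked offline; the
request headers below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

BLOG_HOST = "dvorak.org"

# The page's pattern with the dots escaped. "RewriteCond ... !PATTERN" rejects a
# request when the Referer does NOT match, so a missing Referer is rejected too.
LOOSE_REFERER = re.compile(r"^.*dvorak\.org/.*")


def loose_gate(headers):
    """True when the page's RewriteCond would let the request through."""
    referer = headers.get("Referer", "")
    return LOOSE_REFERER.match(referer) is not None


def strict_gate(headers):
    """Same idea, but compare the Referer's host rather than a substring.

    Still client-supplied and still spoofable; it only closes the hole where
    'dvorak.org/' appears somewhere inside a foreign URL (path or query).
    """
    referer = headers.get("Referer", "")
    if not referer:
        return False
    host = (urlsplit(referer).hostname or "").lower()
    return host == BLOG_HOST or host.endswith("." + BLOG_HOST)


# Constructed sample requests to the comment script (hypothetical data).
REQUESTS = {
    "legit_browser": {
        "Referer": "http://www.dvorak.org/blog/?p=123",
        "User-Agent": "Mozilla/5.0",
    },
    "bot_no_referer": {"User-Agent": "Python-urllib/2.4"},
    "bot_foreign_referer": {"Referer": "http://spam.example/poker"},
    # A spammer who simply copies the post's URL into the Referer header.
    "bot_spoofed_referer": {"Referer": "http://www.dvorak.org/blog/?p=123"},
    # A foreign page whose query string happens to contain the blog host.
    "bot_substring_trick": {"Referer": "http://spam.example/?r=dvorak.org/"},
    # A real reader behind a privacy tool or firewall that strips Referer.
    "reader_referer_stripped": {"User-Agent": "Mozilla/5.0"},
}


def classify(gate):
    """Map each sample request name to the gate's allow (True) / deny (False)."""
    return {name: gate(headers) for name, headers in REQUESTS.items()}


if __name__ == "__main__":
    for name, headers in REQUESTS.items():
        print(f"{name:24} loose={loose_gate(headers)!s:5} "
              f"strict={strict_gate(headers)}")
```

Running it shows the trade-off the rule makes: both gates stop the bot that sends no Referer and the one with a foreign Referer, both lock out the reader whose software strips the header, and neither can tell the spoofed Referer from the genuine one. Only the loose pattern additionally passes the substring trick, because `dvorak.org/` is matched anywhere in the string rather than in the host.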

Like everyone said, manual spam seems to be the only problem after a hack like this. The problem with that is there are companies in India that you can pay very small sums of money, and they have 5-10 people who will just sign up on forums and blogs and leave the spam comments for you. I imagine we'll see more and more of this as the spammers get tired of fighting the great filters that keep coming out.
I manually changed the field names and the variables on the page that they are submitted to. That stops the scripts in their tracks.
SpamKarma is the only spam plugin I've used on any of my blogs for months now, and it's killed all but maybe 10 spam posts (and those 10 were completely random letters, not even a poker link) with only 2 false positives in that time. It even nails trackback and pingback spam.
So this pretty much just blocks autospamming bots? It seems to me like this is something that blogging software should come with built in. It should be checking that it only allows connections to the comment posting script from a file within the website.
What about people that come on and post links to their free iPod referral sites?
I've pretty much killed comment spam on my WP site recently by using both Bad Behavior and Spam Karma 2. They're pretty invisible to 95% of users, and they've been very effective so far.
What about using CAPTCHA and the Referer trick? Plus I like the idea of using tokens. Session can't be seen by anything on the client side, so if you put an always-changing token on the form and also in the Session, heh, you have a fix there; for one, a lot of these bots don't support cookies, and a session won't work without a cookie. So basically in theory it would be bulletproof, but you aren't going to stop a human spammer, cause they will always pass these tests.
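The token scheme the commenter above sketches, and the later suggestion in this thread to check for a valid session cookie, worked through as an added example (not the commenter's code, not WordPress's): the server stores a random token in the cookie-backed session and in a hidden form field, and accepts a POST only when both are present and match. The store, cookie name, field name and function names are hypothetical; the session store is an in-memory dict purely so the example runs offline.

```python
"""Session-bound, single-use form tokens for a comment form.

Added example, not the commenter's or WordPress's code. The session store,
cookie name and function names are hypothetical; a real deployment keeps
sessions in server-side storage and sets the cookie HttpOnly (and Secure).
"""
import hmac
import secrets

SESSION_COOKIE = "sid"          # hypothetical cookie name
TOKEN_FIELD = "comment_token"   # hypothetical hidden-field name


class SessionStore:
    """Minimal server-side session store: session id -> dict of session data."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def render_comment_form(store, sid=None):
    """Issue (or reuse) a session and bind a fresh token to it.

    Returns (session id to set as the cookie, token to embed in the form).
    The token exists only inside the session, so a client that never stored
    the cookie has nothing the server will compare it against.
    """
    if sid is None or store.get(sid) is None:
        sid = store.new_session()
    token = secrets.token_urlsafe(32)
    store.get(sid)[TOKEN_FIELD] = token
    return sid, token


def hidden_field(token):
    """The hidden input the form page carries (token is URL-safe base64)."""
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'


def accept_comment_post(store, cookies, form):
    """True only for a POST carrying the session cookie and that session's token.

    The token is consumed on every attempt (pop), so a replay or a second
    submission has to reload the form first. Comparison is constant-time.
    """
    session = store.get(cookies.get(SESSION_COOKIE, ""))
    if session is None:
        return False                      # no cookie: cookie-less bots stop here
    expected = session.pop(TOKEN_FIELD, None)
    if expected is None:
        return False                      # nothing issued, or already used
    submitted = str(form.get(TOKEN_FIELD, ""))
    return hmac.compare_digest(expected.encode(), submitted.encode())


def demo():
    """Walk the cases the thread discusses; returns case name -> accepted?"""
    store = SessionStore()
    outcomes = {}
    # 1. A real browser: kept the cookie and submits the form it was served.
    sid, token = render_comment_form(store)
    outcomes["legit"] = accept_comment_post(
        store, {SESSION_COOKIE: sid}, {TOKEN_FIELD: token, "comment": "hi"})
    # 2. The same token submitted again (replay): already consumed.
    outcomes["replay"] = accept_comment_post(
        store, {SESSION_COOKIE: sid}, {TOKEN_FIELD: token})
    # 3. A bot that scraped the token from the HTML but never kept the cookie.
    _, token2 = render_comment_form(store)
    outcomes["no_cookie"] = accept_comment_post(store, {}, {TOKEN_FIELD: token2})
    # 4. A bot that holds a cookie but guesses the token.
    sid3, _ = render_comment_form(store)
    outcomes["bad_token"] = accept_comment_post(
        store, {SESSION_COOKIE: sid3}, {TOKEN_FIELD: "guess"})
    # 5. A bot pairing a real cookie with a token issued to another session.
    sid4, _ = render_comment_form(store)
    _, token5 = render_comment_form(store)
    outcomes["cross_session"] = accept_comment_post(
        store, {SESSION_COOKIE: sid4}, {TOKEN_FIELD: token5})
    return outcomes


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:14} accepted={accepted}")
```

Unlike the Referer test, nothing here is taken on the client's word: the cookie and the token are both server-issued and are checked against each other. As the commenter notes, it still does nothing against a human with a browser, and note that every form render creates a session, so a real deployment would cap sessions per client or create them lazily.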
Yes, they could spoof the referrer, but then they lose the diverse source IPs they get with the current proxy tricks. Then I can just block the IP. So it's not as easy as you think.
A few months ago I did some research into anti-spam techniques for the b2evolution blogging software. It was in regard to referer spam, for which this absolutely doesn't work, but I still looked at, evaluated and rejected this option as a general anti-spam measure for the following reasons. It is also important to remember I was doing said research for the b2evolution community, not just myself, so if it caused problems for basic users or could not be included by default it was unworkable.
1) As others have mentioned, the referer is client supplied and easy to change, especially in an automatic spamming script.
2) In addition, some site visitors intentionally block the referer via software on their PC (which they may not even know they have), and this prevents them from commenting.
3) This relies on your Apache installation supporting mod_rewrite; not all installations do. Even among those that do, there is some debate in the community as to how much of a blow it is to server resources to implement such a solution.
4) Making such a modification requires either a dedicated server with access to the httpd.conf file OR support for .htaccess files, which are also not supported by all hosts.
In conclusion, while the technique may work for some people for a while, it is far from an end-all, be-all solution, is not usable by many people with basic shared hosting plans, and has been discussed in the blogging community before and generally rejected.
Sorry to ask, but would you think there would be an alternative version in .asp?
Didn't pay much attention to this at first because I don't have a blog. But when I heard you talking about it on TWiT I came back to it. What about people that link to your page from a different place? For example the new Google Personalized. I try to link from there to here, but it comes up with nothing but the headers. However, I just have to reload it to make it work. Not a big deal, but something to think about.
I use SpamKarma – it’s astounding. I get NO spam!
http://unknowngenius.com/blog/wordpress/spam-karma/
It's worth noting that a number of so-called "internet security" products (Norton is one) will actively strip the HTTP_REFERER from outgoing HTTP traffic. Some firewall devices are configured to do this too.
The end result being that valid users may not be able to leave comments due to this technique. You’re effectively introducing a chance of false-positives.
You can’t trust REFERER, it is client supplied. You’ll probably do better checking for a valid session cookie…
Okay... so I've read the comments and PLENTY of propellerheads think this is just a tiny band-aid fix, but NOBODY explains HOW to do it. So... it would be VERY HELPFUL if there was a step-by-step for implementing this (or any other, for that matter) bit of code.
This is working for me on ASP pages:
function stopSpamScumbags(inField)
    ' InStr returns the 1-based position of "Content-Type:" inside the
    ' submitted field, or 0 when it is absent. A form field carrying a mail
    ' header like this is characteristic of bots trying to inject headers
    ' into form-to-mail scripts.
    stopSpamScumbags = InStr(inField, "Content-Type:")
end function

if ( stopSpamScumbags(Request.Form("Form_Name")) > 0 ) then
    ' this is more than likely spam
else
    ' OK, let's process the form
end if
Hope this helps others.
I just hope the government doesn't get involved. I think we have already lost a lot of free speech. We don't need the government telling us that if we add a link to a comment it's "comment spam" and you're going away for 10 years! I believe this is how police states are created. There has to be a way without involving the government. It's really no good anyway because the spammers just go offshore. Economically not good because advertising dollars go to other countries.
Francisco Barcenas
Just my 2 cents.