Most people who run blogs have trouble with comment spam, and there are all sorts of fixes. Marc Perkel at ctyme.com, my host, was floored, he said, when he realized that a simple directive in the Apache configuration would kill most of it. It does indeed work!

Here is the short snippet running on the ctyme server for my dvorak.org blog, which uses WordPress. Adapting it for other blog software and other blogs should be simple for anyone running Apache.

<Location /blog/wp-comments-newpost.php>
    # <Location> is only valid in the main server or virtual-host config, not in .htaccess
    RewriteEngine On
    # Condition holds when the Referer does NOT come from dvorak.org (dots escaped so they match literally)
    RewriteCond %{HTTP_REFERER} !^.*dvorak\.org/.*
    # Anything failing the condition is sent to the spam-notice page instead of the comment handler
    RewriteRule ^.* http://www.ctyme.com/comment-spam.html [R,L]
</Location>

Essentially it imposes one rigid condition on every comment post: the request must carry a Referer from within the blog itself, i.e. from the page with the “comment” link. Most spam does not.

My spam count on the blog has dropped from 50-100 to 2 per day without any other tricks.
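To make the rule's behaviour concrete, here is an added Python simulation of the RewriteCond/RewriteRule pair above (not code from the post or the ctyme server), run over a few constructed requests. It also compares the post's pattern with a stricter, anchored one, which is my assumption rather than anything the server uses.

```python
import re

# The post's pattern: RewriteCond negates it, so a request is redirected when the
# Referer does NOT match. Note it is a substring match, not a host match.
PAGE_PATTERN = re.compile(r"^.*dvorak.org/.*")
# Stricter alternative (assumption, not the page's): anchored to scheme and host.
STRICT_PATTERN = re.compile(r"^https?://(www\.)?dvorak\.org/")

COMMENT_HANDLER = "/blog/wp-comments-newpost.php"
SPAM_PAGE = "http://www.ctyme.com/comment-spam.html"


def rewrite_decision(path, referer, pattern=PAGE_PATTERN):
    """Mimic the <Location> block: return the redirect target, or None when
    the request is allowed through to the WordPress comment handler."""
    if path != COMMENT_HANDLER:
        return None  # <Location> scopes the rule to the comment handler only
    # Apache regex conditions are unanchored searches unless the pattern says ^
    if pattern.search(referer or ""):
        return None
    return SPAM_PAGE


# Constructed sample requests: (request path, Referer header value).
SAMPLES = [
    ("/blog/wp-comments-newpost.php", "http://www.dvorak.org/blog/?p=1234"),  # real form
    ("/blog/wp-comments-newpost.php", ""),                                    # no Referer
    ("/blog/wp-comments-newpost.php", "http://casino.example/landing"),      # foreign site
    ("/blog/wp-comments-newpost.php", "http://casino.example/dvorak.org/"),  # substring only
    ("/blog/index.php", ""),                                                  # not the handler
]


def classify(samples, pattern=PAGE_PATTERN):
    """Label each sample 'redirect' or 'allow' under the given pattern."""
    return ["redirect" if rewrite_decision(p, r, pattern) else "allow"
            for p, r in samples]


if __name__ == "__main__":
    for (path, ref), verdict in zip(SAMPLES, classify(SAMPLES)):
        print(f"{verdict:8} {path} Referer={ref!r}")
```

The fourth sample shows why anchoring matters: the unanchored pattern accepts any Referer that merely contains the string, while the anchored one checks the host.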

  1. BlueBoi says:

    This will block the stupid bots, but the smarter bots that spoof the referer will have no problem. Good tip though.

  2. Clear Rivers says:

    This is only a temporary fix. It’s very easy to fake the Referer Header.

  3. Lenny says:

    This post should have included a link to the “I get no spam” audio clip. What the hey, I could have saved it and used it as the “new email notification” sound event because “I get no spam” as well.

  4. Miguel Lopes says:

    I’d like to have that ‘I GET NO SPAM’ logo in a bigger format so I could make a t-shirt. Can it be arranged?

    Oooops, there goes a nice merchandising idea…

    But I’d really like to get the logo…

  5. Eideard says:

    Bravo, Marc!

  6. Zen Curmudgeon says:

    So, John, now it’s “I get ALMOST no spam”? :)

    Twitfully yours,

    ZC

  7. nullbit says:

    Works for now, but spammers will adapt the minute the method becomes widely used enough for them to notice. In this case all they need to do is spoof the Referer: header, which is technically trivial.

  8. Ernie Miller says:

    Glad to hear that’s working out for you. It should be noted, however, that the “referer” field is actually part of HTTP GET or POST requests that are made by comment spammers, and as such, would be trivial to bypass for most software by making sure that the domain they are spamming is also included in the REFERER POST header.

    Frankly, I’m surprised they aren’t already doing this. But then, nobody ever said spammers were smart. :)

  9. That’s awesome. I’m gonna put this on http://michaelcotterell.com/blog/ !

  10. Evilpig says:

    Nice Job :)

    Dvorak = NO SPAM AT ALL ;)

    Lol

  11. Surely if the re-write engine is seeing the referrer sent by the user-agent this is easily bypassed by spoofing the HTTP referrer.

    In PHP you can use a token method to prevent bots posting forms. First create a random token (say, use rand in PHP and then MD5 it), put this into a hidden form field and also write it to the PHP session.

    On receiving the form data if the hidden field token doesn’t match the one in the session then the form wasn’t sent from that site and it can be safely denied.
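The token method this comment describes, as an added Python example (not the commenter's PHP and not part of the post). Assumptions: a plain dict stands in for the PHP session, the token comes from a CSPRNG rather than rand() plus MD5, and the token is single-use, which is my addition.

```python
import hmac
import secrets


def issue_token(session):
    """Create a fresh random token, store it in the visitor's session and return it
    so the form can embed it in a hidden field."""
    token = secrets.token_hex(16)  # CSPRNG instead of rand()+md5(), which is guessable
    session["comment_token"] = token
    return token


def render_form(session):
    """Return the comment form HTML with the hidden token field filled in."""
    token = issue_token(session)
    return ('<form method="post" action="/blog/wp-comments-newpost.php">'
            f'<input type="hidden" name="token" value="{token}">'
            '<textarea name="comment"></textarea></form>')


def accept_post(session, form):
    """Deny the post unless the hidden field equals the token in this session."""
    expected = session.pop("comment_token", None)  # single use: a replayed token fails
    submitted = form.get("token", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return False
    return True


def demo():
    """Legitimate submit, a bot posting blind without a session, and a replay."""
    session = {}
    token = issue_token(session)
    legit = accept_post(session, {"token": token, "comment": "nice post"})
    bot = accept_post({}, {"token": "guess", "comment": "buy pills"})   # no session token
    replay = accept_post(session, {"token": token, "comment": "again"})  # already consumed
    return legit, bot, replay


if __name__ == "__main__":
    print(render_form({}))
    print(demo())
```

This stops bots that post to the handler without ever loading the form; a bot that fetches the form first and keeps its session cookie receives a valid token, so the check should be combined with other measures.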

  12. Kathy P. says:

    Not exactly related, but there is a photo of a young man at the SPX (Small Press Expo) in Bethesda Maryland with a shirt that says “The Dvorak Zone”. http://209.198.111.165/thebeat/

  13. site admin says:

    I agree this fix will fade if implemented by too many people. As a test I recommend nobody use it but me! :)

    And, yes, I have looked at numerous special fixes and have tried most of them. Eventually I’m sure I’ll have to use the “post code” trick where you type something that appears in a box.

  14. This is a great hint and will definitely help combat some of the stupider spam bots. Like people have said so far, the referrer is trivial to spoof. At this time, if a smart spam bot were developed, I’m not sure there’s much to do except moderate any comments that have URLs in them.

  15. Carnell says:

    That famous episode of TWIT with the “I Get No Spam” conversation is what made me check out this blog. I must say it is my first stop every day now! Thanks John, always informative and hilarious!

  16. Cycincal Al says:

    great job! now if you could only find a way to stop subjecting us readers to your spam advertising ..

  17. Mikael Karon says:

    It’s actually possible, as long as you are willing to sacrifice a few potential posts by requiring javascript to be enabled. The solution is HashCash (also on Wikipedia).

    The basic idea is to challenge the client machine to solve a time consuming problem where the answer is a key that will allow the post to pass through. The HashCash system was originally developed for combating email spam but the idea is the same.

    If I remember correctly there is even a WordPress plugin available.

  18. Miguel Lopes says:

    I think they call that a Turing test. Now, where can I get a big ‘I get no Spam’ logo? C’mon?

  19. Gregory says:

    WP Hash Cache uses a token method and stops spam dead. Pretty much the only spam it can’t stop is manually entered spam… and that’s basically impossible to stop.

    No need for any extra input boxes, just works.

  20. cavemonkey50 says:

    I tried to add the code to my .htaccess but I now get an Internal Server Error on every page.
