Comments on: Blog Comment Spam Fix

By: Bannerdesign

Bannerdesign — Wed, 06 Dec 2006 03:01:22 +0000

You can’t trust REFERER, it is client supplied. You’ll probably do better checking for a valid session cookie…

By: Franz

Franz — Fri, 11 Aug 2006 12:39:28 +0000

9/11 the same happy few music were also on the spot to point foto the finger of blame at everyone mp3 but themselves – as soon as they felt safe wma/

By: openmls

openmls — Mon, 24 Apr 2006 18:01:22 +0000

I just hope the government doesn’t get involved. I think we have already lost alot of free speech. We don’t need the govenrment telling us if we add a link to a comment it’s “comment spam” and you’re going away for 10 years! I believe this is how police states are created. There has to be a way without involving the government. It’s really no good anyways because the spammers just go offshore. Economically not good because advertising dollar go to other countries.

Francisco Barcenas
Just my 2 cents.

By: TXprogrammer

TXprogrammer — Fri, 02 Dec 2005 15:31:38 +0000

This is working for me on ASP pages:

function stopSpamScumbags(inField)

stopSpamScumbags=InStr(inField,”Content-Type:”)

end function

if ( stopSpamScumbags(Request.Form(“Form_Name”)) > 0 ) then
‘ this is more than likely a Spam
else
‘ OK, lets process the form
end if

Hope this helps others.

By: Eric Nentrup

Eric Nentrup — Fri, 14 Oct 2005 12:44:10 +0000

Okay….so I’ve read the comments and PLENTY of propellerheads think this is just a tiny bandaid fix, but NOBODY explains HOW to do it. So….it would be VERY HELPFUL if there was a step by step for implementing this (or any other for that matter) bit of code.

By: N A

N A — Thu, 29 Sep 2005 11:54:25 +0000

You can’t trust REFERER, it is client supplied. You’ll probably do better checking for a valid session cookie…

By: Drew McLellan

Drew McLellan — Wed, 28 Sep 2005 12:49:03 +0000

It’s worth noting that a number of so-call “internet security” products (Norton is one) will actively strip the HTTP_REFERER from outgoing HTTP traffic. Some firewall devices are configured to do this too.

The end result being that valid users may not be able to leave comments due to this technique. You’re effectively introducing a chance of false-positives.

By: Squozen

Squozen — Wed, 28 Sep 2005 07:08:44 +0000

I use SpamKarma – it’s astounding. I get NO spam!

http://unknowngenius.com/blog/wordpress/spam-karma/

By: 0x1d3

0x1d3 — Wed, 28 Sep 2005 00:28:15 +0000

Didn’t pay much attention to this at first because I dont have a blog. But when I heard you talking about it on TWiT I came back to it. What about people that link to your page from a different place. For example the new Google Personalized. I try to link form there to here. But it comes up with nothing but the headers. However I just have to reload it to make it work. Not a big deal, but something to think about.

By: E Mooney

E Mooney — Tue, 27 Sep 2005 08:31:21 +0000

sorry to ask, but would you think there would be an alternative version in .asp ?

By: Ben Franske

Ben Franske — Tue, 27 Sep 2005 03:09:51 +0000

A few months ago I did some research into anti-spam techniques for the b2evolution blogging software. It was in regards to referer spam for which this absolutely doesn’t work but I still looked at, evaluated and rejected this option as a general anti-spam measure for the following reasons. It is also important to remember I was doing said research for the b2evolution community not just myself so if it caused problems for basic users or could not be included by default it was unworkable.

1) As others have mention the referer is client suppllied and easy to change, especially in an automatic spamming script.

2) In addition, some site visitors intentionally block the referer via software on their PC (which they may not even know they have) and this prevents them from commenting.

3) This relies on your Apache installation supporting mod_rewrite not all installations do. Even among those that do there is some debate in the community as to how much of a blow it is to server resources to implement such a solution.

4) Making such modification requires either a dedicated server with access to the httpd.conf file OR support for .htaccess files which are also not supported by all hosts.

In conclusion, while the technique may work for some people for a while it is far from an end all be all solution, is not usable by many people with basic shared hosting plans and has been discussed in the blogging community before and generally rejected.

By: Marc Perkel

Marc Perkel — Tue, 27 Sep 2005 01:48:25 +0000

Yes – they could spoof the referrer but then they lost the diverse source IPs they get with the current proxy tricks. Then I can just block the IP. So it’s not as easy as you think.

By: BlueBoi

BlueBoi — Tue, 27 Sep 2005 01:04:11 +0000

What about using Capatcha and the Referer trick, plus I like the idea of using tokens, Session can’t be seen by anything on the client side, so if you put an aways changing token on the form and also in the Session heh you have a fix there, for one alot of these bots don’t support cookies and a session won’t work without a cookie. So basically in theory it would be bullet proof, but you aren’t going to stop a human spammer, cause they will always pass these tests.

By: Vince Anido

Vince Anido — Tue, 27 Sep 2005 00:46:50 +0000

I’ve pretty much killed comment spam on my WP site recently by using both Bad Behavior and Spam Karma 2. They’re pretty invisible to 95% of users, and they’re been very effective so far.

By: Ryan

Ryan — Mon, 26 Sep 2005 21:57:06 +0000

So this pretty much just blocks autospamming bots? It seems to me like this is something that blogging software should come built with. It should be checking that it only allows connections to the comment posting script from a file within the website.

What about people that come on and post links to their free ipod referal sites?