Most people who run blogs have issues with comment spam in their blogs and there are all sorts of fixes. Marc Perkel at — my host — was floored, he said, when he realized a simple command to the Apache software would kill most of it — and it does indeed work!

Here is the short code running on the ctyme server for my using WordPress-based blogging software. Altering it for other blog software and other blogs should be simple for anyone running Apache.

< location /blog/wp-comments-newpost.php >
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^.**
RewriteRule ^.*
< /location >

Essentially it makes the basic condition for any post rigid: it has to be coming from a link within the blog itself, the “comment” link. Most spam does not.

My spam count on the blog has dropped from 50-100 to 2 per day without any other tricks.

  1. It’s worth noting that a number of so-call “internet security” products (Norton is one) will actively strip the HTTP_REFERER from outgoing HTTP traffic. Some firewall devices are configured to do this too.

    The end result being that valid users may not be able to leave comments due to this technique. You’re effectively introducing a chance of false-positives.

  2. N A says:

    You can’t trust REFERER, it is client supplied. You’ll probably do better checking for a valid session cookie…

  3. TXprogrammer says:

    This is working for me on ASP pages:

    function stopSpamScumbags(inField)


    end function

    if ( stopSpamScumbags(Request.Form(“Form_Name”)) > 0 ) then
    ‘ this is more than likely a Spam
    ‘ OK, lets process the form
    end if

    Hope this helps others.

  4. openmls says:

    I just hope the government doesn’t get involved. I think we have already lost alot of free speech. We don’t need the govenrment telling us if we add a link to a comment it’s “comment spam” and you’re going away for 10 years! I believe this is how police states are created. There has to be a way without involving the government. It’s really no good anyways because the spammers just go offshore. Economically not good because advertising dollar go to other countries.

    Francisco Barcenas
    Just my 2 cents.

  5. Franz says:

    9/11 the same happy few music were also on the spot to point foto the finger of blame at everyone mp3 but themselves – as soon as they felt safe wma/

  6. Bannerdesign says:

    You can’t trust REFERER, it is client supplied. You’ll probably do better checking for a valid session cookie…


Bad Behavior has blocked 8878 access attempts in the last 7 days.