My Ruby on Rails blog application is getting a lot of comment spam for a particular blog post even though comments are closed and the comment form is no longer there. The comments are filtered by Akismet so they're not visible, but I'm not sure how my app should best respond to these requests.

I thought about simply redirecting to the post page, or responding with an HTTP 404 or perhaps a 422. What do you think is the best course of action?

+3  A: 

If your only goal is to thwart attempted spammers, any error result code would be fine. The spammer software isn't going to even look at it anyway.

Greg Hewgill
+1  A: 

Since you are no longer accepting comments, you want to spend as few resources as possible on those requests.

As soon as you detect a POST request, return a 404 code or just close the connection.

Developer Art
+2  A: 

Make your action like action="/some-strange-post-address-41345234523-something" and add the action attribute using JavaScript.

Most spammers do not run a JavaScript engine (since it is very hard to develop one), thus they would not know the action address for posting information...

For my blog it reduced the spam from 10-20 messages per day to 2-3 per year, and all of them seem to be added by real human beings.

Artyom
It's a good technique, but although my comments system uses AJAX I'd like to have it still work if JavaScript is turned off.
John Topley
Never assume that the user has JS. My mobile phone, for example, does not have JS at all, and I browse the web with NoScript enabled. That way you are not allowing me to post a comment at all.
Bragi Ragnarson
+1  A: 

Since you have control over the application, you can simply ignore the comment post, and return a 200 code anyway. Why give the spammer even the information that there was a problem?

If you want to try other techniques to prevent spam in the future, I've had great luck with Stopping Spambots with Hashes and Honeypots.

Ned Batchelder
That's a very interesting point about not even indicating a problem.
John Topley
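
The response options discussed in the question and answers above (a 404, a 422, a redirect to the post, or a silent 200), sketched as a Rack-style middleware that rejects comment POSTs for closed posts before the spam filter or database is touched. This is an added example, not code from any of the answers; the route pattern, closed_post_ids, the policy names and FakeBlogApp are assumptions made for the sketch.

```ruby
# Added example: Rack-style middleware in plain Ruby (no gems needed).
# The route pattern, closed_post_ids and the policy names are assumptions.
require "set"

class ClosedCommentsGuard
  COMMENT_ROUTE = %r{\A/posts/(\d+)/comments/?\z}

  # Each policy builds a complete Rack response: [status, headers, body].
  POLICIES = {
    silent_ok:     ->(_id) { [200, { "content-type" => "text/plain" }, [""]] },
    not_found:     ->(_id) { [404, { "content-type" => "text/plain" }, ["Not Found"]] },
    unprocessable: ->(_id) { [422, { "content-type" => "text/plain" }, ["Comments are closed"]] },
    redirect:      ->(id)  { [303, { "location" => "/posts/#{id}" }, []] }
  }.freeze

  def initialize(app, closed_post_ids:, policy: :silent_ok)
    @app = app
    @closed = closed_post_ids.to_set
    @respond = POLICIES.fetch(policy) # an unknown policy raises KeyError at boot
  end

  def call(env)
    match = COMMENT_ROUTE.match(env["PATH_INFO"].to_s)
    if env["REQUEST_METHOD"] == "POST" && match && @closed.include?(match[1].to_i)
      # Short-circuit: the request body is never read, and the downstream
      # app (spam-filter lookup, database write) is never invoked.
      return @respond.call(match[1])
    end
    @app.call(env)
  end
end

# Constructed stand-in for the real application: counts how often the
# expensive path (spam filter + save) would have run.
class FakeBlogApp
  attr_reader :filter_calls

  def initialize
    @filter_calls = 0
  end

  def call(_env)
    @filter_calls += 1
    [201, { "content-type" => "text/plain" }, ["created"]]
  end
end

# Helper that builds a minimal, constructed Rack env for a comment POST.
def post_comment(stack, post_id)
  stack.call({ "REQUEST_METHOD" => "POST", "PATH_INFO" => "/posts/#{post_id}/comments" })
end
```

Whichever policy is chosen, the guard runs ahead of the application, so a rejected request costs one regex match and one set lookup.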