What are some non-captcha methods for blocking spam on my comments?
+4
A:
1) Adding session-related information into the form Example:
<input type="hidden" name="sh" value="<?php echo dechex(crc32(session_id())); ?>" />
then at postback, check whether session is valid or not.
2) Javascript-only. Use Javascript injection at Submission. Example:
<input type="hidden" id="txtKey" name="key" value="" />
<input type="submit" value="Go" onclick="document.getElementById('txtKey').value = '<?php echo dechex(crc32(session_id())) ?>';" />
3) Time-limit per IP, User or Session. this is quite straightforward.
4) Randomizing field names:
<?php
$fieldkey = dechex(crc32(mt_rand().dechex(crc32(time()))));
$_SESSION['fieldkey'] = $fieldkey;
?>
<input type="text" name="name<?php echo $fieldkey; ?>" value="" />
<input type="text" name="address<?php echo $fieldkey; ?>" value="" />
Then you can check it over at the server side.
thephpdeveloper
2009-10-16 13:02:40
In my experience, 1) and 3) completely ineffective since mny bots behave like normal users as far as sessions are concerned, and requiring JavaScript for basic functionality is inacceptible.
Michael Borgwardt
2009-10-16 13:14:03
@michael: Your anti-javascript attitude is antiquated. Less than 5% of all users have their javascript deactivated. And if you've got it off, then it's your own fault. Besides, just put in a no-script warning to these folks that they can't submit.
The Wicked Flea
2009-10-16 14:44:15
Javascript is noadays the #1 source of virus infection, botnets and thus ultimately, spam. If you have it on indiscriminately, or require it for basic functionality. then you are part of the problem.
Michael Borgwardt
2009-10-16 14:52:21
Even if the peopel with js disabled is less than 5%, i dont like to bind a webpage functionality to something that can be not enabled or -aware- be **easly fooled and manipulated** by the user. However in this case, i'll assume that the 99.99% of the target use javascript, and this use dont have any dangerous drawback.
DaNieL
2009-12-14 15:27:34
A:
Disallow links. Without links, spam is useless.
[EDIT] As a middle way, only allow links to "good" sites (usually your own). There are only a handful of them, so you can either add them at the request of your users or hold a comment until you verified the link. When it's good, add it.
After a while, you can turn this off and automatically reject comments with links and wait for users to complain.
Aaron Digulla
2009-10-16 13:04:03
this doesn't work unless you just discard any posts containing links, which means sometimes valid users are going to lose their posts for no apparent reason. if you remove the links but allow the text you'll probably still get spam (at least that was my experience)
Kip
2009-10-16 13:20:02
Links are nearly the only reason why automated comment spam exists. By disallowing posts that contain links, you'll catch close to 100% of all spam. You don't have to swallow them silently either; display an explicit error message "sorry, no links allowed in comments". But still, it does make comments less useful.
Michael Borgwardt
2009-10-16 13:47:35
bots will still post spam, even a text only link is better than nothing.
Malfist
2009-10-16 14:17:42
+2
A:
Naive Beyesian filters, of course:
http://blog.liip.ch/archive/2005/03/30/php-naive-bayesian-filter.html
NickAtuShip
2009-10-16 13:04:07
A:
You could try looking at using a third party like Akismet. API keys are free for personal use. Also, The Zend Framework has a package for this.
Kieran Hall
2009-10-16 13:05:30
+5
A:
Akismet has an API. Someone wrote a wrapper class (BSD liscense) for it over at: http://cesars.users.phpclasses.org/browse/package/4401.html
There's also a Bayesian filter class (BSD Liscense as well) http://cesars.users.phpclasses.org/browse/package/4236.html
easement
2009-10-16 13:06:08
A:
Most bots simply fill out the whole form and send it to you. A simple trick that works is to create a normal field that you usually hide with the aid of javascript. On the server side just check whether this field has been filled. If so -- then it is spam for sure.
clops
2009-10-16 13:07:03
hiding the field with the aid of CSS would be better... then any non-JS users wouldn't see it either.
Kip
2009-10-16 13:32:05
+3
A:
There is the Honey Pot Theory as well. I enjoy coupling honey pots with other forms of spam reduction for best results.
reactivePixel
2009-10-16 13:07:46
+27
A:
In my experience the currently most effective methods are honeypot input fields that are made invisible to users via CSS (best use several different methods, such as visible:false, setting a size of 0 pixels, and absolut positioning far outside the browser window); if they're filled anyway you can assume it's a spambot.
This blog describes a rather complex method that I've tried out myself (with 100% success so far), but I suspect that you could get the same result by skipping all the stuff with hashed field names and just add some simple honeypot fields.
Michael Borgwardt
2009-10-16 13:08:29
+1 this worked on my blog too, mostly. every now and then there will be a spammer that submits to *every* form on the page though...
Kip
2009-10-16 13:21:10
+1. Working for the Government we have to be award of Section 508 issues, and your visual CAPTCHAS run afoul of those guidelines. A honeypot field in our external web forms has worked quite well.
Al Everett
2009-10-16 13:31:22
+1. Very cool. I also like the time limit idea. If a "user" submits a comment 74 milliseconds after requesting the page then you know something's up.
Steve Wortham
2009-10-16 13:43:59
@Steve - yes, but unfortunately it's too easy for spambots to defeat.
Michael Borgwardt
2009-10-16 13:50:55
also check out "detecting stealth web crawlers": http://stackoverflow.com/questions/233192/detecting-stealth-web-crawlers
Jacco
2009-10-16 13:55:28
A:
On my other site -- posting all forms via Ajax cuts off all the spam (literally)
clops
2009-10-16 13:12:18
A:
On my blog, I have a kind of compromise captcha: I only use a captcha if the post contains a link. I also use a honeypot input field. So far, this has been nearly 100% effective. Every now and then there will be a spammer that submits something to every form which contains no links (usually something like "nice site!"). I can only assume that these people think I will e-mail them to find out who they are (using the e-mail address that only I see).
Kip
2009-10-16 13:27:40
+2
A:
Another common approach is to give the user a simple question ("is fire hot or cold?" "what is 2 plus 7?" etc.). It is a little captcha-like, but it is more accessible to users with vision disabilities using screen readers. I think there must be a WordPress plugin that does this, because I see it very frequently on WordPress blogs.
Kip
2009-10-16 13:36:58
A:
As lot of people already proposed : use a honey pot input field. But there are two other things you need to do. First, randomize the name / id of which input field is the honey pot. Store the state of usefull fields in session (as well as a form token, used against CSRF attacks). For exampe, you have these fields to get : name, email, message. In your form, you will have "token" which is your token, "jzefkl46" which is name for this form, "ofdizhae" for email, "45sd4s2" for message and "fgdfg5qsd4" for honey pot. In the user session, you can have something like
array("forms" => array("your-token-value" => array("jzefkl46" => "name",
"ofdizhae" => "email",
"45sd4s2" => "message",
"fgdfg5qsd4" => honey"));
You just have to re-associate it back when you get your form data.
Second thing, as the robot has lot of chances to avoid your honey pot field (25% chances), multiply the number of pots. With 10 or 20 of them, you add difficulty to the bots while not having too much overhead in your html.
Arkh
2009-10-16 13:37:15
in my experience, most spambots blindly submit to the first form on the page. a few submit to every form. i haven't noticed any picking one at random (though i'm sure there are some)
Kip
2009-10-16 13:43:03
Sure, at the moment they don't pick randomly because not a lot of people use the honey pot method. But give it 2 or 3 years and some will.Let's get a little ahead of bots while it's possible.
Arkh
2009-10-16 13:51:09
I don't really understand what multiple forms have to do with honeypots, but the blog post I linked to describes how you can randomize field names *without* needing a session. However, I suspect that this extra effort is wasted: simple bots right now will go for honeypot fields with non-random names as well (or does anyone have data that contradicts this?), and if they're forced to become more sophisticated, it would not be all that hard to analyze the lexical page structure and use that to decide which fields to fill and which to skip.
Michael Borgwardt
2009-10-16 14:58:01
Not multiple forms, multiple hidden fields.With one bad field for 3 good ones, a bot could just bruteforce trying to get past with one field not completed at each try. So you have 25% of spam still going through.With 10 pots, it has to leave 10 fields blank out of 13.
Arkh
2009-10-16 15:32:31
A:
along with using honey pot fields, we can ban there IP automatically (which don't work for dynamic IPs) and especially any links posted back by bots.
Sanil
2009-10-16 14:04:03
A:
Akismet is a good alternative, they check your posts for spam and works very efficiently. You just need to load their librabry. http://akismet.com/development/
WebRaider
2009-10-16 14:09:30
A:
I have reduced about 99% of spam on my website through a simple mathematical question like the following:
What is 2+4 [TextBox]
The user will be able to submit the question/comment if they answer "6".
Works for me and similar solution works for Jeff Atwood from Coding Horror!
azamsharp
2009-10-16 14:31:53
A:
checkout some wp antispam plugins for examples and ideas
there're many nice antispam without using captcha.
some i'd recommend: hashcash, nospamnx, typepad antispam. all these using different methods blocking spam and i use them all. hashcash+nospamnx block almost all spambot. and typepad antispam block most human typed spam.
these are also good ones: spambam, wp-spamfree, anti-captcha, bad-behaviour, httpbl, etc
also with simple .htaccess that block any bot direct POST that do not come from your own site (check referer)
or, simply outsource your comment system to disqus and sleep tight.
DennyHalim.com
2009-10-20 00:22:06
+1
A:
ATLBL have an API at http://www.atlbl.com that you can use to detect and combat comment spam.
Mark
2010-09-20 12:48:48
A:
Regular CAPTCHAs are spam-bot solvable now.
Consider instead "text CAPTCHAs" : a logic or common knowledge question, like "What's 1 + 1 ?" or "What color is General Custard's white horse?" The question can even be static (same question for every try).
(Taken from http://matthewhutchinson.net/2010/4/21/actsastextcaptcha )
I think Jeff Atwood even uses a validation like this on his blog. (Correct me if I'm wrong)
Some resources:
- Text Captcha site & services : http://textcaptcha.com/demo
- A plugin : http://matthewhutchinson.net/2010/4/21/actsastextcaptcha
- More about text Captcha's with non-working code : http://www.thesamet.com/blog/2006/12/21/fighting-spam-on-phpbb-forums/
rlb.usa
2010-09-29 19:46:13