pf » How I block comment spam

July 19, 2005

How I block comment spam

web

You would think that by having custom written blogging software (only two other blogs out there are using this code), and not allowing HTML in comments, that comment spammers would not waste their time on me. But they do.

Why do they bother with me?

Even though their URL will not be hyperlinked on my blog giving them pagerank, they still spam because they are hoping for the following:

  • They want me to click on the link before I delete it.
  • They are hoping that people subscribed to the comment thread will click on the link.
  • They are planting keywords on my pages so that someone searching for the term in google, may find my page, and copy and paste the url.

When I was at the bloggers BOF at cfunited, people mentioned that when using Ray Camden's blog CFC software they didn't get much if any comment spam. I think that is because the comment form is located in a popup window launched by javascript. So it's more of a hassle for spammers to spam them. I however would rather keep my comment form on my entry page, so it's easier for readers to post comments.

What I do to block comment spam

Here's what I do to block comment spam on this blog:

  • Check HTTP Referrer to make sure it's coming from my site. I know some people like to turn this off in their browser, but they won't be able to post comments unless they turn it on.
  • If the comment contains a HTML link I reject it, giving the user a detailed message that tells them to just post the url.
  • Check for a set of bad words - my list is very small only about 10 words currently.
  • Check for [url] - a lot of comment spammers try to pass the links as [url]http://foo[/url]
  • Look for more than 5 url's in the comment. Comment spammers often try to post 10-20 urls at a time, so I just reject them. I use this regular expression REFindNoCase("(http:.*){5,}", form.comment)

| Add Comment | add to del.icio.us | Tags: , ,

Related Entries
8 people found this page useful, what do you think?

Trackbacks
Trackback Address: 411/038CCD77105DD3C2DB54800BF6CFB034
Comments
On 07/19/2005 at 5:13:55 PM MDT fredo wrote:
1
test

On 07/19/2005 at 6:44:05 PM MDT Mike Rankin wrote:
2
I think you are probably right about the pop-up. I've only had one comment spam in the past 6 months on my blog hosted on blogger.

On 07/19/2005 at 7:31:03 PM MDT Dan G. Switzer, II wrote:
3
I was having the problem as well (using my own custom Blog software.) I fixed this by building a simple spam filter. When I get a piece of spam, I move it to a spam filter table. All my spam was coming in from basically the same e-mail address and the same Urls, so my filter basic looks to see if these is a bad comment and if so silently rejects it.

While I was getting a handful of spam messages a week, I've dropped down to zero.

On 07/19/2005 at 11:51:08 PM MDT Michael Dinowitz wrote:
4
A small modification to your regex to deal with https and to make it non-greedy.

REFindNoCase("(https?://.*?){5,}", form.comment)

On 07/20/2005 at 4:24:29 PM MDT Doug wrote:
5
You should NEVER be checking the HTTP_Referer. Your assumption that you are preventing only those valid users who know how to change/spoof their HTTP_Refer is grossly mistaken. You are hindering many valid users who have installed software that supposedly protects their privacy by hiding this info. There are quite a number of software suites that change or prevent reporting of the referer. Granted, this is stupid and pointless effort by these software vendors and they have done things to break stuff on the web in other ways as well, but it is something users likely do not have the knowledge to fix and creates unsuspecting victims rather than the techie tinkerer that you envision who knows why he can't post.

The #1 goal of any measure to prevent malicious use should be to not hinder the legitamate user, which your solution does indeed.

I use some other methods like datetime-generated stamps cross-checked with a salted hash to disallow someone from ripping my form off and submitting from another location. Of course if they scrape the page in real-time, that is the hardest trick to defeat, but then you can do things like freqeuency capping, mass deletions, or other means of authentication (captcha, email verify if not logged in).

On 10/17/2006 at 2:39:01 PM MDT notebook dell parts, battery and accesories wrote:
6
I have been looking for sites like this for a long time. Thank you!

On 10/20/2006 at 9:07:07 PM MDT All about stock market wrote:
7
I have been looking for sites like this for a long time. Thank you!

On 10/22/2006 at 11:50:21 PM MDT Attorney for you wrote:
8
I visited your web site.

On 10/28/2006 at 8:12:12 PM MDT Fine hotels here wrote:
9
Thank you for your site. I have found here much useful information...

On 12/16/2006 at 3:25:11 PM MST mavines wrote:
10
Write your comments here, please.

On 04/17/2007 at 2:24:58 PM MDT tenuate wrote:
11
Crosby leads the in points and assists and is near the top in goals.

On 06/29/2007 at 11:48:26 PM MDT celexa wrote:
12
I want to say - thank you for this!

On 07/31/2007 at 1:53:57 AM MDT alex wrote:
13
Thank for making this valuable information available to the public.

On 08/27/2007 at 2:20:09 AM MDT Tim wrote:
14
very helpful, thanks!n

On 09/27/2007 at 8:09:23 AM MDT Tim wrote:
15
Very good web site, great work and thank you for your service.+

On 10/03/2007 at 12:15:54 PM MDT yamomoto wrote:
16
excellent texture.l

On 10/10/2007 at 9:41:31 AM MDT bek wrote:
17
simple but quality, thanks!d

On 10/18/2007 at 3:57:59 AM MDT mason wrote:
18
Thank for making this valuable information available to the public.

On 10/18/2007 at 7:02:12 PM MDT dgykj wrote:
19
http://www.forex.co.ir http://www.meta-fx.com forex ?????

On 10/30/2007 at 2:35:11 AM MST non wrote:
20
Hi. m0pi0l4b0xg@yahoo.co.uk

Post a Comment



  



Spell Checker by Foundeo

Recent Entries




Subscribe to my RSS Feed: solosub RSS
Tags