Comment spam
After a week of almost no blogging, I’ve had a day chock full of maintaining the blog.
MMG’s host’s sysadmin had updated some Perl modules, and my instance of MT Blacklist broke (I found the fix on this Taiwanese/English blog). And though my automated comment spam had trickled to a minimum after taking steps previously mentioned, those measures have since failed, and I was getting deluged.
So I’ve taken further measures to stay a few steps ahead of the spammers.
While doing so, I thought of a complicated scheme. Require users to preview their comment before they can post it. When they hit preview and the server sends the posting form, it slips in a hidden field, encrypted with a PGP public key, that contains a coded version of the time and a unique identifier (which the blog software stores together on the server side). Users are warned that they only have, say, 15 minutes to post their comment after hitting preview (but, of course, they can request another preview, get another unique identifier, and start the clock running again).
Upon submitting the form, the server decrypts the unique identifier and timestamp and looks up the identifier. If it doesn’t exist, or it was issued more than the given amount of time ago, the comment is rejected.
This means that spammers couldn’t just forge their own forms and submit them to your server (as they easily can today with default Movable Type installations). They’d have to request and parse your preview form first.
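The preview-token scheme described above, written out as an added example (my own code, not Movable Type's or MT-Blacklist's). It assumes a 15-minute window and an in-memory table standing in for the blog's server-side store; in place of the PGP public-key encryption it signs the identifier and issue time with an HMAC, which is enough for the server to detect a forged or edited hidden field and keeps the example to the standard library. One-time use of each identifier is a design choice added here, not something the post requires.

```python
import hashlib
import hmac
import secrets
import time

# Assumed values for this example: a per-server secret and the 15-minute
# window the post suggests.
SECRET_KEY = secrets.token_bytes(32)
WINDOW_SECONDS = 15 * 60

# Server-side store standing in for the blog software's table:
# identifier -> issue timestamp (seconds since the epoch).
issued_tokens = {}


def _sign(identifier, issued_at):
    """HMAC over identifier and issue time; replaces the PGP step in the post."""
    msg = f"{identifier}:{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_preview_token(now=None):
    """Called when the preview form is rendered; returns the hidden-field value."""
    issued_at = int(now if now is not None else time.time())
    identifier = secrets.token_hex(16)          # unique, unguessable identifier
    issued_tokens[identifier] = issued_at       # remembered on the server side
    return f"{identifier}:{issued_at}:{_sign(identifier, issued_at)}"


def validate_preview_token(token, now=None):
    """Called on submit; returns (accepted, reason)."""
    now = now if now is not None else time.time()
    parts = token.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return False, "malformed"
    identifier, issued_str, sig = parts
    issued_at = int(issued_str)
    # A forged form fails here: the spammer cannot produce a valid signature.
    # compare_digest keeps the check constant-time.
    if not hmac.compare_digest(sig, _sign(identifier, issued_at)):
        return False, "bad signature"
    stored = issued_tokens.get(identifier)
    if stored is None:
        return False, "unknown identifier"    # never issued, or already used
    if stored != issued_at:
        return False, "timestamp mismatch"
    if now - issued_at > WINDOW_SECONDS:
        del issued_tokens[identifier]
        return False, "expired"               # preview older than the window
    # One-time use (added design choice): a replayed token is rejected above.
    del issued_tokens[identifier]
    return True, "ok"


if __name__ == "__main__":
    tok = issue_preview_token(now=1000)
    print(validate_preview_token(tok, now=1500))              # accepted
    print(validate_preview_token(tok, now=1500))              # replay
    late = issue_preview_token(now=1000)
    print(validate_preview_token(late, now=1000 + 16 * 60))   # expired
    print(validate_preview_token("abc:1000:deadbeef", now=1000))  # forged
```

As the post goes on to say, none of this stops a robot that first fetches the preview form and parses the hidden field out of it; what it removes is the blind POST of a forged form, and the window bounds how long a harvested token stays usable.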
Unfortunately, this scheme would work only until a spammer felt like building a robot to automate doing just that, which wouldn’t be any great trick. And it’d cut through all the cleverness with the encrypted timestamp just as easily as it could a dumb hidden magic word field. The only advantage would be their limited time window to spam… which wouldn’t be an advantage once the spammer has compensated for it.
It’s another club solution. It would offer only relative security — it could make it less attractive for them to hit some particular blog in the short run, but once a large plurality of blogs had it, they would all become equally attractive again.
What we really need are omnipotent alien overlords who hate spam. That’d pretty much solve it.
Sorry about that perl upgrade. I thought I had made sure all the installed modules behaved properly after I did it.
Most omnipotent alien overlords that I know see the spam we get as a necessary evolutionary step that must be overcome.
Posted by Scanner on August 18 2004 22:54
zzz... whu? hah? I'm awake, I'm awake, I swear!
Unfortunately, this sounds like the most compelling reason why maintaining a blog of my own wouldn't be worth the trouble.
Posted by Jimcat on August 19 2004 04:34
Well, one could use an obscure blog tool that the spammers haven't targeted yet. Or turn off commenting.
Or, if you're an MT 2.6* user, update your MT-Blacklist's data from the master list on a regular basis.
Still, dealing with these problems makes me glad I'm a web programmer.
Posted by Zed on August 19 2004 08:49