After a week of almost no blogging, I’ve had a day chock full of maintaining the blog.
MMG’s host’s sysadmin had updated some Perl modules, and my instance of MT Blacklist broke (I found the fix on this Taiwanese/English blog). And though my automated comment spam had trickled to a minimum after taking steps previously mentioned, those measures have since failed, and I was getting deluged.
So I’ve taken further measures to stay a few steps ahead of the spammers.
While doing so, I thought of a complicated scheme. Require users to preview their comment before they can post it. When they hit preview and the server sends the posting form, it slips in a hidden field encrypted by a PGP public key that contains a coded version of the time, a unique identifier (which the blog software stores together on the server side.) Users are warned that they only have, say, 15 minutes to post their comment after hitting preview (but, of course, they can request another preview, get another unique identifier, and start the clock running again.)
Upon submitting the form, the server decrypts the unique identifier and timestamp, looks up the identifier. If it doesn’t exist, or it was issued more than the given amount of time ago, the comment is rejected.
This means that spammers couldn’t just forge their own forms and submit them to your server (as they easily can today with default Movable Type installations). They’d have to request and parse your preview form first.
Unfortunately, this scheme would work only until a spammer felt like building a robot to automate doing just that, which wouldn’t be any great trick. And it’d cut through all the cleverness with the encrypted timestamp just as easily as it could a dumb hidden magic word field. The only advantage would be their limited time window to spam… which wouldn’t be an advantage once the spammer has compensated for it.
It’s another club solution. It would offer only relative security — it could make it less attractive for them to hit some particular blog in the short run, but once a large plurality of blogs had it, they would all become equally attractive again.
What we really need are omnipotent alien overlords who hate spam. That’d pretty much solve it.