The Robservatory

Robservations on everything…


New comment spam blocker installed

As a follow-up to the captcha post, I think I've implemented a near-ideal solution to allow fast and easy commenting while still blocking the spambots.

I took the advice of Andrew Wooster, linked by Simone Manganelli in comment #3 on the original captcha post, and created a personalized spam blocker using an additional field on the comment form. I also tweaked it just a bit, to provide some benefit to registered users. So as of today, here's how comments will work going forward:

  • If you're logged in: There's no change from how things worked before. Just fill in your comment and submit it. I'm going to assume that the spambots aren't going to take the trouble to register prior to spamming the site :). If that turns out not to be true, I may have to make the below process apply to everyone.
  • If you're not logged in: You'll see one new field on the comment submission form. This field is required, and it's a text field to hold the answer to one of five very simple questions. How simple? They're so simple that the answer is given in the questions themselves. Here's a sample question: "What is Tommy Sample's first name?" Type in the answer, and the comment will be published just as before.

I think this is about the most painless spam solution available, so let's see how it works. Registered users will feel no pain at all, and everyone else will have just a slight (a few characters typed into one text box) hassle, with none of the captcha's side effects. Please let me know if you have any troubles with this new solution.

Update: There are now five randomly-presented questions, as well as a cleaned-up layout. Hopefully the questions are all as simple as they should be; if you're thinking about the answer, you're trying too hard!
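One way the randomly chosen question and its server-side check could be wired together, as an added example that is not this site's code. Only the "Tommy Sample" question comes from the post; the other questions, the function names, the key placeholder and the one-hour lifetime are assumptions.

```php
<?php
// Added illustration, not the site's code. Names and most questions are constructed.
const CHALLENGE_KEY = 'replace-with-a-long-random-server-side-secret'; // placeholder
const CHALLENGE_TTL = 3600; // assumed: seconds a rendered form stays valid

// Each answer appears in its own question, as the post describes.
const QUESTIONS = [
    ["What is Tommy Sample's first name?", 'tommy'],   // from the post
    ['What color is a red apple?', 'red'],             // constructed
    ['Type the word "seven" in this box.', 'seven'],   // constructed
    ['What animal is a brown dog?', 'dog'],            // constructed
    ["What is Jane Example's last name?", 'example'],  // constructed
];

// Pick a question at random and bind its index and issue time with an HMAC,
// so a submitter cannot swap in a question it already knows how to answer.
function issue_challenge(int $now): array
{
    $id = random_int(0, count(QUESTIONS) - 1);
    $mac = hash_hmac('sha256', "$id|$now", CHALLENGE_KEY);
    return ['question' => QUESTIONS[$id][0], 'token' => "$id|$now|$mac"];
}

// Logged-in users skip the check; everyone else must return a valid,
// unexpired token together with the matching answer.
function comment_allowed(bool $loggedIn, string $token, string $answer, int $now): bool
{
    if ($loggedIn) {
        return true;
    }
    $parts = explode('|', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return false; // malformed token
    }
    [$id, $issued, $mac] = [(int) $parts[0], (int) $parts[1], $parts[2]];
    $expected = hash_hmac('sha256', "$id|$issued", CHALLENGE_KEY);
    if (!hash_equals($expected, $mac) || $id >= count(QUESTIONS)) {
        return false; // forged or tampered token
    }
    if ($now < $issued || $now - $issued > CHALLENGE_TTL) {
        return false; // stale form
    }
    // Normalize so "Tommy ", "tommy" and "TOMMY" are all accepted.
    return hash_equals(QUESTIONS[$id][1], strtolower(trim($answer)));
}
```

The token is stateless, so a solved challenge can be resubmitted until it expires; a short lifetime or a record of used tokens limits that.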


  1. Do I hear the sound of spambots everywhere adding support for the Rob field?

    Seriously, should it not ask one of a variety of questions?

  2. "What is Rob's first name?"

    I give up. What is it?

    I don't see how we're supposed to know the finer points of trivia about Rob.

  3. Very nice, simple, yet should be effective (for a while anyway).

    Though why a spam bot wants to post to a blog site is well beyond my understanding... I really don't see what benefit it has, especially if it's just posting drivel.


  4. Two enhancements:
    1) Add a link from "Rob" in the question to a page with a bio of Rob (something that seems to be missing - would be good to add a link on the sidebar to this as well)

    2) Add a link from "This is required" to a page explaining why this is required (to defeat spam-bots).

  5. I'll definitely be interested to hear a followup of how successful this is. It's so simple, yet effective since it requires comprehension of the sentence to know what is required. Granted, if everyone uses the technique, spambots will just start echoing back words in reverse order from what is closest to the input field, but saving yourself trouble for 6 months is good in any spam battle.

  6. Thanks for the feedback. Good ideas on the links; I'll add them later today. I've also got an enhancement planned -- randomized simple questions. I'm going to create a series of very simple questions, and then write a little PHP routine to randomly choose one each time an unregistered user brings up the comment form.

    Since I'll be able to add to and change the question list at any time, hopefully this will be enough to keep the bots out, yet still not inconvenience the real users.


  7. What about 1 + 1 = [field]? It doesn't require so much reading and is a little bit easier question :o) I don't think they are going to modify spambots to do math in the near future :)

  8. Adrian (#2): Simply using one question will probably defeat most of the spam because spambot creators are not going to go around looking at the questions on every single weblog out there and code the answers into their spambot. That would be ridiculously ineffective. As Andrew Wooster points out in the linked post, once people start implementing even a single question CAPTCHA, spambots will have to start passing arbitrary Turing tests. That's still a pipe dream for computers at this point, which is why even a single question will cut down spam significantly.

    Of course, randomizing the questions doesn't hurt. :)

  9. Petr (#10):

    I thought about math, but it is completely possible that spambots may already be capable of this. The problem with simple math is that it would be fairly simple to parse a math question. By definition, it must contain at least two numbers and an operator. So stripping "6x5" or "six times five" out of a sentence would be pretty simple.

    And no, nobody will modify their spambots to handle a math problem on just my site. But if it became more widespread, I think we would see such beasts. With customized questions, every spambot would have to be custom coded for every site. And the questions can be changed easily and often, making such bots worthless.


  10. Possibly you could "up" the spam"bot" a little bit, by adding complexity... I could see how finding the answer to "what's Rob's first name?" would be hard on some, but others enjoy spending time on solutions to trivia - so why not have trivia questions thrown in, preferably random: "What's the square mileage of Oregon State, divided by 1.2?", "the birth year of Lincoln retracted from the alleged birth year of Plato?" and some such. Would spice things up a bit. 8-)

  11. KK:

    I thought about doing things like that, but I didn't want to annoy folks too badly. I have, however, updated the spam blocker a bit, and I'll cover the changes in a future post.

    The new system will more easily allow me to add and modify questions, so it's possible I could add some more challenging ones. Perhaps I can do so, and include a "Hit Reload if this question is too challenging" button or somesuch :).

