A Few Upgrades

After having to delete a few hundred spam comments from my weblog this week, I finally admitted that my blacklist wasn’t stopping any spam. Apparently domains have gotten too cheap for blacklists to be a viable deterrent anymore.

So, today I upgraded the blog to WordPress 1.5.1.3, and taking a cue from Jeremy Zawodny I’ve included an extra field people need to fill out to post comments:
[Screenshot: New required field for commenting.]

The idea here is that most comment spam is automated by programs (call them bots or spiders) which look for installations of common blogging software. These spiders look for a “signature” they recognize, like the fields in a comment posting form, that lets them identify which blogging software is being used on the site. From there, they can guess where they need to send automated requests to post comments, and what the values of the various form fields need to be. By simply adding another field that needs to be filled out with a specific value, most comment spam can be stopped. Or, that’s the idea.

If everyone were to start doing this, writing spam bots would suddenly become much harder, as they’d essentially need to start passing arbitrary Turing tests. That, or spammers would need to use human labor to customize their bots for each site they wanted to spam. The hope is that that would get very expensive very quickly.

In a sense, this is one step backwards from Captchas, which are programs designed to automatically generate these simple tests. However, the point of vulnerability for captchas is that they too are programs, with their own signatures that bots can pick up on. If enough people use the same captcha in the same way, then at some point it makes sense economically for a spammer to specifically target that captcha, either by writing a program to solve the captcha, or through clever social engineering efforts.

So, if a spammer starts customizing their bots for my site, the logical next step is to either change my one-off customization by asking a different question, or to write a custom captcha to increase the marginal cost of customizing a bot to spam me. Personally, I’m leaning towards automatically generating visual puzzles that would be difficult for a person to solve, let alone a spambot, and seeing how they like that. 🙂

In the meantime, the code I added to do this was very simple, and I’d encourage people to try customizing their own site with a different test.

In wp-comments-post.php, I added:
    // Reject the comment unless the extra field contains the expected answer.
    // isset() avoids a PHP notice when a bot omits the field entirely.
    $comment_turing = isset($_POST['comment_turing']) ? trim($_POST['comment_turing']) : '';
    if (stristr($comment_turing, 'andrew') === FALSE) {
        die( __('Sorry, you must enter Andrew\'s first name to post a comment.') );
    }

Download this code: /code/17a.txt

and in my comments template I added:
    <p>
        What is Andrew's first name?
        <input type="text" name="comment_turing" id="comment_turing" tabindex="4" />
        <small>(required)</small>
    </p>

Download this code: /code/17b.txt

and changed the next couple of "tabindex" attributes to be higher so tabbing between fields works correctly.
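As an added example (not the post's own code, and not part of WordPress), here is a generalised version of the check above: the site keeps several questions, the day of year selects which one is shown, the same rule is applied when checking so no client-supplied field decides which question was asked, and the answer is compared whole rather than as a substring. All function names and the questions are hypothetical.

```php
<?php
// Site-specific question/answer pairs (constructed sample values). Answers are
// compared whole after trimming and case-folding, so "xandrewy" is rejected.
$turing_questions = array(
    array('q' => "What is Andrew's first name?",           'a' => 'andrew'),
    array('q' => 'Please spell "response" backwards:',      'a' => 'esnopser'),
    array('q' => 'What colour is the sky on a clear day?',  'a' => 'blue'),
);

// Day of year picks the question. Rendering and checking both use this rule,
// so the bot cannot submit a hidden field saying which question it answered.
function turing_index(array $questions, $day_offset = 0) {
    $n   = count($questions);
    $day = (int) date('z') - $day_offset;
    return (($day % $n) + $n) % $n;      // keeps the index non-negative at year start
}

// Field for the comments template; replaces the fixed <p> shown in the post.
function turing_field(array $questions) {
    $q = htmlspecialchars($questions[turing_index($questions)]['q'], ENT_QUOTES, 'UTF-8');
    return "<p>$q <input type=\"text\" name=\"comment_turing\" id=\"comment_turing\" "
         . "tabindex=\"4\" /> <small>(required)</small></p>\n";
}

// Server-side check for wp-comments-post.php. Accepts today's answer, or
// yesterday's for a form that was loaded just before midnight.
function turing_check(array $post, array $questions) {
    if (!isset($post['comment_turing'])) {
        return false;                    // field missing: bot or broken form
    }
    $given = strtolower(trim($post['comment_turing']));
    foreach (array(0, 1) as $offset) {
        $expected = strtolower($questions[turing_index($questions, $offset)]['a']);
        if ($given === $expected) {
            return true;
        }
    }
    return false;
}

// In wp-comments-post.php, before the comment is stored:
if (!turing_check($_POST, $turing_questions)) {
    die(__('Sorry, you must answer the question to post a comment.'));
}
```

Rotating questions only raises the cost for a spammer who has learned one answer by hand; once all answers are known, the set has to change, which is the same trade-off the post describes.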

Enjoy!

Update:
Peter took this idea and ran with it, harnessing the power of his commenters to compute pi. Check it out.

9 Responses to “A Few Upgrades”

  1. Jonathan Deutsch Says:

    Test + I’ll have to use this on my blog, since I think the captcha is sometimes hard to read.

  2. ridiculous_fish » Blog Archive » Spam Says:

    […] […]

  3. Emily Hambidge Says:

    Great idea!!! Thank you so much! You have just helped me solve a major problem I have with my blog.

  4. A Serendipitous Intention » Blog Archive » New Comment Question Says:

    […] I can’t explain how he did it because I have no idea, but I do know that it’s working wonders! I got this idea from Andrew – a total genius. As he says The idea here is that most comment spam is automated by programs (call them bots or spiders) which look for installations of common blogging software. These spiders look for a “signature” they recognize, like the fields in a comment posting form, that let it identify which blogging software is being used on the site. From there, they can guess where they need to send automated requests to post comments, and what the values of the various form fields need to be. By simply adding another field that needs to be filled out with a specific value, most comment spam can be stopped. Or, that’s the idea. […]

  5. The Robservatory » New comment spam blocker installed Says:

    […] I took the advice of Andrew Wooster, linked by Simon Manganelli in comment #3 on the original captcha post, and created a personalized spam blocker using an additional field on the comment form. I also tweaked it just a bit, to provide some benefit to registered users. So as of today, here’s how comments will work going forward: […]

  6. Sam Says:

    where is the code?

  7. fanof don lapre Says:

    This is a really interesting idea, I’m surprised that more programmers and designers haven’t thought of this before.

  8. ridiculous_fish » Blog Archive » Spam Says:

    […] But I called this post "Spam." What for? Well, as Andrew Wooster points out, stopping spam can be as easy as adding an extra field to the comment form. Have you guessed the punchline yet? […]

  9. 412 Precondition Failed Says:

    […] […]

Leave a Reply

Please spell "response" backwards: (required)