Preventing Comment Spam



Emancipator
04-24-2006, 07:32 AM
As you regulars know, I love to write code and I do a lot of it. I am however stumped on a SIMPLE and effective method to stop comment spam. I have been looking all over the internet for about the last 2 hours doing reading on it and don't see any really good and EASY to implement solution for comment spam. Keep in mind I'm not using WordPress or any other prebuilt blogging system. I am just looking for some simple way to obfuscate or block those lame-o spammers.

Feedback with links? Thanks Guys and Gals!

Emancipator
04-24-2006, 08:19 AM
OK, so I have come up with a solution and am testing it. I will also post the results when I'm done.

Emancipator
04-24-2006, 09:13 AM
OK, so I have my new comment system set up. Took 15 minutes. You can see it in action here http://www.ultimate-fighter.ca/ufc-fighter.php?id=1 on my new "quickie" site.

Basically what I have done is REMOVED the part of the form that processes the comment. Normally to process a post in php you assign it an action. Would look like this.


<form id="add_post" name="add_post" method="POST" action="<? ACTION HERE ?>">

In my case I left the action portion blank, which means you can't submit the form. THEN I added a jscript function that will add in the action if you are using a browser. The concept? If you are using a scraper or those idiot bots that don't run jscript, you cannot spam my site, but users can post comments with no headaches.

So basically if you're a scraper you have no ability to submit my form, if you're a user in a browser you can submit the form no problem. Will let you know in a few days how well it works :)

Kings
04-24-2006, 09:41 AM
That won't work. It's possible to leave the action attribute empty (like you have), but any browser and probably any spider/bot will automatically default to the current page. Your form handler script needs to be a different script then.

Another problem is that those who don't have JS enabled won't be able to use your form. Minor problem, but it could still lead to frustration among certain visitors.

The easiest solution is probably to simply use blacklists, e.g. a moderation blacklist (any comments that match it will be held back for moderation) and a delete blacklist (any comments that match it will be immediately deleted).

Have a look at WordPress to see how they handle it.

Emancipator
04-24-2006, 09:48 AM
The blacklist fix is not a good fix, it's only as good as how often you update it. I started with WordPress in my research.

You sure that the programs that do the spamming can read jscript? I did a lot of reading and the consensus is they cannot. Good idea on including the jscript in an external file that is an easy update. You think that would work?

The small portion of people using browsers that don't support javascript I am willing to bear :) Thanks for the response.

r2d2
04-24-2006, 10:58 AM
What about using one of those image things where you have to type in the letters in the (slightly obscured) image?

Emancipator
04-24-2006, 11:00 AM
Absolutely, I was just looking for the simplest method. :) This implementation took me about 1 min.

Emancipator
04-24-2006, 12:27 PM
Hopefully somebody can follow up on the javascript option. It's a great option, just looking for feedback on if anyone is doing it and more importantly if it works.

I just updated my comment system and turned it into a full blown forum system. For those looking at the link getting confused :) Never wrote a forum before so decided to do a simple one.

AndyH
04-24-2006, 06:00 PM
Simple for you or for the visitor?

I think you should just add a captcha.

Emancipator
04-24-2006, 06:54 PM
Both, easy for me and easy for my readers. Captcha is fun and all but it's an added annoyance for readers and it would seem you can do what needs to be done with jscript. Surely some of the sharper minds here have done it and more :)

Jscript is a very seamless and non-obtrusive method and it would seem it does work from my research, but KINGS has hit on a good point and if he's right jscript is useless in this application as I described it.

Westech
04-25-2006, 07:23 AM
If it's useless in your application because your form is submitting the form to the same page the form is on then just change your approach a little. Instead of using JS to hide your form action, add an extra form element and use JS to hide that:



<input type=hidden name=submitCheck value=1 />


Then have your php code that processes the form check if isset($_POST['submitCheck']).

I don't think that most crawlers and bots can process javascript, but I think that more and more will begin to have the ability to process at least simple document.write statements to get around things like this. If you want to be extra careful take the javascript you use to output the hidden form element and obfuscate it a little to confuse any bots that look for document.write outputs:



third='k value=1'
second='n name=submitChec'
other='klaslkdfas'
first='<input type=hidde'
out=first + second + third
document.write(out + '>')

Emancipator
04-25-2006, 07:33 AM
Thanks Westech, jump on MSN so I can harass you with a couple questions. You have taken my idea and made it so it works! I just wanna pick your astute javascripting brain! :)

Emancipator
04-25-2006, 10:40 AM
Thanks Kings and Westech, I now got it all sorted out in my muddled head and we will see how well it works.

michael_gersitz
04-25-2006, 08:02 PM
Your way people can still automatically submit spam. I have done a few to try and stop it. I ended up having to approve all comments by hand.

1. is to disallow http://www. in my comments boxes with javascript.
2. Only allow a certain amount of characters
3. Since you have got the bots out of the way, use the php function to just print the code, and not allow html in the comments. This will deter people from posting spam manually.
4. If all else fails, add a hidden field to throw the comment into a queue and manually approve each one.
5. Do what westech said..

Emancipator
04-26-2006, 06:05 AM
Michael, we will see if bots still spam but I stand by the method. With the changes that Westech and Kings have pointed out and I have implemented I feel very confident that I won't be seeing the mass spam. You can never 100% eliminate spam but Westech and Kings' methodology is sound and I think will work. We will see in about 30 days how much spam I get from it. Westech's variation on my implementation is ingenious and from what I have been reading will work wonders.. but the proof is in the pudding and in about 30 days we will see.

At the end of the day you will still have some idiot who comes by to manually spam. That is not something I am concerned about. It's the bots that hit my sites and submit hundreds of daily comment spam I am contending with.

Kudos again to Westech and Kings for helping out on this.

Emancipator
04-26-2006, 06:28 AM
Here is the code for anyone else who wants to try it out, hum over it or improve it. Remember to put a check into your php or your comment/forum code won't work at all :)




<script type="text/javascript">
/* hidden field or do math */
third='k value=1'
second='n name=submitChec'
other='klaslkdfas'
first='<input type=hidde'
out=first + second + third
document.write(out + '>')
</script>



Fire the code within the form to add an extra element. If others have their own methods and don't mind sharing them I would be interested in seeing it, and I am sure folks can learn a lot about this. Including myself.

John
04-26-2006, 09:59 AM
Very good idea. I think I'm going to go buy the php bible, I know a little php but not enough to make my own applications, I'm getting tired of modifying other CMS's to suit my needs.

Emancipator
04-26-2006, 10:12 AM
Doesn't take a lot of php know-how to make a cms. Be sure to try this code to prevent comment spamming and see how it holds up.

peach
04-26-2006, 11:24 AM
I made a comments component for Joomla with the following features that relate to spam control:

Toggle "registered users post only"
Toggle "force comment preview"
Toggle linking to commenter's website (when turned off, the link is a rel=nofollow)
Toggle "email mandatory"
Review comments yes/no

On my website I have all these options turned off, except for the email one. I used to get dozens of spam mails on various topics, then I put the following function in, and since then I am getting no spam messages at all.
In the meanwhile, friendly visitors can publish feedback on the site instantly.



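// Reject the comment if any submitted field matches the trigger-word pattern.
// eregi() is case-insensitive; it was removed in PHP 7 (preg_match() with the i flag replaces it).
if (eregi($common_spam_pat,$mc_comment_name) || eregi($common_spam_pat,$mc_comment_email) || eregi($common_spam_pat,$mc_comment_homepage) || eregi($common_spam_pat,$mc_comment)) {
mosRedirect("index.php?option=content&task=view&id=$id&Itemid=$Itemid", _COM_C_SPAM);
}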


This function compares the form input fields to an array of trigger words, these are my trigger words:

.
.
.
.
/* Profanity warning for the faint-hearted */
.
.
.
.
.

$common_spam_pat= "sleepdeprivation|sleepdisorders|insomnia|phentermine|phentemine|vicodin|hydrocodone|levitra|ultram|ultram|cialis|soma|soma|diazepam|gabapentin|celebrex|viagra|fioricet|ambien|valium|zoloft|finasteride|lamisil|meridia|allegra|diflucan|zovirax|valtrex|lipitor|proscar|acyclovir|sildenafil|tadalafil|xenical|melatonin|xanax|herbal|drugs|lortab|adipex|propecia|carisoprodol|tramadol|shemale|gangbang|cock|anal|orgy|cock|anal|orgy|singleschristian|datingchristian|cumeating|creampies|cumsucking|cumswapping|cumfilled|cumdripping|krankenversicherung|cumpussy|suckingcum|drippingcum|pussycum|swappingcum|eatingcum|cum|cum|sperm|christiandating|jewishsingles|sexmeetings|swinging|swingers|personals|sleeping|libido|grannies|mature|enhaement|sexual|gayteen|teenchat|gaychat|adultfinder|adultfriend|friendfinder|friendadult|finderadult|finderfriend|discreteeounters|cheatingwives|housewives|sex.|snowballing|fat|fat|diet|pills|weight|supplement|texasholdem|poker|casino|blackjack|mortgage|refinaing|cashadvae|cashmoney|payday|netwasgroup.com|nic4u.com|wear4u.com|foxmediasolutions.com|liveplanets.com|aeternatech.com|continentaltirebowl.com|chemsymphony.com|infolibria.com|globaleducationeurope.net|soma.125mb.com|mitglied.lycos.de|foxmediasolutions.com|jroundup.com|feathersandfurvanlines.com|conecrusher.org|sbjbroadcasting.com|edthompson.com|codychesnutt.com|artsmallforsenate.com|axionfootwear.com|protzonbeer.com|candiria.com|bigsitecity.com|coresat.com|istarthere.com|amateurvoetbal.net|alleghanyeda.com|xadulthosting.com|datashaping.com|zick.biz|newprieton.com|dvdsqueeze.com|xopy.com|webdevboard.com|devaddict.com|eatoni.com|whiteguysgroup.com|guestbookz.com|webdevsquare.com|indfx.net|snap.to|2y.net|astromagia.info|jixx.de|freesms";



You can add any terms to the list to fight spammers that still get through, and you might have to remove some words if the topic of your site is related to any of 'em.
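
As an added example (not code from this thread or from peach's component): one way the server-side checks discussed above can fit together in PHP 7.4+, combining Westech's submitCheck field, a length cap, Kings' delete/moderate split, and HTML escaping on output. It matches trigger words as whole words with preg_match(), which goes beyond the substring match in the post above so that a word like "analysis" is not caught by a shorter trigger. The function names, the name/email/homepage/comment field names, and both short word lists are assumptions made for the illustration.

```php
<?php
// Added example, not from the thread. Names and word lists are hypothetical/constructed.
$deleteWords   = ['viagra', 'texasholdem', 'guestbookz.com'];
$moderateWords = ['casino', 'mortgage', 'anal'];
// Whole-word, case-insensitive pattern: "anal" no longer fires on "analysis",
// and preg_quote() makes the dot in a domain literal.
function build_pattern(array $words): string
{
    $quoted = array_map(fn($w) => preg_quote($w, '~'), $words);
    return '~(?<![a-z0-9])(?:' . implode('|', $quoted) . ')(?![a-z0-9])~i';
}

// Returns 'reject', 'delete', 'moderate' or 'accept'.
function classify_comment(array $post, array $delete, array $moderate, int $maxLen = 2000): string
{
    // Field written into the form by the JavaScript snippet.
    if (($post['submitCheck'] ?? null) !== '1') {
        return 'reject';
    }
    $fields = [];
    foreach (['name', 'email', 'homepage', 'comment'] as $key) {
        $value = $post[$key] ?? '';
        if (!is_string($value)) {
            return 'reject'; // e.g. comment[]=x arrives as an array
        }
        $fields[$key] = $value;
    }
    $comment = $fields['comment'];
    if (trim($comment) === '' || strlen($comment) > $maxLen) {
        return 'reject';
    }
    $all = implode("\n", $fields);
    if (preg_match(build_pattern($delete), $all) === 1) {
        return 'delete';
    }
    $hasLink = preg_match('~https?://|www\.~i', $comment) === 1;
    return ($hasLink || preg_match(build_pattern($moderate), $all) === 1) ? 'moderate' : 'accept';
}
// Constructed submissions, one per outcome.
$samples = [
    ['comment' => 'cheap viagra'], // no submitCheck field at all
    ['submitCheck' => '1', 'name' => 'a', 'comment' => 'Play TexasHoldem now'],
    ['submitCheck' => '1', 'name' => 'b', 'comment' => 'see http://www.example.com'],
    ['submitCheck' => '1', 'name' => 'c', 'comment' => 'Nice analysis <b>thanks</b>'],
];
foreach ($samples as $post) {
    // htmlspecialchars() prints submitted markup as text instead of rendering it.
    echo classify_comment($post, $deleteWords, $moderateWords), "\t",
        htmlspecialchars($post['comment'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Because the submitCheck value is a constant, that check only filters clients that never run the script; the word lists and the moderation outcome handle what gets past it.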

Emancipator
04-26-2006, 11:55 AM
Great usage, peach. I am trying to avoid using a source file to match words against but I am sure many will find your usage very handy.

moonshield
04-26-2006, 01:03 PM
Yea thanks, that's great! Your list is pretty good, it even includes some vulgarities I have never even seen. ;)

Emancipator
04-26-2006, 03:01 PM
That's the fun part of the list method, coming up with all the idiotic things people can do and say :P