Stopping Website Visitor Comment Spam.
If you have a blog and want visitors to easily add a comment to an item, you will also get spam, lots of it, unless you use the traditional defenses: force visitors to create a login before commenting, or use a captcha. As one guy said, “It’s really disgusting the stuff I have to block from my blog every 2-3 days.” You can force visitors to create a login before commenting, but most visitors won’t do it; they will just leave. Fortunately that is not necessary.
[ also read about “silent spamming” at http://www.theadminzone.com/forums/showthread.php?t=684 ]
No captcha needed
Almost all auto-spammers run in less than 2 to 4 sec. If you save the time your page came up and compare it to the time your program starts to check the comment and save it, you can stop all automated spam, and some “testing the waters” spam, without bothering your visitors with problematic “captcha” questions.
If they did not stay on the page for at least a minute, they did not read your article(!):
in your comment function (turn on sessions first, if they are not on already):
if ( !session_id() ) session_start();
$_SESSION['comment_time'] = time();   # save the time they arrived
in the top of your comment processing program (turn on sessions here also):
if ( !session_id() ) session_start();
if ( !isset($_SESSION['comment_time']) ) {
    $timediff = 0 ;                                        # timer never set: treat as instant
} else {
    $timediff = time() - (int)$_SESSION['comment_time'] ;  # seconds since the form was shown
}
if ( $timediff < 60 ) {
    echo '<h3> Please return and wait a minute so that we know this is not machine generated spam. </h3>' ;
    exit;
}
Out of 27 spams, 23 were all less than 10 seconds and 4 were between 10 and 30 sec. Of the 23, there were 4 in which the timer was not even set.
in wordpress, your comment processing program is wp-comments-post.php
Captcha: add or subtract 2 random numbers, in a “natural language” sentence.
The simplest captcha works. You are correct in thinking that you don’t need to use images that are so jumbled that even you cannot read them easily, “overkill to the extreme”. Spammers have not attempted OCR, and there are 10 times as many sites with no captcha at all – so they haven’t bothered. (see above)
For the high-profile, high traffic sites, who might have spammers trying to read their captcha images, one amateur spam writer (bragging how he used OCR to read just about any captcha image he encountered) suggested a better defense: ask natural language questions.
on your comment page (function), add
<?php
$Rnum1 = rand(20, 200); # the range is inclusive.
$Rnum2 = rand( 1, 5);   # the range is inclusive.
$_SESSION['comment_math'] = $Rnum1 - $Rnum2 ; # the expected answer, checked later
?>
then, below, ask your question:
Captcha sentence:
You had <?php echo $Rnum1; ?> apples and gave away
<?php echo $Rnum2; ?> leaving you with
<input type="text" name="captcha" id="captcha"
size="4" maxlength="40" />
(the answer; to stop automated spam)
If you are up on wordpress 3.x then you need to put the code in wp-includes/comment-template.php in the function “comment_form”, near the bottom.
$Rnum1 = rand(20, 200) ; # the range is inclusive.
$Rnum2 = rand( 1, 5) ;
$_SESSION['captcha_rt_ans'] = $Rnum1 - $Rnum2 ;
$_SESSION['comment_time'] = time();
$captcha_label = 'Do the arithmetic to stop automated spam: <br>
Start with ' . $Rnum1 . ' and give away ' . $Rnum2 . ' to keep ' ;
and I added this to the $fields array
'captcha' => '<p class="comment-form-captcha">
<label for="captcha">' . __( $captcha_label ) . '</label>' .
'<input id="captcha" name="captcha" type="text" maxlength="40" size="4" /></p>',
maxlength=40 is just to fool the auto-bots again.
Congratulations, you are now asking natural language questions, the one thing that the proudest hacker admitted could not be defeated. (see my comment form below; the spam-bots are not even coming close to figuring it out. … a few people have forgotten and had to click return and go back to answer it)
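The snippets above set the timer and the arithmetic answer on the form side, but the post never shows the check that runs on the receiving side. The following is an added example, not code from the original post or from WordPress: a PHP check for the top of the comment processing program that enforces both the one-minute timer and the arithmetic answer, and clears the stored values once they have been used. It assumes the session keys from the WordPress snippet ($_SESSION['comment_time'] and $_SESSION['captcha_rt_ans']; the first snippet stored the answer as 'comment_math' instead), the form field named 'captcha', and PHP 7.1 or later. The function name comment_spam_check is my own.

```php
<?php
// Added example (not from the original post). Put this at the very top of the
// comment-processing script, before anything else is loaded.
// Assumed session keys (set when the comment form was rendered):
//   $_SESSION['comment_time']   - unix time the form came up
//   $_SESSION['captcha_rt_ans'] - the expected arithmetic answer
// Assumed form field: 'captcha'. Requires PHP 7.1+ for the nullable return type.

if ( !session_id() ) session_start();

/**
 * Returns null when the submission passes both checks, otherwise the message
 * to show the visitor. $session is passed by reference so the one-time values
 * can be cleared after a successful check.
 */
function comment_spam_check( array $post, array &$session, int $now, int $min_seconds = 60 ) : ?string {
    // 1. Timer: the form must have been rendered at least $min_seconds ago.
    //    A missing timer means the bot never loaded the form at all.
    if ( !isset( $session['comment_time'] ) ) {
        return 'Please return and wait a minute so that we know this is not machine generated spam.';
    }
    $elapsed = $now - (int) $session['comment_time'];
    if ( $elapsed < $min_seconds ) {
        return 'Please return and wait a minute so that we know this is not machine generated spam.';
    }

    // 2. Arithmetic captcha: compare the submitted answer with the stored one.
    if ( !isset( $session['captcha_rt_ans'] ) || !isset( $post['captcha'] ) ) {
        return 'Please answer the arithmetic question to post your comment.';
    }
    $given = trim( (string) $post['captcha'] );
    // The answer is always a positive integer (20..200 minus 1..5), so accept
    // digits only; anything else is rejected without being interpreted.
    if ( !ctype_digit( $given ) || (int) $given !== (int) $session['captcha_rt_ans'] ) {
        return 'Wrong answer to the arithmetic question; please go back and try again.';
    }

    // 3. Both checks passed: clear the one-time values so one correct answer
    //    cannot be replayed for a second comment without reloading the form.
    unset( $session['comment_time'], $session['captcha_rt_ans'] );
    return null;
}

$error = comment_spam_check( $_POST, $_SESSION, time() );
if ( $error !== null ) {
    echo '<h3>' . htmlspecialchars( $error, ENT_QUOTES, 'UTF-8' ) . '</h3>';
    exit;
}
// Fall through to the normal comment handling (the rest of wp-comments-post.php).
```

Because the check runs before anything else is loaded, a rejected submission costs the server a session lookup and a string compare, which also addresses the overhead complaint raised in the WordPress section below. Clearing the session values after a pass means a visitor who posts a second comment must load the form again, which the timer requires anyway.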
using htaccess to stop spam: I tried it and it only stopped a few. The spam-bots have already wised up to it.
# protect from spam comments
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*yourdomain.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
WordPress
What disappointed me about WordPress was that the first thing its form action program (wp-comments-post.php) did was to load a dozen or more modules, all the overhead of every page on the blog, before it even looked to see if the comment was legit or not. A DoS attack would have a party. (plug-ins add even more overhead)
First, because WP does not start “sessions” unless a person logs in, it has been wisely advised that, at the top of your wp-config.php file, you put
# sessions for stopping spam-bots.
if ( !session_id() ) session_start();
It will have to be put somewhere, and wp-config.php is the best place. It is your file for your configuration settings.