Spam-Bots Outsmarted
Yesterday I wrote about a way to limit the number of SPAM comments that make it into the Akismet moderation queue.
To get straight to the answer everybody is most interested in: yes, it works super-well! This morning I only had 3 pieces of Trackback SPAM in my Akismet queue, but not a single SPAM comment! Since the plugin hooks into the posting process after Akismet, I can still see the Akismet counter grow, but without actually having to moderate any SPAM comments! Awesome!
Also, Paul Butler, the author of JSSpamBlock, which I talked about yesterday, has posted a good comment about the one thing I overlooked in my discussion: my implementation can be circumvented by a SPAM-bot very easily if its author wanted to, just by slightly changing the POST request it sends to the wp-comments.php file. The original implementation, on the other hand, forces a SPAM-bot to at least download and parse the page before it is able to bypass the plugin.
Still, I don’t want to use an additional database table, so what I did is this: rather than storing the verification number in the hidden field, I compute a hash of the random 4-digit number and a pseudo-secret. For this secret, I use the exact date of the post at hand (year, month, day, hour, minute, second). A SPAM-bot cannot get this date easily: it would have to at least parse the post page (and even then, the full post date may not appear there, depending on the theme) or the RSS feed if it is a recent post (comment SPAM often targets old posts as well). In any case, it would be pretty annoying for a SPAM-bot author to implement this.
To sum it up, my new solution is a lot harder to circumvent than what I had yesterday. It is still not as strong as Paul’s, where the SPAM-bot is required to parse the page for every comment it wants to post (in my implementation, a bot would only have to parse the post page once to be able to post an unlimited number of SPAM comments to it), but the point is that it still has to parse the page at least once. That is one more time than SPAM-bots do it right now. For me, the advantage of not having to use a dedicated database table and access it every time a comment page is viewed clearly outweighs this minor flaw. Also, my approach still works very well in a WP-Cache environment, without the need to keep the comment form dynamic.
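The scheme described above, as an added model in Python (not the plugin’s PHP and not Paul’s code): the server hashes a random 4-digit number together with the post’s full timestamp, puts the hash in the hidden field, and on submit recomputes it from the submitted number. The function names, the choice of SHA-256, and the timestamp format are assumptions; the demo at the end also shows the weakness conceded in the text, namely that one captured number/hash pair for a post can be replayed for every later comment on it.

```python
import hashlib
import hmac
import secrets
from datetime import datetime


def post_secret(post_date: datetime) -> str:
    """Pseudo-secret: the post's exact date down to the second (assumed format)."""
    return post_date.strftime("%Y-%m-%d %H:%M:%S")


def make_challenge(post_date: datetime) -> tuple[str, str]:
    """Form render time: pick a random 4-digit number and return (number, hash).
    The number is what the page's JavaScript fills in; the hash goes into the
    hidden field instead of the number itself. SHA-256 is an assumption."""
    number = f"{secrets.randbelow(10000):04d}"
    digest = hashlib.sha256((number + post_secret(post_date)).encode()).hexdigest()
    return number, digest


def verify_challenge(number: str, digest: str, post_date: datetime) -> bool:
    """Comment submit time: recompute the hash from the submitted number and the
    post's date (no database lookup needed) and compare in constant time."""
    expected = hashlib.sha256((number + post_secret(post_date)).encode()).hexdigest()
    return hmac.compare_digest(expected, digest)


def demo() -> dict[str, bool]:
    """Constructed walk-through of three submissions against one post."""
    post_date = datetime(2006, 9, 14, 8, 31, 7)  # constructed post timestamp
    number, digest = make_challenge(post_date)
    return {
        # A visitor whose browser ran the JavaScript submits the matching pair.
        "legit": verify_challenge(number, digest, post_date),
        # A bot that never parsed the page and simply posts some number fails.
        "bot_guess": verify_challenge("0000", digest, post_date),
        # A bot that parsed the page once can replay the same pair forever:
        # this is the "parse once, post unlimited" gap the text acknowledges.
        "bot_replay": verify_challenge(number, digest, post_date),
        # The pair does not carry over to a post with a different date.
        "other_post": verify_challenge(number, digest, datetime(2005, 1, 2, 3, 4, 5)),
    }


if __name__ == "__main__":
    print(demo())
```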
I have e-mailed my code to Paul, so that he can perhaps include something based on it in the official JSSpamBlock plugin, maybe as a user option that switches between the two implementations. In the meantime, you can download my version below (I do *not* support it, you’re on your own).
1 Comment
[...] is worth the small cost of time), he released a JSSpamBlock modification as a new plugin called simpleAntiSpam. He also came up with a clever way to require that the form be parsed once by the bot for each post [...]