A new approach to block web spam
This article was updated on August 11, 2010.
Around half a year ago or so I had a unique idea (at least I had never heard or read about it before) on how to block web spam. It is very simple, yet very powerful.
Normally comment spam, false registrations and other such spam are submitted by bots (evil programs or scripts) that send their spam to millions of web sites and blogs automatically. This is a major problem on the internet. Check out State of Web Spam, written on April 22nd, 2010 by Akismet.com.
My technique does not:
- Use any CAPTCHA or any challenge question
- Depend on javascript to be enabled by the client
- Analyse the submitted data for words
My technique:
- Works with close to zero performance loss
- Is invisible for those with good intentions
- Also annoys copy-paste spam from humans
- Works with all kinds of forms on the web
The solution is so simple you could laugh at it – and yet I have never heard about it before, despite all my reading on the subject.
The solution?
Check how much time passed between the page being loaded and the form being submitted. If it is less than 10 seconds (or whatever you choose), block the submission with a message.
Example for WordPress
Open up the file comments.php in your theme and just before </form> add this:
<input type="hidden" name="time" value="<?php echo time(); ?>" />
Then open up /wp-comments-post.php in the root and on the top after <?php add:
$minimum_seconds = 10; // minimum time between page load and submit
// Block if the hidden field is missing, is not a plain integer, or is too recent.
if (!isset($_POST['time']) or !is_string($_POST['time']) or !ctype_digit($_POST['time']) or $_POST['time'] + $minimum_seconds > time()) {
    die("Error: blog post read, comment written and submitted in less than ".$minimum_seconds." seconds. This is meaning that you are either a spam bot or you didn't read the post and wrote a good comment before submitting it. <a href=\"javascript: history.go(-1)\">Go back and try again if you are not a bot and have good intentions</a>.");
}
The above code should work on pretty much all PHP-powered websites. Just add the hidden input with the time to the form, and then add the code to the page that the form is submitted to with POST.
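The hidden field comes back from the client as plain text, so the server has no way to confirm that the value it receives is the one it issued. One way to bind it, as an added example that is not code from the original article: sign the timestamp with an HMAC and also enforce a maximum age. The secret, the function names and the 600-second maximum are assumptions made for this example.

```php
<?php
// Added example: HMAC-signed form timestamp. FORM_TIME_SECRET, the function
// names and the 10 s / 600 s window are assumptions for illustration.
const FORM_TIME_SECRET = 'replace-with-a-long-random-server-side-secret';
const MIN_SECONDS = 10;
const MAX_SECONDS = 600;

// Value for the hidden field: "<unix time>.<hex HMAC of that time>".
function issue_form_token($now)
{
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_TIME_SECRET);
}

// Returns 'ok', or the reason the submission is rejected.
function check_form_token($token, $now)
{
    if (!is_string($token) || substr_count($token, '.') !== 1) {
        return 'malformed';        // missing, array-valued or mangled field
    }
    list($issued, $mac) = explode('.', $token);
    if (!ctype_digit($issued)) {
        return 'malformed';
    }
    $expected = hash_hmac('sha256', $issued, FORM_TIME_SECRET);
    if (!hash_equals($expected, $mac)) {
        return 'bad-signature';    // timestamp was not issued by this server
    }
    $age = $now - (int) $issued;
    if ($age < MIN_SECONDS) {
        return 'too-fast';
    }
    if ($age > MAX_SECONDS) {
        return 'expired';          // an old token cannot be reused forever
    }
    return 'ok';
}

// Constructed demonstration, run from the command line.
$t0 = 1281484800;                  // constructed page-load time
$token = issue_form_token($t0);
$backdated = ($t0 - 3600) . '.' . substr($token, strpos($token, '.') + 1);
foreach (array(
    'submitted after 2 s'  => check_form_token($token, $t0 + 2),
    'submitted after 45 s' => check_form_token($token, $t0 + 45),
    'submitted after 2 h'  => check_form_token($token, $t0 + 7200),
    'altered timestamp'    => check_form_token($backdated, $t0 + 2),
) as $case => $result) {
    echo $case, ': ', $result, PHP_EOL;
}
```

In the article's setup, the hidden input would carry `issue_form_token(time())` and wp-comments-post.php would call `check_form_token()` on the posted value with the current time. A signed token can still be reused inside its validity window, so this narrows the check rather than replacing other filters such as Akismet.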
111 days of testing (April 22 – August 11, 2010)
I added the above to this blog and deactivated both WP-SpamFree Anti-Spam (over 6K lines of PHP code) and Bad Behavior (insane logging into database) to see how it is going. I also added some small logging.
Now, after 111 days, I am updating this article with the test results.
Spam comments blocked: 10257
Spam not blocked: 547
Good comments: 245
The spam that was not blocked was mostly from bots and was caught by Akismet, and some was from humans who commented something stupid just to try to get a link.
That is 94,94% of the spam blocked with 5 lines of code. Not bad.
Caveats
Does not work with caching enabled. ;(
I am using this same technique (along with others) on the contact forms on my free website system N.nu. There are more than 4K active websites and this is one of the techniques I use to block all messages from bots without compromising the user experience.
Let me know what you guys think.

Jim Westergren is a company owner from Sweden who lives together with his wife and son. Some of his interests are SEO, web development, writing and
Not entirely unique, but a very good idea. I have been using this technique since 2001, but haven’t told anyone. Don’t tell anyone I’m doing so. Please destroy this message after you have read it.
Did it work well for you? How many seconds did you use and how many percent of the spam did you stop?
A very good idea,My phone notification a lot messages on my mail.They all come from you.The original is because you are testing.
I opened your n.nu on a website and my friends.
Perhaps, you could easily find us, haha
Hi Ostnan,
Sorry for those test comments – I had to test it
Nice that you are trying out N.nu – I hope you like it.
Jim: I used 15 sec min and 600 sec max. That stopped about 80%. Then I later started to encrypt the time stamp and I reached 100%.
Hi Jim, just discovered you and your site, very interesting & inspiring.
Yes, it’s a simple idea. But – just as simple for the spammers to jump over. They just need to increase the time period before they send the spam.
Of course it’ll work though for a while, and I guess it’s worth it for that. The spammers are always trying to be one step ahead of us.
Killjoy,
How did you encrypt it? Feel welcome to e-mail me.
Hi Kevin,
It’s not that easy …
If a spammer sends a spam to 1 million blogs and has to wait 10 seconds for each one then it would take 115 days for 1 spam comment …
Sorry to tell the “bad” news but this idea is not new. For example there are plugins for vBulletin that do this and xRumer probably beats it already too.
Hi,Jim
I use the proxy to your Twitter.
ShangHai World Expo yesterday, and you have plans to Shanghai?
Your Motherland is Swedish right? I want to see your country venues.
This is my N.NU’s Blog:www.ostnan.n.nu
Hi David,
Thanks for that info – then I learned something new. I have been running the above code for a while now and it blocks around 90% of the spam which is quite good but not good enough. Later when I have the time I will make some adjustments.
Hi Ostnan,
Yes, I live in Sweden at the moment and sorry no I don’t have any plans on coming to Shanghai. Good luck with your N.nu site and just ask if you get any questions.
Hi!Jim
What a pity! You don’t this plan.I think we have a dream around the world, although it isn‘t practical. But people still yearn.
World Expo is a great platform, It helps me understand some of the country inaccessible.
It is very attractive.
If you have the opportunity I will go to Sweden, just let me fascinated by her name.
If you plan to come to China, be sure to tell me, I think I would be a good guide.
I have been here for a night, perhaps you there will be a sunny weather.Good night or good luck day?
Yea, I’m seeing lots of innovation in this area. One idea I like also is having a separate url that is just for comments, keeping the main url completely free of external links. Calculated Risk Blog does this.
Is this David as in “dvduval” – Administrator of phpLD?
Nice to hear from you – I have been using your script since 2005. Thanks for making it or help to make it.
Yes, having it on another URL is one way – but ugly in my opinion.
Smashingmagazine.com are using another approach – not displaying any author URL.
it’s new for me. thanx for sharing….
Yes, that’s me.
I also really like the Disqus addon. It not only helps protect from spam (I think everything is in javascript). It also makes it easy to track conversations across multiple blogs.
Finally! An even handed and informative discourse on this interesting and diverse subject. Here’s hoping the author re-visits the issue with more information in the future
@David,
Yes, I am actually seriously considering to implement Disqus on this blog. I am running it as a comment system for the websites on http://www.N.nu and it is great.
Web spam is web evil. All people must fight with it.
Not bad information. Great.
It is very difficult to fight with spam. We can help on the site
Web studio MicrowebNET
I’m re-thinking what I thought I knew before reading this. Thanks for a well written piece that breaks through the fog to present a clear picture on a fascinating subject.
great info tutorial,super thanks a lot
Nicely done. I’ve had to integrate CAPTCHA’s in to my clients’ sites and it stops 100% of the spam.
Nice blog, Glad to see this!SEO Ranking Solutions is renowned as the leader in the scenario of search engine optimisation by providing excellent, cost effective services. SEO is a highly competitive marketing tool requiring intense focus and intact knowledge in the working of search engine algorithms and robots. Internet is used as the optimal device to search for diverse products and services. Millions of searches are performed to find out particular information.
When you can stop spam with captcha but there are some tools which recognize the captcha and attack you.
Hi Jim! Just discovered your method and I like it very much. I have some idea too. I use it with forms in my sites with user-generated content and it protects them well. I call it multilayered captcha, look for details here http://makebusiness.ru/idea/49 (Russian lang., but there is a working example + Google Translate will help). It also has some potential to extend.
Well, my personal opinion is that no matter what we do, we can’t totally stop it. There are various captcha verification software and session creating apps which can fail our checks.
Very interesting idea on how to block spam. Sometimes the easiest solutions are the simplest one (I think that is a quote from the movie “Contact”). Anyway, nice post as usual.
Thanks
Hi, I clicked your blog link from phplinkdirectory signature. I really love this trick you have here. And it is easy to understand and should work on those autoposters. I friggen hate the world of spam. Are you signing up with that new project honeypot cloud thing?
Yes i appreciate your words,its really very great one this one very helpful blog for the business men.the i’ll absolutely get lot’s of information regarding seo process that how it works.
I amazed how Matt Cutts handle all the spam team of Google. Really its one of the main tough task to maintain all the spam. I appreciate your knowledge,its really very great one this one very helpful blog for the business men. Wonderful post, I really enjoyed reading it! The people you meet when you travel really are often the best part of it all!
Jim, this is an awesome idea, will definitely use it for some of my blogs!
I just updated this article with some stats.
Web spam is really annoying, which troubles me a lot. Thank you for the article, I will test the suggestions you provide.