A new approach to block web spam
This article was updated on August 11, 2010.
Around half a year ago or so I had a unique idea (at least I had never heard or read about it before) on how to block web spam. It is very simple, yet very powerful.
Normally comment spam, false registrations and other such spam are submitted by bots (evil programs or scripts) that send their spam to millions of web sites and blogs automatically. This is a major problem on the internet. Check out State of Web Spam, written on April 22nd, 2010 by Akismet.com.
My technique does not:
- Use any CAPTCHA or any challenge question
- Analyse the submitted data for words
My technique does:
- Work with close to zero performance loss
- Stay invisible for those with good intentions
- Also annoy copypaste spam from humans
- Work with all kinds of forms on the web
The solution is so simple you could laugh at it, and yet I have never heard about it before despite all my reading on the subject.
Check how much time passed from when the page was loaded until the form was submitted. If it is less than 10 seconds (or whatever you choose), block the submission with a message.
Example for WordPress
Open up the file comments.php in your theme and just before
</form> add this:
<input type="hidden" name="time" value="<?php echo time(); ?>" />
Then open up /wp-comments-post.php in the root and on the top after
The above code should work on pretty much all PHP powered websites. Just add the hidden input with the time to the form, and then put the check on the page that the form is submitted to with POST.
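The hidden field is sent back by the client, so a bot can put any old timestamp in it. The following is an added example, not the article's original code: it applies the same 10-second check but also signs the timestamp with an HMAC so the server can tell a forged value from one it issued. The names FORM_SECRET, MIN_SECONDS, MAX_SECONDS, issue_form_time and check_form_time, and the one-hour upper limit, are assumptions made for the example.

```php
<?php
// Added example; all names and the sample timestamps are constructed.
const FORM_SECRET = 'replace-with-a-long-random-secret'; // assumption: server-side only
const MIN_SECONDS = 10;   // threshold used in the article
const MAX_SECONDS = 3600; // assumption: reject very old (replayed or cached) forms

// Value for the hidden "time" field: "<timestamp>.<hmac of timestamp>".
function issue_form_time(int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

// Returns 'ok' or the reason the submission should be blocked.
function check_form_time(string $field, int $now): string
{
    $parts = explode('.', $field, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'malformed';
    }
    [$ts, $mac] = $parts;
    // Constant-time comparison; a timestamp the server did not sign fails here.
    if (!hash_equals(hash_hmac('sha256', $ts, FORM_SECRET), $mac)) {
        return 'forged';
    }
    $elapsed = $now - (int) $ts;
    if ($elapsed < MIN_SECONDS) {
        return 'too_fast';
    }
    if ($elapsed > MAX_SECONDS) {
        return 'expired';
    }
    return 'ok';
}

// Constructed demo: the form was rendered at t = 1000000.
$field = issue_form_time(1000000);
foreach ([1000003, 1000030, 1009999] as $now) {
    echo $now - 1000000, "s after load: ", check_form_time($field, $now), "\n";
}
// A client-invented old timestamp without a valid signature.
echo "invented value: ", check_form_time('999000.' . str_repeat('0', 64), 1000030), "\n";

// In the POST handler, check that $_POST['time'] is a string before calling
// check_form_time($_POST['time'], time()), and block unless it returns 'ok'.
```

In the form template the hidden field's value becomes the output of issue_form_time(time()) instead of the bare time().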
111 days of testing (April 22 – August 11, 2010)
I added the above to this blog and deactivated both WP-SpamFree Anti-Spam (over 6K lines of PHP code) and Bad Behavior (insane logging into database) to see how it is going. I also added some small logging.
Now, after 111 days, I am updating this article with the test results.
Spam comments blocked: 10257
Spam not blocked: 547
Good comments: 245
The spam that was not blocked was mostly from bots and was caught by Akismet, and some was from humans who commented something stupid just to try to get a link.
That is 94,94% of the spam blocked with 5 lines of code. Not bad.
Does not work with caching enabled. ;(
I am using this same technique (along with others) on the contact forms on my free website system N.nu. There are more than 4K active websites and this is one of the techniques I use to block all messages from bots without compromising the user experience.
Let me know what you guys think.