A new approach to block web spam
This article was updated on August 11, 2010.
Around half a year ago or so I had a unique idea (at least I had never heard or read about it before) on how to block web spam. It is very simple, yet very powerful.
Normally comment spam, false registrations and other such spam are submitted by bots (evil programs or scripts) that send their spam to millions of web sites and blogs automatically. This is a major problem on the internet. Check out State of Web Spam, written on April 22nd, 2010 by Akismet.com.
My technique does not:
- Use any CAPTCHA or any challenge question
- Depend on javascript to be enabled by the client
- Analyse the submitted data for words
My technique:
- Works with close to zero performance loss
- Is invisible to those with good intentions
- Also annoys copy-paste spam from humans
- Works with all kinds of forms on the web
The solution is so simple you could laugh at it, yet I have never heard about it before despite all my reading on the subject.
The solution?
Check how long it took from when the page was loaded until the form was submitted. If less than 10 seconds (or whatever you choose), block with a message. :)
Example for WordPress
Open up the file comments.php in your theme and just before </form>
add this:
<input type="hidden" name="time" value="<?php echo time(); ?>" />
Then open up /wp-comments-post.php in the root and at the top, after <?php
add:
// Minimum number of seconds between page load and form submission.
$minimum_seconds = 10;
// Reject the request if the hidden field is missing or the form came back too quickly.
if (!isset($_POST['time']) or (int) $_POST['time'] + $minimum_seconds > time()) {
    die("Error: blog post read, comment written and submitted in less than ".$minimum_seconds." seconds. This means that you are either a spam bot or you didn't read the post and wrote a good comment before submitting it. <a href=\"javascript: history.go(-1)\">Go back and try again if you are not a bot and have good intentions</a>.");
}
The above code should work on pretty much all PHP-powered websites. Just add the hidden input with the time to the form, and then add the check to the page that the form is submitted to with POST.
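The hidden field is supplied by the client, so the check above trusts whatever timestamp comes back. As an added example (not the article's code), the variant below signs the timestamp with an HMAC and also rejects stale ones; the secret constant and the function names are assumptions.

```php
<?php
// Added example; FORM_TIME_SECRET and both functions are hypothetical names.

// Assumption: a long random per-site value kept out of the theme files.
const FORM_TIME_SECRET = 'replace-with-a-long-random-value';

// Hidden-field value "<unix time>.<HMAC of that time>"; echo it into the
// form in place of the bare time().
function form_time_token(int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_TIME_SECRET);
}

// Returns 'ok' or the reason the submission is rejected.
function form_time_check($token, int $now, int $min = 10, int $max = 3600): string
{
    // $_POST values can be arrays or missing, so validate the shape first.
    if (!is_string($token) || substr_count($token, '.') !== 1) {
        return 'malformed';
    }
    [$ts, $mac] = explode('.', $token);
    if (!ctype_digit($ts)) {
        return 'malformed';
    }
    // Constant-time comparison of the signature over the timestamp.
    if (!hash_equals(hash_hmac('sha256', $ts, FORM_TIME_SECRET), $mac)) {
        return 'forged';
    }
    $age = $now - (int) $ts;
    if ($age < $min) {
        return 'too_fast';
    }
    return $age > $max ? 'expired' : 'ok';
}

// Constructed sample submissions, all checked against one page load time.
$issued = 1281520000;
$token  = form_time_token($issued);
$cases  = [
    'submitted after 3 s'    => [$token, $issued + 3],
    'submitted after 45 s'   => [$token, $issued + 45],
    'submitted after 2 h'    => [$token, $issued + 7200],
    'unsigned old timestamp' => [(string) ($issued - 600), $issued],
    'timestamp edited'       => [($issued - 600) . '.' . explode('.', $token)[1], $issued],
    'field missing'          => [null, $issued],
];
foreach ($cases as $label => [$t, $now]) {
    printf("%-24s %s\n", $label, form_time_check($t, $now));
}
```

In /wp-comments-post.php the call would be form_time_check($_POST['time'] ?? null, time()), with die() on anything other than 'ok'. A signed token stays valid until it expires, so keep $max as short as real commenters allow.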
111 days of testing (April 22 - August 11, 2010)
I added the above to this blog and deactivated both WP-SpamFree Anti-Spam (over 6K lines of PHP code) and Bad Behavior (insane logging into database) to see how it is going. I also added some small logging.
Now, after 111 days, I am updating this article with the test results.
- Spam comments blocked: 10257
- Spam not blocked: 547
- Good comments: 245
The spam that was not blocked was mostly from bots and caught by Akismet, and some was from humans who commented something stupid just to try to get a link.
That is 94,94% of the spam blocked with 5 lines of code. Not bad.
Caveats
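Does not work with caching enabled, because a cached page carries the timestamp from when it was cached, not from when the visitor loaded it. ;(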
I am using this same technique (along with others) on the contact forms on my free website system N.nu. There are more than 1K 4K active websites and this is one of the techniques I use to block all messages from bots without compromising the user experience.
Let me know what you guys think.
He is the Founder of DomainStats and N.nu.