Technique for fighting submission-form spam


20 Responses to “Technique for fighting submission-form spam”

  1. A number of years back, I had a run-in with one of the most persistent spammers that I’ve ever encountered; a guy who clearly spent 10 to 15 hours of his own time trying to hack my defenses against his guestbook spam on my (now defunct) website devoted to Krazy Kat. You might enjoy my message to the wacko:

    http://techcafeteria.com/blog/2005/08/06/message-to-the-krazycom-spammer/

  2. rekoil says:

    I recently got introduced to comment honeypots in a not-so-wonderful way – I discovered that my password-storing browser extension was filling data into the honeypot form on a popular site’s forum page. Worse, not only was the site not accepting the post, but it triggered a blacklisting for the entire site to visitors coming from my (rather large, but sitting behind a single NAT) office’s IP address. This generated some, um, interesting calls to IT tech support.

  3. David Winter says:

    The “spinner” and the randomized field names sound like valid Cross Site Request Forgery countermeasures, but won’t necessarily stop spammers. All that’s needed is to fetch the HTML page shortly before submitting and then feed back all non-empty hidden fields along with the regular ones. You could also go ahead and actually parse the page to find the correct fields, as regular form fields usually have some markup around them, are styled and are not hidden/invisible to the user. I suppose that this would also work for circumventing honeypot fields.

    In my experience, the easiest and usually most effective way to stop this sort of spam is to implement captchas.

  4. Alex Shiels says:

    This doesn’t work against the major comment spambots operating today – they already parse the page and handle hidden and randomized fields.

    • Antinous / Moderator says:

      “This doesn’t work against the major comment spambots operating today – they already parse the page and handle hidden and randomized fields.”

      Submitterator had recaptcha and live moderators with battleaxes, and it still averaged 70% spam.

      • teapot says:

        I don’t have a captcha and I’m averaging 90% spam. Motherfucking spammers.

        For WordPress I find a plugin called “Safe Signup Form” helps easily ID anything that slips through other checks, yet is spam. It appends a line to the bottom of unmoderated comments (which are not auto-published on my site) like this one:

        [WORDPRESS HASHCASH] The comment’s server IP (___________) doesn’t match the comment’s URL host IP (___________) and so is spam.
        -or- 
        [WORDPRESS HASHCASH] The poster sent us ’0 which is not a hashcash value.

        In any case where the above line has been added to unmoderated comments I can almost guarantee they will be spam. I can’t remember it once spitting up a false negative, but thankfully I don’t face BB levels of spam!

  5. Chris S says:

    “In my experience, the easiest and usually most effective way to stop this sort of spam is to implement captchas.”

    In my experience from the admin side, I agree.

    In my experience from the user side, I do not agree.

    This is always going to be a tough trade-off, but in the case of BoingBoing, where the results are not posted automatically, sticking with hidden countermeasures provides a straightforward user experience that is highly browser compatible.

  6. Carsten Agger says:

    On my blog, I’m using a “double whammy” consisting of WordPress’ Akismet filter and a very simple Turing test – a checkbox with the legend: “Please check this box if you’re human”.

    To do this, I had to modify the Perl code for the Blosxom writeback plugin:

    http://www.modspil.dk/itogtech/nyt_v_ben_i_krigen_mod_spam.html

    Without any spam protection, there would be thousands of spam comments every day. Akismet takes care of most of them, but sometimes it would let through a “wave”, and that could mean hundreds in a day. Curiously, no spam comment has yet come through with the checkbox: Those that make it through Akismet never check the box.

  7. CliffLandin says:

    We use Mollom on the sites that I build and maintain. Mollom does a fantastic job of discerning spam from ham. One site that I work on used to have a person go through their comments daily. He ended up deleting about 95% of the comments, anywhere from 50 to 100 a day. Once we installed Mollom, it is rare to find any spam comments in the queue and if we do, we report them and we never get repeat offenders.

  8. We have a form at http://www.firesigntheatre.com where fans can write to us if they have old Firesign artifacts they’d like to share. In order to send us their comments, readers must correctly enter the last word of a quote from one of Firesign’s classic albums. In the five years the form has been live, I believe only one spam has gotten through.

  9. awjt says:

    Hand made replica watches! Two for $9.99.

    (LOL – please don’t nuke me. In this context, a joke of this nature is akin to an Onion bomb in Congress.)

  10. hyljelyhje says:

    I don’t know if anyone has tried this yet…
    maybe human spammers (and trolls) could be hindered by not cancelling their accounts but instead hiding their comments from anyone else but themselves? In essence creating a private comment-space for them to rant by themselves without them realizing that no-one’s listening. Maybe have some chat-bot counter-trolling them every now and then.
    (Of course they could use 2 accounts to combat this but any extra effort might be enough to deter some of them)

  11. Steve Hoefer says:

    I’ve seen a new kind of attack on Disqus comments. The first comment is something innocuous (“Great post!”) This gets through filters and moderation. Then the spammer goes back and edits the comment so it contains the spam message, which triggers no filtering or admin alerts. 

    • Antinous / Moderator says:

      We had that happening pre-Disqus, as well. Disqus will commonly let one or two spam comments through and then catch the next 25.

  12. dbg7 says:

    One problem with this approach is that anyone who’s visually impaired and using the site with a screen reader isn’t going to be able to tell the difference between the “honeypot” fields and the regular ones.
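A honeypot field built to account for the two failure modes raised in this thread, rekoil’s browser extension autofilling the trap and dbg7’s screen-reader users landing in it, as an added Python example (not code from the page or from any commenter; the session dict, field names and form route are assumptions standing in for a real web framework):

```python
import secrets

# Added example, not code from the page or any commenter. The `session` dict
# stands in for a real server-side session store (assumption).


def render_comment_form(session: dict) -> str:
    """Render the form and remember the per-render honeypot field name.

    The trap input uses a random name that autofill heuristics do not match,
    sets autocomplete="off", is taken out of the tab order, and sits in an
    aria-hidden wrapper so screen readers never present it as a real field."""
    trap = "hp_" + secrets.token_hex(6)
    session["honeypot_field"] = trap
    return (
        '<form method="post" action="/comment">\n'
        '  <label for="comment">Comment</label>\n'
        '  <textarea id="comment" name="comment"></textarea>\n'
        '  <div style="position:absolute;left:-9999px" aria-hidden="true">\n'
        f'    <label for="{trap}">Leave this field empty</label>\n'
        f'    <input type="text" id="{trap}" name="{trap}" value=""'
        ' tabindex="-1" autocomplete="off">\n'
        '  </div>\n'
        '  <button type="submit">Post</button>\n'
        '</form>\n'
    )


def classify_submission(session: dict, form: dict) -> tuple:
    """Return (verdict, reason) for a POSTed form dict.

    The trap name is consumed so one rendered form serves one submission."""
    trap = session.pop("honeypot_field", None)
    if trap is None:
        return ("reject", "no form was issued for this session")
    if trap not in form:
        # A browser always submits the empty trap input; its absence means
        # the rendered page was not the source of this POST.
        return ("reject", "honeypot field missing")
    if form[trap].strip():
        # Something wrote into a field no human was ever shown.
        return ("spam", "honeypot field filled")
    if not form.get("comment", "").strip():
        return ("reject", "empty comment")
    return ("ham", "honeypot empty")
```

The check only blocks submissions that fill the trap; whether a filled trap came from a bot or from an over-eager extension cannot be told apart server-side, so the rendering choices above are what keeps the false-positive rate down.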
