The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

How I block comment spam

Admin approval couldn't keep up. Neither could IP blocking. CAPTCHA was a pain to implement. Requiring a login to post was more off-putting to the user than I would like.

I ran across this idea:

If a user is anonymous then don't allow him to post any URL links. Practically ALL spam has links. Links are vital to the spammer's business model.

I combine this with email confirmation of signups. If the user is bogus his email address is usually either bad or has an overflowing queue.

I also block entire segments of IP address space from posting. Most spammers are overseas or use overseas proxies and my sites are only of local interest.

This combination seems to be getting the problem under control without inconveniencing me or my users. Anonymous users can post but they can't post spam. And spammers have a hard time getting accounts.
Sunday, June 29, 2008
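
The anonymous-poster link rule from the post above, as an added example that is not the poster's code: text from an unconfirmed user is rejected when it contains anything that looks like a link. The pattern list, the short TLD list and the names `find_links` and `accept_post` are assumptions made for illustration.

```python
import re

# Ways a link usually appears in a forum post body (assumed list, extend per site).
LINK_PATTERNS = [
    re.compile(r"\b(?:https?|ftp)://\S+", re.I),                  # explicit scheme
    re.compile(r"\bwww\.[a-z0-9-]+\.[a-z]{2,}", re.I),            # bare www.host.tld
    re.compile(r"<a\s[^>]*href", re.I),                           # HTML anchor
    re.compile(r"\[url(?:=[^\]]*)?\]", re.I),                     # BBCode [url] or [url=...]
    re.compile(r"\b[a-z0-9-]+\.(?:com|net|org|info|biz)\b", re.I),  # bare domain, common TLDs
]


def find_links(text):
    """Return every substring of text that matches one of the link patterns."""
    hits = []
    for pattern in LINK_PATTERNS:
        hits.extend(m.group(0) for m in pattern.finditer(text))
    return hits


def accept_post(text, is_confirmed_user):
    """Anonymous users may post, but not links; confirmed users are not filtered.

    Returns (accepted, offending_substrings) so the form can tell the user why.
    """
    if is_confirmed_user:
        return True, []
    links = find_links(text)
    return (not links), links


if __name__ == "__main__":
    # Constructed sample posts, not taken from a real forum.
    samples = [
        "I agree, CAPTCHA was a pain to set up.",
        "cheap pills at http://example.test/buy",
        "see [url=example.test]here[/url]",
        "Version 3.6 is out, see the changelog.",
    ]
    for post in samples:
        print(accept_post(post, is_confirmed_user=False), "<-", post)
```

Returning the matched substrings lets the form show an anonymous user which part of the text was refused instead of silently dropping the post.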
Define "overseas".

What does the first W in www mean, again? Why don't you just run your blog on localhost and then your problem will go away.

Monday, June 30, 2008
Our blank poster obviously has no clue WTF he's talking about.

In a perfect world there would be no such thing as comment spam.  Unfortunately we live in the real world and we have to use whatever pragmatic approach yields actual results.  I suspect that if Mr. Blank actually tried to set up a blog/forum in real life he'd quickly stop spouting naive, idealistic b.s.
Pragmatic Realist
Monday, June 30, 2008
Comment spam is nothing new, it's the same animal as Usenet spam which I was fighting before you were out of nappies. Cutting 9X% of the internet off from one host is not the answer (clue: the rest of the internet gets along quite well without you, strangely enough).

Monday, June 30, 2008
CAPTCHA is the only thing that worked for me.

I don't allow links, but the bots did not care; they just kept posting. Like you, I did not want to inconvenience my users. But eventually MY USERS were posting complaints on the board about spam. I think you will eventually come to the conclusion that CAPTCHA is the best way for now.

But if you are still hesitant, what came in a close second was code to regularly rename the pages with the posting code. This way the bots' DB became outdated every 2 hours; this eliminated just about all repeat spam. But it still did get some “first time spam”.
To Lazy to Log on
Monday, June 30, 2008
I have battled the comment spam for quite some time. I tried all methods that OP listed. I found that the best way to combat spam is to use a simple customized question. For example: type in the answer of '3X6'. After I took this approach, my forums have not caught a single spam.

Requiring e-mail sign up does not work very well because bots will still hit your signup page using bogus e-mail addresses. Worse, your e-mail servers might be marked as a spamming source by administrators of the receiving side. Blocking IPs also won't work from my experience. Many spams originate from zombie machines in US/European DSL networks.
Monday, June 30, 2008
About blocking IP ranges.

I maintain this is a legitimate approach. Only a small minority of sites with discussion features are relevant to the entire world. Most such sites are local or national in focus. All the others are in a specific language. Readers who don't speak that language will have no use for the site.

I say do anything and everything to block spam short of greatly inconveniencing either users or admins.

Last time I tried to plug CAPTCHA into XOOPS it didn't go well. The support there isn't ready for prime time. So I do a lot of little patches. No individual patch requires a huge overhaul or upgrade of the codebase. All the little patches add up to an effective strategy for my sites.
Monday, June 30, 2008
Out of interest, which countries do you block?
John Topley
Monday, June 30, 2008
You may find some useful ideas here:
Monday, June 30, 2008

That's something to keep in mind if I need more firepower. Thanks.

Countries I block: depends on the site. I ALWAYS allow the US and Canada because it's more trouble than it's worth to distinguish between the two by IP address. A lot of spam gets through but the other methods plus a little manual administration can cope.

I USUALLY allow any country where English is the native language.

I NEVER allow Russia, India, China, South Korea, Japan or anywhere in Latin America or Eastern Europe. I almost never allow continental Europe around the Netherlands and Germany (RIPE territory).

And of course I always block any darknets I know about.
Tuesday, July 01, 2008
I've created a homemade forum similar to this one. After a period of training, the Bayesian filter catches 99% of spam. Messages that get through are just harmless. Having battled with PhpBB for a long time I now enjoy allowing posts with no registration. The Bayesian filter itself is trivial to implement and is directly based on Paul Graham's paper.

I keep all the details about my forum private and don't advertise how it works to avoid targeted attacks.
Bayesian filtering works
Wednesday, July 02, 2008
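
A compact Bayesian filter for forum posts, added here as an example and not the poster's code (the post keeps its details private). It follows the scheme in Paul Graham's "A Plan for Spam", which is assumed to be the paper meant; the class name, the training corpus and the sample messages are constructed for illustration.

```python
import re
from collections import Counter
from math import prod

TOKEN = re.compile(r"[A-Za-z0-9$'-]+")

def tokens(text):
    return [t.lower() for t in TOKEN.findall(text)]

class SpamFilter:
    def __init__(self):
        self.counts = {True: Counter(), False: Counter()}  # token occurrences per class
        self.n = {True: 0, False: 0}                       # messages seen per class

    def train(self, text, is_spam):
        self.counts[is_spam].update(tokens(text))
        self.n[is_spam] += 1

    def token_prob(self, tok):
        # Good counts are doubled to bias the filter against false positives.
        g, b = 2 * self.counts[False][tok], self.counts[True][tok]
        if g + b < 5:
            return 0.4                      # rarely seen token: mildly innocent
        pg = min(1.0, g / max(1, self.n[False]))
        pb = min(1.0, b / max(1, self.n[True]))
        return max(0.01, min(0.99, pb / (pg + pb)))

    def score(self, text):
        # Combine the 15 tokens whose probability is farthest from neutral (0.5).
        probs = sorted((self.token_prob(t) for t in set(tokens(text))),
                       key=lambda p: abs(p - 0.5), reverse=True)[:15]
        spam, ham = prod(probs), prod(1 - p for p in probs)
        return spam / (spam + ham)

    def is_spam(self, text, threshold=0.9):
        return self.score(text) > threshold

# Constructed training corpus, not real forum data.
SPAM = ["buy cheap pills online now", "cheap pills cheap prices order online",
        "order cheap replica watches online now", "online casino bonus click now",
        "click now for cheap pills", "best casino bonus online click"]
HAM = ["the captcha plugin for xoops broke my forum theme",
       "blocking ip ranges is a legitimate approach for a local forum",
       "my forum uses a simple question instead of a captcha",
       "email confirmation of signups works for my forum",
       "the forum admin could not keep up with approval",
       "i block whole ip ranges on my forum"]

def demo_filter():
    f = SpamFilter()
    for label, corpus in ((True, SPAM), (False, HAM)):
        for msg in corpus:
            f.train(msg, label)
    return f
```

The "period of training" in the post corresponds to calling `train` on moderated messages; tokens seen fewer than five times stay at 0.4 until enough posts have been labelled.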
Yep, and anyone who goes out of town can just wait until they get home before accessing the site again.

That'll learn them for being unpatriotic.  :)

Hey, if it works, it works, and that's cool, but I'm not sure that "run a local-only site and don't let those dirty foreigners in" is helpful for most of us.

Thursday, July 03, 2008
Rowland: "About blocking IP ranges.

I maintain this is a legitimate approach. Only a small minority of sites with discussion features are relevant to the entire world. Most such sites are local or national in focus. All the others are in a specific language. Readers who don't speak that language will have no use for the site."

My university has exported some of its programs to other educational institutions in various other countries.  Part of the agreements involve instructors going over to teach for a semester.  An instructor with impeccable English could be in, say, China or Malaysia.  He is active on your site until you block him.


Gene Wirchenko
Friday, July 04, 2008
I have been reading up on several ways to prevent spambots from spamming web forms. I have a simple technique that doesn't use image validation but simple number validation. Each time a user enters my form, I generate a unique ID and a 5-7 digit number code. I save this unique ID to a database along with its associated number code. When the form is submitted, if the hidden field unique ID is the same and the number code you typed is correct, it submits the info and deletes the record; otherwise it will assume spam and not submit the info. Again, it can be broken, but that comes down to how complex I make the display of the 5-7 digit code.

ATK
Sunday, July 06, 2008
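
The unique-ID-plus-number-code check from the post above, as an added example that is not the poster's code. It assumes an in-memory dict in place of the database table, and it adds two things the post does not mention: an expiry time, and deletion of the record on the first attempt whether right or wrong, so one form ID cannot be guessed against repeatedly.

```python
import hmac
import secrets
import time


class ChallengeStore:
    """In-memory stand-in (assumption) for the database table described in the post."""

    def __init__(self, ttl_seconds=600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        self._rows = {}             # form_id -> (code, expires_at)

    def issue(self):
        """Create the hidden-field ID and the 5-7 digit code to display."""
        form_id = secrets.token_urlsafe(16)
        digits = 5 + secrets.randbelow(3)            # 5, 6 or 7 digits
        code = "".join(str(secrets.randbelow(10)) for _ in range(digits))
        self._rows[form_id] = (code, self.clock() + self.ttl)
        return form_id, code

    def verify(self, form_id, typed_code):
        """Accept a submission once; any attempt consumes the record."""
        row = self._rows.pop(form_id, None)          # single use, right or wrong
        if row is None:
            return False                             # unknown or replayed ID
        code, expires_at = row
        if self.clock() > expires_at:
            return False                             # form left open too long
        typed = (typed_code or "").strip()
        # Constant-time comparison of the stored and the typed code.
        return hmac.compare_digest(code.encode(), typed.encode())

    def purge_expired(self):
        """Drop rows for forms that were rendered but never submitted."""
        now = self.clock()
        stale = [fid for fid, (_, exp) in self._rows.items() if now > exp]
        for fid in stale:
            del self._rows[fid]
        return len(stale)
```

Forms that are rendered and never submitted leave rows behind, so `purge_expired` is meant to run periodically; a crawler that only fetches the form page otherwise grows the table without bound.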

This topic is archived. No further replies will be accepted.
