On Sat, 1 Oct 2005 11:44:51 -0400 Theodore Serbinski <tss24@cornell.edu> wrote:
> One method we may want to look into. When a session is created for a user and they are on a page that allows comments, we come up with a unique hash based on, say, the node ID and session ID. We store this in the user's session. When the user goes to create a comment, we pass this unique hash with a hidden input field, and when they click "post comment" we verify this hidden input hash against the one stored in the user's session. This should prevent most spam comments, IMO.
The spammer has access to the node ID and the session ID, so they can easily fake the hash you suggest. But if you tie it together with a private key (owned by the website), then you've got something.

Something similar is in core already, and will be in Drupal 4.7. It currently cuts out over 99% of the spam I see on KernelTrap:

http://drupal.org/node/28420 (#20, #21 and #26 in particular)

There are potential issues to be solved, but it's a step in the right direction.

-Jeremy
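The two schemes in this exchange, side by side, as an added example that is not part of the original thread and not Drupal's own (PHP) form-token code. It shows why a hash over node ID and session ID alone is forgeable by anyone who has loaded the page, and how tying the same inputs to a server-side private key (here an HMAC) closes that gap. The site key is generated at startup for illustration; how Drupal derives its private key is not shown on this page. The node ID, session ID and field names are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Site-wide secret known only to the server. Generating it at startup is this
# example's assumption; a real site would persist it in configuration.
SITE_PRIVATE_KEY = secrets.token_bytes(32)


def unkeyed_token(node_id: int, session_id: str) -> str:
    """The scheme as first proposed: a hash over node ID and session ID only.
    Both inputs are visible to the client, so the client can recompute it."""
    return hashlib.sha256(f"{node_id}:{session_id}".encode()).hexdigest()


def keyed_token(node_id: int, session_id: str, key: bytes = SITE_PRIVATE_KEY) -> str:
    """The keyed variant: HMAC-SHA256 over the same inputs under the site's
    private key. Recomputing it requires the key, which never leaves the server."""
    msg = f"{node_id}:{session_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def render_comment_form(node_id: int, session_id: str) -> dict:
    """Server side: the hidden field emitted alongside the comment form."""
    return {"nid": str(node_id), "form_token": keyed_token(node_id, session_id)}


def accept_comment(form: dict, session_id: str) -> bool:
    """Server side, on 'post comment': recompute the token for this node and
    this session and compare in constant time. Any missing or malformed field,
    or a token minted for another node or session, is rejected."""
    try:
        node_id = int(form["nid"])
        submitted = form["form_token"]
    except (KeyError, ValueError):
        return False
    expected = keyed_token(node_id, session_id)
    return hmac.compare_digest(submitted, expected)


def spammer_forges(node_id: int, session_id: str) -> dict:
    """What a spammer who knows the node ID and session ID can produce.
    Against the unkeyed scheme that is the genuine token; against the keyed
    scheme the best available is an HMAC under a key of the spammer's choosing."""
    return {
        "unkeyed": unkeyed_token(node_id, session_id),
        "keyed_guess": keyed_token(node_id, session_id, key=b"not the site key"),
    }
```

Binding the token to both the node ID and the session ID means a token lifted from one page or one session does not validate elsewhere, which is what the checks in `accept_comment` enforce. The limit of the approach is also visible here: a bot that fetches the form inside its own session receives a valid token, so this stops blind scripted posts rather than every automated poster.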