[drupal-devel] simple and effective comment spam prevention exists and works
Harry Slaughter
harry at slaughters.com
Sat Oct 1 15:55:15 UTC 2005
Karoly Negyesi wrote:
>> i believe the domain name can be replaced with a var to make it generic.
>> i'm just not sure if there are cases where a valid client does not send
>> a referrer.
>
> Plenty. HTTP_REFERER is not something to rely on.

i'd be very curious as to what browser does not send a referer header
when posting from a form. the only cases i could imagine where a referer
would be missing would be non-browser clients (like scripts that post
comments). the referer header has been around since day one.

as far as relying on this header, it depends on what you're relying on
it for. since the only clients that would be omitting this field would
almost certainly be spammers (or users whose browsers are so obscure
i've never heard of them), i consider it reliable enough to use as part
of an anti-spam technique.

sure, spammers will easily bypass this method as soon as it becomes
commonly used, but that is the nature of all anti-spam techniques. all
anti-spam tools enter this game of escalation. the fact that a spammer
can circumvent or overcome a given anti-spam technique is not a
reasonable excuse for not implementing it.

and i certainly wasn't suggesting this go in core as it's not the type
of thing all people would want (like those that want to be able to use
methods other than a traditional browser to POST content).
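
The referer check debated in this thread, written out as an added example; it is not code from the original message or from Drupal. The function name `comment_referer_verdict`, its verdict strings and the host `example.org` are assumptions made for illustration, and the site host is passed in as a variable rather than hard-coded.

```php
<?php
/**
 * Classify a comment submission by its Referer header (hypothetical helper).
 *
 * @param array  $server   Request variables, normally $_SERVER.
 * @param string $siteHost Host name of this site, e.g. taken from configuration.
 * @return string 'ok', 'missing', 'malformed' or 'foreign'.
 */
function comment_referer_verdict(array $server, string $siteHost): string
{
    // Only form submissions are checked; GET requests pass through.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'ok';
    }
    // Absent header: non-browser clients, and browsers or proxies set to strip it.
    $referer = trim($server['HTTP_REFERER'] ?? '');
    if ($referer === '') {
        return 'missing';
    }
    // parse_url() returns null or false when no host can be extracted.
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return 'malformed';
    }
    // Compare whole host names; a substring match would accept
    // "example.org.spam.test" as if it were "example.org".
    return strcasecmp($host, $siteHost) === 0 ? 'ok' : 'foreign';
}

// Constructed sample requests, not captured traffic.
$samples = [
    'browser form post'   => ['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'http://example.org/node/12'],
    'no referer sent'     => ['REQUEST_METHOD' => 'POST'],
    'look-alike host'     => ['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'http://example.org.spam.test/x'],
    'header set by hand'  => ['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'http://example.org/'],
];
foreach ($samples as $label => $request) {
    printf("%-20s %s\n", $label, comment_referer_verdict($request, 'example.org'));
}
```

The last sample gets the same verdict as the real browser post because the header is client-supplied, so a non-`ok` verdict is better used as one input to moderation or scoring than as an authentication check.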