[drupal-devel] simple and effective comment spam prevention exists and works

Harry Slaughter harry at slaughters.com
Sat Oct 1 15:55:15 UTC 2005

Karoly Negyesi wrote:
>> i believe the domain name can be replaced with a var to make it generic.
>> i'm just not sure if there are cases where a valid client does not send
>> a referrer.
> Plenty. HTTP_REFERER is not something to rely on.

i'd be very curious as to what browser does not send a referer header 
when posting from a form. the only cases i could imagine where a referer 
would be missing would be non-browser clients (like scripts that post 
comments). the referer header has been around since day one.

as far as relying on this header, it depends on what you're relying on 
it for. since the only clients that would be omitting this field would 
almost certainly be spammers (or users whose browsers are so obscure 
i've never heard of them), i consider it reliable enough to use as part 
of an anti-spam technique.

sure spammers will easily bypass this method as soon as it becomes 
commonly used, but that is the nature of all anti-spam techniques. all 
anti-spam tools enter this game of escalation. the fact that a spammer 
can circumvent or overcome a given anti-spam technique is not a 
reasonable excuse for not implementing it.

and i certainly wasn't suggesting this go in core as it's not the type 
of thing all people would want (like those that want to be able to use 
methods other than a traditional browser to POST content).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: harry.vcf
Type: text/x-vcard
Size: 267 bytes
Desc: not available
Url : http://drupal3.drupal.org/pipermail/development/attachments/20051001/a390f716/harry.vcf

More information about the drupal-devel mailing list