[drupal-devel] simple and effective comment spam prevention exists and works

Khalid B kb at 2bits.com
Sat Oct 1 15:58:14 UTC 2005


Harry

The scripts for spam bots can be easily modified to include a referer
that is just the domain name of the site being attacked.

This renders the referer defense completely useless.

On 10/1/05, Harry Slaughter <harry at slaughters.com> wrote:
> Karoly Negyesi wrote:
> >> i believe the domain name can be replaced with a var to make it generic.
> >> i'm just not sure if there are cases where a valid client does not send
> >> a referrer.
> >
> >
> > Plenty. HTTP_REFERER is not something to rely on.
>
> i'd be very curious as to what browser does not send a referer header
> when posting from a form. the only cases i could imagine where a referer
> would be missing would be non-browser clients (like scripts that post
> comments). the referer header has been around since day one.
>
> as far as relying on this header, it depends on what you're relying on
> it for. since the only clients that would be omitting this field would
> almost certainly be spammers (or users whose browsers are so obscure
> i've never heard of them), i consider it reliable enough to use as part
> of an anti-spam technique.
>
> sure spammers will easily bypass this method as soon as it becomes
> commonly used, but that is the nature of all anti-spam techniques. all
> anti-spam tools enter this game of escalation. the fact that a spammer
> can circumvent or overcome a given anti-spam technique is not a
> reasonable excuse for not implementing it.
>
> and i certainly wasn't suggesting this go in core as it's not the type
> of thing all people would want (like those that want to be able to use
> methods other than a traditional browser to POST content).


