[drupal-devel] simple and effective comment spam prevention exists and works

Khalid B kb at 2bits.com
Sat Oct 1 17:31:01 UTC 2005

No, a captcha is very different.

A captcha relies on some output (letters/numbers in a graphic or an
equation to solve) that is human readable/solvable. This is almost
impossible for a bot to decipher and hence  is a good defense.

A referer is trivial to fake. Just put the domain name in the referer
and voila: it is not a defence.

So, it just becomes another arsenal in the arms race that becomes
useless quickly, giving a false sense of securty, wasting effort, and
bloating the code.

On 10/1/05, Larry Garfield <larry at garfieldtech.com> wrote:
> Um, isn't that the idea behind a captcha?  We've got that already.
> http://drupal.org/project/captcha
> On Saturday 01 October 2005 10:44 am, Theodore Serbinski wrote:
> > One method we may want to look into. When a session is created a for
> > user and they are on a page that allows comments, we come up with a
> > unique hash based on say the node ID and session ID. We store this in
> > the user's session. When the user goes to create a comment, we pass
> > this unique hash with a hidden input field and when they click "post
> > comment" we verify this input hidden hash against one stored in the
> > user's session. This should prevent most spam comments, IMO.
> >
> > ted
> >
> > On 10/1/05, Khalid B <kb at 2bits.com> wrote:
> > > This defense may work for a while, but will be very short lived.
> > >
> > > Spam bots will be upgraded to fake a referer that contains the domain
> > > name.
> > >
> > > The spam arms race continues ...
> --
> Larry Garfield                  AIM: LOLG42
> larry at garfieldtech.com          ICQ: 6817012
> "If nature has made any one thing less susceptible than all others of
> exclusive property, it is the action of the thinking power called an idea,
> which an individual may exclusively possess as long as he keeps it to
> himself; but the moment it is divulged, it forces itself into the possession
> of every one, and the receiver cannot dispossess himself of it."  -- Thomas
> Jefferson

More information about the drupal-devel mailing list