[drupal-devel] simple and effective comment spam prevention exists and works

Jeremy Andrews jeremy at kerneltrap.org
Sun Oct 2 04:10:42 UTC 2005

On Sat, 1 Oct 2005 11:44:51 -0400
Theodore Serbinski <tss24 at cornell.edu> wrote:

> One method we may want to look into. When a session is
> created for a user and they are on a page that allows
> comments, we come up with a unique hash based on say the
> node ID and session ID. We store this in the user's
> session. When the user goes to create a comment, we pass
> this unique hash with a hidden input field and when they
> click "post comment" we verify this input hidden hash
> against one stored in the user's session. This should
> prevent most spam comments, IMO.

The spammer has access to the node ID and the session ID, so
they can easily fake the hash you suggest.  But if you tie it
together with a private key (owned by the website), then
you've got something.

Something similar is in core already, and will be in Drupal
4.7.  It currently cuts out over 99% of the spam I see on
KernelTrap: http://drupal.org/node/28420

(#20, #21 and #26 in particular)

There are potential issues to be solved, but it's a step in
the right direction.
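
The difference between the two schemes in this thread, as an added example that is not part of the original messages and is not Drupal's code. The function names, the choice of HMAC-SHA256, and the key and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a per-site secret that never leaves the server.
SITE_PRIVATE_KEY = secrets.token_bytes(32)


def _message(node_id: int, session_id: str) -> bytes:
    # Length-prefix the session ID so the field boundaries are unambiguous.
    return f"{node_id}:{len(session_id)}:{session_id}".encode()


def unkeyed_token(node_id: int, session_id: str) -> str:
    """The quoted proposal: a plain hash of values the client already holds."""
    return hashlib.sha256(_message(node_id, session_id)).hexdigest()


def keyed_token(node_id: int, session_id: str, key: bytes = SITE_PRIVATE_KEY) -> str:
    """The reply's variant: the same inputs bound to the site's private key."""
    return hmac.new(key, _message(node_id, session_id), hashlib.sha256).hexdigest()


def verify_comment_token(submitted: str, node_id: int, session_id: str,
                         key: bytes = SITE_PRIVATE_KEY) -> bool:
    """Check the hidden-field value on "post comment", in constant time."""
    expected = keyed_token(node_id, session_id, key)
    return hmac.compare_digest(expected.encode(), submitted.encode())


def demo() -> dict:
    node_id, session_id = 1234, "constructed-session-id"  # constructed sample values
    issued = keyed_token(node_id, session_id)  # placed in the hidden input field
    return {
        # The token the server issued for this node and session is accepted.
        "issued": verify_comment_token(issued, node_id, session_id),
        # A value recomputed from node ID and session ID alone is rejected.
        "recomputed_without_key": verify_comment_token(
            unkeyed_token(node_id, session_id), node_id, session_id),
        # The issued token does not carry over to another node or session.
        "other_node": verify_comment_token(issued, node_id + 1, session_id),
        "other_session": verify_comment_token(issued, node_id, "another-session"),
    }


if __name__ == "__main__":
    print(demo())
```
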

