[drupal-devel] simple and effective comment spam prevention exists and works

Jeremy Andrews jeremy at kerneltrap.org
Sun Oct 2 12:22:16 UTC 2005

On Sun, 2 Oct 2005 13:09:05 +0200
Adrian Rossouw <adrian at bryght.com> wrote:

> > Something similar is in core already, and will be in
> > Drupal 4.7.  It currently cuts out over 99% of the spam I
> > see on KernelTrap: http://drupal.org/node/28420
> This has been integrated into the form api.

Cool!  :)

> To make any form require a token, you set
> $form[token] = $key;
> Where key is something specific to the form .. in the case
> of comment : $form[token] =  'comment' . $edit['nid'] .
> $edit['pid'];
> It's still fairly easy to download the page first and grep
> out the token to send back though, but
> it's extra work for the spammer.

Yes.  The best solution I have come up with is to track token
use, preventing token re-use.  I had a nearly working patch a
while ago (it tracked the last n-used tokens), but ran out of
time.  It had some issues telling previews and submits apart,
as well as with handling followup edits.  When it becomes
necessary, I will surely dust it off again.
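
The token-reuse tracking discussed above, as an added example that is not part of the original post and not Drupal's form API code. The class name, the nonce-plus-HMAC token layout, and the preview/submit flag are assumptions made for illustration. It needs PHP 8.

```php
<?php
// Added example: single-use form tokens with a bounded replay list.
// All names are hypothetical; the used-token list lives in memory here,
// while a real site would persist it (database or session).
final class FormTokens
{
    private array $used = [];   // FIFO of the last $keep consumed tokens

    public function __construct(private string $secret, private int $keep = 1000) {}

    // Issue a token bound to a form-specific key, e.g. 'comment' . $nid . $pid.
    // The random nonce makes every rendered form carry a distinct token.
    public function issue(string $key): string
    {
        $nonce = bin2hex(random_bytes(16));
        return $nonce . ':' . hash_hmac('sha256', $key . '|' . $nonce, $this->secret);
    }

    // Validate a token. Only a real submit ($consume = true) burns it, so a
    // preview followed by a submit of the same form still succeeds.
    public function check(string $key, string $token, bool $consume): bool
    {
        $parts = explode(':', $token, 2);
        if (count($parts) !== 2) {
            return false;                     // malformed token
        }
        [$nonce, $mac] = $parts;
        $expected = hash_hmac('sha256', $key . '|' . $nonce, $this->secret);
        if (!hash_equals($expected, $mac)) {
            return false;                     // forged, or issued for another form
        }
        if (in_array($token, $this->used, true)) {
            return false;                     // replay of a consumed token
        }
        if ($consume) {
            $this->used[] = $token;
            if (count($this->used) > $this->keep) {
                array_shift($this->used);     // forget the oldest token
            }
        }
        return true;
    }
}

$tokens = new FormTokens(random_bytes(32), 3);
[$nid, $pid] = [28420, 0];                    // constructed sample values
$key = 'comment' . $nid . $pid;
$tok = $tokens->issue($key);
var_dump($tokens->check($key, $tok, false));  // preview
var_dump($tokens->check($key, $tok, true));   // first submit
var_dump($tokens->check($key, $tok, true));   // same token sent again
```

Because only the last n consumed tokens are remembered, a token evicted from the list would validate again, so a deployment also needs an expiry on issued tokens.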

