[drupal-devel] simple and effective comment spam prevention exists and works

[Jeremy Andrews]

On Sun, 2 Oct 2005 14:36:39 +0200
Adrian Rossouw <adrian at bryght.com> wrote:

> On 02 Oct 2005, at 2:22 PM, Jeremy Andrews wrote:
> > Yes.  The best solution I have come up with is to track
> > token use, preventing token re-use.  I had a nearly
> > working patch a while ago (it tracked the last n-used
> > tokens), but ran out of time.  It had some issues telling
> > previews and submits apart, as well as with handling
> > followup edits.  When it becomes necessary, I will surely
> > dust it off again.
>
> Why not add a count variable to the token generation, and
> have a db table / variable keeping
> track of how many times you have used the token (ie:
> successful submission).

There is some confusion introduced from the fact that it is
perfectly legitimate to "preview" a comment as many times as
you like - so the forms logic would have to know the
difference.  It's also legitimate to "submit" a comment
multiple times as there maybe errors that have to be fixed -
that's a little more difficult to work around.  Finally, it
can also be legitimate to "edit" a comment many times.  In
all of these cases, the same token is used.

A simpler solution I just thought of would require the
introduction of a three column table: 
  token, type, id

The token column holds the token.  The type column is a text
string holding the content type (ie, comment, node, etc...)
The id column holds the uniqe id for that form (ie, the cid,
the nid, etc...)  Insert the token/type/id combo when
generating the token, but be sure the token hasn't been used
with another id for that data type.

This avoids all the problems described above, and would
prevent token re-use by comment spammers.  The only problem
is that this solution doesn't work for forms that don't have
unique id's, such as the contact form.  Perhaps that's okay.
(You could have an 'id' of 0 in such cases.)

-Jeremy