Muffinresearch Labs by Stuart Colville

Dvorak’s comment spam fix

Posted in Code on 26th September 2005, 10:23 pm by Stuart

As a regular listener to This Week In Tech, I heard on the latest show that John C Dvorak’s anti-spam provider, Marc Perkel at ctyme.com, has come up with a way to prevent comment spam on any site running Apache.

I went over to John’s site to get the lowdown. Basically, the method uses mod_rewrite to deny anyone trying to access the form if the referrer doesn’t come from the domain of that site. This is a similar trick to the one used to show alternative images to anyone visiting the site of someone who has linked directly to images on your site.

<Location /blog/wp-comments-newpost.php>
  RewriteEngine On
  RewriteCond %{HTTP_REFERER} !^.*dvorak.org/.*
  RewriteRule ^.* http://www.ctyme.com/comment-spam.html
</Location>

The big flaw with this method is that the HTTP referrer is supplied by the user agent and can easily be spoofed, rendering the method useless once spammers catch on. A better way is to use a token. Assuming you are using PHP, this is quite simple to implement: create a token, put it in a hidden field on your form and, at the same time, put the same token into the $_SESSION array.

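<?php
  // Start (or resume) the session so that $_SESSION is available.
  session_start();
  $secret = 'magicalspambustingnumpties';
  // Build the token and keep a server-side copy for the later comparison.
  $token = md5(rand(1, 1000).$secret);
  $_SESSION['token'] = $token;
?>

<input type="hidden" name="token" value="<?php echo $token; ?>" />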

On the page that receives the posted form, just check that the posted token field matches the token in the session. Unlike the HTTP referrer method, the user agent cannot interfere with this one. To take this even further you could add a timeout mechanism, but on its own this should suffice.
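The receiving-page check and the timeout mentioned above, as an added example that is not code from the original post. The function names, the 'token_time' session key and the 900-second lifetime are assumptions, random_bytes() is swapped in for md5(rand(...)), and PHP 7 or later is assumed.

```php
<?php
// Added example, not from the original post. Function names, the
// 'token_time' key and the 900-second lifetime are assumptions.
const TOKEN_LIFETIME = 900; // seconds a rendered form stays valid (assumed)

// Call while rendering the comment form; returns the hidden-field value.
function issue_comment_token(array &$session, int $now): string
{
    // random_bytes() swapped in for md5(rand(1, 1000).$secret):
    // 128 bits from the CSPRNG, so no shared secret is needed.
    $token = bin2hex(random_bytes(16));
    $session['token'] = $token;
    $session['token_time'] = $now;
    return $token;
}

// Call on the page that receives the POST; true only for a fresh match.
function check_comment_token(array &$session, array $post, int $now): bool
{
    $expected = $session['token'] ?? null;
    $issued   = $session['token_time'] ?? 0;
    // Single use: whatever the outcome, the stored token is discarded.
    unset($session['token'], $session['token_time']);

    $supplied = $post['token'] ?? null;
    if (!is_string($expected) || !is_string($supplied)) {
        return false; // no form was served to this session, or field missing
    }
    if ($now - $issued > TOKEN_LIFETIME) {
        return false; // the form was fetched too long ago
    }
    // hash_equals() compares the two strings in constant time.
    return hash_equals($expected, $supplied);
}

// Constructed demonstration: a plain array stands in for $_SESSION.
$sess = [];
$t = issue_comment_token($sess, 1000);
var_dump(check_comment_token($sess, ['token' => $t], 1060)); // fresh submit
var_dump(check_comment_token($sess, ['token' => $t], 1061)); // same token replayed
$t = issue_comment_token($sess, 2000);
var_dump(check_comment_token($sess, ['token' => $t], 2901)); // sent after the lifetime
var_dump(check_comment_token($sess, [], 3000));              // direct POST, no form fetched
```

On a live page, call session_start() first and pass $_SESSION, $_POST and time() in place of the constructed values.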

GNU screen: open tab in current working directory

A nice trick for having screen open a new tab in the same directory as the one you’re currently in. To use it, add it to your .screenrc:

# Open new window in current dir.
bind c stuff "screen -X chdir \$PWD;screen^M"
bind ^c stuff "screen -X chdir \$PWD;screen^M"

Hat tip: mteckert on SuperUser.com

Ubuntu: add-apt-repository: command not found

If you’re using a minimal Ubuntu install and find that the ‘add-apt-repository’ command is missing (it’s useful for adding PPAs and other repositories), simply run:

sudo apt-get install python-software-properties

© Copyright 2004-12 Stuart Colville, all rights reserved.