Comment Errors
By Justin Gardner | Related entries in Blogging
You’re probably seeing some weird stuff on the site right now and that’s due to the fact we’re getting hammered by spammers. This is actually a good sign and shows that Donklephant is getting more popular, but obviously it’s still a pain in the ass.
In any event, the comments section has been disabled by our hosting service, but I have a request in to fix it so hang tight and we’ll get this figured out.
Thanks all!
UPDATE:
Fixed!
May 14th, 2007 at 3:06 pm
Stopping comment spam is actually much easier than one might expect if you are on a VPS server. I’ve gone from 100+ comment spams a day on my blog to absolutely zero since I made the change.
Basically, you put in some kind of javascript-based check on the email field that triggers on submit. I used a SHA1 hash, but you could easily do something like say, use Javascript to reverse all the letters in the email address and copy the reversed letters into a hidden field that has a bogus default value set. Then on the server side, you just verify that the field is there and contains the values you expected.
That part will prevent spammers from ever hitting the moderation queue, so you don’t have to wade through mounds of spam to find the ham, and that part doesn’t require a VPS host. But if you’re being pounded by comment spammers, it still won’t prevent them from using up valuable CPU cycles. To do that, you need to use the blacklist iptables script. Basically, you autoblacklist at the firewall, anyone who tries to submit a comment with incorrect values in the field, say, for 3 days (since it would technically be possible for someone using a browser without javascript to run afoul of this). Though, you do have to check and make sure that you don’t accidentally blacklist 127.0.0.1, since spammers often spoof that IP address.
The main reason this technique works so well is that it requires customization of the software, and spammers are much, much too lazy to spend time trying to figure out what you’ve changed, just so they can spam one site.
If you’re looking for a much, much faster solution, you can just change the names of the fields off from the default, both on the server side and in the html output. Ideally, you want to name the fields something weird, like Name => “gallbladder”, Email => “pancreas”, Website => “liver”. This prevents spammers from identifying the field names with a regular expression. Alternatively, renaming the form target also works. For a while. Very non-permanent, since a simple regexp defeats that technique.
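The "reversed email in a hidden field" check the comment above describes, written out as an added example (this is not the commenter's code or anything from the Donklephant site). It uses the commenter's odd field names (`pancreas` for the email, `gallbladder` for the name) and a hidden field `email_check`; the bogus default value, the 3-day ban length, the loopback addresses that must never be banned and the `iptables` command string are assumptions made for the example. The client-side part is the transform an onsubmit handler would perform; the server-side part verifies it and decides whether the submitting IP should be handed to the firewall blacklist.

```javascript
// Hidden-field value that a bot which never runs JavaScript leaves untouched.
const BOGUS_DEFAULT = 'not-set';            // constructed value
const BAN_SECONDS = 3 * 24 * 60 * 60;       // 3 days, as the comment suggests
// Addresses that must never be blacklisted: loopback is commonly spoofed,
// and dropping it would break the server itself.
const NEVER_BAN = new Set(['127.0.0.1', '::1']);

// Client side: reverse the visible email field character by character.
function reverseString(s) {
  return Array.from(s).reverse().join('');
}

// Client side: what the onsubmit handler does to the form before it is sent,
// i.e. overwrite the hidden field's bogus default with the reversed email.
function fillHiddenField(formValues) {
  return { ...formValues, email_check: reverseString(formValues.pancreas || '') };
}

// Server side: the hidden field must exist, must not still hold the default,
// and must equal the reversed email. A bot that posts the original field set
// (or a copy of the raw HTML) fails all three.
function verifySubmission(fields) {
  if (!('email_check' in fields)) return false;
  if (fields.email_check === BOGUS_DEFAULT) return false;
  return fields.email_check === reverseString(fields.pancreas || '');
}

// Firewall rule the blacklist script would run for a banned address
// (assumed form; an expiry job would later remove the rule with -D).
function banCommand(ip) {
  return `iptables -I INPUT -s ${ip} -j DROP`;
}

// Server side: accept a good submission; reject a bad one and, unless the IP
// is on the never-ban list, produce a ban record with an expiry time.
function handleSubmission(fields, ip, now = Date.now()) {
  if (verifySubmission(fields)) return { accept: true, ban: null };
  if (NEVER_BAN.has(ip)) return { accept: false, ban: null };
  return {
    accept: false,
    ban: { ip, command: banCommand(ip), expires: now + BAN_SECONDS * 1000 },
  };
}

// Constructed sample run: a browser-filled form passes, a bot's copy does not.
const browserForm = fillHiddenField({ gallbladder: 'Ann', pancreas: 'ann@example.com' });
console.log(handleSubmission(browserForm, '203.0.113.5'));
console.log(handleSubmission({ gallbladder: 'Bot', pancreas: 'x@y.z', email_check: BOGUS_DEFAULT }, '203.0.113.5'));
console.log(handleSubmission({ gallbladder: 'Bot', pancreas: 'x@y.z' }, '127.0.0.1'));
```

Note that the ban is applied only to failed submissions that actually reach the comment handler, so a visitor with JavaScript disabled is caught too; the expiry field exists precisely so that such a visitor is locked out for the 3 days the comment proposes rather than permanently.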
May 14th, 2007 at 6:18 pm
I just feel it is important to point out that it is pure coincidence that the blogsite went down as soon as I joined. Really. Just coincidence. It’s not my fault.