Stopping Website Visitor Blog Spam

June 28, 2010 | By greg | Posted in PHP Advanced, PHP WordPress

Stopping Website Visitor Comment Spam (example: WordPress)

If you have a blog and want visitors to be able to add a comment easily, you will also get spam, lots of it, unless you either force visitors to create a login before commenting (the traditional answer) or use a captcha. As one guy said, "It's really disgusting the stuff I have to block from my blog every 2-3 days." You can force visitors to create a login before commenting, but most visitors won't do it; they will just leave.

[also read about "silent spamming" at http://www.theadminzone.com/forums/showthread.php?t=684]

However, the simplest captcha has worked. You have been correct in thinking that you don't need images so jumbled that even you cannot read them easily ("overkill to the extreme"). Most spammers have not bothered with OCR: there are ten times as many sites with no captcha at all, so the effort has not been worth it. That may be about to change. See the browser add-on "Skip Screen" (http://skipscreen.com/blog/2009/11/megaupload-anti-captcha-is-back/), where doing OCR on captcha images for you is only a secondary, after-thought addition to its primary purpose (skipping wait screens).

For high-profile, high-traffic sites, whose captcha images spammers may already be reading, one amateur spam writer (bragging about how he used OCR to read just about any captcha image he encountered) suggested a better defense:

ask natural language questions.

Captcha: add or subtract 2 random numbers

on your comment page, add
<?php
if ( !session_id() ) session_start(); # $_SESSION is unusable until a session exists
$Rnum1 = rand(20, 90); # the range is inclusive.
$Rnum2 = rand( 1, 5); # the range is inclusive.
$_SESSION['comment_math'] = $Rnum1 - $Rnum2 ; # the expected answer stays server-side
?>

then, below, ask your question:
Captcha Question:
You had <?php echo $Rnum1; ?> apples and gave away
<?php echo $Rnum2; ?> leaving you with
<input type="text" name="captcha" id="captcha"
size="4" maxlength="40" tabindex="3" />
(the answer; to stop automated spam)

or
<span class="formatcaptcha"> Starting with
<?php echo $Rnum1; ?> marbles </span>
<span class="required_field"> add </span>
<?php echo $Rnum2; ?> to get
<input type="text" name="captcha" id="captcha"
size="4" maxlength="40" tabindex="3" />
(the answer; to stop automated spam)

where
.formatcaptcha:after
{ content: 'give away'; }
.required_field
{ display:none; }

is in your style sheet.
Congratulations, you are now asking natural language questions, the one thing the spam writer admitted he could not defeat. (See my comment form below; the spam-bots are not even coming close to figuring it out. A few people have forgotten it and had to click return and go back to answer it.)
Google is the best at taking a natural language question and coming up with answers, but ask Google "starting with 25 oranges, give away 3 to get what?" and Google is looking for oranges. Ha! On top of that, your visitor sees "give away" while a spam-bot that scrapes the raw HTML sees "add", so a bot that does the arithmetic it reads gets the wrong answer. Two caveats: a bot that just extracts the two integers and submits their sum on one try and their difference on the next has a one-in-two chance per attempt, so use this together with the other checks below; and display:none also removes "add" from what a screen reader voices, so a reader that does not voice CSS-generated content gives its user neither word.


add a second name field

Spambot software's main "logic" is to fill in most blanks with something. I added a second name field, hidden with a css class.

css:
.required_field
{ display:none; }

html:
<span class="required_field"> Last Name (required) </span>
<input type="text" name="lastname" class="required_field"
size="20" maxlength="20" autocomplete="off" />

Then, at the top of the program that processes the form (example: <form action="comments-edit.php" method="post"> ) I put this PHP statement:

if ( !empty($_POST['lastname']) ) exit;

Two cautions. A visitor whose browser does not apply your style sheet (a text browser, or CSS disabled) will see a field labelled "required", fill it in, and be rejected as a bot. And a field named "lastname" invites browser form autofill, which does not always respect display:none; the autocomplete="off" on the input above is added here for that reason.

 

using .htaccess to stop spam: it does not work; the spam-bots have already wised up to it. The rules below reject a POST to wp-comments-post.php whose Referer does not mention your domain or whose User-Agent is empty, but both headers are supplied by the client, so a bot only has to send plausible values.
# protect from spam comments
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*yourdomain.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]   # send the bot back to its own address

 

WordPress
What disappointed me about WordPress was that the first thing its form action program (wp-comments-post.php) did was load a dozen or more modules, all the overhead of every page on the blog, before it even looked to see whether the comment was legitimate. A DoS attack would have a party. WordPress is asleep on the job. (Plug-ins add even more overhead.)

First, because WP does not start sessions unless a person logs in, it has been wisely advised that, at the top of your wp-config.php file, you put
if ( !session_id() ) session_start(); # sessions for stopping spam-bots.
It has to go somewhere, and wp-config.php is the best place. It is your file for your configuration settings.

Then, with a question like {25-3} above, put this at the top of the form action program:
if ( !isset($_SESSION['comment_math'], $_POST['captcha'])
     || (string)(int)$_SESSION['comment_math'] !== trim($_POST['captcha']) ) exit;
unset($_SESSION['comment_math']); # one answer per question, so a solved one cannot be replayed
OR
if ( !isset($_SESSION['comment_math'], $_POST['captcha'])
     || (string)(int)$_SESSION['comment_math'] !== trim($_POST['captcha']) )
{
echo 'Please return and enter the correct answer so that
we know this is not machine generated spam.';
exit;
}
unset($_SESSION['comment_math']); # one answer per question

The strict comparison matters: with a loose != a value such as "22abc" compares equal to 22 in PHP 5, and the isset() guard avoids an undefined-index notice when a bot posts without ever loading the form page. Dropping the stored answer after the check means a bot that gets one question right cannot reuse that session cookie for a flood of posts.

With these, an attempt to overwhelm your/my website with spam would be doomed.


use a timer

Another thing you can do to eliminate spam (by itself it caught every one in the sample below) is record the time the visitor arrives at the page where they write their comment, with this one line:
<?php $_SESSION['comment_time'] = time(); ?>
Then, at the top of your form action program, put
if ( !isset($_SESSION['comment_time']) )
{ $timediff = 0 ; }
else
{ $timediff = time() - (int)$_SESSION['comment_time'] ; }

(the first branch is there because a few bots are so crude they won't even fetch your page first), then put
if ( $timediff < 30 ) exit;
Out of 27 spams, 4 arrived between 10 and 30 seconds after the page was fetched; the other 23 took less than 10 seconds, including 4 in which the timer was not even set.

Perhaps, even better than just "exit", sock it to them with this:
{
header ('HTTP/1.1 403 Forbidden');
include $_SERVER['DOCUMENT_ROOT'] . '/403.php'; # show your 403 page under the 403 status
exit;
}
Do not try to combine the 403 status with a Location: redirect to /403.php: PHP's header() replaces the status with a 302 whenever it sends a Location: header, so the bot would get a redirect instead of a refusal.
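Here are the three server-side checks described on this page (the hidden "lastname" field, the arithmetic question checked against the session, and the arrival timer) collected into two functions, so the form processor makes one call and gets back either null (accept) or a short reason for rejecting. This is an added example, not code from the post or from WordPress; the function names, the reason strings, the 30-second default and the constructed sample submissions at the bottom are this example's own. It needs PHP 7.1 or later, and in real use an already started session, so that $_SESSION, $_POST and time() can be passed in.

```php
<?php
// Added example (not the post's or WordPress's code): the hidden field,
// the arithmetic question and the arrival timer as two functions.
// Names and reason strings are this example's choices.

// Call on the page that shows the comment form. Stores the expected answer
// and the arrival time in the session and returns the two numbers to print.
function new_comment_challenge(array &$session): array
{
    $n1 = rand(20, 90);                     // inclusive, as in the post
    $n2 = rand(1, 5);
    $session['comment_math'] = $n1 - $n2;   // "gave away" => subtract
    $session['comment_time'] = time();
    return ['n1' => $n1, 'n2' => $n2];
}

// Call at the top of the form processor, before anything else is loaded.
// Returns null if the post looks human, otherwise the reason it was refused.
// The stored answer is discarded after one check, so a solved question
// cannot be replayed from the same session cookie.
function check_comment_submission(array &$session, array $post, int $now, int $min_seconds = 30): ?string
{
    // 1. Hidden "lastname" field: humans never see it, bots fill it in.
    if (!empty($post['lastname'])) {
        return 'honeypot filled';
    }

    // 2. Arrival timer: the form page must have been fetched first,
    //    and at least $min_seconds ago.
    if (!isset($session['comment_time'])) {
        return 'form page never loaded';
    }
    $elapsed = $now - (int) $session['comment_time'];
    if ($elapsed < $min_seconds) {
        return "submitted after {$elapsed}s";
    }

    // 3. Arithmetic question: strict string comparison, so "23abc" or an
    //    array value does not slip past a loose == check.
    if (!isset($session['comment_math'])) {
        return 'no question issued';
    }
    $expected = (string) (int) $session['comment_math'];
    unset($session['comment_math']);        // one answer per question
    $given = isset($post['captcha']) && is_string($post['captcha']) ? trim($post['captcha']) : '';
    if ($given !== $expected) {
        return 'wrong answer';
    }

    return null;   // accept; now hand off to the real comment code
}

// Constructed demonstration input (not real traffic).
$session = [];
$q = new_comment_challenge($session);
$right = (string) ($q['n1'] - $q['n2']);
$wrong = (string) ($q['n1'] + $q['n2']);   // a bot that adds instead of subtracting
$t0 = $session['comment_time'];

$attempts = [
    // label,                       POST fields,                                  time of submission
    ['bot fills hidden field',      ['captcha' => $right, 'lastname' => 'Smith'], $t0 + 60],
    ['bot posts within 3 seconds',  ['captcha' => $right],                        $t0 + 3],
    ['bot guesses the sum',         ['captcha' => $wrong],                        $t0 + 60],
];
foreach ($attempts as [$label, $post, $when]) {
    $copy = $session;   // each attempt gets its own copy of the session state
    printf("%-28s -> %s\n", $label, check_comment_submission($copy, $post, $when) ?? 'accepted');
}

// A human answer (with stray whitespace) is accepted once; the same session
// cannot reuse the question afterwards.
printf("%-28s -> %s\n", 'human answers correctly', check_comment_submission($session, ['captcha' => " $right "], $t0 + 60) ?? 'accepted');
printf("%-28s -> %s\n", 'replay with same cookie',  check_comment_submission($session, ['captcha' => $right], $t0 + 61) ?? 'accepted');
```

In a real form processor the call is `if (check_comment_submission($_SESSION, $_POST, time()) !== null) exit;` (or the 403 response above), placed before WordPress or anything else is loaded, which is the point the WordPress section makes about overhead. The first three constructed attempts are each refused for a different reason, the human attempt is accepted, and the replay is refused because the question was consumed by the accepted check.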


If you like JavaScript, here is a good idea I found (most spam-bots do not execute JavaScript):

a javascript to stop spam

example:
modify the <form> tag for the comment form so that its "action" points at your 403 error file, or at something that does not exist, and add name="comments_form" (for example):

<form method="post" action="keeplooking.php" name="comments_form" ...

I added these lines just beneath the comment <form> statement:

<script type="text/javascript" src="comment.js"></script>

And lastly, I created "comment.js", placed it in the root of my website. It contains only this:

document.comments_form.action = "/something.php";

The goal of all that is to rename the comment submission script and make it difficult for the spam-bots to determine what it is. Most spam-bots either assume the name of the comment script and post directly to it, or they scan a weblog entry for the <form> tag and read the name of the script from its "action=" attribute.

In either case the default (original) comment script name no longer exists; I renamed it. The "action=" attribute points to a completely different page, one that also does not exist.

The magic behind this trick is the JavaScript in comment.js. When the <script> line that references it is loaded by a browser, the script executes and changes the "action=" for the form from the imaginary (non-existent) page to the "real" comment script, which I've currently named /something.php.

For a spambot to succeed it would need to execute JavaScript, or fetch comment.js and read the real name out of it; the script is public, so this is obscurity rather than a secret, and a bot that follows script links defeats it. But for now, zero automated comment spams have been posted in the several months this technique has been in use. The cost is that visitors with JavaScript disabled cannot post either, since their form still points at the dummy page.
