
Date: 15/07/2010 at 6:24
Trying to prevent spammers and fake profiles is like trying to prevent burglaries. It won't happen simply by locking your door; sometimes you need to use some muscle and throw them out by force.
But these are usually not "burglars"; in fact most of it is done with automated scripts. So we can actually stop most of the spam right at the door, or, amusingly enough, with the door itself, even while keeping the door unlocked. This may be confusing to some less technical users, but it is actually quite simple, so let's talk about some traditional methods to prevent spam.
Pattern matching is a combination of checks that compare observed behaviour with that of malicious automated scripts, or even malicious users. I recommend you develop your own pattern matching, as each site may be different and has its own requirements to prevent spam.
It's very effective, but I recommend never blocking normal user behaviour, even if it is just 1% of your users who behave in a specific way.
CAPTCHAs are to be avoided whenever possible. The main reason is that they annoy your users, but other valid reasons include usability issues for impaired users.
If you really want to use CAPTCHAs, then I recommend that you only do so if a user's behaviour matches that of a malicious user. That way you effectively eliminate the annoyance for the majority of your users, who would otherwise be affected.
Also note that CAPTCHAs, both as text and as logic questions, have proven hard to solve for some users, so be sure to check their difficulty. And finally, note that computers will eventually be able to bypass most CAPTCHAs, which may very well be sooner than you expect.
Basically, sit down and think about the problem, for instance: "How did this fake user get in?" or "How did this spammer post his nonsense?" The answer is of course simple: when an automated client comes in, it is often because it was able to open the door.
I would just like to add that often you don't need pattern matching or CAPTCHA images. Often you just need to move the door around a bit and see how the client reacts.
Say you have an HTML form: simply move the fields around a bit in the source, but keep them in their visual position with CSS, so real users won't notice a thing. This type of door is sort of moving around, so it is never where you expect it to be.
Then you may ask: "But won't the spammers just be able to submit the form manually?" They will be able to, but they likely won't unless they target your site specifically, which is rare. But even if they do, it isn't a problem we need to account for, because we have police to handle those and throw them in prison (IP ban them).
It doesn't matter if they come from a hundred or a thousand IPs; they have to run out of proxies sooner or later. In my mind, deleting one fake profile or spam post is not really a problem. Hit the alarm when we are talking hundreds or thousands; then we may consider creating functions such as "Deactivate all posts by IP and ban".
You might also ask: "But won't the script be able to just look at the CSS and say: hey, this is the correct field for email, name, message, etc.?" Well, in theory it could, but in practice it takes time to look at other people's code, and as I mentioned earlier, this would require them to actually target your site specifically to make their program or script able to enter your front door.
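One way to build the moving door described above, as an added example that is not code from the original post: every rendering of the form gets a random source order and per-request random field names, and the mapping back to the real field names travels in an HMAC-signed hidden input, so the server can decode an honest submission while a script that posts the obvious `name`/`email`/`message` keys gives itself away. The flexbox `order` property as the CSS mechanism, the `f_` field names, the `t` token field and the flag strings are my assumptions; the random names generalize the post's idea of shuffling the source order.

```python
import base64, hashlib, hmac, json, random, secrets

# Constructed server secret for this example; a real site keeps it out of source control.
SECRET = secrets.token_bytes(32)
FIELDS = ["name", "email", "message"]  # the order a human sees the fields in


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def render_form(rng):
    """Emit the form with inputs in a random source order under random names.
    The flexbox `order` property (assumed CSS mechanism) restores the human
    order visually. Returns (html, token); the token is the signed mapping
    from canonical name to the random name used in this rendering."""
    mapping = {f: "f_" + secrets.token_hex(4) for f in FIELDS}
    source_order = FIELDS[:]
    rng.shuffle(source_order)
    rows = [f'<div style="order:{FIELDS.index(f)}"><input name="{mapping[f]}"></div>'
            for f in source_order]
    payload = base64.urlsafe_b64encode(json.dumps(mapping).encode())
    token = payload.decode() + "." + _sign(payload)
    html = ('<form method="post" style="display:flex;flex-direction:column">'
            f'<input type="hidden" name="t" value="{token}">' + "".join(rows) + "</form>")
    return html, token


def parse_submission(post):
    """Map a submitted form back to canonical fields.
    Returns (fields, flags); any flag marks the submission as script-like."""
    try:
        payload, sig = post["t"].rsplit(".", 1)
        if not hmac.compare_digest(sig, _sign(payload.encode())):
            return {}, ["bad_token_signature"]
        mapping = json.loads(base64.urlsafe_b64decode(payload))
    except (KeyError, ValueError):
        return {}, ["missing_or_malformed_token"]
    fields = {canon: post.get(rand, "") for canon, rand in mapping.items()}
    flags = []
    # A script that posts the "obvious" names never rendered this form.
    if any(canon in post for canon in FIELDS):
        flags.append("canonical_field_names_posted")
    missing = [c for c, r in mapping.items() if r not in post]
    if missing:
        flags.append("fields_missing:" + ",".join(missing))
    return fields, flags
```

A flagged submission is where the post's "alarm" belongs: count flags per IP and only escalate to a ban once the same source trips it repeatedly.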
Another solution, which has been used with varying success, is to submit your forms with JavaScript. This type of door was, however, designed on the assumption that dogs won't know how to use the handle. I don't know if you have a dog; I have two dogs, and one of them knows how to use the handle, which is actually quite funny. :-)
As for "real" criminals, by which I mean malicious users who for some reason abuse your site manually: just remember, the police don't have automated infrastructure installed around town to automatically arrest criminals and save a few wages (hopefully I'll never meet the real Robocop!).
All security equipment needs to be manned, and that usually goes for our software-based security as well. But despite this, we still have an advantage over our "colleagues" in the police, because it is harder to break a virtual lock than a real lock, and a lot of our work can be entirely automated. For example, we can ban a thousand IPs with the click of a finger; the police can't arrest criminals that easily.
Just remember to give banned IPs a reason; it can be anything from a simple generalized message saying: "This IP is banned, if you think this is an error, please contact blah blah". And remember not to delete the junk which is posted: you need to be able to look into individual cases, and also in case further investigation should take place.
Author: BlueBoden
Copyright © Brugbart Webdesign