SlideShare a Scribd company logo

Defeating Comment Spam

Andrew Hedges
Andrew Hedges

Blog comment spam is a scourge, but using a few, simple techniques, I have been able to eliminate it from my personal blog. I make no guarantees this will work for you, but if you're implementing a blog with comments, it might be worth taking a look.

TechnologyNews & Politics
1 of 19
Download to read offline
Ban Spam? Yes we can! Simple techniques to keep comment spam at bay. Andrew Hedges http://andrew.hedges.name/ December 26, 2008
You lock your bike, right? • Even a Kryptonite™ lock can be defeated • The point is to prevent “crimes of opportunity” • For this, simple techniques Photo credit: thewashcycle.com are as effective as complicated ones
How do spammers work? • Itʼs an arms race; what prevents comment spam now might not work later • Automated form submission ʼbots: dumb, they “succeed” by spamming 1000s of sites • Human spammers: paid per submission, not likely to spend much time on sites with non-obvious barriers
Common Defenses • CAPTCHA • Bayesian filters • Registration/login • Comment moderation • Tricky JavaScript Copyright 2003 by Randy Glasbergen
CAPTCHAs Suck • CAPTCHAs are annoying • Ones good enough to defeat computers defeat humans, too • They require workarounds to be accessible Facebook.com CAPTCHA, circa December 2008
Bayesian Filters Suck • Fuzzy logic needed to determine whether a [T]he probability that an email is spam, given comment is spam, less that it has certain words in it, is equal to the probability of finding those certain words in than 100% accurate spam email, times the probability that any • email is spam, divided by the probability of Akismet is probably the finding those words in any email… best-of-breed, but even it Source: en.wikipedia.org/wiki/Bayesian_spam_filtering returns false positives
Registering Sucks • I have no illusions about my popularity; one-time visitors are not going to register to comment on my blog Source: attentionmax.com
Moderation Sucks • Penalizes real humans who want to see their pithy comment in pixels as soon as it is submitted Source: thinplace.com
Relying on JavaScript Sucks • Some mobile user agents do not support JavaScript • Some Firefox users have the NoScript extension installed, especially my blogʼs target demographic: geeks Source: noscript.net
My Ideal System Balance between • No CAPTCHA preventing spam and allowing unmoderated • No Bayesian anything comments • No registration/login • No moderation • No reliance on JavaScript Source: zenlogistics.net • No false positives, no false negatives
My Production System • Honeypot CAPTCHA As of December, • Hidden timestamp 2008, this system has been 100% • Clearly state that links will be effective. No false tagged with rel=quot;nofollowquot; negatives. No false positives. • Close comments after 15 days See it in action at andrew.hedges.name/blog
Honeypot CAPTCHA • Hidden from human users <style type=quot;text/cssquot;> .captcha {display: none} • Sometimes filled in by </style> <div class=quot;captchaquot;> ʼbots, sometimes filled in What is 5 + 3? by human spammers <input type=quot;textquot; name=quot;captchaquot;> • Reject the comment if any </div> value is submitted for the field
Hidden Timestamp • Automated spam ʼbots either submit comment forms very quickly or cache them and spam repeatedly • Reject comments posted in fewer than 30 seconds or more than 24 hours <input type=quot;hiddenquot; name=quot;whenquot; value=quot;<?=time()?>quot;>
rel=quot;nofollowquot; • Clearly state that links will be tagged with rel=quot;nofollowquot; • Not a deterrent to real people who have something to say If you spam for a living, please be aware that all links in comments will be tagged with rel=quot;nofollowquot;. This means spamming my blog will not help your Google PageRank. Spam kills. Just say no. <a rel=quot;nofollowquot; href=quot;http://example.comquot;>V1@gr@!</a>
Close comments after 15 days • Prevents blog posts from becoming comment spam graveyards and presents fewer targets for spammers Comments close in 15 days. Comments close in 5 days. Dawdle not! Comments closed. Have something to say? Drop me a line!
A little sugar on top… • Donʼt tell the spammers their post has been rejected, just that itʼs been “moderated” • Help real humans avoid being moderated by using JavaScript to enable the submit button only when itʼs legal to post • My system emails me with each successful comment submission so I can catch false negatives quickly
Next steps • Did I mention itʼs an arms race? • Expect your system to be defeated; be ready with next steps • Jibberish form field names? Hash of timestamp + entry ID + salt? Something else?
Summary • Comment spam is a “crime of opportunity,” that is, spammers go for easy targets first • Most strategies and tactics currently used on commercial blog software suck because they either deter humans or sometimes let spam through • Simple techniques such as honeypot CAPTCHAs and hidden timestamps appear to be highly effective in combatting comment spam…for now
Is it progress? • I welcome your feedback on my strategy and tactics at andrew@hedges.name • I wasnʼt the first to think of these ideas. Here are some of my sources of inspiration: • http://nedbatchelder.com/text/stopbots.html • http://haacked.com/archive/2007/09/11/honeypot- captcha.aspx

Recommended

OAuth
OAuthOAuth
OAuth
Blaine
 
SearchLove Boston 2013_Will Critchlow_The Future for Search Marketers
SearchLove Boston 2013_Will Critchlow_The Future for Search MarketersSearchLove Boston 2013_Will Critchlow_The Future for Search Marketers
SearchLove Boston 2013_Will Critchlow_The Future for Search Marketers
Distilled
 
Article18
Article18Article18
Article18
egrowtech
 
Website Threats for Dummies
Website Threats for DummiesWebsite Threats for Dummies
Website Threats for Dummies
Liberteks
 
Real howto vbs
Real howto vbsReal howto vbs
Real howto vbs
Chris x-MS
 
introduction to web blogging
introduction to web bloggingintroduction to web blogging
introduction to web blogging
Jintu Jacob
 
Everything is Awful (And You're Not Helping)
Everything is Awful (And You're Not Helping)Everything is Awful (And You're Not Helping)
Everything is Awful (And You're Not Helping)
Jan Schaumann
 
Brad Frost: Open by default
Brad Frost: Open by defaultBrad Frost: Open by default
Brad Frost: Open by default
webdagene
 

Recommended

OAuth
OAuthOAuth
OAuth
Blaine
 
SearchLove Boston 2013_Will Critchlow_The Future for Search Marketers
SearchLove Boston 2013_Will Critchlow_The Future for Search MarketersSearchLove Boston 2013_Will Critchlow_The Future for Search Marketers
SearchLove Boston 2013_Will Critchlow_The Future for Search Marketers
Distilled
 
Article18
Article18Article18
Article18
egrowtech
 
Website Threats for Dummies
Website Threats for DummiesWebsite Threats for Dummies
Website Threats for Dummies
Liberteks
 
Real howto vbs
Real howto vbsReal howto vbs
Real howto vbs
Chris x-MS
 
introduction to web blogging
introduction to web bloggingintroduction to web blogging
introduction to web blogging
Jintu Jacob
 
Everything is Awful (And You're Not Helping)
Everything is Awful (And You're Not Helping)Everything is Awful (And You're Not Helping)
Everything is Awful (And You're Not Helping)
Jan Schaumann
 
Brad Frost: Open by default
Brad Frost: Open by defaultBrad Frost: Open by default
Brad Frost: Open by default
webdagene
 
Webspam (English Version)
Webspam (English Version)Webspam (English Version)
Webspam (English Version)
Dirk Haun
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Mark Stanton
 
Spam Wars
Spam WarsSpam Wars
Spam Wars
Maurice Green
 
Programming to the Twitter API: ReTweeter
Programming to the Twitter API: ReTweeterProgramming to the Twitter API: ReTweeter
Programming to the Twitter API: ReTweeter
John Eckman
 
A CAPTCHA in the Rye
A CAPTCHA in the RyeA CAPTCHA in the Rye
A CAPTCHA in the Rye
Imperva
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
amiable_indian
 
Seven Reasons for Code Bloat
Seven Reasons for Code BloatSeven Reasons for Code Bloat
Seven Reasons for Code Bloat
Christian Heilmann
 
Captcha
CaptchaCaptcha
Captcha
Ecaterina Moraru (Valica)
 
Web 2.0 Expo
Web 2.0 ExpoWeb 2.0 Expo
Web 2.0 Expo
guestaaed8e
 
Captcha
CaptchaCaptcha
Captcha
Gowthami T
 
Captcha
CaptchaCaptcha
Captcha
Gowthami T
 
OpenID Intro @ Barcamp Brussels 3
OpenID Intro @ Barcamp Brussels 3OpenID Intro @ Barcamp Brussels 3
OpenID Intro @ Barcamp Brussels 3
Frank Louwers
 
Safeguard our website and prevents from bad internet bots and scripts to expl...
Safeguard our website and prevents from bad internet bots and scripts to expl...Safeguard our website and prevents from bad internet bots and scripts to expl...
Safeguard our website and prevents from bad internet bots and scripts to expl...
Sivalingam Thangavel, TOGAF 9, ITIL
 
Rise of the Autobots: Into the Underground of Social Network Bots
Rise of the Autobots: Into the Underground of Social Network BotsRise of the Autobots: Into the Underground of Social Network Bots
Rise of the Autobots: Into the Underground of Social Network Bots
Tom Eston
 
Captchas
CaptchasCaptchas
Captchas
NIKHIL NAIR
 
Things that go bump on the web - Web Application Security
Things that go bump on the web - Web Application SecurityThings that go bump on the web - Web Application Security
Things that go bump on the web - Web Application Security
Christian Heilmann
 
The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycle
Jarrod Overson
 
David Esrati, The Blogzilla Report- Fact, Fiction Fear: The Monster of the In...
David Esrati, The Blogzilla Report- Fact, Fiction Fear: The Monster of the In...David Esrati, The Blogzilla Report- Fact, Fiction Fear: The Monster of the In...
David Esrati, The Blogzilla Report- Fact, Fiction Fear: The Monster of the In...
webcontent2007
 
How to become hacker
How to become hackerHow to become hacker
How to become hacker
Raman Sanoria
 
CAPTCHA(Image Verification Code)
CAPTCHA(Image Verification Code)CAPTCHA(Image Verification Code)
CAPTCHA(Image Verification Code)
Abhimanyu Sood
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
apidays
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
debabhi2
 

More Related Content

Similar to Defeating Comment Spam

Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
amiable_indian
 
Rise of the Autobots: Into the Underground of Social Network Bots
Rise of the Autobots: Into the Underground of Social Network BotsRise of the Autobots: Into the Underground of Social Network Bots
Rise of the Autobots: Into the Underground of Social Network Bots
Tom Eston
 
David Esrati, The Blogzilla Report- Fact, Fiction Fear: The Monster of the In...
David Esrati, The Blogzilla Report- Fact, Fiction Fear: The Monster of the In...David Esrati, The Blogzilla Report- Fact, Fiction Fear: The Monster of the In...
David Esrati, The Blogzilla Report- Fact, Fiction Fear: The Monster of the In...
webcontent2007
 
CAPTCHA(Image Verification Code)
CAPTCHA(Image Verification Code)CAPTCHA(Image Verification Code)
CAPTCHA(Image Verification Code)
Abhimanyu Sood
 

Similar to Defeating Comment Spam (20)

Webspam (English Version)
Webspam (English Version)Webspam (English Version)
Webspam (English Version)
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
 
Spam Wars
Spam WarsSpam Wars
Spam Wars
 
Programming to the Twitter API: ReTweeter
Programming to the Twitter API: ReTweeterProgramming to the Twitter API: ReTweeter
Programming to the Twitter API: ReTweeter
 
A CAPTCHA in the Rye
A CAPTCHA in the RyeA CAPTCHA in the Rye
A CAPTCHA in the Rye
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
 
Seven Reasons for Code Bloat
Seven Reasons for Code BloatSeven Reasons for Code Bloat
Seven Reasons for Code Bloat
 
Captcha
CaptchaCaptcha
Captcha
 
Web 2.0 Expo
Web 2.0 ExpoWeb 2.0 Expo
Web 2.0 Expo
 
Captcha
CaptchaCaptcha
Captcha
 
Captcha
CaptchaCaptcha
Captcha
 
OpenID Intro @ Barcamp Brussels 3
OpenID Intro @ Barcamp Brussels 3OpenID Intro @ Barcamp Brussels 3
OpenID Intro @ Barcamp Brussels 3
 
Safeguard our website and prevents from bad internet bots and scripts to expl...
Safeguard our website and prevents from bad internet bots and scripts to expl...Safeguard our website and prevents from bad internet bots and scripts to expl...
Safeguard our website and prevents from bad internet bots and scripts to expl...
 
Rise of the Autobots: Into the Underground of Social Network Bots
Rise of the Autobots: Into the Underground of Social Network BotsRise of the Autobots: Into the Underground of Social Network Bots
Rise of the Autobots: Into the Underground of Social Network Bots
 
Captchas
CaptchasCaptchas
Captchas
 
Things that go bump on the web - Web Application Security
Things that go bump on the web - Web Application SecurityThings that go bump on the web - Web Application Security
Things that go bump on the web - Web Application Security
 
The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycle
 
David Esrati, The Blogzilla Report- Fact, Fiction Fear: The Monster of the In...
David Esrati, The Blogzilla Report- Fact, Fiction Fear: The Monster of the In...David Esrati, The Blogzilla Report- Fact, Fiction Fear: The Monster of the In...
David Esrati, The Blogzilla Report- Fact, Fiction Fear: The Monster of the In...
 
How to become hacker
How to become hackerHow to become hacker
How to become hacker
 
CAPTCHA(Image Verification Code)
CAPTCHA(Image Verification Code)CAPTCHA(Image Verification Code)
CAPTCHA(Image Verification Code)
 

Recently uploaded

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 

Recently uploaded (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 

Defeating Comment Spam

  • 1. Ban Spam? Yes we can! Simple techniques to keep comment spam at bay. Andrew Hedges http://andrew.hedges.name/ December 26, 2008
  • 2. You lock your bike, right? • Even a Kryptonite™ lock can be defeated • The point is to prevent “crimes of opportunity” • For this, simple techniques Photo credit: thewashcycle.com are as effective as complicated ones
  • 3. How do spammers work? • Itʼs an arms race; what prevents comment spam now might not work later • Automated form submission ʼbots: dumb, they “succeed” by spamming 1000s of sites • Human spammers: paid per submission, not likely to spend much time on sites with non-obvious barriers
  • 4. Common Defenses • CAPTCHA • Bayesian filters • Registration/login • Comment moderation • Tricky JavaScript Copyright 2003 by Randy Glasbergen
  • 5. CAPTCHAs Suck • CAPTCHAs are annoying • Ones good enough to defeat computers defeat humans, too • They require workarounds to be accessible Facebook.com CAPTCHA, circa December 2008
  • 6. Bayesian Filters Suck • Fuzzy logic needed to determine whether a [T]he probability that an email is spam, given comment is spam, less that it has certain words in it, is equal to the probability of finding those certain words in than 100% accurate spam email, times the probability that any • email is spam, divided by the probability of Akismet is probably the finding those words in any email… best-of-breed, but even it Source: en.wikipedia.org/wiki/Bayesian_spam_filtering returns false positives
  • 7. Registering Sucks • I have no illusions about my popularity; one-time visitors are not going to register to comment on my blog Source: attentionmax.com
  • 8. Moderation Sucks • Penalizes real humans who want to see their pithy comment in pixels as soon as it is submitted Source: thinplace.com
  • 9. Relying on JavaScript Sucks • Some mobile user agents do not support JavaScript • Some Firefox users have the NoScript extension installed, especially my blogʼs target demographic: geeks Source: noscript.net
  • 10. My Ideal System Balance between • No CAPTCHA preventing spam and allowing unmoderated • No Bayesian anything comments • No registration/login • No moderation • No reliance on JavaScript Source: zenlogistics.net • No false positives, no false negatives
  • 11. My Production System • Honeypot CAPTCHA As of December, • Hidden timestamp 2008, this system has been 100% • Clearly state that links will be effective. No false tagged with rel=quot;nofollowquot; negatives. No false positives. • Close comments after 15 days See it in action at andrew.hedges.name/blog
  • 12. Honeypot CAPTCHA • Hidden from human users <style type=quot;text/cssquot;> .captcha {display: none} • Sometimes filled in by </style> <div class=quot;captchaquot;> ʼbots, sometimes filled in What is 5 + 3? by human spammers <input type=quot;textquot; name=quot;captchaquot;> • Reject the comment if any </div> value is submitted for the field
  • 13. Hidden Timestamp • Automated spam ʼbots either submit comment forms very quickly or cache them and spam repeatedly • Reject comments posted in fewer than 30 seconds or more than 24 hours <input type=quot;hiddenquot; name=quot;whenquot; value=quot;<?=time()?>quot;>
  • 14. rel=quot;nofollowquot; • Clearly state that links will be tagged with rel=quot;nofollowquot; • Not a deterrent to real people who have something to say If you spam for a living, please be aware that all links in comments will be tagged with rel=quot;nofollowquot;. This means spamming my blog will not help your Google PageRank. Spam kills. Just say no. <a rel=quot;nofollowquot; href=quot;http://example.comquot;>V1@gr@!</a>
  • 15. Close comments after 15 days • Prevents blog posts from becoming comment spam graveyards and presents fewer targets for spammers Comments close in 15 days. Comments close in 5 days. Dawdle not! Comments closed. Have something to say? Drop me a line!
  • 16. A little sugar on top… • Donʼt tell the spammers their post has been rejected, just that itʼs been “moderated” • Help real humans avoid being moderated by using JavaScript to enable the submit button only when itʼs legal to post • My system emails me with each successful comment submission so I can catch false negatives quickly
  • 17. Next steps • Did I mention itʼs an arms race? • Expect your system to be defeated; be ready with next steps • Jibberish form field names? Hash of timestamp + entry ID + salt? Something else?
  • 18. Summary • Comment spam is a “crime of opportunity,” that is, spammers go for easy targets first • Most strategies and tactics currently used on commercial blog software suck because they either deter humans or sometimes let spam through • Simple techniques such as honeypot CAPTCHAs and hidden timestamps appear to be highly effective in combatting comment spam…for now
  • 19. Is it progress? • I welcome your feedback on my strategy and tactics at andrew@hedges.name • I wasnʼt the first to think of these ideas. Here are some of my sources of inspiration: • http://nedbatchelder.com/text/stopbots.html • http://haacked.com/archive/2007/09/11/honeypot- captcha.aspx