> Those of you who are silly enough to check this space every day should have noticed that this site has been plagued by comment spam recently. In the last couple of days I have deleted more than 100 spammy comments. Tonight I've decided that I've spent enough time deleting them (2 for loops in bash, really), so I sat down and implemented some anti-spam logic that I've thought about in the past few days.
>
> Looking at the server log I noticed that each spam comment involved a single POST to the comment CGI script only. The spam bots don't GET the comment page, and each IP posts only one comment. The content varies, but it's usually about Viagra. I can probably just filter out comments using keywords, but some comments contained only links and nothing else. I also don't want to do CAPTCHA or other things that depend on the spammer not being smart enough.
>
> Now each time you request the comment page, you are given a base64-encoded secret. The secret is your IP and the current timestamp encrypted using Blowfish. When the comment is posted, I decrypt the secret and check that the poster's IP is indeed the same IP I handed the secret to. I also check that it's been at least 5 seconds since I handed out the secret, to avoid bots GET'ing the page and then POST'ing immediately. Finally, the secret is only valid for 1-2 hours. This is implemented by prepending the current hour to a secret to construct the key, and falling back to the previous hour to handle the borderline case. This is probably more difficult than it's worth since I can simply check the timestamp that's in the secret, but I figure that rotating to a different key every hour is probably not a bad idea.
>
> Implementing it took more time than it should have because the Crypt::CBC module on dreamhost is older than what I have on my local machine. I ended up copying the local copy to the server and using that instead.
>
> This is all I am going to do for now. I realize that it's not perfect (for example, a bot can get the secret and keep posting from the same IP for 2 hours), but hopefully it is enough to deter most spammers.
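The token scheme described in the post, as an added example that is not the author's Perl code: an IP-plus-timestamp token issued on GET, an hourly-rotated key derived by prepending the hour index to a server secret, a fallback to the previous hour's key, and a minimum 5-second age on POST. It is written in Python with an HMAC tag in place of Blowfish encryption (the standard library has no Blowfish, and an authentication tag is what the IP and timestamp checks actually rely on to be unforgeable); `SERVER_SECRET`, the function names and the fixed clock values are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed server-side secret (hypothetical value; a real deployment would
# generate a long random one and keep it out of the repository).
SERVER_SECRET = b"replace-me-with-a-long-random-secret"
MIN_AGE_SECONDS = 5   # a POST sooner than this after the GET is treated as a bot
HOUR = 3600
TAG_LEN = hashlib.sha256().digest_size


def hourly_key(hour_index):
    """Per-hour key: the hour index prepended to the secret, then hashed to a fixed length."""
    return hashlib.sha256(str(hour_index).encode() + b"|" + SERVER_SECRET).digest()


def issue_token(client_ip, now=None):
    """Called when the comment form is served: bind the requester's IP and the time."""
    now = time.time() if now is None else now
    payload = json.dumps({"ip": client_ip, "ts": int(now)},
                         separators=(",", ":")).encode()
    tag = hmac.new(hourly_key(int(now) // HOUR), payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_token(token, client_ip, now=None):
    """Called on POST. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:                    # binascii.Error is a ValueError subclass
        return False, "bad base64"
    if len(raw) <= TAG_LEN:
        return False, "too short"
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]

    # Current hour's key first, then the previous hour's, so a token handed out
    # just before the hour rolled over is still accepted (1-2 hours of validity).
    current_hour = int(now) // HOUR
    for hour in (current_hour, current_hour - 1):
        expected = hmac.new(hourly_key(hour), payload, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            break
    else:
        return False, "unknown or expired key"

    try:
        data = json.loads(payload)
    except ValueError:
        return False, "bad payload"
    if not isinstance(data, dict) or "ip" not in data or "ts" not in data:
        return False, "bad payload"

    # The payload is authenticated, so the IP and timestamp in it can be trusted.
    if data["ip"] != client_ip:
        return False, "ip mismatch"
    if now - data["ts"] < MIN_AGE_SECONDS:
        return False, "posted too fast"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock rather than the real time.
    t0 = 1_700_000_000.0
    tok = issue_token("203.0.113.7", t0)
    print(verify_token(tok, "203.0.113.7", t0 + 2))       # (False, 'posted too fast')
    print(verify_token(tok, "203.0.113.7", t0 + 30))      # (True, 'ok')
    print(verify_token(tok, "198.51.100.9", t0 + 30))     # (False, 'ip mismatch')
    print(verify_token(tok, "203.0.113.7", t0 + 7200))    # (False, 'unknown or expired key')
```

Because the key only rotates on the hour, a token minted at the very start of an hour lives almost two hours and one minted at the end lives just over one, which is the 1-2 hour window the post describes; if a tighter bound is wanted, compare `now - data["ts"]` against a maximum as well, since the timestamp is already in the token. The limitation the post names still applies: a bot that does the GET, waits 5 seconds and POSTs from the same IP passes every check.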