svgmx5 Posted November 26, 2009

Hey everyone, I have a custom blog on my site that I developed and I'm trying to figure out how to prevent random spammers from inserting spam comments into it. Right now I don't require anyone to be a member to comment on it, but I'm thinking about it. I was just wondering if anyone knew any way so I could prevent this, aside from having a captcha added to it. Thanks!

Mchl Posted November 26, 2009

Moderate comments before publishing.

svgmx5 (Author) Posted November 26, 2009

Thanks, that was something I wanted to do, the only thing is that I'm not sure how to go about it?

.josh Posted November 26, 2009

hmm....you made a custom blog all by yourself and you don't know how to add moderation to it? Or by "custom" do you mean like changing the styling of a 3rd party blog...

Add a column in your db, simple boolean column. All posts start out with a 0. When displaying the comments, only select where column != 0. Then periodically check your db for 0's and review the posts, change it to 1 or something if it's not spam. Or write a script to display all posts where column = 0 and a checkbox next to ones to check for approve. update table to change the ones you selected to 1.

You could also add captcha and/or honey pots to your comment form to help kill off the spambots.

svgmx5 (Author) Posted November 26, 2009

No, I didn't customize or tweak a 3rd party blog, I made it custom, I just wasn't sure how to exactly do the moderation. What you said was what I kinda had in mind, but wasn't completely sure if that was the best way to do it. Thanks though

The Little Guy Posted November 26, 2009

What I do to stop it is:

1. Add a captcha to the page
2. Then parse $_SERVER['HTTP_ACCEPT'] and deny anyone with the wrong information.

This has worked for me, I used to get about 150 spam comments a day, and now I don't get any spam, only comments from real people!

Another thing to do is to make a time stamp. For example:

the form

```php
<?php
session_start();
// Remember when the form was served so the processing page can compare
$_SESSION['stamp'] = time();
?>
<form action="somepage.php" method="post">
    <input type="hidden" name="stamp" value="<?php echo $_SESSION['stamp']; ?>" />
    <textarea name="comment"></textarea>
    <input type="submit" value="Save!" />
</form>
```

the processing page

```php
<?php
session_start();
// Both values must be present; otherwise a POST with no stamp and no session would match
if (isset($_SESSION['stamp'], $_POST['stamp'])
    && (string) $_SESSION['stamp'] === $_POST['stamp']) {
    // They probably came from the form
} else {
    // They probably didn't come from the form
}
?>
```

That has also helped stop spam!

keldorn Posted November 27, 2009

I think some bots send POST to your website, without even actually visiting your site. Put a nonce in your comment form too, save the nonce in a hidden field, and also the browser session. That forces the bot to at least visit your page. It's also good practice for pretty much everything to prevent Cross Site Request Forgery.

When you get a post do,

```php
// Reject when either value is missing as well as when they differ
if (!isset($_POST['nonce'], $_SESSION['nonce'])
    || !is_string($_POST['nonce'])
    || !hash_equals($_SESSION['nonce'], $_POST['nonce'])) {
    $error['nonce'] = "Oops your nonce did not match";
}
```
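
The timestamp check from The Little Guy's post and the nonce check from keldorn's post can be combined into one single-use token. The following is an added example, not code from either poster; the function names, the session key `comment_nonce` and the 3-second and 1-hour limits are assumptions.

```php
<?php
// Added example: single-use form nonce plus a fill-time window.
// Names and the 3-second / 1-hour limits are assumptions, not from the thread.
session_start();
const MIN_FILL_SECONDS = 3;     // a form submitted faster than this is unlikely to be typed
const MAX_AGE_SECONDS  = 3600;  // a stale form has to be reloaded

function issue_comment_nonce(): string
{
    $nonce = bin2hex(random_bytes(16));   // unpredictable, unlike a bare time() value
    $_SESSION['comment_nonce'] = ['value' => $nonce, 'issued' => time()];
    return $nonce;
}

function check_comment_nonce(array $post): ?string
{
    $stored = $_SESSION['comment_nonce'] ?? null;
    unset($_SESSION['comment_nonce']);    // single use: a replayed POST fails
    if (!is_array($stored) || !isset($post['nonce']) || !is_string($post['nonce'])) {
        return 'missing';                 // POST sent without loading the form first
    }
    if (!hash_equals($stored['value'], $post['nonce'])) {
        return 'mismatch';
    }
    $age = time() - $stored['issued'];
    if ($age < MIN_FILL_SECONDS || $age > MAX_AGE_SECONDS) {
        return 'bad timing';
    }
    return null;                          // null means every check passed
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $error = check_comment_nonce($_POST);
    if ($error !== null) {
        http_response_code(400);
        exit('Comment rejected: ' . $error);
    }
    // The comment would be saved here, unapproved, for moderation.
    exit('Comment received.');
}
$nonce = issue_comment_nonce();
?>
<form action="" method="post">
    <input type="hidden" name="nonce" value="<?php echo htmlspecialchars($nonce, ENT_QUOTES); ?>" />
    <textarea name="comment"></textarea>
    <input type="submit" value="Save!" />
</form>
```

Because the token is unset on every check, a rejected visitor has to reload the form to get a fresh one.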

cags Posted November 27, 2009

Obviously (well hopefully) nonce has a different meaning in your corner of the world

keldorn Posted November 27, 2009

> Obviously (well hopefully) nonce has a different meaning in your corner of the world

Well it stands for number used once http://en.wikipedia.org/wiki/Cryptographic_nonce

Most web application software uses these extensively in one form or another to prevent CSRF. A very simple CSRF example would be if I put on this forum in an img tag, the logout url.. You view the page, the img tag loads the logout url.. Now you're logged out. Request forgery in its most simple form. But you'll see the logout link on the forum has a nonce, but at one time, on forums, they didn't and people abused this as a joke. Or put links like Click here i will hack you!.

keldorn Posted November 27, 2009

Now make sure to include cryptographic perverts in your forms.

cags Posted November 27, 2009

[ot]Oh I'm well aware what you meant, just never heard it called a nonce before. I've always just called it a form hash value or similar. I remember back when I used to play Counter-Strike, people used to say "Press F12 for free money". Ten seconds later the server's half empty because a bunch of new players didn't realise F12 was the shortcut for quit and actually believed they'd get free money. *sigh*[/ot]

svgmx5 (Author) Posted November 27, 2009

Hey you guys, thanks for the advice. I think adding the timestamp and the http_accept might work. Thanks!

waynew Posted November 27, 2009

Just have a column in your comment table called is_approved. Set the default to 0, and only select comments where is_approved = 1. Then give admin access the ability to set comments as approved. You could use a captcha too.
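
The moderation column described by .josh and again by waynew, as an added example that is not from either poster: comments are stored unapproved, the public page selects only approved rows, and the ids from the admin's checkboxes are bound as parameters. The table layout, function names and sample rows are assumptions; it uses an in-memory SQLite database through PDO so it runs on its own.

```php
<?php
// Added example: moderation queue. Table and function names are assumptions.
// In-memory SQLite keeps it self-contained; needs the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (
    id INTEGER PRIMARY KEY,
    author TEXT NOT NULL,
    body TEXT NOT NULL,
    is_approved INTEGER NOT NULL DEFAULT 0
)');

function add_comment(PDO $db, string $author, string $body): void
{
    // is_approved is never taken from the request; the column default (0) applies.
    $db->prepare('INSERT INTO comments (author, body) VALUES (?, ?)')
       ->execute([$author, $body]);
}

function comments_where(PDO $db, int $approved): array
{
    // 1 for the public page, 0 for the admin review page.
    $stmt = $db->prepare('SELECT id, author, body FROM comments WHERE is_approved = ? ORDER BY id');
    $stmt->execute([$approved]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function approve_comments(PDO $db, array $ids): int
{
    // $ids arrives from the admin form's checkboxes: keep positive integers only, then bind them.
    $ids = array_values(array_filter(array_map('intval', $ids), fn($id) => $id > 0));
    if ($ids === []) {
        return 0;
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("UPDATE comments SET is_approved = 1 WHERE id IN ($marks)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// Constructed sample data.
add_comment($db, 'alice', 'Nice write-up, thanks.');
add_comment($db, 'bot', 'Cheap pills at example.invalid');
add_comment($db, 'bob', 'Does this work on shared hosting?');
echo count(comments_where($db, 0)), " pending, ", count(comments_where($db, 1)), " visible\n";
approve_comments($db, ['1', '3', 'x']);   // values as an admin form would post them
foreach (comments_where($db, 1) as $c) {
    echo htmlspecialchars($c['author'] . ': ' . $c['body'], ENT_QUOTES), "\n";
}
```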

Mchl Posted November 28, 2009

Compare and contrast:

> Add a column in your db, simple boolean column. All posts start out with a 0. When displaying the comments, only select where column != 0. Then periodically check your db for 0's and review the posts, change it to 1 or something if it's not spam. Or write a script to display all posts where column = 0 and a checkbox next to ones to check for approve. update table to change the ones you selected to 1.
>
> You could also add captcha and/or honey pots to your comment form to help kill off the spambots.

> Just have a column in your comment table called is_approved. Set the default to 0, and only select comments where is_approved = 1. Then give admin access the ability to set comments as approved. You could use a captcha too.

.josh Posted November 28, 2009

you know what they say...imitation is the highest form of flattery

Daniel0 Posted November 28, 2009

Just thought of something. You could have a field in the database that says whether or not the post has been manually verified by an admin. Then you can just check the unverified posts regularly.

Mchl Posted November 28, 2009

You forgot suggesting captchas.

waynew Posted November 28, 2009

> Just thought of something. You could have a field in the database that says whether or not the post has been manually verified by an admin. Then you can just check the unverified posts regularly.

Oh you! Seriously, I was too drunk to read the replies so I just posted it thinking "why not, surely the admins and mods won't get too annoyed if I post a solution that has already been brought up by somebody else".

.josh Posted November 28, 2009

As long as you were only doing it to shamelessly raise your post count

waynew Posted November 28, 2009

Never.

waynew Posted November 28, 2009

I was just thinking. If you could somehow create an image (images can't be read easily by bots) that shows random characters. Then save those same characters in a session variable and ask the end user to input what he or she seen in the image?

Mchl Posted November 28, 2009

> I was just thinking. If you could somehow create an image (images can't be read easily by bots) that shows random characters. Then save those same characters in a session variable and ask the end user to input what he or she seen in the image?

That's a clever idea! We could call it Completely Automated Public Turing test to tell Computers and Humans Apart!

.josh Posted November 28, 2009

WUT SORCERY IS TAHT??? BLASPHEMEEZ, YOU DEFIES THE INTERNETZ!!!?!?!?ONE!!?!?!

448191 Posted November 28, 2009

Damn. That is so fucked up I can't wrap my head around it. Do I need shrooms?