Question about spam bots?

[justAnoob]

I've noticed on a lot of websites where users can posts comments, or even in the forum sections of some sites, that there is a ton of spam. so much that is is almost impossible to post a comment that will be seen. What is the best way to keep spam bots away from posting all that &^$@%$^! (spam i mean)?  From what I understand for a spam bot to work, the bot must first have registered on your site, as long as it is setup where only registered users can post a comment. So would just having a simple php captcha on the registration do the trick. Or are ther better alternatives to acheiving a spam free comments section and/or forum section?

[Mchl]

Good captcha is usually the best way.

[gizmola]

In my experience a good captch eliminates all automated spam.  If you are seen as a high profile target, then there are ways that some spammers will use to fake out real people into solving the captcha images, but that is no reason not to start with a captcha.  Many many sites these days use recaptcha which is a service that not only hosts the captcha's for you, but also helps with efforts to OCR books, magazines and newspapers.  If you want to host your own recaptcha there's a few decent libraries out there that use php and gd to generate the images.  You have to do some research because there are plenty of weak captcha's out there that were defeated -- most notably one for phBB some years back, not to pick on them exclusively as there are plenty of other weak captchas that were defeated.

[justAnoob]

So what would be the best captcha to use?

[gizmola]

I already recommended implementing recaptcha, which is easy to do, as there are already php libraries that make it simple to integrate.

[justAnoob]

oh sorry gizmola, i will take a look at it. thanks.

[Daniel0]

From my experience, a lot of form spam is done by humans and humans tend to pass CAPTCHAs. The only way of catching that is by manually verifying everything/everyone or applying a spam filter that uses various heuristics for determining whether or not it's spam. Machine learning is of course way more difficult than simply writing a CAPTCHA script. There are various services (e.g. akismet) you can use for this.

[gizmola]

Human generated comment spam is insignificant when compared to the spam generated by bots.  I did mention that humans can be tricked into defeating captcha's, or even paid to spam, however, for most communities, captchas work fine, although akismet is a great additional form of protection. 

 

So in summary, while I don't disagree with Daniel's point, that human spam can be a huge problem that captcha's don't solve, that's not a reason not to do a captcha as your first line of defense, and in my experience, for many sites, it eliminates the majority and often the entirety of comment spam.  Sites like Yahoo get a lot of human spam, but you have to be a pretty high profile target to attract that type of attention.