April 28, 2004

Lacking in Execution

As Sha Sha says, we had this conversation quite a while ago, which at the time was eerie to me because I'd just thought of my brilliant new solution the day before and she randomly posted on the subject right after that.

That said, I'm all idea and no execution ... I couldn't be bothered to actually go and implement it. The same thing happened originally with MT-Blacklist - I knew I wanted it, but until things got annoying enough, it wasn't worth the initial effort to implement the system.

The fact that Sha Sha went out and implemented it first was the kick in the ass that I needed. Of course, I also wimped out and did it the static way. The original idea, which I still intend to get to someday (though it is probably overkill, since I doubt spammers are going to even bother to defeat this), is that the script that creates the comment posting pages should dynamically create a code, and that code should be stored somewhere where it is good for 20 minutes or so. This prevents a spammer from hard-coding your particular magic number. That said, they could just hit your commenting page, parse it to find the code, then use that, which isn't much harder. Hmm ... maybe this lame version is all that will ever exist.

Anyway, if you want to do it the quick and dirty way as I have, it's a quick and simple addition to the comment posting function in the comment posting module (replace the code where I've indicated in the second line):

my $spam_code = $q->param('spam_code');
if (!defined $spam_code || $spam_code ne "insert your code here")
{
    # Hidden form field missing or wrong: log the attempt and reject the comment
    $app->log("Comment blocked from $user_ip due to spam code failure");
    return $app->handle_error($app->translate("To help prevent spam, comments on this weblog must be posted from the comment submission web page. If you have reached this error due to using some other client software, please try reposting using the built-in page. If, on the other hand, you're trying to post meaningless spam, kindly tear off your own arms and choke yourself with them."));
}

If you have MT-Blacklist installed, find the comment_post_hdlr function in mt/extlib/jayallen/MTBlPost.pm. If you don't, it's the post function in mt/lib/MT/App/Comments.pm. In either case, insert the code anywhere after $user_ip is set.

Then, in each of your templates that have a comment posting form (the 3 comment templates plus the individual archive comment), add a hidden field to the form called spam_code with a value equal to the code you used in the snippet above.

Feel free to come up with your own snarky error message that none of the spammers will ever get to see (unfortunately).

And yes, I'm sure there are a bajillion ways to do this better (as a custom library or something like that), but this was quick and dirty and didn't require research, so as long as it doesn't break, I don't think the spammers deserve any more time than that.
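The time-limited code described earlier as the original idea, sketched as an added example (not code from this post, from MT-Blacklist or from Movable Type). It swaps the "stored somewhere" step for an HMAC over the issue time, so nothing has to be stored; the names $SECRET, $MAX_AGE, make_spam_code and check_spam_code, and binding the code to an entry id, are assumptions. As the post notes, this only stops a hard-coded value, not a client that fetches the form first.

```perl
#!/usr/bin/perl
# Added example: time-limited spam_code for the hidden form field.
# Assumed names (not from the post): $SECRET, $MAX_AGE, make_spam_code(),
# check_spam_code(). An HMAC replaces server-side storage of issued codes.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET  = 'replace-with-a-long-random-server-side-secret';   # placeholder
my $MAX_AGE = 20 * 60;   # seconds; the "20 minutes or so" from the post

# Called by the script that renders the comment form: value for spam_code.
sub make_spam_code {
    my ($entry_id, $now) = @_;
    $now = time unless defined $now;
    return $now . '-' . hmac_sha256_hex("$entry_id:$now", $SECRET);
}

# Called in the comment posting handler; returns 1 if the code is acceptable.
sub check_spam_code {
    my ($code, $entry_id, $now) = @_;
    $now = time unless defined $now;
    return 0 unless defined $code && $code =~ /\A(\d{1,12})-([0-9a-f]{64})\z/;
    my ($issued, $mac) = ($1, $2);
    # Reject codes that are future-dated or older than the allowed window.
    return 0 if $issued > $now || $now - $issued > $MAX_AGE;
    my $expect = hmac_sha256_hex("$entry_id:$issued", $SECRET);
    # Compare every character so timing does not reveal the first mismatch.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expect, $_, 1)) for 0 .. 63;
    return $diff == 0 ? 1 : 0;
}

# Constructed demonstration values (entry ids and timestamp are made up).
my $t0   = 1083163020;
my $code = make_spam_code(42, $t0);
printf "fresh, same entry   : %d\n", check_spam_code($code, 42, $t0 + 60);
printf "after 21 minutes    : %d\n", check_spam_code($code, 42, $t0 + 21 * 60);
printf "replayed on entry 7 : %d\n", check_spam_code($code, 7,  $t0 + 60);
printf "old static value    : %d\n", check_spam_code('insert your code here', 42, $t0);
```

In the handler, the static comparison would become a call to check_spam_code with the submitted spam_code and the entry id of the comment being posted.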

--Nick

Addendum: Mwahahaha!

I added my catch after MT-Blacklist's blacklist check so that it would only catch things that aren't on my blacklist ... just wanted to be able to see how many things I'm catching that would have gotten through my blacklist (seems to happen more and more these days). Awesome to see this:

2004.04.28 15:05:55 24.204.121.53 Comment blocked from 24.204.121.53 due to spam code failure
2004.04.28 15:27:59 24.30.70.162 Comment blocked from 24.30.70.162 due to spam code failure
2004.04.28 15:31:13 68.82.161.52 Comment blocked from 68.82.161.52 due to spam code failure
2004.04.28 16:43:11 207.104.1.211 Comment blocked from 207.104.1.211 due to spam code failure
2004.04.28 17:16:12 172.164.223.214 Comment blocked from 172.164.223.214 due to spam code failure
2004.04.28 19:09:25 172.199.58.125 Comment blocked from 172.199.58.125 due to spam code failure

Edit: Apparently there's a comment entry field on the individual archive page, too ... updated the listing above to reflect this. Thanks to Sha Sha, who ran into this.

Posted by Nick at April 28, 2004 02:37 AM | TrackBack
Comments

Nick: Hmm ... I'm sleepy.
Kara: 2:45, go figure
Nick: Heh ...
Nick: Did you read what I was doing yet?
Kara: yeah. "blah blah blah I'm a nerd blah blah"
Kara: ;-)
Nick: Heh ...
Nick: Is that what it sounded like?
Kara: yes
Kara: without question
Nick: Heh, I guess I can't deny it.
Nick: Hey, I have 666 comments right now!
Kara: I bet the last one was from Satan
Nick: Without question, huh? Are you sufficiently nerded out? :P
Kara: yes. the essence of nerd oozing from your web log is about to knock me out of my chair with its potent bitch slap

Posted by: Kara at April 28, 2004 11:30 AM

I'm about to post a gloating addendum as to the spam postings that this has already blocked, but I realized just before posting that I better make sure I wasn't accidentally blocking legitimate comments. So, consider this my test comment ...

--Nick

Posted by: Nick at April 28, 2004 11:31 AM