The eclectic musings of a bitter software engineer.

Comment spam defeated by...a cookie?

Thursday September 22, 2005 @ 11:10 AM (PDT)

When I decided not to implement user accounts in Pants (the weblog software behind this site), I knew I'd have to do something to prevent comment spam. The most popular method for fighting comment spam on sites that don't require user registration seems to be maintaining a huge blacklist of URLs or words frequently used by spammers and checking each comment against the blacklist. Some sites use Captchas, but those are complicated to implement and a real pain in the ass for vision-impaired users. I really didn't want to have to use either of those methods. So I figured I'd wait and see what the spammers did and then figure out something simple to keep them at bay.

Sure enough, within minutes of bringing the Pantsified wonko.com online, I had my first comment spam. It was obviously just an automated spambot filling out forms. By the next morning, I'd had several more spams, and I decided to try the simplest idea I could think of, just to see if it would have any effect.

So I implemented a very basic behind-the-scenes authentication system in about five lines of PHP. When the "Post a comment" form is displayed, Pants generates a key that's unique for each IP and changes every hour. This key is sent to the user's browser as a cookie. When the form is submitted, Pants checks to see whether the cookie is set and the key is valid. If everything checks out, the comment gets posted. Otherwise, no comment for you. It's completely transparent to the user and so simple I didn't think it would actually work.
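The following is an added example, not the code from Pants: it shows one way to build the cookie check described above, deriving the hourly per-IP key with an HMAC under a server secret (the post does not say how Pants derives its key), and it also rejects submissions that fill the "evil robot" honeypot fields on the comment form. The secret `$secret` and the honeypot field names `url2` and `email2` are assumptions.

```php
<?php
// Added example, not Pants' own code. Assumptions: $secret is a server-side
// secret, and the honeypot inputs are named "url2" and "email2" (hypothetical).

const WINDOW_SECONDS = 3600;          // the key changes every hour

function current_bucket(int $now): int {
    return intdiv($now, WINDOW_SECONDS);
}

// Key for one IP and one hour bucket. An HMAC with a server secret means a bot
// cannot compute the value itself; it has to load the form and keep the cookie.
function comment_key(string $secret, string $ip, int $bucket): string {
    return hash_hmac('sha256', $ip . '|' . $bucket, $secret);
}

// Called when the "Post a comment" form is rendered.
function issue_comment_cookie(string $secret, string $ip, int $now): void {
    $key = comment_key($secret, $ip, current_bucket($now));
    // HttpOnly keeps page scripts away from it; it lives for one window.
    setcookie('comment_key', $key, $now + WINDOW_SECONDS, '/', '', false, true);
}

// Called when the form is submitted. The current and the previous hour are both
// accepted so a form loaded just before the hour rolls over is not rejected,
// and the cookie is left in place on success so back-to-back comments work.
function comment_allowed(string $secret, string $ip, int $now, array $cookies, array $post): bool {
    if (!isset($cookies['comment_key']) || !is_string($cookies['comment_key'])) {
        return false;
    }
    // Honeypot: a person never fills these; a form-filling bot usually does.
    foreach (['url2', 'email2'] as $trap) {
        if (!empty($post[$trap])) {
            return false;
        }
    }
    $bucket = current_bucket($now);
    foreach ([$bucket, $bucket - 1] as $b) {
        if (hash_equals(comment_key($secret, $ip, $b), $cookies['comment_key'])) {
            return true;
        }
    }
    return false;
}

// On the form page:    issue_comment_cookie($secret, $_SERVER['REMOTE_ADDR'], time());
// On the POST handler: comment_allowed($secret, $_SERVER['REMOTE_ADDR'], time(), $_COOKIE, $_POST)
```

As the post itself notes, a bot that simply keeps cookies still passes the key check, which is why a cheap second signal such as the honeypot fields is worth having alongside it.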

Obviously, all a spammer would need to do to bypass this system is support cookies. And yet, since implementing it a week ago, I haven't had a single spam comment.

I still find it very hard to believe that defeating comment spam is this simple. I find it even harder to believe that nobody else has ever bothered doing this before. Have I just been lucky, or is every other comment spam prevention system horribly over-engineered?

Comments

Pepsi! The choice of all generations! That's right! You should drink more Pepsi! The refreshing taste that only Pepsi can bring! Pepsi! Pepsi! Pepsi!!

Thursday September 22, 2005 @ 12:58 PM (PDT) Posted by Pepsi

Thursday September 22, 2005 @ 01:00 PM (PDT) Posted by Ryan Grove

Sorry... Could not resist!

Thursday September 22, 2005 @ 01:01 PM (PDT) Posted by Mike

Bug

Oh... looky a bug! If you try to post two comments in a row without going back to the main page first it tells you that you are a spammer.

Thursday September 22, 2005 @ 01:03 PM (PDT) Posted by Mike

Shut up you stupid Spammer!

Thursday September 22, 2005 @ 03:18 PM (PDT) Posted by Nightshade

YUM

Thursday September 22, 2005 @ 04:07 PM (PDT) Posted by Spam

For years I would just delete the stuff - spam in my website's guestbook. These days though I go for a three pronged attack. I use a cookie, as you do, but I also have a silly captchas-like thing I thought up. Since most everyone can count or recognize a six-sided dice pip pattern, that's what I use as my "turing test." I also keep a blacklist of IP addresses and key words for the occasional spammer that goes through the effort of manually spamming me. You can see it in action by clicking on "Guestbook" near the top of the website. Anyway - Cheers and nice work on the new look. I half expected there to be pie somewhere though. Where's the pie?

Thursday September 22, 2005 @ 05:25 PM (PDT) Posted by I Like Pie

CHEAP V1AGRA CLICK HERE

MAKE HER HAPPY INCREASE YOUR FRIEND

MAKE MONEY FAST NOW!!!

Thursday September 22, 2005 @ 09:10 PM (PDT) Posted by digdug ;-)

"Since most everyone can count or recognize a six-sided dice pip pattern, that's what I use as my 'turing test.'"

Blind people use screen readers, and screen readers can't read your dice. Maybe you could put some alt tags in.
Thursday September 22, 2005 @ 09:42 PM (PDT) Posted by Tabor

Great - then my auto spammer can just check the alt-tags. I don't think that's a good idea. But you could post a .wav file that would play the "number".

Mike
Friday September 23, 2005 @ 08:02 AM (PDT) Posted by Mike

spam tastes minghing
wrong thing shit lol

Friday September 23, 2005 @ 08:16 AM (PDT) Posted by ben

Join me on the Seven Seas and a swath of destruction we'll wreak! YARrrr, and buy a Chrysler! One with the cupholders ye can carry our GROG Pepsi! It be the drink of a new genarrrrrrrrrrrrrration of pirates!

Friday September 23, 2005 @ 10:37 AM (PDT) Posted by Brunslo

Hooray for cookies!

Friday September 23, 2005 @ 10:45 AM (PDT) Posted by Drebin

www.sex.com has all the hot horny women who are looking for you!!! Come visit us on the web today and get laid today!

Friday September 23, 2005 @ 11:05 AM (PDT) Posted by HotBabes

www.sex.com has all the hot horny women who are looking for you!!! Come visit us on the web today and get laid today!

Friday September 23, 2005 @ 11:05 AM (PDT) Posted by HotBabes

Mike from 8:02, you realize that I log the IP addresses of commenters, right? And that your IP is owned by Pier 1 Imports? Which tells me that you're posting faux porn spam from work? Which maybe isn't the best idea if your employer keeps logs of Internet traffic?

Just checking. :P

Friday September 23, 2005 @ 11:10 AM (PDT) Posted by Ryan Grove

and it's a hell of a lot of fun! :)

Friday September 23, 2005 @ 08:03 PM (PDT) Posted by Mike from 8:02

Playing a .wav file of the numbers, that's an interesting idea. If computer speakers were ubiquitous to all computer owners then sound files might function even as a replacement for captchas altogether. Though in the ten years prior to me using my little dice scheme to weed out spam I don't think I had any blind people sign my guestbook so this may be a case of me balancing how I spend my time against return rewards (rewards being the small self-gratifying sense of accomplishment I get when someone bothers to sign the guestbook).

This post was sponsored by Pepsi. "Ride the .Wav of the New Pepsi Generation"
Wednesday September 28, 2005 @ 12:15 PM (PDT) Posted by I Like Pie

Post a comment

Basic XHTML (including links) is allowed, just don't try anything fishy. Your comment will be auto-formatted unless you use your own <p> tags for formatting. You're also welcome to use Textile.

Don't type anything here unless you're an evil robot:


And especially don't type anything here:

Copyright © 2002-2008 Ryan Grove. All rights reserved.
Powered by Thoth.