When I decided not to implement user accounts in [The weblog software behind this site.|Pants], I knew I'd have to do something to prevent comment spam. The most popular method for fighting comment spam on sites that don't require user registration seems to be maintaining a huge blacklist of URLs or words frequently used by spammers and checking each comment against the blacklist. Some sites use Captchas, but those are complicated to implement and a real pain in the ass for vision-impaired users. I really didn't want to have to use either of those methods. So I figured I'd wait and see what the spammers did and then figure out something simple to keep them at bay.

Sure enough, within minutes of bringing the Pantsified wonko.com online, I had my first comment spam. It was obviously just an automated spambot filling out forms. By the next morning, I'd had several more spams, and I decided to try the simplest idea I could think of, just to see if it would have any effect.

So I implemented a very basic behind-the-scenes authentication system in about five lines of PHP. When the "Post a comment" form is displayed, Pants generates a key that's unique for each IP and changes every hour. This key is sent to the user's browser as a cookie. When the form is submitted, Pants checks to see whether the cookie is set and the key is valid. If everything checks out, the comment gets posted. Otherwise, no comment for you. It's completely transparent to the user and so simple I didn't think it would actually work.

Obviously, all a spammer would need to do to bypass this system is support cookies. And yet, since implementing it a week ago, I haven't had a single spam comment.

I still find it very hard to believe that defeating comment spam is this simple. I find it even harder to believe that nobody else has ever bothered doing this before. Have I just been lucky, or is every other comment spam prevention system horribly over-engineered?