[wp-hackers] Close old comments and pingbacks: feature or plugin?

Jeremy Visser jeremy.visser at gmail.com
Sat Jul 15 00:54:39 GMT 2006


On Fri, 2006-07-14 at 09:36 -0400, Brian Layman wrote: 
> > One thing I did that helped reduce a lot of it was to rename
> > wp-comments-post.php to a random name and update the comment form's
> > action to that new name.
> 
> I always wondered if someone did that.  It seems like a great way to reduce
> spam, but of course if WordPress adopted that in the core, spam bots would
> come out that parse the name of the comment form prior to spamming.

This might be OT seeing as though I'm about to talk about my guestbook
software, not WP; though a teensy bit of WP code is used in the
guestbook!

I did a similar thing with my guestbook software
<http://narnia.bounceme.net/jeremy/projects/guestbook/>. I basically
required a unique ID to be generated into a hidden INPUT field on the
comments form and validated upon submission. This technique is very
similar to nonces. Probably even identical.

I looked at the way spam bots were hitting my "guinea pig" guestbook
(like several hundred in a day :D) and I noticed that they never
actually hit the index page and just posted straight to sign.php (or
wp-comments-post.php in WP's case). So I went and put in the "Unique ID"
protection to force the bots to visit the index page first (the unique
ID is only retrievable via index.php), which 99% of them don't (they
must use the Google Cache or something to find out what my form looks
like), thus rejecting the spam comments!

Like you noted Brian, spam bots would come out that parse the unique id
in the form first but at this present time the spammers don't seem to be
concerned about the minority of blogs having some sort of protection.

-- 
Jeremy Visser 
Email: jeremy.visser at gmail.com
Website: http://narnia.bounceme.net/jeremy/
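The hidden-field check described in the message above, written out as an added example (this is not code from the guestbook or from WordPress, and it is in Python rather than the guestbook's PHP). It assumes a server-side secret, a six-hour tick, and the names form_token, make_token, verify_token, render_form, handle_post and extract_token, all chosen here. The token is an HMAC over the form name, the tick and a random nonce, so the server needs no storage to validate it; that is the WordPress nonce idea rather than necessarily how the guestbook stores its IDs.

```python
"""Hidden-field form token (added example, not the guestbook's own code).

Flow: index.php renders the form with a hidden token; sign.php accepts the
POST only if the token verifies. A bot that POSTs straight to sign.php
without first fetching the form has no token and is rejected.
"""
import hashlib
import hmac
import re
import secrets
import time

# Assumed server-side secret (constructed for this example; load from
# config in a real deployment).
SECRET_KEY = b"constructed-example-secret-change-me"
# A token is valid for the current and the previous tick, so roughly
# 6-12 hours; the same windowing idea WordPress nonces use.
TICK_SECONDS = 6 * 3600
FORM_ACTION = "guestbook-sign"  # ties the token to one specific form


def _tick(now):
    return int(now) // TICK_SECONDS


def _mac(action, tick, nonce):
    msg = f"{action}|{tick}|{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_token(action=FORM_ACTION, now=None):
    """Fresh unique token: tick, random nonce, and an HMAC over both."""
    now = time.time() if now is None else now
    tick = _tick(now)
    nonce = secrets.token_hex(8)
    return f"{tick}.{nonce}.{_mac(action, tick, nonce)}"


def verify_token(token, action=FORM_ACTION, now=None):
    """True only if the HMAC matches and the tick is current or previous."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False
    tick_str, nonce, mac = parts
    if not tick_str.isdigit():
        return False
    tick = int(tick_str)
    if tick not in (_tick(now), _tick(now) - 1):
        return False
    return hmac.compare_digest(mac, _mac(action, tick, nonce))


def render_form(now=None):
    """What index.php would send: the form with the hidden token field."""
    token = make_token(now=now)
    return (
        '<form method="post" action="sign.php">\n'
        f'  <input type="hidden" name="form_token" value="{token}">\n'
        '  <textarea name="comment"></textarea>\n'
        '  <input type="submit" value="Sign">\n'
        '</form>'
    )


def handle_post(fields, now=None):
    """What sign.php would do: reject unless a valid token came with the post."""
    token = fields.get("form_token", "")
    if not verify_token(token, now=now):
        return "rejected: missing or invalid form token"
    return f"accepted: {fields.get('comment', '')!r}"


def extract_token(form_html):
    """Pull the hidden field out of the rendered form, as a browser (or a
    bot that bothers to parse the form) would."""
    m = re.search(r'name="form_token" value="([^"]+)"', form_html)
    return m.group(1) if m else ""


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock
    # Bot: posts straight to sign.php, never saw the form.
    print(handle_post({"comment": "buy pills"}, now=t0))
    # Browser: fetches index.php, then submits the token it was given.
    page = render_form(now=t0)
    print(handle_post({"comment": "hi", "form_token": extract_token(page)}, now=t0))
    # Same token replayed a day later: the tick window has passed.
    print(handle_post({"comment": "hi", "form_token": extract_token(page)}, now=t0 + 86400))
```

Run stand-alone it shows the three cases: the direct POST rejected, the fetch-then-submit flow accepted, and the stale token rejected. Binding the token to FORM_ACTION means a token lifted from one form cannot be replayed against another, and the tick bounds how long a harvested token stays useful. A bot that fetches index.php and parses the hidden field first still gets through, which is exactly the limitation noted in the message.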


