[wp-hackers] Simple comment spam experiment

[Otto]

On Wed, Apr 16, 2008 at 9:44 AM, Shelly at WordPress
<wordpress at anekostudios.com> wrote:
>  I was wondering how effective it is if people have javascript turned off
> when they visit?
>  I dunno.

That's one of the reasons I don't care for WP-SpamFree, it relies on
Javascript. I like my sites to be handicap-accessible where possible,
and so I try to stick to standards. Rejecting comments because of no
javascript is just poor form, IMO.

>  Basically, the thing is, when spammers "automate" - they basically fill in
> every input field available.  They don't check to see what the fields are,
> they just stick stuff in.  They do this for hidden fields, as well.  So I've
> taken that to my advantage, and put in a hidden field labeled "Surprise".
> The script then checks to see if any input is placed in that hidden field.
> If not, then it's allowed to go through.  If content *is* placed in that
> field, then it stops it dead in its tracks. (For the record, I even have an
> "accessible" notice - so if people are using screen readers, they get a
> message telling them NOT to put in anything in the field.)

The problem with that in terms of comments is that my own experience
tells me that comment spammers, for the most part, are not filling in
form fields on an automated basis, they are simply sending automated
POST requests directly to sites. Looking through logfiles, I see lots
of hits to wp-comments-post from IPs that never loaded a page just
before they started spamming me with comments.

I imagine your approach would work quite well for custom submission
forms, since anything custom can only be done automated through the
approach you're describing.

You might also consider making a field that is not "hidden" except via
CSS. This would prevent the form from showing up to anybody but a
spammer might be more prone to fill it in.

-Otto