Stopping comment spam with keystrokes

In response to the recent post by Simon Goodway, I threw together a simple implementation of the keystroke approach to comment spam blocking:

MT-Keystrokes

It’s quick to install (one small file and one quick change to templates with a comment form). So far I’ve seen a 100% decline in spam, so much so that I’m thinking about turning off Moderate and going old-skoole with my comments.

If the spammers figure out the field I’m using, it’s trivial to change, and could even be automated. There are a number of ways to make it more difficult for spam purveyors, but my thought is that this 5% added difficulty will never be worth their while.
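One way the keystroke approach could be wired up, as an added example that is not MT-Keystrokes' own code: the form script counts keystrokes and button clicks into a hidden field, and the server quietly drops submissions where the field is missing or zero. The field name `ks_events`, the threshold and all function names are assumptions made for illustration.

```javascript
// Added illustration: FIELD and MIN_EVENTS are hypothetical, not MT-Keystrokes' values.
const FIELD = "ks_events";
const MIN_EVENTS = 1;

// Client side: count human interaction with the comment form.
function createTracker() {
  let events = 0;
  return {
    record() { events += 1; },           // one call per keydown or button click
    value() { return String(events); },  // what ends up in the hidden field
  };
}

// Browser wiring: keystrokes and clicks (including Preview/Post) update the field.
function attach(form) {
  const tracker = createTracker();
  const hidden = form.elements[FIELD];
  const update = () => { tracker.record(); hidden.value = tracker.value(); };
  form.addEventListener("keydown", update);
  form.addEventListener("click", update);
  return tracker;
}

// Server side: validate the submitted parameters.
// The count is client-supplied, so this only filters clients that never ran the script.
function checkComment(params, log = []) {
  const raw = params[FIELD];
  const count = /^\d+$/.test(raw || "") ? parseInt(raw, 10) : 0;
  const accept = count >= MIN_EVENTS;
  if (!accept) log.push(`keystroke check failed for ${params.author || "unknown"}`);
  // Same response either way: the failure is recorded in the log only.
  return { accept, response: "Thank you for commenting." };
}

// Constructed scenarios: "key" and "click" reach the tracker; a context-menu
// paste ("paste-menu") fires neither event, so it leaves the count unchanged.
function simulate(actions) {
  const tracker = createTracker();
  for (const a of actions) if (a === "key" || a === "click") tracker.record();
  return checkComment({ author: "test", text: "hi", [FIELD]: tracker.value() });
}
```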

18 thoughts on “Stopping comment spam with keystrokes”

  1. There was a bug in the initial code, wherein I tried to compress the javascript down into a size where it was no longer functional. Things should be working fine now.

    This comment is proof!

  2. Cameron, I would like to use your excellent plugin, but I am not ashamed to say your documentation kind of stops as it gets started.

    These sixapart programs appeal to the somewhat-technical, not the full-on-technical. It would be helpful to know what template files we should be making these changes on.

  3. Not meaning to come off as grumpy, but:

    1) This idea makes posting to MT impossible for anyone who doesn’t have a Javascript-enabled client. That way, you’ll exclude a number of blind users who use braille displays (which typically use line-mode browsers).

    2) The only reason this blocks spam at the moment is that your script isn’t widely used. A dedicated spammer will circumvent your plugin in about two minutes of programming.

  4. Your keypress counting counts a comment as spam if it’s composed in notepad and then copy/pasted over to your forum using context menus. (I just tried that, and the comment didn’t post.)

    It’s probably a pretty tiny percentage of people that would do something like that, but on message boards with long debate posts (that people don’t want to risk losing due to the browser accidentally changing pages or something), I could see it being more frequent.

  5. Foiled! I wrote this huge entry about how your thing would only work for a while, and I posted the secret solution, but when I tried posting it said “Somehow, the entry you’re trying to comment on doesn’t exist.” So I hit back, copied my text, refreshed the page, pasted it, and indeed I could not pass due to the keystroke regulator. Now I feel grumpy and require begging for the secret solution.

  6. At first this seemed like something nice to me but upon further inspection it’s way too easy to crack for spammers. If you’re forcing javascript usage anyway there’s a much more powerful solution called WP-Hashcash by Elliott Back.

    http://elliottback.com/wp/archives/2004/12/29/spam-stopgap-extreme-new-version/

    I ported his code to Pivot-Blacklist (www.pivotblacklist.net) and it really rocks. Bots will have to execute complex javascript in order to get through this. They can’t guess anything like they still can with this solution.

  7. I’ve been offline for the weekend, but it’s nice to see some feedback.

    Jason: as for the documentation, I can add much more detail tomorrow night. I was going for the level of expression that other plugins use, but maybe I usually end up on the side of not being explicit enough.

    As for the paste-in posts, it should work if you push any of the buttons. There might be something funky going on with the onclick not being triggered when it’s submitting the post, but you’ll have to let me know what browser you’re using so I can debug.

    Arve: As for being accessible, there are a range of different technologies used, and many of them support javascript. If you’re using javascript at all, you’re excluding some users by default, but that’s sort of the point.

    Marco: Any client-side code can be reverse engineered, simply by interpreting the javascript. I think the best solution is to produce as many solutions as possible. The more tools we have out there to make spamming difficult, the harder it will be.

    I’ll respond more fully tomorrow, but I thought I’d dump my reaction in the 5 minutes I had.

  8. I looked into doing a plugin for 2.6, and it’s much more difficult than I expected. What’s necessary is rewriting an entire chunk of the MT code (which is admittedly mostly copying) in addition to what I’ve already written.

    I can explain how to do it to an interested party, but at the moment I just don’t have the time. Maybe once I get back from SXSW.

  9. There’s a pretty big problem with this plugin. If you preview before you post and do not change the comment beforehand, the post fails silently. There’s output in the log, but no notification to the commenter.

  10. Neil: Have you verified this? What version of the plugin are you using?

    I thought I fixed that bug in an earlier version. Any clicking on the post form should validate the post. I’ll look into that.

    As for the comment failing silently, I felt that it should be silent, in order that a robot would have nothing to believe that the post didn’t go through, whereas a human would always validate.

  11. Actually, on second thought, if you were referring to the installation on my weblog, I forgot to update my comment preview page. It should be working now.

    Also, you’ll notice that the installation instructions have changed slightly to include the post-button validation, which should make most scenarios work (except the robot one).

  12. I’ve been using 0.1.4 (reads as 0.1.3 on the MT main page, however) for nearly three weeks. To all appearances it is working, but the number of successful intercepts recorded in the Activity Log seems far too low: maybe 1% of the spam comments stopped during the same period by MT-Blacklist.

    I’m running MT 3.14 with MT-Blacklist 2.03b and the NoFollow plugin. Archives/Individual Entries are dynamic, Indexes are static. I’ve checked and rechecked the templates, making sure every comment form was updated according to the installation instructions. Cleared the server cache of the dynamically generated pages, too.

    Any further suggestions? The concept is excellent; something is clearly amiss, though, in my installation.

  13. David- The site actually has read 0.1.4 since about two hours after I put the latest version up. Have you tested it manually by entering comments? I’ve never seen it not record something to the logs.

    I also haven’t tested it with MT-Blacklist. It’s meant as a replacement for something like MT-Blacklist, and frankly I was never able to get MT-Blacklist working on my 3.1 installation, and couldn’t test it.

    The way that MT logs things is strange; if you set an error twice, it’ll only record the last error that you recorded. I’m not sure if the same is true across different plugins.

    Send me an email if you can’t get it to work.

  14. Hmmm. When I wrote that MT shows version 0.1.3, I meant on the MT Main Menu listing of plugins. I just redownloaded MT-Keystrokes and reuploaded the files, and it still shows 0.1.3.

    Unfortunately, I cannot do a proper test in that I don’t have a comment spambot to play with. I do have plenty of them pointed at the site, however, along with several human commenters, so the overall picture is pretty clear. At this point, MT-Blacklist stops anywhere from a few dozen to a few hundred spam comments per day. On the Activity Log, however, MT-Keystrokes’ interventions appear only a handful of times per day, and sometimes not at all.

    I’ll take yet another look in the AM to see if I’ve overlooked anything obvious.

  15. Belated followup:

    It now appears that MT-Keystrokes has been working fine all along, but only kicking in *after* MT-Blacklist has done its stuff.

    Apparently our combination of keywords and regular expressions for MT-Blacklist was extraordinarily successful at killing off almost every comment spam attempt, leaving little for MT-Keystrokes to do.

    Recently, however, we’ve been hit with a significant amount of comment spam that MT-Blacklist has directed towards the moderation queue rather than deleted outright. This spam MT-Keystrokes has then blocked — saving us a great deal of trouble, weeding out the moderation queue.

    Many thanks.
