After having to delete a few hundred spam comments from my weblog this week, I finally admitted that my blacklist wasn’t stopping any spam. Apparently domains have gotten too cheap for blacklists to be a viable deterrent anymore.
So, today I upgraded the blog to WordPress 220.127.116.11, and taking a cue from Jeremy Zawodny I’ve included an extra field people need to fill out to post comments:
The idea here is that most comment spam is automated by programs (call them bots or spiders) which look for installations of common blogging software. These spiders look for a “signature” they recognize, like the fields in a comment posting form, that let it identify which blogging software is being used on the site. From there, they can guess where they need to send automated requests to post comments, and what the values of the various form fields need to be. By simply adding another field that needs to be filled out with a specific value, most comment spam can be stopped. Or, that’s the idea.
If everyone were to start doing this, writing spam bots would suddenly become much harder, as they’d essentially need to start passing arbitrary Turing tests. That, or spammers would need to use human labor to customize their bots for each site they wanted to spam. The hope is that that would get very expensive very quickly.
In a sense, this is one step backwards from Captchas, which are programs designed to automatically generate these simple tests. However, the point of vulnerability for captchas is that they too are programs, with their own signatures that bots can pick up on. If enough people use the same captcha in the same way, then at some point it makes sense economically for a spammer to specifically target that captcha, either by writing a program to solve the captcha, or through clever social engineering efforts.
So, if a spammer starts customizing their bots for my site, the logical next step is to either change my one-off customization by asking a different question, or to write a custom captcha to increase the marginal cost of customizing a bot to spam me. Personally, I’m leaning towards automatically generating visual puzzles that would be difficult for a person to solve, let alone a spambot, and seeing how they like that.
In the meantime, the code I added to do this was very simple, and I’d encourage people to try customizing their own site with a different test.
In wp-comments-post.php, I added:
Download this code: /code/17a.txt
and in my comments template I added:
Download this code: /code/17b.txt
and changed the next couple of "tabindex" attributes to be higher so tabbing between fields works correctly.
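As an added example (not the post's own code, which the page no longer carries), this is one way to implement the extra-field check in PHP for a WordPress install of that era: a server-side test in wp-comments-post.php plus the matching input for the comments template. The field name `reader_answer`, the question and the expected answer are assumptions; pick your own, since the field name itself becomes a signature a bot can learn.

```php
<?php
// Added example, not the original post's code: a fixed-answer "human check"
// for a WordPress comment form. Field name, question and answer are assumed.

// --- 1. wp-comments-post.php: run this before the comment is stored ---------
define('HUMAN_CHECK_FIELD', 'reader_answer');  // rename per site
define('HUMAN_CHECK_ANSWER', 'blue');          // answer to "What color is the sky?"

/**
 * Normalise the submitted answer and compare it with the expected one.
 * Returns true when the comment should be accepted.
 */
function human_check_passes(array $post_data)
{
    if (!isset($post_data[HUMAN_CHECK_FIELD])
        || !is_string($post_data[HUMAN_CHECK_FIELD])) {
        return false;  // field absent: the bot did not know about it
    }
    $given = strtolower(trim($post_data[HUMAN_CHECK_FIELD]));
    // hash_equals (PHP >= 5.6) compares without leaking a prefix via timing
    return hash_equals(HUMAN_CHECK_ANSWER, $given);
}

if (!human_check_passes($_POST)) {
    // Reject before touching the database; a 403 keeps failures visible in logs
    header('HTTP/1.1 403 Forbidden');
    die('Please answer the question to post a comment.');
}

// --- 2. comments template: the extra field next to the existing inputs ------
// Bump the tabindex of the fields that follow so keyboard order stays correct.
?>
<p>
  <label for="reader_answer">What color is the sky? (required)</label>
  <input type="text" name="reader_answer" id="reader_answer" size="22" tabindex="4" />
</p>
```

Rotating the question and answer from time to time, as the post suggests, costs one edit of the two constants and the label.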
Peter took this idea and ran with it, harnessing the power of his commenters to compute pi. Check it out.