Disclaimer: This plugin is no longer maintained. Feel free to take what there is under the GPL and do anything you want with it.
It's time to roll out my WordPress comment spam plugin, which simply works by inserting a couple of values into the comment form and checking them on the receiving end. If the key is invalid then the comment is placed into the moderation queue. Vitally, neither the key nor the names of the inputs can be guessed without access to the MySQL database. The plugin, however, does not do anything to pingbacks or trackbacks, and I recommend using Nick Momrik's Moderate Trackbacks and Moderate Pingbacks plugins to deal with them :)
Without further ado, here is the plugin.
ChangeLog
1.8.0
Improve moderation code, use comment_form to stand guard
1.9.0
Completely redo large parts of the plugin, meaning keys are now only valid for one hour, and the key is auto-regenerated every week. Any comments posted within an hour of it being generated go into the moderation queue; otherwise, they get marked as spam.
1.9.1
Remove dependence on str_shuffle(), thereby no longer needing the PHP 4.2 compat code
1.9.2
Replace > with <
1.9.3
Avoid comments already being marked as spam being moved to the moderation queue
1.9.4
Keep count of spam comments, show number on Dashboard, add page to regenerate key at any time
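The form check described in the post and the one-hour key lifetime from 1.9.0, as an added PHP example rather than the plugin's own code: it assumes an HMAC over the post ID and issue time, keyed with a server-side secret that stands in for the value the plugin keeps in the database. All function names, the `c_` prefix and the sample values are hypothetical.

```php
<?php
// Added example, not the plugin's code. $secret stands in for the random
// value the plugin keeps in the MySQL database; all names are hypothetical.

const KEY_LIFETIME = 3600; // keys are valid for one hour (changelog 1.9.0)

// Input name derived from the secret, so it cannot be guessed from outside.
function field_name(string $secret): string {
    return 'c_' . substr(hash_hmac('sha256', 'field-name', $secret), 0, 12);
}

// Key issued with the form: issue time plus an HMAC over post ID and time.
function issue_key(string $secret, int $post_id, int $now): string {
    return $now . '.' . hash_hmac('sha256', $post_id . '|' . $now, $secret);
}

function key_is_valid(string $secret, int $post_id, string $key, int $now): bool {
    $parts = explode('.', $key, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    $issued = (int) $parts[0];
    if ($issued > $now || $now - $issued > KEY_LIFETIME) {
        return false; // expired, or claims to come from the future
    }
    $expected = hash_hmac('sha256', $post_id . '|' . $issued, $secret);
    return hash_equals($expected, $parts[1]); // constant-time comparison
}

// Returns 'approve', 'moderate' or 'spam' for a submitted comment.
function classify_comment(array $post, string $secret, int $secret_created,
                          int $post_id, int $now): string {
    $key = $post[field_name($secret)] ?? '';
    if (is_string($key) && key_is_valid($secret, $post_id, $key, $now)) {
        return 'approve';
    }
    // A form rendered just before the secret was regenerated fails through
    // no fault of the commenter, so hold those for an hour instead of spam.
    return ($now - $secret_created < KEY_LIFETIME) ? 'moderate' : 'spam';
}

// Constructed sample run.
$secret = bin2hex(random_bytes(32));
$now = time();
$form = [field_name($secret) => issue_key($secret, 42, $now - 600)];
echo classify_comment($form, $secret, $now - 86400, 42, $now), "\n"; // valid key
echo classify_comment([], $secret, $now - 86400, 42, $now), "\n";    // no key, old secret
echo classify_comment([], $secret, $now - 120, 42, $now), "\n";      // no key, fresh secret
```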
Comments
Mike Macgirvin says…
July 17, 2006 13:38:01+01:00
I did this, sending out a UUID for every comment page and only allowing it to be used once. It had a negligible effect on comment spam. So far the only thing that has proved infallible is 100% moderation. UUIDs and throttling and content recognition only reduce the number of attempts and make the moderation more easily manageable. I have however seen a couple of cool tricks using JavaScript to write the hidden form values. The assumption being that spam comment script kiddies aren't going to be using JavaScript. Yes, I think it's clever - but I'm not big on assumptions.
But I have to note in your message "if the key is invalid then the comment is placed in the moderation queue".
If the key is invalid you should toss the sucker without question. Legitimate commenters' browsers are going to screw up getting a hidden form field right? Really?
Geoffrey Sneddon says…
July 24, 2006 16:52:19+01:00
Matt,
Having been away for two weeks, I've had to delete two comments, with this as my only protection against comment spam.
Using JavaScript for avoiding comment spam is, IMO, massively flawed. There will be users who will have JavaScript disabled, not just spam bots. Too many people assume JavaScript can be relied on.
As for it being placed in the moderation queue, if you look at the code you'll see that the key is changed within the database, thereby making all previously issued UUIDs illegal, so, if someone starts to write a comment then the plugin is updated (or even downgraded), then they submit it, it would then be rejected.
I've got several ideas for the next version of this plugin, one of which will mean that only some comments will get put into the moderation queue (and those being in the minority).