Getting spammed

I guess most of you have already seen it — I’m currently experiencing severe problems with spam entries. Each time I visit my site I have to face a bunch of new cialis, viagra etc. entries: forum posts, replies and comments.

Since I’m using my homebrew CMS I don’t have the possibility to use any of those plugins available for WordPress etc. to get rid of those annoying entries. I’ve already written some sort of spam filter using PHP — but obviously it doesn’t work.

So you guys are my last hope. Do you know any recommendable tools — preferably written in PHP — that can either check if a submitted comment is spam or — and that would be much better — that can check whether a visitor is a “real” visitor or just one of those spam bots?

I’ve already received some recommendations such as Akismet or Captcha in the forum but I just want to make sure that I don’t overlook any great tools. Thanks.

Update: I kinda liked Danilo’s idea of providing an additional input text field, that is hidden via CSS — so that it would never be filled in by a real user. Simple, easy to implement — I like such approaches. I’ve already implemented it in the forum section — well let’s see if it works.

36 comments so far


flomax June 30, 2006 at 07:02 PM

Hello! So you’re having the same trouble as me; my shoutbox is unfortunately also going under with this spam. I’ve already tried so many things, I think there is no solution!! At the moment I only use a “word filter”: if a word is on this list, the post is simply deleted. Not the best solution, but this way I keep getting a day or two when no spam is posted. But hopefully someone turns up here who has something smarter after all! Regards, Georg

kitune June 30, 2006 at 07:11 PM

Hi, I use a captcha like 5+2=_

You can view it in http://www.shinkitune.com/ikkaro, on the “Comentarios” tab.

Bye!

A. Nonymous June 30, 2006 at 07:22 PM

Link

If you’re using WordPress, this works amazingly well.

Michele June 30, 2006 at 07:26 PM

I’m doing great with Akismet, but I’ve also heard good things about Link Bad Behavior

Boris June 30, 2006 at 08:04 PM

For some of my scripts it helped to build in a unique-ID/session check. Roughly like this:

  1. Start the session:

    session_start();

  2. When the page is requested, generate an ID and store it in the session:

    $_SESSION['uid'] = md5(microtime(true) * rand());

  3. This uid is sent along with the contact form:

    <input type="hidden" name="uid" value="<?php echo $_SESSION['uid']; ?>" />

  4. After the form is submitted, check whether the session exists and whether the uid is the same one that was sent via the form:

    if (isset($_SESSION['uid'])
        && isset($_POST['uid']) && $_SESSION['uid'] == $_POST['uid'])
    {
        // everything ok & delete the uid
        unset($_SESSION['uid']);
    }

That did the trick for me. ;)
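A hardened variant of the session check described in the comment above, as an added example that is not part of the comment: the token comes from `random_bytes`, is compared with `hash_equals` instead of `==`, and is discarded after a single attempt. The helper names are hypothetical, and plain arrays stand in for `$_SESSION` and `$_POST` so the demo runs from the command line.

```php
<?php
declare(strict_types=1);

// Added example; issue_form_token() and check_form_token() are hypothetical names.

// Create a fresh one-time token and remember it in the session.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(16)); // CSPRNG output, not derived from the clock
    $session['uid'] = $token;
    return $token;
}

// Validate a submission against the session and consume the token.
function check_form_token(array &$session, array $post): bool
{
    $expected = $session['uid'] ?? null;
    // One-time use: drop the token whether or not the check succeeds,
    // so a captured value cannot be replayed.
    unset($session['uid']);

    $given = $post['uid'] ?? null;
    // Rejects a missing session, a missing field, and uid[]=... (array input).
    if (!is_string($expected) || !is_string($given)) {
        return false;
    }
    // Constant-time, type-strict comparison; avoids the loose-comparison
    // surprises of == on strings that look numeric.
    return hash_equals($expected, $given);
}

// Constructed demo: $session and the $post arrays are sample data.
$session = [];

$token = issue_form_token($session);
var_dump(check_form_token($session, ['uid' => $token]));   // form was loaded first
var_dump(check_form_token($session, ['uid' => $token]));   // same token replayed

issue_form_token($session);
var_dump(check_form_token($session, ['uid' => ['x']]));    // array instead of string

$empty = [];
var_dump(check_form_token($empty, ['uid' => 'guess']));    // direct POST, no session
```

In a live script the two arrays are `$_SESSION` (after `session_start()`) and `$_POST`. The check only stops clients that post straight to the handler; a bot that loads the form and keeps its session cookie passes it.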

quis June 30, 2006 at 08:36 PM

My German isn’t so hot, but Boris’ PHP code seems like a very elegant solution to most spam bots.

helge June 30, 2006 at 08:53 PM

badbehaviour (linked previously) works really well on the wikis i operate. stops only spambots though, no spam-sweatshops.

Michael June 30, 2006 at 09:29 PM

Akismet provides an API to implement it into any CMS: Link
One advantage of Akismet is that it works for both comments and trackbacks.

In the last days, I have had a weird increase of spam on my blog: between 3000 and 6000 spam comments (not trackbacks) per day, and Akismet identified every comment. So it does a great job.

Bad Behavior can cause that real visitors cannot post comments anymore. I have read about that problem in different blogs. Even blog authors could not post under some conditions. So no recommendation for that.

Fredrik Wärnsberg June 30, 2006 at 09:46 PM

Regular captcha won’t be enough anymore, any decent spambot will be able to get past it. You need to find a more sophisticated way, or use a really good captcha (LOTS of distortion, or some human input like a 5+2 or whatever).

Tom S. Weber June 30, 2006 at 11:57 PM

I found a, I hope, useful link: Linktechniquesin_php-2.php

Michael Schmidle July 01, 2006 at 07:10 AM

Well, here is how I set a little snare for spam bots:

In the comment or forum form, include a hidden field that contains the client’s IP address. Spam bots are clever enough to recognize such attempts to capture their address and will forge this hidden field, to 127.0.0.1 for example.

So, when that form is submitted, just check the address in the hidden field and compare it to $_SERVER['REMOTE_ADDR'] (for PHP) to know if the field is forged.

Serious users do not forge hidden fields, that is my assumption!

Regards

Michael

Avasilcai Daniel July 01, 2006 at 11:00 AM

Every day I receive at least 4-5 spam comments. I hate this shi.. It’s eating my precious time.

Sean Hayford O'Leary July 01, 2006 at 12:07 PM

I use Wordpress with the Akismet plugin on several sites that I manage. One or two comments have wriggled through, but it’s solid.

Sean Hayford O'Leary July 01, 2006 at 12:08 PM

P.S.: Wolfgang, still looking at WordPress?

Spencer Akers July 01, 2006 at 01:28 PM

What about a check box saying: This is not spam : (checkbox)

When the form is submitted, if the checkbox isn’t checked, It’s Spam!

That’s what I use on Link . Then again, I don’t use wordpress.

Derick July 01, 2006 at 08:22 PM

I agree with Akismet which would seem to work better since it is transparent to the user. CAPTCHAs are irritating in my opinion though it is widely used. At times I find it hard to read and most of the time it is just quite irritating to the user.

Lastly, you may wish to read this. Link

Anti Spammer July 01, 2006 at 10:59 PM

I do a word filter for comments, so if it comes across http:// , www, or .com, then the comment is rejected. This has stopped comment spam completely for me. No one will be able to post links however, but it’s a small price to pay.

pickupjojo July 02, 2006 at 01:45 AM

Sorry if it’s not the topic, but I like your new theme! It’s another beautiful spring cleaning. :)

adrmis July 02, 2006 at 09:34 AM

I think that security image ( retyping confusing text) is a good idea to prevent spam bots.

Mitja Ribic July 02, 2006 at 07:21 PM

I had the same problem some time ago. Got like 100 spam comments in a day. So, I made a few changes and added human input (math) control. And I must say it’s really working. At worst, only one bad comment gets through. And when it does, I get email notification. :) And it’s very simple to integrate.

Hope you find a solution.

Danilo July 02, 2006 at 07:23 PM

What helped for me was a text field that sits in a hidden container (display:none) and is named ‘homepage’ or ‘email’.
Since spam bots fill in such fields but the user does not (it isn’t visible, after all), spam can be filtered quickly.

Another option is to add a further submit button before the ‘Say it’ button, of course also in a hidden container. Spam bots often use the first submit button of a form. (This does restrict ‘usability’ a little, though!)
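The hidden-field traps suggested in this thread (the CSS-hidden text field and decoy submit button from the comment above, and Michael Schmidle’s echoed IP field) combined into one server-side check, as an added example that is not code from any commenter. The field names `decoy_submit` and `client_ip`, the function name and the sample submissions are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example. 'homepage' is the honeypot name from the thread;
// 'decoy_submit', 'client_ip' and trap_reasons() are hypothetical names.
//
// Form side (sketch):
//   <div style="display:none">
//     <input type="text" name="homepage" value="">
//     <input type="submit" name="decoy_submit" value="Send">
//   </div>
//   <input type="hidden" name="client_ip" value="(REMOTE_ADDR at render time)">

// Returns the traps a submission triggered; an empty list means none fired.
function trap_reasons(array $post, string $remoteAddr): array
{
    $reasons = [];

    // Honeypot: invisible to a human, so it must come back empty.
    $honeypot = $post['homepage'] ?? '';
    if (!is_string($honeypot) || trim($honeypot) !== '') {
        $reasons[] = 'honeypot_filled';
    }

    // Decoy button: a browser only sends the name of the button that was clicked.
    if (array_key_exists('decoy_submit', $post)) {
        $reasons[] = 'decoy_submit_used';
    }

    // Echoed IP: the hidden value must match the address the request came from.
    $echoed = $post['client_ip'] ?? null;
    if (!is_string($echoed) || $echoed !== $remoteAddr) {
        $reasons[] = 'ip_field_forged';
    }

    return $reasons;
}

// Constructed sample submissions (not real traffic); 203.0.113.7 is a documentation address.
$samples = [
    'human'     => ['comment' => 'Nice post', 'homepage' => '', 'client_ip' => '203.0.113.7'],
    'fills_all' => ['comment' => 'buy now', 'homepage' => 'http://spam.example', 'client_ip' => '203.0.113.7'],
    'forges_ip' => ['comment' => 'buy now', 'homepage' => '', 'decoy_submit' => 'Send', 'client_ip' => '127.0.0.1'],
];
foreach ($samples as $name => $post) {
    $hits = trap_reasons($post, '203.0.113.7');
    echo $name, ': ', $hits ? implode(', ', $hits) : 'accepted', PHP_EOL;
}
```

In a live handler the call is `trap_reasons($_POST, $_SERVER['REMOTE_ADDR'])`. Holding flagged posts for moderation rather than deleting them limits the damage from false positives, for example when a browser autofills a hidden field named `email` or a visitor’s address changes between loading and submitting the form.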

Gregor July 02, 2006 at 09:29 PM

Hi Wolfgang,

what about just renaming your post script (journal_detail.php). I think most spam scripts call your post script directly, so this could be an easy temporary solution until you find a useful filter script.

PS: I LOVE YOUR NEW VISUAL DESIGN!

flomax July 03, 2006 at 04:40 AM

@gregor, your idea doesn’t work, I tried it a few weeks ago :-/

Michael July 03, 2006 at 05:36 AM

Hi Wolfgang,

some time ago I wrote an article about this problem, so maybe it’s interesting for you. I never had problems with spam posts so far, but well, my website isn’t as popular as yours ;)

Here you go (german article): Link

By the way: your new design looks marvelous :)

GigoIt July 03, 2006 at 09:43 PM

Thought you guys might like this.

GigoIt’s HumanAuth is based off the ideas presented by KittenAuth.com. HumanAuth supports ADA and Section 508 requirements, increased security and includes watermarked images with random positioning. HumanAuth ensures that an actual human is using your site without forcing them to read distorted CAPTCHA text.

Link

Dev July 04, 2006 at 07:32 AM

I guess you could do an image verification. Give a picture of letters and ask the person to repeat the letters in the image. Bots can read images.

Hung July 04, 2006 at 09:32 AM

A friend of mine runs his blog on a homebrew CMS too. He told me that he makes the commenting process have two parts: one where you write the comment, and another where you preview and verify it.

He says it pretty much killed all the spam.

TitoFer July 13, 2006 at 05:27 AM

Hi! Will you please tell us what Danilo’s solution is? (I don’t speak German.)

Wally July 17, 2006 at 08:38 AM

Link
wow, the spam in the comments hasn’t been removed since January.
People click on my link, but the spam is still there underneath it. Good luck with removing the spam. It’s really bad.
Regards, Wally

Wally July 17, 2006 at 08:39 AM

oops, the link is gone,
so here is part of it, in case it works:
/forum_detail.php?detail=199

Funbug July 17, 2006 at 09:10 AM

Using Akismet is really painless and absolutely easy:
Link

Kyle Korleski July 24, 2006 at 05:13 PM

Try Akismet. It’s a great anti-spam solution.

Owl July 27, 2006 at 08:24 PM

cool solution
——-

carlos September 21, 2006 at 10:16 PM

“I kinda liked Danilo’s idea of providing an additional input text field, that is hidden via CSS”

I’m integrating this simple solution in a new website (not online yet). So what are your experiences?

Greetings, Carlos

Wolfgang September 21, 2006 at 10:26 PM

Well it helped a bit – however I still got spam entries. Probably because spam bots try all possible combinations when filling in a form.

Yuppy Tippy December 02, 2006 at 02:44 AM

Is this message little enough to be one of… lost idea
