Really stopping blog spam - part 1
There's not a day that goes by without me receiving an email from a blog I posted to a few months back. Do these emails have any use? Are they full of new information? No. They are simply blog spam posts being sent to me.
Welcome to the latest front in the war on innocent people by spammers. Actually, this welcome is quite late in coming as the war has been on for a while now. It's just gotten worse as the blog spammers have gotten better with their technology.
There is not a single public form on the internet today that has not been scanned by a bot from a spammer. Their database of form fields and types is immense and their bots have gotten rather sophisticated. They can tell what's a name, what's an email address and what's a password in most cases despite being named different things. They can then use this information to post directly to the action page of the form with anything they want.
So now that i've sung their praise for technical ability, lets talk about how to stop them. I've come up with a few ways to do this and for the most part each works well...to a point.
The first way I'll talk about is one totally ignored by the ColdFusion community at large but is rather obvious once you think about it. Lets walk through the thoughts. A form spammer has to see a form to know what to post and where. If there's no form, there's no spam. Simple, right? But how can we have a form without a form? Maybe.....Flash?
Yes, ColdFusion has a great advantage over other languages in the fight against spam as we can create forms on the fly in flash. Forms that are in effect a flash movie and can not be seen as a form. No form, no spam.
An example of this can be found by clicking on any trackback url on Blog of Fusion. The form looks exactly like the one Raymond wrote (in XForms, actually) but has been changed into a Flash Form. Oh, I also changed the form field names because most form spammers only look at the form once but after that post directly to the action url. Changing the form fields prevents that. But as I stated, only to a point. What happens when I give the template out to everyone? All a form spammer has to do is look at the source code to see where to post to. Don't think they'll look at the source by eye rather than by bot? You don't know these people or the popularity of Raymond's blog package.
But I've got a solution for that as well which I'll talk about next.
For those who want to listen to this post, I've included an MP3 of it here: http://blogoffusion.com/enclosures/formspam1.mp3
But as I add layers of spam protection to my custom site, I realize that different people spam different ways. The latest thing I did is hand out session-based UUIDs for each form and compare it to a salted hash of that UUID that is passed in via a form field and I STILL get spam. These people are actually visiting my site, probably auto-populating the fields with some toolbar or widget, and submitting. I'd love to hear some more ideas.
It's not fool-proof, but it uses the idea that bots are not as visually smart as people. I am not exactly sure how bots "see" the site, but I am assuming that they rely more on the source code than on the rendered page. That is why I used CSS to leverage the rendered-view of the page for users.
The CSS idea is interesting, and while accessibility is not always a concern on my private sites, it still bugs me that it's not really accessible (being entirely visually oriented and breaking down without CSS or CSS support). CAPTCHA is not only inaccessible buy annoying to sighted users, so maybe the CSS is the lesser of two evils. I used CAPTCHA for a short time and while the spam went down, the complaints from my visitors went up and legit commeting went down.
There's someone who wrote a plugin called Bad Behavior that is supposed to work wonders, but of course it is a blog plugin for TypePad or Wordpress or something.