There are two more minor tweaks to this anti-spam approach that need to be implemented. The first is to go back into the blog.cfc and comment out lines 1489 and 1491. This CFIF limits the recent comments to ones that have moderated set to true (which should be the default). Without the CFIF removed, spam comments that have to be moderated will still show up in the recent comments section.

The second minor edit is to the adminlayout, commenting out lines 47 and 49. Now the admin can control the moderated comments.

The more I fix this technique the more I see I have to do it right. One thing that I really have to look at is those CFIFs that 'comment out' the moderated db value in queries. Every comment has a moderated value whether moderation is turned on or not. The only reason I can find for these CFIFs is to remove one of the sql criteria and possibly speeding up the query by some fraction of a millisecond. Unless there's something I'm missing....

There is one other step needed to make this work if your using the hack. There is a CFIF statement in blog.cfc that checks if moderation is turned on or not before displaying a comment. It does not matter if a specific comment is moderated or not, if moderation is not turned on, then the code I mentioned in the last post will just not work. The comment will be saved in the DB as being moderated, but it will still show on the site.

If your using the hack, all you have to do is remove the CFIF tag on lines 1074, 1357, and 1489. Leave the content of the CFIF alone, just remove the tags. Once this is done, moderation will be performed on a per comment basis. If a comment is set to be moderated, it will not be shown. If a comment is posted with an url, it will automatically be moderated. Otherwise, comments will be posted as unmoderated and shown. Basically a "mixed moderation mode".

When the code is done for real, these lines should be modified to check if either moderation is on OR if moderationforurlposts is on (or whatever you call the variable).

I've been getting some human posted spam to my blog and I want it to stop. The problem is, to stop a human you have to either moderate all posts, force a sign in to post or search the comment for one of a million odd keywords. None of those solutions appeal to me. Time to come up with something new.

Looking at the problem I see that almost all human posted spam involves a link to some outside resource. Ah, a pattern I can work with. If I can set moderation on for any comment that has a link, it would help block most human posted spam, at least in theory.

I can do this right or I can do it as a fast hack. As I don't have the time to do it right at the moment, I'm going to write a single regular expression and add it to the blog.cfc. I'll write myself a note to remember to go back and fix it correctly later.

The solution I came up with is to go to line 236 in the blog.cfc component and add in this line to the cfif statement:

This will force moderation on for any comment with a link in it. Great for stopping most form spam, great for letting most comments through, terrible for letting real comments with links through.

To do this properly I'd have to set a new variable in the blog.ini file to specify if I want to moderate based on urls. Then modify the initialization code for blogcfc to grab that variable along with all of the others. Once that's done, line 236 would be modified to look at the new variable to see if moderation should be on for the post. Rather straight forward.

One thing I noticed when writing this post is that I never posted my article on my technique to block all bot spam. I know I posted it somewhere, but I guess I never posted it here. I'll add a reminder to myself to do that as well. Oh, for a 48 hour day. :)