Entry: 5078058e< < Blog
Blog comment spam is an old problem, and something that's been plaguing the web for a long time. I myself run this blog, along with another web site about art, both of which use my own code but allow people to post anonymous comments, simply by entering a name, comment, and clicking on send.
Now, from simply reading that, if you know a bit about how web sites work, you would think that this should be the easiest thing in the world for all the spam bots out there to exploit. But in the many years I've been running both sites, I've never received any spam messages, not one, at least none produced by bots, only the random human-created troll post. Now, if I go to my web hosting logs, I see them trying. In fact on TideArt, they are trying many times every single day, but none of these attempts end up in my moderation queue.
So I wondered why that was, and recently decided to investigate, looking at how those things worked, and then I found the reason. These spam bots are unbelievably stupid. The reason I never get spam hitting my comment systems is purely by accident, because of how I created the commenting code. Here's how the comment box looks like for my other site, which allows people to post a name, web site and comment:
This right here is what fools every spam bot that hit my site so far in the past years. As you may notice, the script actually changes the variable names. Even though the input for your name is name and the one for your web site is site, when the XMLHttpRequest is sent, it renames them to cn and ct. Apparently, nothing out there is able to parse that. This is why even though a lot of spammers are trying to leave junk on my sites, not a single one of them is able to even hit my moderation queue.
I hope this helps anyone currently having trouble with spam bots.