  Fri, Oct 12 2012 4:57:02 PDT - Category: security - by: Patrick Lambert

    Blog comment spam is an old problem, and something that's been plaguing the web for a long time. I myself run this blog, along with another web site about art, both of which use my own code but allow people to post anonymous comments, simply by entering a name, comment, and clicking on send.

    Now, from simply reading that, if you know a bit about how web sites work, you would think this should be the easiest thing in the world for all the spam bots out there to exploit. But in the many years I've been running both sites, I've never received any spam messages, not one, at least none produced by bots, only the occasional human-written troll post. If I go to my web hosting logs, though, I see them trying. In fact, on TideArt they try many times every single day, but none of these attempts ever end up in my moderation queue.

    So I wondered why that was, and recently decided to investigate, looking at how those things work, and then I found the reason. These spam bots are unbelievably stupid. The reason I never get spam hitting my comment systems is purely by accident, because of how I wrote the commenting code. Here's what the comment box looks like on my other site, which allows people to post a name, web site and comment:

    So as you can see, it's pretty basic code, nothing to write home about. And from reading my comment log, it's clear that all of the spam bots read that from my pages and use those variables. But as you may notice, there's no submit button. Instead it calls a JavaScript function to post. That's not unusual either; a lot of comment systems use JavaScript to validate input. Let's look at the code:

    This right here is what has fooled every spam bot that has hit my site over the past years. As you may notice, the script actually changes the variable names. Even though the input for your name is "name" and the one for your web site is "site", when the XMLHttpRequest is sent, it renames them to "cn" and "ct". Apparently, nothing out there is able to parse that. This is why, even though a lot of spammers are trying to leave junk on my sites, not a single one of them has managed to even reach my moderation queue.
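    The renaming trick described above, as an added example that is not the blog's own code: the visible form uses "name", "site" and "comment", the script sends them as "cn", "ct" and (an assumed third key) "cc", and the server only reads the renamed keys, so a bot that scrapes the input names out of the HTML never produces an acceptable post. The markup, field names and server-side parser are all assumptions constructed for this example.

```javascript
// Added example (not the blog's own code): field renaming between the HTML
// form and the XMLHttpRequest body, plus the server-side check it implies.
// Assumption: inputs "name", "site", "comment" are sent as "cn", "ct", "cc".

// Constructed sample of the markup a scraper would see on the page.
const SAMPLE_FORM_HTML = `
  <input type="text" name="name">
  <input type="text" name="site">
  <textarea name="comment"></textarea>
  <a href="#" onclick="postComment()">Send</a>`;

// Map from the input names in the HTML to the keys actually sent over XHR.
const FIELD_MAP = { name: 'cn', site: 'ct', comment: 'cc' };

// What the page's script does: build the request body under the renamed keys.
function buildCommentBody(values) {
  const params = new URLSearchParams();
  for (const [field, key] of Object.entries(FIELD_MAP)) {
    params.set(key, values[field] || '');
  }
  return params.toString();
}

// Browser side (defined but not run here): send the renamed body via XHR.
function postComment(values, url) {
  const xhr = new XMLHttpRequest();
  xhr.open('POST', url, true);
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  xhr.send(buildCommentBody(values));
}

// What a naive bot does: copy the input names from the HTML and post them as-is.
function scrapeAndPost(html, values) {
  const params = new URLSearchParams();
  for (const m of html.matchAll(/name="([^"]+)"/g)) {
    params.set(m[1], values[m[1]] || '');
  }
  return params.toString();
}

// Server side: a comment exists only if every renamed key is present.
// A body built from the scraped names has none of them and is dropped,
// which is why such posts never reach the moderation queue.
function parseCommentBody(body) {
  const params = new URLSearchParams(body);
  if (!Object.values(FIELD_MAP).every((k) => params.has(k))) return null;
  return { name: params.get('cn'), site: params.get('ct'), comment: params.get('cc') };
}
```

    This works only as long as the bot reads the markup and not the script; treat it as one cheap filter among several rather than a hard control.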

    I hope this helps anyone currently having trouble with spam bots.

