April 25, 2007
How to Defeat Comment Spam

Comment spam is undoubtedly one of the most annoying aspects of running a website. It literally sucks the joy out of it. The spam is everywhere, and everyone has problems with it. But, there is actually a way to solve the problem.

Below you can see 8 ways to defeat comment spam - ranging from the simplest solutions, but also the least effective, to some that are very advanced and also highly effective.

Comment spam is for most parts auto generated. A spammer will write a script that can put out millions of spam comments in a very short time. What you need is, simply put, some obstacles that will prevent the script from running on your site.

The less effective - but simple methods

These works quite well for some people and it definitely doesn't hurt to implement them. But, some sites will still be susceptible to spam (mostly high-traffic sites)

1: Remove WordPress, TypePad, MovableType and Blogger tags

Comment spammers are very lazy people, and as such they go for the biggest target - with the least effort. That means they specifically target popular blogging tools like WordPress, TypePad, MovableType and Blogger etc. The way they do this is to simply try to detect if your site runs on any of these things (it only takes one line of code to do).

What they look for is things like this:

• Varies meta-tags in your header like:
  <meta name="generator" content="WordPress 2.1.3" />
• Html that includes hints to what platform you use
• footers like "Powered by MovableType"

Remove these and you  have just removed all the lazy spammers

Note: Only works if your site is not already targeted (hence on the spammers hotlist).

2: Rename your form and its elements

Another thing you need to do is to change your comment form. In the past people said that you should change the "action URL", but that doesn't work anymore. The spammer can detect your new URL with something as simple as this:

What you need to do is to change every part of your comment form, the ID and NAME attributes of all your elements, the action URL - everything. Do not call your website field "website", do not call your emails field "email". Call it something like "joesfish" or "hubba26rrtdh2".

What this does is that it makes much harder for the spammer to write his scripts (remember they aim for quantity not quality).

3: Make it look like something else

Spammers can still detect that you have a comment form on your site, simply because it contains 4 active fields - name, email, website and comment. All they really need to do is to detect if your page has 3 active input fields (not including hidden ones) and one textarea.

To stop them from doing that, you can simply add more. Why don't you have 7 input fields of varies types, 3 textareas and 2 radio buttons. That will make it look like anything but a comment form.

Of course this will look very messy, but thanks to CSS you can add "display:none;" to those  fields that should not be visible to real people.

It sure will make it a lot harder for spammer to figure out.

The less simple - but more effective solutions

Let's move on to more drastic but also more effective methods. Let's make it really hard for the comment spammers. Both these methods successfully prevent external scripting - but it does not prevent in-page scripting (the kind where the script is executed in a browser on your site - for instance using automated bookmarklets).

4: Change your action URL on form submission

This is something many people have tried, very successfully. The idea is that you add a fake action URL in your form. This obviously causes any spam to be sent to that URL, but since it goes nowhere it simply vanishes into thin air.

Then to make it work for real people, you change the action URL into the correct one when the form is being submitted.

5: Encrypt your form

Another method is to encrypt your entire form - using JavaScript. This will make it look as if your site does not allow commenting in general.

Simple run your form HTML trough a Javascript encrypter like the one from Hivelogic (use the advanced form) - and insert that instead. You use the same method to encrypt emails to prevent spam in your mailbox.

Note: I use this method on this site - and I do not get any comment spam.

The more advanced - but also the highly effective solutions

Finally let's move on to some of the more advanced solution. These will have much greater effect, essentailly eliminating spam completely.

6: Use WYSIWYG, and save with AJAX

The easiest way to get rid of comment spam is to not have a comment form on your site. So get rid of it. You can instead use an iframe in DesignMode to mimic the same visual experience as a form. It is more difficult to make, and you have to know about JavaScript and AJAX.

You will also limit commenting to the latest browsers (old browser and non-browser devices will not work with this)

7: Replace your form with an image

Another method to remove the form from your interface is to replace it with an image. I know it sounds strange, but let me explain. What you do is that you insert an image that looks like a comment form, but replace it with an actual form when people click in it.

To the spammer it will look like a page with an image. To real people it is a normal form, because when activated the image is turn into a real form. This will prevent any kind of scripted spam.

Note: Make sure you detect where people click, and set the focus accordingly. If people click on the website area on the image, the image should be replaced with a real form with focus in the website field.

8: Detect keystroke speed

The last thing you can do is to simply detect how fast a comment is written. It generally takes 0.2 seconds to type a character, so you simply detect how long it took to write the full comment and the average pauses between each keystroke.

E.g. 200 characters should take more than 40 seconds to write, with an average keystroke pause of 0.2 seconds.

If it is faster than that, then it is written by a script (thus from a spammer).

Note: You also need to detect when people paste content into your form - For instance when they want to add a link.

9: Double form Magic (UPDATE)

You might be able to defeat the spammer using a double form (read comment #14). This approach is 100% accessible and with no semantic problems.

What you do NOT want to do

Before we finish let's take a short look at what you shouldn't do

CAPTCHA

You could add a CAPTCHA (an image with some, often distorted, text) and require that people type these in to add a comment). It works fine, but they are also incredibly annoying. Do not do this - annoying your real visitors is not a good way to deal with spammers (who never sees the CAPTCHA anyway)

Register/sign-in

This is another solution that also works quite well. But it is a terrible solution. Forcing people to go through a registration process is not only irritating, but it also removes focus. Do not do this!

Spam filters

Spam filters - like Askimet - as one way that many people try to get rid of spam. But it does not work. As with email spam filters your genuine comments is sometimes flagged as spam, and spam is sometimes not flagged. Perhaps it does a really decent job 98% of the time, but since you cannot rely on it 100%, you still have to look through it.

It is not a solution; you are still forced to look at spam. Forget about it.

Baekdal PLUS: Premium content that helps you make the right decisions, take the right actions, and focus on what really matters.

Join 'The Weekly Update' to get an email every Friday afternoon with the latest from Baekdal + noteworthy articles from around the web.