Block comment spam without captcha

What are some non-captcha methods for blocking spam in my comments?

+52
php captcha spam
Oct 16 '09 at 13:00
18 answers

In my experience, currently the most efficient methods are honeypot input fields that are invisible to users via CSS (it's best to use several different methods, such as visibility: hidden, setting the size to 0 pixels, and absolute positioning far beyond the browser window); if they are filled anyway, you can consider it a spambot.

This blog post describes a rather complicated method that I have tried myself (with 100% success so far), but I suspect you might get the same result by skipping all the contents with hashed field names and just adding a few simple honeypot fields.

+57
Oct. 16 '09 at 13:08

1) Adding session-related information to the form. Example:

    <input type="hidden" name="sh" value="<?php echo dechex(crc32(session_id())); ?>" />

then check back if the session is valid.

2) For JavaScript only. Use JavaScript injection when presenting. Example:

    <input type="hidden" id="txtKey" name="key" value="" />
    <input type="submit" value="Go" onclick="document.getElementById('txtKey').value = '<?php echo dechex(crc32(session_id())); ?>';" />

3) Time limit on IP, user or session. It's pretty simple.

4) Randomizing field names:

    <?php
    // a fresh key per form render, remembered in the session for the check on submit
    $fieldkey = dechex(crc32(mt_rand() . dechex(crc32(time()))));
    $_SESSION['fieldkey'] = $fieldkey;
    ?>
    <input type="text" name="name<?php echo $fieldkey; ?>" value="" />
    <input type="text" name="address<?php echo $fieldkey; ?>" value="" />

Then you can check it on the server side.

+13
Oct. 16 '09 at 13:02

Akismet has an API. Someone wrote a wrapper class (BSD license) for this: http://cesars.users.phpclasses.org/browse/package/4401.html

There is also a Bayesian filter class (BSD license): http://cesars.users.phpclasses.org/browse/package/4236.html

+8
Oct. 16 '09 at 13:06

This is a simple trick to block a spam bot or brute force without using captcha.

Put this on your form:

    <input type="hidden" name="hash" value="<?php echo md5($secret_key.time()).','.time(); ?>" />

Put this in your php code:

    // $secret_key must be the same secret that was used when rendering the form
    $human_typing_time = 5; /** page load (1s) + submit (1s) + typing time (3s) */
    $vars = explode(',', $_POST['hash']);
    if (md5($secret_key.$vars[1]) != $vars[0] || time() < $vars[1] + $human_typing_time) {
        // bot?
        exit();
    }

Depending on the weight of the form, you can increase or decrease $human_typing_time.

+5
Dec 20 '10 at 21:20
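A hardened variant of the timed hash check from the answer above, added here as an example and not the answer's own code: it signs the timestamp with HMAC-SHA256 instead of md5, sends the same timestamp it signed, compares in constant time, and adds an upper age bound so an old token cannot be replayed indefinitely. `$secret_key` is assumed to be a long random value loaded from configuration; the function names are my own.

```php
<?php
// Added example (not the answer's code): a hardened variant of the timed hash
// check. HMAC-SHA256 instead of md5, one timestamp that is both signed and
// sent, constant-time comparison, and an upper age bound against replay.
// $secret_key is assumed to be a long random value loaded from configuration.
const HUMAN_TYPING_TIME = 5;    // seconds: page load + typing + submit
const TOKEN_MAX_AGE     = 3600; // seconds: older tokens are rejected

function make_form_token(string $secret_key, ?int $now = null): string {
    $now = $now ?? time();
    return hash_hmac('sha256', (string) $now, $secret_key) . ',' . $now;
}

// Returns null when the token is acceptable, otherwise a short reason that
// is useful for logging which rule rejected the submission.
function check_form_token(string $secret_key, string $token, ?int $now = null): ?string {
    $now = $now ?? time();
    $parts = explode(',', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[1])) {
        return 'malformed';
    }
    [$sig, $issued] = $parts;
    $issued = (int) $issued;
    $expected = hash_hmac('sha256', (string) $issued, $secret_key);
    if (!hash_equals($expected, $sig)) {
        return 'bad signature';   // forged or tampered token
    }
    if ($now - $issued < HUMAN_TYPING_TIME) {
        return 'too fast';        // submitted before a human could have typed
    }
    if ($now - $issued > TOKEN_MAX_AGE) {
        return 'expired';         // stale page or replayed token
    }
    return null;
}

// In the form: a hidden input named "hash" whose value is make_form_token($secret_key).
// On submit:
//   $why = check_form_token($secret_key, $_POST['hash'] ?? '');
//   if ($why !== null) { error_log("comment rejected: $why"); exit(); }
```

Because the token is not bound to the session, a bot can still fetch the form once and reuse the token until it expires; combine it with the session-bound field or the honeypots from the other answers if that matters for your site.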
+4
Oct. 16 '09 at 13:04

There is also the Honey Pot theory. I really enjoy using honey pots with other forms of spam protection for best results.

http://www.projecthoneypot.org/

+4
Oct. 16 '09 at 13:07

Another common approach is to give the user a simple question ("Is fire hot or cold?", "What is 2 plus 7?", etc.). This is a bit like a CAPTCHA, but it is more accessible to visually impaired users using screen readers. I think there should be a WordPress plugin that does this, because I see this very often on WordPress blogs.

+3
Oct. 16 '09 at 13:36

Sblam! is an open source filter similar to Akismet.

It uses naive Bayesian filtering, checks the sender's IP address and links in several distributed blacklists, checks the correctness of HTTP requests and uses the presence of JS as a hint (but not a requirement).

+2
Dec 14 '09 at 14:16

Regular CAPTCHAs now allow spam bots.

Instead, consider "text CAPTCHAs": a logical or well-known question, for example "What is 1 + 1?" or "What color is the white horse?" The question may even be static (the same question for each attempt).

Text Logic CAPTCHA

(Taken from http://matthewhutchinson.net/2010/4/21/actsastextcaptcha )

I think that Jeff Atwood even uses such a check on his blog. (Correct me if I am wrong)

Some resources:

+2
Sep 29 '10 at 19:46

Deny links. Without links, spam is useless.

[EDIT] As a middle path, only allow links to "good" sites (usually your own). There are only a few, so you can either add them at the request of your users or hold a comment until you check the link. When it's good, add it.

After some time, you can disable this and automatically reject comments with links and wait for users to complain.

+1
Oct. 16 '09 at 13:04

You might try using a third party like Akismet. API keys are free for personal use. In addition, the Zend Framework has a package for this.

+1
Oct. 16 '09 at 13:05

Most bots just fill out the entire form and send it to you. A simple trick that works is to create a normal field, which you usually hide with javascript. On the server side, just check if this field is populated. If so, then this is spam.

+1
Oct. 16 '09 at 13:07

As many people have already suggested: use the honey pot input field. But there are two more things you need to do. First, randomize the name/identifier of the input field which is a honey pot. Store the state of the useful fields in the session (as well as the form token used against CSRF attacks). For example, you have the following fields: name, email address, message. In your form, you will have a "token", which is your token, "jzefkl46" for the name field of this form, "ofdizhae" for email, "45sd4s2" for the message, and "fgdfg5qsd4" for the honey pot. In a user session, you might have something like

    // form token => map of randomized field name => real field role
    array("forms" => array("your-token-value" => array("jzefkl46"   => "name",
                                                      "ofdizhae"   => "email",
                                                      "45sd4s2"    => "message",
                                                      "fgdfg5qsd4" => "honey")));

You just need to re-link it when you receive your form data.

Secondly, since the robot has many chances to avoid the field of your honey pot (25% chance), multiply the number of pots. With 10 or 20 of them, you add difficulty to bots without having too much overhead in your html.

+1
Oct 16 '09 at 13:37
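The randomized honeypot scheme of this answer, together with the CSS-hidden honeypot fields from the first answer, worked through as an added example (my code, not any answer's): the real field names and a batch of honeypot names are generated at random, stored in the session under the form token, rendered, and mapped back on submit. It assumes `session_start()` has already been called; the constants and function names are my own.

```php
<?php
// Added example (not the answer's code): real field names and several honeypot
// names are random, remembered in the session under the form token, and mapped
// back on submit; a filled honeypot rejects the submission.
// Assumes session_start() has already been called.
const REAL_FIELDS    = ['name', 'email', 'message'];
const HONEYPOT_COUNT = 10;   // the answer suggests 10-20 honeypots

// Builds the name map and stores it under the form token, as in the answer.
function build_form_map(): array {
    $token = bin2hex(random_bytes(16));
    $roles = array_merge(REAL_FIELDS, array_fill(0, HONEYPOT_COUNT, 'honey'));
    shuffle($roles);   // position in the form must not reveal the honeypots
    $map = [];
    foreach ($roles as $role) {
        $map['f' . bin2hex(random_bytes(6))] = $role;
    }
    $_SESSION['forms'][$token] = $map;
    return [$token, $map];
}

function render_form(string $token, array $map): string {
    $html = '<input type="hidden" name="token" value="' . $token . '">';
    foreach ($map as $name => $role) {
        // Honeypots are hidden from people; bots that fill every input hit them.
        $style = $role === 'honey' ? ' style="position:absolute;left:-9999px"' : '';
        $html .= '<input type="text" name="' . $name . '"' . $style . '>';
    }
    return $html;
}

// Maps $post back to real field names; returns null if the token is unknown
// or any honeypot field was filled, i.e. the submission looks automated.
function decode_submission(array $post): ?array {
    $token = $post['token'] ?? '';
    $map = $_SESSION['forms'][$token] ?? null;
    if ($map === null) return null;
    unset($_SESSION['forms'][$token]);   // one use per token
    $data = [];
    foreach ($map as $name => $role) {
        $value = $post[$name] ?? '';
        if ($role === 'honey' && $value !== '') return null;
        if ($role !== 'honey') $data[$role] = $value;
    }
    return $data;
}
```

Add `tabindex="-1"` and `autocomplete="off"` to the honeypot inputs so keyboard users and browser autofill do not trip them, and vary the hiding technique across the honeypots as the first answer recommends.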

I reduced about 99% of the spam on my site with a simple math question like the following:

What is 2 + 4 [TextBox]

The user will be able to send a question / comment if they answer "6".

Works for me and similar solutions work for Jeff Atwood from Coding Horror!

+1
Oct 16 '09 at 14:31

On my blog, I have some kind of compromise code: I only use captcha if the post contains a link. I also use the honeypot input field. Until now, it has been almost 100% effective. From time to time, a spammer appears who submits something to each form that does not contain links (usually something like “a good site!”). I can only assume that these people think that I will send them an email to find out who they are (using the email address that I can only see).

0
Oct. 16 '09 at 13:27

Along with using the honey pot fields, we can automatically ban the IP address (which does not work for dynamic IP addresses) and especially any links sent by bots.

0
Oct. 16 '09 at 14:04

Akismet is a good alternative: they check your messages for spam and work very efficiently. You just need to download their library. http://akismet.com/development/

0
Oct 16 '09 at 14:09

Check out some WP anti-spam plugins for examples and ideas.

There are many nice antispam plugins that work without using captcha.

I would recommend some of them: hashcash, nospamnx, typepad antispam. All of these use different methods to block spam, and I use them all. hashcash + nospamnx block almost all spambots, and the anti-spam key locks block most human-typed spam.

These are also good: spam, wp-spamfree, anti-captcha, bad behavior, httpbl, etc.

Also, a simple .htaccess rule that blocks any direct POST from a bot that doesn't come from your own site (check the referrer).

or just pass your comment system to disqus and sleep.

0
Oct 20 '09 at 0:22