[wp-hackers] Another anti-spam technique

John Watson johnw1 at gmail.com
Thu Oct 28 20:52:08 UTC 2004


All of these techniques are good and have immediate value but they're
probably all doomed in the long run.  The trouble is that in order for
legitimate users to comment, you have to give the client all of the
information required to post a comment.  That is, for people to
comment, you have to tell them the hash keys and the form actions and
the algorithms.  It's a question of effort vs. reward.  Right now, no
one is using this technique so it probably isn't worth it for a
spammer to implement the workaround.  Once the technique begins to
gain widespread acceptance then spammers will adapt very quickly and
the method will be mostly worthless.  So far, everything talked about
in this thread can be got around by a spam bot that navigates like a
real user, scrapes the forms, and submits the appropriate data for
each site.  As computer science problems go, this is trivial.

That's not to say this isn't worth doing.  It IS worth it because it
will reduce your spam *for now*.

The only techniques I can think of that don't look like they can be
hacked by spammers any time soon are: captchas (prove you're human),
hashcash (pay a computing toll), and content filtering (is it ham or
spam).

Captchas are little Turing AI tests that are currently beyond the
capability of known computer algorithms.  Content filtering includes
things like SpamAssassin, Bayesian filtering and their ilk.  I'm
somewhat surprised, actually, that no one has implemented a Bayesian
filtering and training system for comment spam yet (anyone working on
one?).  Hashcash is a method of forcing the client (legitimate and
spammers both) to compute something that requires a non-trivial amount
of work to compute (a couple of seconds) and that can't be faked --
hashcash works by making spam uneconomical rather than preventing it
outright.

--
John
http://flagrantdisregard.com/

On Thu, 28 Oct 2004 11:55:54 -0500, Dennis Williamson
<dennis at netstrata.com> wrote:
> I'm trying to understand these redirect ideas. If you require the referrer
> to be an index.php (from a post display page) either through a random URL
> with mod_rewrite or a random file with a meta refresh and a test in the
> destination comment, can't the spambot just navigate from index.php in the
> same way a legitimate human visitor would? Is it that this technique only
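
The hashcash toll described in the message above, as an added example that is not part of the original post or of WordPress: Node.js code in which the server issues a signed, expiring challenge for a comment form, the client searches for a nonce, and the server verifies with a single hash and rejects replays. The function names, the `SECRET` key, the in-memory `spent` set and the choice of SHA-256 with HMAC are assumptions made for the example; the post ID is assumed to be numeric.

```javascript
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32); // server-side key (constructed for this example)
const spent = new Set();               // challenges already redeemed (replay guard)

// Number of leading zero bits in a digest.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    return bits + Math.clz32(byte) - 24; // clz32 counts over 32 bits; a byte uses the low 8
  }
  return bits;
}

function mac(body) {
  return crypto.createHmac('sha256', SECRET).update(body).digest('hex');
}

// Server: challenge = postId:expiry:random:HMAC, embedded in the comment form.
function issueChallenge(postId, ttlMs = 600000, now = Date.now()) {
  const body = `${postId}:${now + ttlMs}:${crypto.randomBytes(8).toString('hex')}`;
  return `${body}:${mac(body)}`;
}

// Client: brute-force a nonce; expected cost is about 2^bits hashes.
function solve(challenge, bits) {
  for (let nonce = 0; ; nonce++) {
    const h = crypto.createHash('sha256').update(`${challenge}:${nonce}`).digest();
    if (leadingZeroBits(h) >= bits) return nonce;
  }
}

// Server: cheap check of authenticity, binding, expiry, replay, then the work itself.
function verify(challenge, nonce, postId, bits, now = Date.now()) {
  const parts = challenge.split(':');
  if (parts.length !== 4) return false;
  const [id, expiry, rand, tag] = parts;
  const got = Buffer.from(tag);
  const want = Buffer.from(mac(`${id}:${expiry}:${rand}`));
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return false;
  if (id !== String(postId) || now > Number(expiry) || spent.has(challenge)) return false;
  const h = crypto.createHash('sha256').update(`${challenge}:${nonce}`).digest();
  if (leadingZeroBits(h) < bits) return false;
  spent.add(challenge); // each solved challenge buys exactly one comment
  return true;
}
```

A bot that scrapes the form can still run `solve`, which is the point made above: the toll does not block it, it makes every submission cost CPU time that the server can verify with one hash.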


