[wp-hackers] New(?) anti-spam technique
Mark Jaquith
mark.wordpress at txfx.net
Thu Oct 21 19:48:47 UTC 2004
John Watson wrote:
>Then it occurred to me that one way to tell humans from bots is that
>humans are much slower. This is what I came up with:
>
>- When a client hits the comment form, start a timer. Start a unique
>timer for each client (by IP address or some other method).
>- When the client posts the form, check the timer. If the time elapsed
>is less than 3 seconds or more than 5 minutes (the "window"), moderate
>the comment.
>- Delete the timer.
>
Good idea! But the main thing throttling the comments here is the 3
seconds variable. I think that's way too low. How many humans are
posting a comment 3 seconds after loading the entry? Even if their
posting info is already saved in a cookie, 3 seconds is fairly slow.
I think you could move that 3 seconds up to at least 10 seconds.
Sure, once in a while, someone is going to want to post a quick "Agreed!
Good post!" comment, but one way you could help them out is to use
javascript. Start a JS timer when they load the page, and make an
onClick() for the comment submit button. If it hasn't been long enough,
pop up an alert that says "In order to prevent spam, I require
commenters to wait X seconds before posting a comment. You may post a
comment in (X-elapsed) seconds."
Alternatively, you could "grey out" the comment submit button when the
JS timer starts, and then make it clickable after X seconds. Anyone
without JS support would just see the normal button.
As for whether to use IP-based or cookie-based tracking, I think
IP-based would be more reliable. More people have cookies disabled than
have IP addresses that are changing every few minutes. You could always
use both methods, of course. I wonder how many spam bots accept cookies
and pay attention to them...
The only thing that might cause trouble for humans is the upper time
limit. Some posts are long, and people read the comments before leaving
a comment themselves. Also, some people load an entry and leave it for
quite some time before commenting.
I think the initial comment posting delay would do the most to
cripple spammers, as it would require them to hit up a number of
entries, and then require them to come back later with the same IP.
Remember, there really isn't a perfect way of completely squashing
spam. We're just trying to make it a hassle for them, while keeping it
hassle-free for humans.
Tara Star wrote:
> Another good way to slow not-so-subtle spammers who post from the same
> IP address is to set a minimum delay between two comments from the
> same IP to, say, 5 minutes or something.
This already exists, although the delay is currently set at 10 seconds:
// Simple flood-protection: look up the most recent comment from this IP
$lasttime = $wpdb->get_var("SELECT comment_date FROM $wpdb->comments WHERE comment_author_IP = '$user_ip' ORDER BY comment_date DESC LIMIT 1");
if (!empty($lasttime)) {
    // Convert both MySQL datetimes to Unix timestamps and compare the gap
    $time_lastcomment = mysql2date('U', $lasttime);
    $time_newcomment = mysql2date('U', $now);
    if (($time_newcomment - $time_lastcomment) < 10)
        die( __('Sorry, you can only post a new comment once every 10 seconds. Slow down cowboy.') );
}
I think that could be boosted to 30 seconds. Higher values would be
annoying, as some people comment on multiple entries in (relatively)
rapid succession.
Some good ideas here. And now that the comment_post() hook has been
moved, we can do all this and moderate the comment without generating a
"comment posted" e-mail to the author.
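As an added illustration of the scheme discussed in this thread (not code from the posters or from WordPress itself), here is the load-to-post timing window and the per-IP flood gap written as self-contained PHP, using the thresholds Mark suggests: 10 seconds lower bound, 5 minutes upper bound, 30 seconds between comments from one address. It keys the timer by IP address as the original proposal does, which means clients behind one NAT share a timer. The in-memory arrays, the `start_comment_timer`/`classify_comment` helpers and the sample timestamps are assumptions standing in for whatever a plugin would persist in the database.

```php
<?php
// Added example, not WordPress code: timing-window check for comment posts.
// Assumption: timers and last-post times live in PHP arrays passed by
// reference; a real implementation would store them in the database.

const MIN_ELAPSED = 10;   // seconds after loading the form before a post looks human
const MAX_ELAPSED = 300;  // 5 minutes; longer than this and the comment is moderated
const FLOOD_GAP   = 30;   // minimum seconds between two comments from the same IP

// Called when a client fetches the comment form: start (or restart) its timer.
function start_comment_timer(array &$timers, string $ip, int $now): void {
    $timers[$ip] = $now;
}

// Called when the form is posted. Returns 'flood' (reject outright),
// 'moderate' (hold for review) or 'approve'. The timer is deleted on every
// post, so one page load cannot be reused for several submissions.
function classify_comment(array &$timers, array &$last_post, string $ip, int $now): string {
    // Flood protection first, as in wp-comments-post.php but with a 30 s gap
    if (isset($last_post[$ip]) && ($now - $last_post[$ip]) < FLOOD_GAP) {
        return 'flood';
    }

    $loaded = $timers[$ip] ?? null;
    unset($timers[$ip]);
    $last_post[$ip] = $now;

    if ($loaded === null) {
        return 'moderate';          // posted without ever loading the form
    }
    $elapsed = $now - $loaded;
    if ($elapsed < MIN_ELAPSED || $elapsed > MAX_ELAPSED) {
        return 'moderate';          // too fast for a human, or a page left open too long
    }
    return 'approve';
}

// Constructed walk-through with fixed Unix timestamps and documentation IPs.
$timers    = [];
$last_post = [];
$t0 = 1098380000;

start_comment_timer($timers, '192.0.2.10', $t0);
echo classify_comment($timers, $last_post, '192.0.2.10', $t0 + 2), "\n";    // 2 s after load

start_comment_timer($timers, '192.0.2.20', $t0);
echo classify_comment($timers, $last_post, '192.0.2.20', $t0 + 45), "\n";   // 45 s after load

echo classify_comment($timers, $last_post, '192.0.2.20', $t0 + 60), "\n";   // 15 s after the previous post

start_comment_timer($timers, '192.0.2.30', $t0);
echo classify_comment($timers, $last_post, '192.0.2.30', $t0 + 600), "\n";  // page left open 10 min

echo classify_comment($timers, $last_post, '192.0.2.40', $t0 + 100), "\n";  // never loaded the form
```

Run it with `php example.php`; each line printed is the classification for the scenario in the trailing comment. Consuming the timer before deciding is the point: a bot that loads once and posts many times gets a timer only for its first post, and every later one lands in moderation or trips the flood gap.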