[wp-hackers] Another anti-spam technique
Owen Winkler
ringmaster at midnightcircus.com
Thu Oct 28 13:22:19 UTC 2004
Ok, I have a couple of new-ish ideas... The first uses Javascript, but
be patient with it.
Add an onclick to the comment form submit button that calls a javascript
function, say, validate_comment().
Inside validate_comment(), code will take the post ID (inserted into the
client-side script by PHP) and a site-unique hash (also inserted by PHP)
and build a new hash (in client-side javascript). This hash is appended
as a querystring to the form's action.
If the hash exists and is verified by the wp-comments-post.php, it is
approved. If the hash does not exist or is incorrect, the comment is
moderated.
If a user has javascript off (who does this these days?), then the
comment is not lost, but is only moderated.
Thoughts?
Next idea: Move the wp-comments-post.php page.
Assuming that mod_rewrite is enabled, first create a rule that makes it
impossible to access wp-comments-post.php directly, instead returning a
403. Then, create a rule that redirects a randomly generated URL to
wp-comments-post.php. Change the comment posting page so that it uses a
PHP function in the form action to insert the appropriate redirected URL.
If mod_rewrite is not enabled, or a config option for this is off, then
the rules wouldn't exist and the post page would function as normal.
The logic behind this rule is that automated systems may simply submit
to wp-comments-post.php without looking at the post page for the form
action. At the very least, it forces the spam tools to parse the page.
It might be possible to implement this with a plugin, since the rewrite
code can be hooked.
Thoughts?
Also, has anyone received comment spam that did not have the "HTTP_VIA"
header? I have configured WordPress to send a complete set of server
variables ($_SERVER[]) in every admin comment notification email so that
I can examine these. Every spam I've received has had this header,
indicating that a proxy was used to submit the comment.
Needless to say, my comment spam filtering system now automatically
moderates any submitted comment with the HTTP_VIA header present.
Owen