1 Wait....I was recruiting. What do we do?...Did I miss a memo?

2 If you hadn't already gotten me on a previous drive, I would have succumbed this time.

Although I don't think the spammers are likely to play.  Well, spammer (singular so far) since it's obviously the same IP.

3 Years ago when I was running a site that was getting spammed I used JS to create a hidden form field; the code would silently drop the submission without it.  So far--probably 5 years later--as far as I know it's still effective.  So that it would help trick the spammers, the only thing that didn't happen was the insert into the DB.  Don't know if the spammers are smarter yet, but a simple trick like that might continue to work.

4

J Greely has a trick like that he uses on his site. When you hit the "post" button, some Javascript runs and redirects you somehow. I don't remember the details; the point is that if the Javascript doesn't run, then instead of your comment being posted, you are automatically blacklisted.

Those kinds of things can work pretty well, but only if they're rare and obscure. If they become widespread then the spammers will change their spamming code, and then they don't work any more.

The only thing I know of that does really work and will keep working is captchas, even though everyone hates them. Handled properly, spambots can't fool them.

5 Brickmuppet, I saw your recruitment post and thought I'd pitch in too.

RickC - yeah, I have a hidden form field, and even a decoy form. It helps, but it's not perfect.

Steven - yep, I didn't want to do Javascript tricks in my original deployment, but these days it's probably not going to cause any problems.  If you turn off Javascript, 98% of the web will break anyway.

6 Completely off-topic, but... whatever happened to Trixie's posts?

7 They're in the system, but the far-future dates give it indigestion.

8 My trick is simply to use JS to replace the POST URL for the form. So, anyone grabbing the raw HTML (directly or out of Google's cache) will fail, and my log-scanner sees your attempt to reach that URL and adds your IP address to the firewall's block list for a while. It's quite effective, largely because it's different from what other people use; no one is going to go to the effort of customizing their tools to get past it, because the payoff is too small.

A less-severe alternative would be to have the non-JS version of the form force moderation or extra spam checks. I've been thinking about switching to that method when I upgrade my server, and adding randomization to both the JS and non-JS URLs, so that, say, today /post/43wrdfvk works and /post/tg34grtg fails.

-j

9

My trick worked probably because the site was relatively low volume; I don't think there was much payoff, and we didn't get much spam.

My goal was to get the effect that I wanted with minimum effort, and it worked.  I don't run the site any longer, and I don't bother to read the public-facing forums so I don't know if it is still effective, but I had plans for several other tiers of countering.

10 Pixy, any chance of getting a link to them?  I remember them being quite entertaining.

11 Sure, I'll dig 'em out.