3 replies to this topic

[TheAlex]

I want to make it as easy as possible for people to add comments to pages on my website. As I'm (PHP) coding everything else myself, I was going to code the comment form too, so I have control over everything. But this might result in a greater spam problem (especially considering I'm learning PHP as I go along).

Would it be better to use a service such as Disqus (the free version)? Is it only techy people that register on/trust these things? I've noticed that Disqus goes down sometimes but it generally seems to be well received. Are there other systems that are worth looking into? I've seen IntenseDebate and Livefyre mentioned. I'd ideally want to keep a backup of my comments (assuming I get any!) if anything happened to one of these services.

Is there a setting on Disqus that enables people to leave a comment without registering with anything?

In your experience what format makes it easiest for you to leave a response on another website?

Thanks. :-)

[jonbey]

I moved my site to Wordpress mostly to allow easy commenting. I require no sign in, but have full moderation in place with an anti-spam tick box. Seems to work pretty nicely.

[glyn]

Just about every tool on the planet that is used to spam blogs can be circumvented with a very simple procedure. Typically what will happen is that a bot will look for common field values and variables which it will use as hooks and then post data based on these hooks. So, for example, if one were to automate the posting of comments into a blog a bot might look for presence of the field <name="comment">.

If you want to stop scraper or any other kind of bot you need to take away the identifiers that they use to hang onto.

So, for blogs or any other kind of field based submission you need to be randomizing their values and types through a sufficiently high enough number of permetations as to make bruteforcing the comment completely pointless. Otherwise you still leave the door open for a bot to rotate through the "random" field values until it gets a hit. You could easily mitigate this by incorporating a flood control from the IP, but then this could easily be overcome with proxy rotation.

Another way is to incorporate a hidden field into the submission form that software that is not being run inside a browser will not be able to send. In this way you remove all of those apps, but not those that are browser based.

It's really that simple.

And sorry but I don't know a plugin that does that for WP.

On a lighter note, any small bit of personalization you can give to your system, as jon has suggested gives you a huge advantage.

G.

Edited by glyn, 22 January 2013 - 02:48 PM.

[jonbey]

GASP works very well on Wordpress. Since installing it Akismet has had very little to worry about. I used to have about thousands pf spam comments at any one time on my blog (they auto delete after 30 days, so over hundreds a day from bots). I just looked for the first time in ages, and there are 21 comments that got past the GASP but were blocked by Akismet. Not seen any real spam in my moderation queue for a long time (apart from some trackback spam, which is also fully moderated).

GASP is very simple and it works, which is rather unusual. And if some spammer did make a bot to bypass it (not happened in the time I have been using it) you can simply change the checkbox name.