Blocking comment spam without using captcha

Question

What are some non-captcha methods for blocking spam on my comments?

Answer 1

In my experience the currently most effective methods are honeypot input fields that are made invisible to users via CSS (best use several different methods, such as visibility:hidden, setting a size of 0 pixels, and absolute positioning far outside the browser window); if they're filled anyway you can assume it's a spambot.

This blog describes a rather complex method that I've tried out myself (with 100% success so far), but I suspect that you could get the same result by skipping all the stuff with hashed field names and just add some simple honeypot fields.

Answer 2

1) Adding session-related information into the form Example:

<input type="hidden" name="sh" value="<?php echo dechex(crc32(session_id())); ?>" />

then at postback, check whether session is valid or not.

2) Javascript-only. Use Javascript injection at Submission. Example:

<input type="hidden" id="txtKey" name="key" value="" />
<input type="submit" value="Go" onclick="document.getElementById('txtKey').value = '<?php echo dechex(crc32(session_id())) ?>';" />

3) Time-limit per IP, User or Session. this is quite straightforward.

4) Randomizing field names:

<?php
   $fieldkey = dechex(crc32(mt_rand().dechex(crc32(time()))));
   $_SESSION['fieldkey'] = $fieldkey;
?>
<input type="text" name="name<?php echo $fieldkey; ?>" value="" />
<input type="text" name="address<?php echo $fieldkey; ?>" value="" />   

Then you can check it over at the server side.

Answer 3

Akismet has an API. Someone wrote a wrapper class (BSD liscense) for it over at: http://cesars.users.phpclasses.org/browse/package/4401.html

There's also a Bayesian filter class (BSD Liscense as well) http://cesars.users.phpclasses.org/browse/package/4236.html

Answer 4

This is simple trick to block spam bot or brute force attack without using captcha.

Put this in your form:

<input type="hidden" name="hash" value="<?php echo md5($secret_key.time()).','.time(); ?>" />

Put this in your php code

$human_typing_time = 5;/** page load (1s) + submit (1s) + typing time (3s) */
$vars = explode(',', $_POST['hash']);
if(md5($secret_key.$vars[1]) != $vars[0] || time() < $var[1] + $human_typing_time){
    //bot?
    exit();
} 

Depend on weight of form you can increase or decrease $human_typing_time.

Answer 5

Naive Beyesian filters, of course:

http://blog.liip.ch/archive/2005/03/30/php-naive-bayesian-filter.html

Answer 6

There is the Honey Pot Theory as well. I enjoy coupling honey pots with other forms of spam reduction for best results.

http://www.projecthoneypot.org/

Answer 7

Another common approach is to give the user a simple question ("is fire hot or cold?" "what is 2 plus 7?" etc.). It is a little captcha-like, but it is more accessible to users with vision disabilities using screen readers. I think there must be a WordPress plugin that does this, because I see it very frequently on WordPress blogs.

Answer 8

As lot of people already proposed : use a honey pot input field. But there are two other things you need to do. First, randomize the name / id of which input field is the honey pot. Store the state of usefull fields in session (as well as a form token, used against CSRF attacks). For exampe, you have these fields to get : name, email, message. In your form, you will have "token" which is your token, "jzefkl46" which is name for this form, "ofdizhae" for email, "45sd4s2" for message and "fgdfg5qsd4" for honey pot. In the user session, you can have something like

array("forms" => array("your-token-value" => array("jzefkl46" => "name",
                                                   "ofdizhae" => "email",
                                                   "45sd4s2" => "message",
                                                   "fgdfg5qsd4" => honey"));

You just have to re-associate it back when you get your form data.

Second thing, as the robot has lot of chances to avoid your honey pot field (25% chances), multiply the number of pots. With 10 or 20 of them, you add difficulty to the bots while not having too much overhead in your html.

Answer 9

Sblam! is an open-source filter similar to Akismet.

It uses naive bayesian filtering, checks sender's IP and links in multiple distributed blacklists, checks correctness of HTTP requests, and uses presence of JS as a hint (but not requirement).

Answer 10

Regular CAPTCHAs are spam-bot solvable now.

Consider instead "text CAPTCHAs" : a logic or common knowledge question, like "What's 1 + 1 ?" or "What color is General Custard's white horse?" The question can even be static (same question for every try).

(Taken from http://matthewhutchinson.net/2010/4/21/actsastextcaptcha )

I think Jeff Atwood even uses a validation like this on his blog. (Correct me if I'm wrong)

Some resources:

• Text Captcha site & services : http://textcaptcha.com/demo
• A plugin : http://matthewhutchinson.net/2010/4/21/actsastextcaptcha
• More about text Captcha's with non-working code : http://www.thesamet.com/blog/2006/12/21/fighting-spam-on-phpbb-forums/

Answer 11

Disallow links. Without links, spam is useless.

[EDIT] As a middle way, only allow links to "good" sites (usually your own). There are only a handful of them, so you can either add them at the request of your users or hold a comment until you verified the link. When it's good, add it.

After a while, you can turn this off and automatically reject comments with links and wait for users to complain.

Answer 12

You could try looking at using a third party like Akismet. API keys are free for personal use. Also, The Zend Framework has a package for this.

Answer 13

Most bots simply fill out the whole form and send it to you. A simple trick that works is to create a normal field that you usually hide with the aid of javascript. On the server side just check whether this field has been filled. If so -- then it is spam for sure.

Answer 14

I have reduced about 99% of spam on my website through a simple mathematical question like the following:

What is 2+4 [TextBox]

The user will be able to submit the question/comment if they answer "6".

Works for me and similar solution works for Jeff Atwood from Coding Horror!

Answer 15

On my blog, I have a kind of compromise captcha: I only use a captcha if the post contains a link. I also use a honeypot input field. So far, this has been nearly 100% effective. Every now and then there will be a spammer that submits something to every form which contains no links (usually something like "nice site!"). I can only assume that these people think I will e-mail them to find out who they are (using the e-mail address that only I see).

Answer 16

along with using honey pot fields, we can ban there IP automatically (which don't work for dynamic IPs) and especially any links posted back by bots.

Answer 17

Akismet is a good alternative, they check your posts for spam and works very efficiently. You just need to load their librabry. http://akismet.com/development/

Answer 18

checkout some wp antispam plugins for examples and ideas

there're many nice antispam without using captcha.

some i'd recommend: hashcash, nospamnx, typepad antispam. all these using different methods blocking spam and i use them all. hashcash+nospamnx block almost all spambot. and typepad antispam block most human typed spam.

these are also good ones: spambam, wp-spamfree, anti-captcha, bad-behaviour, httpbl, etc

also with simple .htaccess that block any bot direct POST that do not come from your own site (check referer)

or, simply outsource your comment system to disqus and sleep tight.