[thelist] Dealing with "feel good" comment spam

Brooking, John John.Brooking at sappi.com
Tue Jul 5 09:35:19 CDT 2005


Mark Groen wrote:
> Six Apart has a good article on Comment Spam; what it is 
> and how to combat it:
>
> http://www.sixapart.com/pronet/comment_spam

Good article, thanks for the link.

Do people think the following technique would be useful also? Every time
your server issues the comment submission form, include a hidden field
with a randomly generated value. This value would be recorded on the
server, and would represent a limited-time "pass" to make one posting.
Once a posting is made, the pass is no longer valid, and it would also
expire within a certain time period if unused. For extra security, make
the field NAME random as well as the value.

As I was typing that, I thought of the spammer work-around: Just write a
script to repeatedly request the comment submission form, so as to get
the value to incorporate in the comment submission. The only way I see
to mitigate this is some form of throttling, which is already one of the
solutions suggested in that article. However, perhaps the technique is
useful in at least making the spammer work harder. Plus, making each
submission require a prior form request would limit by half the number
of attacks possible in the same time period. OTOH, it would also tie up
your server with fulfilling those form requests, as well as recording
all the token values it is handing out. So maybe that's too much of a
downside?

- John
-- 
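As an added example that is not part of the original message or the Six Apart article it cites, here is a small Python implementation of the one-time "pass" John describes: each served form gets a random hidden field name and value, the pass is spent on first use, it expires if unused, and a per-client cap on outstanding passes supplies the throttling he says is needed against scripted form fetching. The `cp_` prefix, the 600-second lifetime and the cap of three are assumed values.

```python
import secrets
import time


class CommentPassStore:
    """Server-side ledger of one-time, expiring passes for a comment form.

    Assumptions (not from the original post): hidden field names carry a
    'cp_' prefix, a pass lives ttl seconds if unused, and each client may
    hold at most max_outstanding unredeemed passes at once (the throttle).
    """

    def __init__(self, ttl=600, max_outstanding=3, clock=time.time):
        self.ttl = ttl
        self.max_outstanding = max_outstanding
        self.clock = clock  # injectable so expiry can be exercised in tests
        self._passes = {}  # field name -> (value, expiry, client)

    def _purge(self):
        """Drop passes whose unused lifetime has run out."""
        now = self.clock()
        for name in [n for n, (_, exp, _) in self._passes.items() if exp <= now]:
            del self._passes[name]

    def issue(self, client):
        """Mint a random field name and value to embed in the form served to client.

        Returns None when the client already holds max_outstanding live passes,
        so a script hammering the form endpoint cannot stockpile tokens.
        """
        self._purge()
        held = sum(1 for (_, _, c) in self._passes.values() if c == client)
        if held >= self.max_outstanding:
            return None
        name = "cp_" + secrets.token_hex(8)
        value = secrets.token_urlsafe(24)
        self._passes[name] = (value, self.clock() + self.ttl, client)
        return name, value

    def redeem(self, form_fields):
        """Spend the pass carried in a submitted form; True at most once per pass."""
        self._purge()
        for name, submitted in form_fields.items():
            record = self._passes.get(name)
            if record is None:
                continue  # not a pass field, or already spent/expired
            # Constant-time compare; a wrong value leaves the pass intact.
            if secrets.compare_digest(str(submitted).encode(), record[0].encode()):
                del self._passes[name]  # spent: replaying the same form now fails
                return True
        return False
```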