A slight deviation for this blog into geekville…
Any website that allows people to make comments on it will suffer a problem with junk messages being posted by spammers seeking to promote their various snakeoils and potions.
If you use WordPress (as this website does), then the Akismet service will check if an incoming message is spam or not, and file it appropriately – but that doesn’t stop the flood of spam arriving.
As any spam filter will have false positives, I have to manually check the spam filter for messages that shouldn’t be there, and with hundreds of spams per day, I wanted a method to kill off the flood.
The technique I have been testing for a few weeks is below, and it seems to kill 99% of spam dead in its tracks.
For now at least.
A spambot loads the webpage and then looks for comment forms. The spambot doesn’t really care where or what the forms are, they just fire junk at anything.
So, when the spambot loads the webpage, it is hunting through the HTML source code for a <form> tag. Or more technically, most of the ones I have looked at seem to use an off-the-shelf php class that converts the HTML into an easily searchable array.
Having found the <form> they find its action variable, and then look up each of the comment fields. Now the spambot knows what fields need filling in (email, name, website, comments) and which URL to send the junk to (action value) and off they go merrily spamming away.
The technique I use is to break up the form tag in such a manner as to make it impossible for the usual php classes to detect it.
Sorry, this cannot be done as a simple plug-in, you need to manually edit the source code of your blog.
Log into your webserver by your preferred method (sFTP etc) and you need to locate wp-includes folder and open/edit the comment-template.php file.
Almost at the very bottom of file, locate the following bit of text:
<form action=”<?php echo site_url( ‘/wp-comments-post.php’ ); ?>” method=”post” id=”<?php echo esc_attr( $args['id_form'] ); ?>”>
Now replace it with the following:
document.write(‘<form ac’+'tion=”<?php echo site_url( ‘/wp-comments-post.php’ ); ?>” method=”post” ‘+’id=”<?php echo esc_attr( $args['id_form'] ); ?>”>’);
Save the edited file and also if necessary clear your WordPress cache if you have that plug-in installed.
That’s it – job done.
….in technical terms, the action=”url” component of the <form> tag no longer exists as a single piece of text in the source code – so your standard off-the-shelf php classes can’t detect it.
I’ve tested the change on this blog for over a month without complaints, and also asked a lot of people on Twitter try a test page and see if they had any problems. None reported.
Two issues – because this is not a plug-in, when WordPress does an upgrade, it will occasionally overwrite your modified comment-template.php file. Just look for a flood of spam after a WP update – and you’ll know to look this blog post up again.
The other issue is that this solution to the problem is only temporary for if it becomes popular, then the spammers have an incentive to rewrite their spambots to get around the problem. However, any write-around would probably be slower in terms of their server processor time, leading to either fewer spam messages overall per spammer or them spending more money on extra servers to maintain the flood – and eventually that becomes uneconomical.
The war against spam will never be won, but this is one skirmish where the blogger has a temporary victory.