After getting far too much comment spam during the last few days, I decided to introduce hopefully effective spam countermeasures to my blog. But at the same time, I wanted the users to lose as little comfort as possible. So I tried to avoid "captchas" as they terrificly infringe accessibility.
Therefore, I tried to find a script being totally out of the visitor's sight, and I did:
Today, I patched the original wordpress hashcash plugin which introduces a really effective way of spam protection: Once someone opens a blog entry, the plugin creates an individual comment key. After pressing the "submit" key, the visitor's browser computes a new value out of the initial key (through a javascript function) and submits this value back to the server. <!--more--> So far so good: As spambots usually don't support javascript, the spam check fails and the comment is not allowed.
But I was forced to modify the original script in some points (if you don't want to read about the modifications but only download the patch, see below):
1. Comment moderation
Usually, the script simply die()
s when the spam check fails. I don't liked this behaviour as I don't expect everyone to have JavaScript enabled. Generally spoken, I also want to have comments from Lynx users!
So I introduced the possibility to have the comments moderated that don't pass the spam test and made this the default.
2. Remote IP vs. session ID
When testing, I realized that any of my comments failed the spam test whereas my brother Jean Pierre didn't have any problems at all. The problem seemed to lie in my computer setup. I found out that the proxy server structure I use to access the internet impacts the IP address seen by the spam script - and thus, a different IP was used for the initial generation of the spam key and the later spam check. Oops. So I made it possible to choose between the remote IP and the session ID as the "key seed" and made the latter the default. Everything works flawlessly now. (Unfortunately, people are supposed to have cookies enabled in their browser, then. If they have not, the comments are moderated automagically (see above), so don't worry ;) ).
I made the modifications to the wp hashcash trunk from Jan 15th, 2005.
If you've already installed the plugin and want to patch it, get the diff file here. Or download the modified version of wp hashcash 1.5 and follow the installation instructions with my PHP file instead.
Happy spam fighting! ;)
P.S.: I will submit my patch to the original development branch. Let's see if it's included soon.