I'm sure everyone has noticed that my blog posting has dramatically fallen off from the rate I was getting articles out. Unfortunately, I've been spending my blog time fighting the endless war against spam. I've made some progress there and thought I would share some details that others might find useful.
As I've covered previously, this blog now requires me to approve all comments. I'm super happy with this decision. I approve posts promptly, so there's pretty much no downside for users and this means you have not seen a single spam message on this site since I made the change. This was literally the perfect solution… on the viewer's side of the fence.
What it didn't fix was the hassle on my side. I don't mind approving messages at all, as long as I have a reasonable pile to go through. However, the spammers really ramped up their efforts against me lately and this blog received 11,134 comment posts in the month of November alone. Six of those were legitimate comments. That exceeds my definition of reasonable.
To fight back, I've added a new plugin to this blog I call Browser CAPTCHA.
If you've read this blog closely enough to know how much I hate CAPTCHAs, that name probably surprises you. It's true that I believe CAPTCHAs are pure evil. If you feel the need to control what makes it past the server and you think, "I'll screw up my interface to make a human prove they are a human," then I think you may have a problem with your brain being missing. I swear I always need three shots just to get past a Google CAPTCHA and that's the "Do No Evil" company. Whatever you do, don't get desperate and hit the hearing-impaired CAPTCHA button, because that has to be the only thing worse than a normal CAPTCHA. I'm sure the suicide rates for people with vision impairments must be on the rise in this era of site security.
Browser CAPTCHA doesn't do any of that. Instead, I took a page out of Sun Tzu's The Art of War and got to know my enemy a bit better. Spam bots are not browsers and they do some things differently. If you can detect those differences, you know you are not dealing with a human. Thus my plugin screws up the interface for your browser. If it can pass the test, I trust the post.
What are some differences between browsers and spam bots? Here's a list shared with me from Allan Odgaard:
- Spam bots don't typically pay attention to cookies. This turns out to be a handy performance detail, since you can use mod_rewrite to redirect incoming requests to certain URLs if they are missing a magic cookie before they even reach your application.
- Spam bots don't correctly handle redirects for POST requests. You can use this to add another layer of protection.
The current version of Browser CAPTCHA uses these combined factors to test browsers when they try to post a comment. There are other differences my friends have made me aware of, but I haven't employed them yet.
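To make the two checks concrete, here is an added example (my own sketch, not the Browser CAPTCHA plugin's code) that models them as a tiny comment endpoint: a token cookie is issued with the form, the POST is parked and answered with a 303 redirect, and the comment is only published when the client follows that redirect with the same cookie. The cookie name and confirmation URL are assumed, and the example goes one step beyond the post by showing that a bot which keeps cookies but ignores the redirect still never gets published.

```python
import secrets

COOKIE_NAME = "browser_captcha"    # assumed cookie name, not the plugin's own
CONFIRM_URL = "/comments/confirm"  # assumed confirmation URL

class BrowserCaptcha:
    """Publish a comment only if the client (1) sends back the cookie issued
    with the form and (2) follows the 303 redirect returned by the POST."""

    def __init__(self):
        self.issued = set()    # cookie tokens handed out with the comment form
        self.pending = {}      # token -> comment text waiting for confirmation
        self.accepted = []     # comments that passed both checks

    def serve_form(self):
        token = secrets.token_hex(16)
        self.issued.add(token)
        return {"status": 200, "set_cookie": {COOKIE_NAME: token}}

    def post_comment(self, cookies, text):
        token = cookies.get(COOKIE_NAME)
        if token not in self.issued:
            return {"status": 403}  # no magic cookie: reject before doing any work
        self.pending[token] = text  # park the comment; nothing is published yet
        return {"status": 303, "location": CONFIRM_URL}

    def confirm(self, cookies):
        text = self.pending.pop(cookies.get(COOKIE_NAME), None)
        if text is None:
            return {"status": 403}  # nothing parked for this cookie
        self.issued.discard(cookies[COOKIE_NAME])  # token is single-use
        self.accepted.append(text)
        return {"status": 200}

def browser_submits(app, text):
    """A real browser: keeps cookies and follows the redirect after the POST."""
    jar = {}
    jar.update(app.serve_form()["set_cookie"])
    resp = app.post_comment(jar, text)
    if resp["status"] == 303:
        resp = app.confirm(jar)
    return resp["status"]

def bot_submits(app, text, keep_cookies=False):
    """A spam bot: may load the form, but drops cookies and never follows redirects."""
    jar = dict(app.serve_form()["set_cookie"]) if keep_cookies else {}
    return app.post_comment(jar, text)["status"]
```

In a real deployment the `issued` and `pending` tables would need an expiry so abandoned submissions do not pile up, and the cookie check could equally live in front of the application, as the post notes.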
How's this working out? I've had seven spam posts since I made the change a little over two full days ago. They all came in together and I could tell it was a human investigating the changes I had made. If that's the worst thing I have to worry about now, it's a huge improvement. We will see how things go, but I definitely recommend similar strategies to others fighting in the war…