Wednesday 27 June 2007 by sencer

From time to time I get questions asked about spam prevention. As I’ve mentioned in the past, I am open to questions from any plugin developers that need assistance in learning how to make use of the anti-spam plugin-API we have in textpattern.

For users and developers

There is of course the Textbook page on comment-spam which talks about some background and offers a few plugins. There’s also a very basic example plugin, which asks a simple question and checks the answer, available here:
asy_spamexample.phps
asy_spamexample.txt
It works and can easily be adapted for “static” challenges, though its main purpose is to illustrate the use of the API as described in the Textbook page.

For developers

The Textpattern anti-spam plugin-API is very flexible in what it allows you to do. You can manipulate the form by adding input-elements or displaying text or images – and this can be done with default-values as soon as the plugin is installed, with the option of allowing the user to override the defaults by simply placing the appropriate tags in his comment form. You can use the nonce-mechanism of Textpattern’s comment system to select your challenges from either a predefined list of e.g. questions or images, or, via a function, you can create truly random challenges (mathematical questions for example).

Then upon submission, your plugin can check the submitted values for their validity. In simple cases you may check against hardcoded values, or you might call remote APIs like the Akismet-plugin does. Or you could check previously stored comments for clues. Because of the nonce-mechanism you do not have to deal with storing any state (via DB or sessions) between the pageviews: it can be derived from the “secret” that’s stored for each comment-nonce. If there is interest I can post a couple more examples that do such things.

And finally, after checking, your plugin can suggest or enforce a course of action, like reloading the comment-form a number of times before taking further action, or straight up showing a custom error-page. Or maybe accepting the comment and placing it in the moderation queue.
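As an added illustration (not code from this post or from Textpattern), here is a stand-alone sketch of the stateless nonce-derived challenge described above: the math question is derived from the server-side secret behind a comment nonce, so the expected answer can be recomputed on submission without storing the question anywhere. The nonce store, the HMAC derivation and the function names are assumptions for the example, not the Textpattern plugin-API.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the per-comment nonce table: the nonce goes to the
# browser in a hidden field, the secret stays on the server and is never shown.
NONCE_STORE: dict[str, str] = {}


def issue_nonce() -> str:
    """Create a comment nonce and its server-side secret (assumed storage)."""
    nonce = secrets.token_hex(16)
    NONCE_STORE[nonce] = secrets.token_hex(32)
    return nonce


def _operands(secret: str) -> tuple[int, int]:
    """Derive the two operands of the question from the secret alone.

    Because the derivation is deterministic, the form renderer and the
    submission check agree on the question without storing it.
    """
    digest = hmac.new(secret.encode(), b"math-challenge", hashlib.sha256).digest()
    return 1 + digest[0] % 9, 1 + digest[1] % 9


def render_challenge(nonce: str) -> str:
    """Text to place in the comment form next to the answer input."""
    a, b = _operands(NONCE_STORE[nonce])
    return f"What is {a} plus {b}?"


def check_answer(nonce: str, answer: str) -> bool:
    """Re-derive the expected answer from the stored secret and compare.

    An unknown nonce fails, and a nonce is consumed on success so the same
    form submission cannot be replayed against a second comment.
    """
    secret = NONCE_STORE.get(nonce)
    if secret is None:
        return False
    a, b = _operands(secret)
    if not hmac.compare_digest(str(a + b), answer.strip()):
        return False
    NONCE_STORE.pop(nonce, None)
    return True
```

A real plugin would read the nonce from the comment form's hidden field and the answer from the added input, and hand a failed check to whatever action (reload, error page, moderation queue) the site prefers.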

To throw some ideas out there:

  • Check the email against comments in the db with a visibility of 1 and let them through, or otherwise send an email requesting a confirmation (or for bonus points ask the user if he wants to confirm his comment via email before sending it). This obviously works best when commenters’ email-addresses are otherwise hidden.
  • Same as above but with the url-field. And since the url-field is visible, you could integrate an OpenID client and only give the benefit if the url supports OpenID and the commenter can prove his control over that url. Do nothing otherwise.
  • HashCash – add some hidden javascript that needs to be executed by the browser which transforms a challenge into a value that is submitted with the comment. (prior work)

and so on and so on. Given that many other CMSes were hit a lot earlier with large amounts of comment spam, we have the luxury of checking out other people’s efforts and porting that which works acceptably, or that which yields a good benefit/cost ratio in terms of development, maintenance and usage. Of course there is no silver bullet that will solve the issue once and for all; anybody who tells you otherwise is likely selling you snake oil. But the problem can be made manageable, specifically to your preferences and the kind of trade-offs you’re willing to make or not make.

If anybody runs into hurdles implementing any anti-spam ideas, I’ll try to help and I’m open to suggestions in extending the anti-spam API. But you have to ask, otherwise we won’t know about what you need. ;)

I’ve always found the txp-plugins list the ideal place for these discussions. So I’d point to there for discussions and questions you might have.
http://lists.textpattern.com/mailman/listinfo/txp-plugins
It’s the easiest to manage and follow, and it doesn’t get lost between support/troubleshooting and other topics that come up on the forum.