Coding with Jesse

Avoiding Comment Spam with JavaScript

August 16th, 2006

Originally I explained this on the Code Igniter forum, and since others are blogging it, I thought I should bring it here.

I guess I was nervous about sharing my anti-spam techniques on my own blog in case any spam bots are smart enough to read this article and somehow mutate and adapt. We'll see.

For a while, I had no problems with comment spam. Then I started to get a couple. Then one day I got like 50 at once, so I did something "extreme" - I made it so users have to have JavaScript to submit comments. I have a randomly generated spam key in PHP, and then use something like this on the page:

<form id="cform" method="post" style="display:none">
    <!-- Field names are the spam key plus a one-letter suffix -->
    <input id="txtauthor" name="<?= $spam ?>a"/>
    <input id="txtemail" name="<?= $spam ?>e"/>
    <input id="txturl" name="<?= $spam ?>u"/>
    <textarea id="txtbody" name="<?= $spam ?>b" rows="10" cols="40"></textarea>
    <!-- Left empty in the markup; the script below fills in the spam key -->
    <input type="hidden" id="antispam" name="antispam"/>
</form>
<script type="text/javascript">
    // Runs only when JavaScript is enabled: reveal the form and supply the key
    document.getElementById('cform').style.display = 'block';
    document.getElementById('antispam').value = '<?= $spam ?>';
</script>
<noscript>Sorry, you need JavaScript to post comments.</noscript>

So if the spam key is 'xxxx' the author field is 'xxxxa', email 'xxxxe', etc. The spam key is filled using JavaScript. Then on the server side I do this:

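// 'antispam' arrives empty unless the page's script filled it in
if (isset($_POST['antispam']) && is_string($_POST['antispam'])) {
    $antispam = $_POST['antispam'];
    // Look up each field under the spam key prefix; a missing field becomes ''
    $cauthor = isset($_POST[$antispam . 'a']) ? $_POST[$antispam . 'a'] : '';
    $cbody = isset($_POST[$antispam . 'b']) ? $_POST[$antispam . 'b'] : '';
    $cemail = isset($_POST[$antispam . 'e']) ? $_POST[$antispam . 'e'] : '';
    $curl = isset($_POST[$antispam . 'u']) ? $_POST[$antispam . 'u'] : '';
    // Author and body are required; email and URL are optional
    if ($cbody && $cauthor)
        addComment($id, $cemail, $cauthor, $cbody, $curl);
}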

This has majorly cut down on the amount of comment spam I get. I still get the occasional one here and there, but they must all be done by hand instead of with some automated bot.

Unfortunately, this method means that users without JavaScript can't post comments on here. I regret that, but since nobody posts comments on here anyways, I figure it's not such a loss. :) One day, I would like to add some kind of captcha or approval system to allow posting of comments without JavaScript.
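The server-side handler shown above reads the spam key back from the request rather than comparing it with a value the server kept. One way to accept only keys the server issued recently, without storing them, is to derive the key from an HMAC over its issue time. This is an added example, not code from the original post; `SPAM_SECRET`, `SPAM_KEY_TTL`, `makeSpamKey`, `isValidSpamKey` and `readComment` are assumed names.

```php
<?php
// Added example; the constants and function names are assumptions.
const SPAM_SECRET  = 'replace-with-a-long-random-server-side-value';
const SPAM_KEY_TTL = 3600; // seconds a rendered form stays valid

// Key = 'k' + issue time in hex + 'x' + 64 bits of HMAC over that time.
// Lowercase letters and digits only, so it is safe in an attribute and a script string.
function makeSpamKey(int $issued): string {
    $ts = dechex($issued);
    return 'k' . $ts . 'x' . substr(hash_hmac('sha256', $ts, SPAM_SECRET), 0, 16);
}

// True only for a key this server issued within the last SPAM_KEY_TTL seconds.
function isValidSpamKey($key, int $now): bool {
    if (!is_string($key) || !preg_match('/^k([0-9a-f]{1,8})x[0-9a-f]{16}$/', $key, $m)) {
        return false;
    }
    $issued = (int) hexdec($m[1]);
    return hash_equals(makeSpamKey($issued), $key)
        && $issued <= $now && $now - $issued <= SPAM_KEY_TTL;
}

// Returns the comment fields, or null when the key is missing, unknown or stale.
function readComment(array $post, int $now): ?array {
    $key = $post['antispam'] ?? null;
    if (!isValidSpamKey($key, $now)) {
        return null;
    }
    $out = [];
    foreach (['a' => 'author', 'e' => 'email', 'u' => 'url', 'b' => 'body'] as $suffix => $name) {
        $value = $post[$key . $suffix] ?? '';
        $out[$name] = is_string($value) ? trim($value) : '';
    }
    return ($out['author'] !== '' && $out['body'] !== '') ? $out : null;
}

// Constructed sample submissions; the template would call makeSpamKey(time()).
$now   = 1700000000;
$fresh = makeSpamKey($now - 60);    // form rendered a minute ago
$old   = makeSpamKey($now - 7200);  // form rendered two hours ago
$tests = [
    'with JavaScript'    => ['antispam' => $fresh, $fresh . 'a' => 'Ann', $fresh . 'b' => 'Hi'],
    'without JavaScript' => ['antispam' => '',     $fresh . 'a' => 'Ann', $fresh . 'b' => 'Hi'],
    'key not issued'     => ['antispam' => 'k1x0000000000000000', 'k1x0000000000000000a' => 'Ann'],
    'stale key'          => ['antispam' => $old,   $old . 'a' => 'Ann',   $old . 'b' => 'Hi'],
];
foreach ($tests as $label => $post) {
    echo $label, ': ', readComment($post, $now) === null ? 'rejected' : 'accepted', "\n";
}
```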


Comments

1 . donn on January 25th, 2007

Hey,

Thanks for this. I was looking for a solution to my comment spam and your stuff was easy to integrate into my site.

Donn

2 . Anonymus on March 29th, 2008

Why not just use the code at http://javascriptkit.com/script/script2/accept_term.shtml and make the users confirm that they are NOT spamming?

3 . bugstomper on September 12th, 2008

Even simpler, with no server-side stuff required, why not set the action field of the form to a bogus URL such as http://example.com/nospam.html and then have the JavaScript set document.getElementById('cform').action="theRealURL.php"?

That way the spambots don't even try to post to your server, they just waste time on the failed DNS lookup of example.com, and you don't have to check for secret spam fields on your server.

4 . Jesse Skinner on September 13th, 2008

@bugstomper - That is a good idea. However, I have since revamped my solution to build in a very simple CAPTCHA into the form which is pre-populated using JavaScript. This way users with JavaScript disabled are still able to submit comments.

That said, your solution would work very well if the alternate URL was a CAPTCHA page on my own site, an intermediary test where users without scripting could prove that they are human.

5 . vietnamnews on November 2nd, 2008

This JavaScript can still be easily bypassed. I'm still looking for a good way to prevent spammers from automatically and manually spamming my comments. I have a spammer who uses auto-fill form software, and he changes IP every time he posts, even cleans cookies, registers a new nickname every time, and changes the domain or keyword in the comments... I have never seen this kind of man commenting or posting like this. I am using every method suggested by other webmasters (block IP, block keyword, write cookies to track him, block domain, block email, using CAPTCHA, time between posts or comments, registration for making comments, 3 days after registering before posting URLs, at least 3 posts before posting a URL...) but he still works it out :(
The problem is my forums must allow people to post links in their posts in some way...

6 . Big Ted on November 24th, 2008

Hi, great script. Does this version include the CAPTCHA, or are you still working on this?

7 . china wholesale on November 17th, 2010

Nice, I love it.

Comments are closed, but I'd still love to hear your thoughts.