Spam epiphany
Published June 4th, 2014 under General
I had an epiphany whilst out running this evening.
You can use “sporting methods” (a term coined by Otto) to block comment spam; things like cookie and JavaScript validation fit into this category. These features are available in my Spam Destroyer plugin and are adequate for most websites.
However, sites which are hit with serious spam problems still require CAPTCHAs to properly block spam attacks. The “sporting methods” are able to block 99.9% of the attacks, but the remaining 0.1% manage to bypass them, probably because they’re using something like PhantomJS to process the page. Properly rendering a page costs the spammers a lot of money because it requires substantially more processing power than just sending off POST requests, but some sites are deemed worthy of this treatment, and it is those sites which require extra protection. CAPTCHAs raise the required processing power substantially again, because cracking a CAPTCHA is non-trivial, so they are usually an effective solution.
My epiphany whilst running was that we could simply increase the amount of processing power required to submit a comment by forcing the browser to do a calculation every time the page is loaded, rather than requiring the end-user to solve a CAPTCHA. I’m envisaging a page which loads, but sits there in the background hashing a string a few thousand times before adding the result to an input field ready for sending back to the server. This would require JavaScript to be running in the browser, but could offer a substantial upgrade in spam protection without affecting 99.9% of users visiting the page. Their browser would need to do some extra calculation, but as long as it wasn’t too extreme, even the slowest devices would only take a few seconds to complete it, and this would hopefully be enough to cost the spammers too much processing time to be worth their effort.
Do you folks think this is a good idea or bad idea? Have you heard of this being implemented elsewhere before? If it’s deemed a good idea, I’ll probably implement something like this into the Spam Destroyer plugin in future.
Ideas based on Feedback from Twitter
Andrey Savchenko pointed out that running JS in this way could cause the page to lag. It could be set to load later, after the important things have already loaded, but we don’t have a reliable way to determine when the page has fully rendered.
A solution to this problem could be to trigger the calculation on clicking the submit button. So instead of immediately submitting the form, a box could pop up, or another page could be loaded, which did the calculation then. A timer could be added, and if the calculation took too long, a CAPTCHA could be served instead (useful for devices which are not able to handle complex calculations).
Daan Kortenbach says:
You could start the calculation when the commenter starts filling in the form. I’m sure it takes any commenter more than a few seconds to fill in any form. You could even add a timer to the form, enabling and only accepting submits after a set number of seconds.
June 5, 2014 at 7:44 am
Ryan Hellyer says:
That sounds like an excellent idea.
June 5, 2014 at 7:51 am
Lotus says:
How about showing a CAPTCHA only to readers that are commenting for the first time on your blog?
If I leave you a comment, and I have never done this before, I will see a CAPTCHA. If I am not able to solve it, my comment is deleted (not moved into spam list, also this can be made an option).
If I solve the CAPTCHA test and then you approve my comment, next time I want to leave you a comment, I will see no code. Ever.
This way, readers are not stressed with solving difficult tests (except for the first time they comment), bots don’t pass and you never have to check your spam list again. And yes, Akismet becomes useless. Since, in fact, it kinda is.
There is, up to my knowledge, only one plugin that does this, it is called Conditional Captcha for WordPress. But I would like to see more such plugins, since I think the idea is valuable.
July 10, 2014 at 5:50 pm
Ryan Hellyer says:
I’m running a test version of the Spam Destroyer plugin on this blog, which implements a CAPTCHA if all other tests fail. This would allow for situations in which the calculation wasn’t completed, so that the user would only face a CAPTCHA, rather than their comment failing to post.
I don’t like the idea of prompting users for a CAPTCHA by default though. That seems overly drastic, unless all other systems fail.
July 10, 2014 at 6:10 pm
Ryan Hellyer says:
Ironically, I just triggered the CAPTCHA right now 😛
July 10, 2014 at 6:11 pm
Lotus says:
Well, my idea is about prompting for captcha only if they never commented here before. But I see your point.
Does your plugin allow trackbacks/pingbacks? Some time ago I had on my blog something called “invisible captcha”, it never bothered real users, no captcha was displayed, and bots never passed. However, trackbacks/pingbacks were also filtered.
July 11, 2014 at 11:14 am
Ryan Hellyer says:
A huge number of commenters are first timers.
The Spam Destroyer plugin does filter trackbacks and pingbacks by checking that your post is actually mentioned in the post. I’m also implementing a check for spammy words in the trackback/pingback pages too in the newer version.
July 11, 2014 at 11:37 am
Miroslav Glavic says:
There is one problem with triggering captcha/skill testing math question/putting the tie with the suit/etc… if the commenter takes too long.
People with certain disabilities, people who didn’t grow up with a computer or just slow typers.
What about turning on registration? I would have to login with my twitter/facebook/instagram/whatever else.
Also include that first time commenters are put in moderation.
August 16, 2014 at 9:43 pm
Ryan Hellyer says:
You can get spam even with Twitter registration. That is a useful extra layer of protection though.
August 16, 2014 at 10:28 pm