Spam protection in comments module #85

Closed
arjan opened this Issue Sep 5, 2011 · 3 comments

arjan commented Sep 5, 2011

From http://code.google.com/p/zotonic/issues/detail?id=80

The comments module does not currently have any form of spam protection.
This is no longer a nice-to-have feature but an absolute must.

arjan commented Sep 5, 2011

Currently comments are posted through an API; the post is done using JavaScript.

There are three possible protection scenarios:

  1. make sure that the form is submitted from the current page/session.
  2. add simple captcha/tripwires/etc to make sure that a human is posting it
  3. filter submitted messages through a spam filter

Not all three strategies need to be deployed. For example, I don't like to fill in captchas, as they get in the
way of adding content to a site. So I prefer other means of protection against machines.

For (1) we can make a CSRF protection by mixing some id into the postback message.

For (2) we can have a combined strategy of tripwires (for example false non-user-viewable input elements
that mimic a WordPress comment form) and maybe a simple captcha implementation (note that quite a lot of
captchas are already broken, so this only gives limited protection).

For (3) we can add rules and maybe a hook to a service like Akismet.

See also http://codex.wordpress.org/Combating_Comment_Spam

_Commented on Google Code by profile.url_
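
Strategies (1) and (2) from the comment above, sketched as an added example that is not part of the original thread and is not Zotonic's code: a server-side check that binds the postback to the session and page with an HMAC token and rejects submissions that fill hidden tripwire inputs. The field names, key handling and one-hour lifetime are assumptions, and Python is used only for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)    # assumption: per-site secret, never sent to clients
TOKEN_TTL = 3600                        # assumption: a rendered form stays valid for one hour
HONEYPOT_FIELDS = ("url", "website")    # hypothetical inputs hidden from human visitors


def _mac(session_id, page_id, ts):
    """HMAC over session, page and issue time (ids are server-generated, no '|')."""
    msg = "|".join((session_id, page_id, ts)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, page_id, now=None):
    """Token rendered into the page and sent back with the comment postback."""
    ts = str(int(time.time() if now is None else now))
    return ts + "." + _mac(session_id, page_id, ts)


def check_comment(session_id, page_id, form, now=None):
    """Return (accepted, reason) for a submitted form given as a dict of strings."""
    now = time.time() if now is None else now
    # Strategy (2): a human never sees these inputs, so any value is a tripwire hit.
    for name in HONEYPOT_FIELDS:
        if form.get(name, "").strip():
            return False, "honeypot"
    # Strategy (1): the token must have been issued for this session and this page.
    ts, _, mac = form.get("token", "").partition(".")
    if not (ts.isascii() and ts.isdigit() and mac):
        return False, "token-missing"
    # Compare as bytes in constant time; attacker-supplied text may be non-ASCII.
    if not hmac.compare_digest(mac.encode(), _mac(session_id, page_id, ts).encode()):
        return False, "token-invalid"
    if now - int(ts) > TOKEN_TTL:
        return False, "token-expired"
    return True, "ok"


if __name__ == "__main__":
    token = issue_token("sess-A", "page-1")                        # constructed ids
    print(check_comment("sess-A", "page-1", {"token": token, "message": "hello"}))
    print(check_comment("sess-A", "page-1", {"token": token, "url": "http://spam.example"}))
```

Rejected submissions can be routed to a moderation queue instead of being dropped, and strategy (3) would run on whatever passes this check.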

arjan commented Sep 5, 2011

Arjan, my vote is for a non-captcha implementation. Something with CSRF and Akismet would probably work
well. But I would also like to have the option to moderate comments via the admin.

Regards,
Daniel

_Commented on Google Code by d...@mac.com_

@mworrell mworrell modified the milestones: Enhancements for later, Wish list Apr 22, 2015

@mworrell mworrell closed this Apr 22, 2015

mworrell commented Jun 8, 2015

See also #967
