[Looking for Charlie's main web site?]

Blocking comment spam in BlogCFC (or it could be adapted to others)

Note: This blog post is from 2009. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Want another tool to help battle blog comment spam? Here's an approach I use that may benefit others. I look for certain bad URLs being referenced in the comment, and if they exist I block the comment. Sure, there are other solutions. I've wondered for a while about sharing this code publicly like this, but I get enough people who've asked for it that I figure I may as well.

Update: Ray has clarified (in a comment) that BlogCFC does already have this functionality, in the "trackback spamlist" feature (on the Settings page of the BlogCFC Admin). I thought that had only to do with track backs, not comments. If you're using BlogCFC, you should use that feature to achieve what I describe here. But some of the thoughts and techniques may still interest some.

[....Continue Reading....]

Comments
Years ago, I read an article (by you?) mentioning how it often made sense to use cfinclude instead of cffile to get the contents of a file that didn't contain any CF code as cfinclude would be much faster to execute.

Would that not apply here? I would think that would make getting the bad URL list quite fast.
Hi Charlie,

I'd be curious to know how often you see "repeat offenders"...that is, comments that are blocked because of your blacklist. I like this idea, but I'd guess that the majority of spam comments would get past this because they change domains and create new ones so often. Even so, if it helps block some spam, it's a valuable addition to the arsenal.
Curious - Charlie, why didn't you just add the URLs to the main BlogCFC spam list? I've been doing that for years now. In fact, a lot of my spam 'word' list is actually just the bad URLs. That requires no modding at all. :)
Let me address the 3 in 1:

@Steve, I did do an article in the past on some "secret powers of CFINCLUDEs", but I don't recall asserting that it was faster than CFFILE, no. There were some interesting other surprises that I wrote about. I'm not aware of any assertion that CFINCLUDing a file is faster than reading it with CFFILE. Plus, doing the CFINCLUDE wouldn't turn it into a variable that could be tested. You'd have to wrap it in a CFSAVECONTENT. Just doesn't seem worth it to me. :-)

@Jake, you ask how often I see offenders. I had said something to that effect (though I just updated it to fix a missing word and add the parenthetical statement):

"I also happen to email myself when people attempt to send comments (in case they have problems with the captcha or for some other reason their comment doesn't make it), so I have fun watching how the spammers flail about trying again and again to get their crap in."

You then say, "I'd guess that the majority of spam comments would get past this because they change domains and create new ones so often". Well, I suppose that could be true, but all I care about is that once they've been identified (by me) as a spam URL, I block them, and they never get in again. I don't worry about evaluating if a new one is a replacement of an old one. I never (ever) visit their sites so don't care to do that comparison. I'm not saying that you think I should, but do you see why I just don't worry about it?

But I think you're trying to say "this seems a sysyphian task, constantly pushing the ball up the hill of adding URLs, only to have it roll down the other side under the weight of new ones". I just don't see it that way. It works: it blocks the spammers once I identify them.

It's kind of like what I wrote in my earlier blog entries on captcha a couple years ago (I'll add them as related entries above the comments): I don't regard it as a door lock (that can be broken with modest effort) but more like a screen door, just keeping out the random pests. So I don't worry if this solution works perfectly. :-) Like you say, "if it helps block some spam, it's a valuable addition to the arsenal." Amen.

@Ray, I'm running 5.005. The closest thing I see in the settings is a "trackback spamlist". I assumed that had something to do with trackbacks, so never assumed it solved this problem. I didn't spend too much time digging into the code to see what that may do. As you can see, mine were just a few lines of code.

More curious, though, if indeed that's what it's for, I'll note that I have proposed this solution to other blogCFC users (directly and on a list, though not your forums) and no one had ever suggested that as a solution. I sure wish they had. :-)

Anyway, the good news is that the code may help someone else (and it caused me to create that findlist UDF, which I was so surprised to see no one ever had, and that there was no equivalent in CFML.)
Yes indeed - the TB spam list _also_ applies to comments. I should see if the latest admin makes that more clear - it might not.
Are you running cfformprotect? I was not because I was on an older version of BlogCFC and I used to get ton of comment spam. After updating I can tell you that cfformprotect has virtually eliminated comment & send spam. This is my first suggestion to anyone using forms, it really does help!
# Posted By Dan Vega | 8/3/09 4:52 PM
Hi Dan, no, I do not. I have of course known of it. I didn't want to try to figure out how to incorporate it into the very old version of BlogCFC I had, and again, this was just a few lines of code.

I'll note that I did mention in the opening of my entry here that of course there are other solutions, and I linked to my CF411 category for them, where certainly CFFormProtect is offered.

I also said, "I appreciate that some tools do still more." :-) For those interested in more on CFFormProtect, which does a lot to stop both automated and even human spammers, see http://cfformprotect...

If anyone else is running 5.005 of BlogCFC and has implemented it, I wouldn't mind a heads up of where and how you did. I suppose it could be in the same place I've done what I did above. Otherwise, I may well find some time to try to dig in and add it myself.

Better still, some day I'll just update my old BlogCFC version and get its many improved benefits (CFFormProtect was added to it late last year, per http://techfeed.net/...).
I did see your comment in your spam post about the spammers flailing against your protections. I guess I was wondering more what percentage of your spam comments are blocked by this protection. I am not really saying that you (or others) should not use this method...as you probably know, CFFormProtect is made up of numerous prevention methods that individually are not super strong (well, except for Akismet), but added together they are very effective. So I was just curious how effective this method is.

Also, if you don't mind, I might reference this method in my CFUnited presentation (giving you credit, of course).
I rick roll comment spam. It has been very effective.

http://www.myinterne...
Charlie,

You sure didn't make that claim. Not sure why I remembered it that way.

Having brought up the topic, though, I decided to find out which one is faster:
http://www.bryantweb...
@Jake, I don't really have numbers to confirm. All I know is that once I slam the door in the face of one of these pests, they no longer come in. But I don't doubt the value of CFFormProtect (Jake's tool). I recommend people look into it. It tries to block both automated and human spammers. More at http://cfformprotect...

@Gerald, sounds interesting. Of course, I think most won't bother to take you up on the testing, since your other blog entries on the topic suggest you will take some retribution. :-) But if you do ever document what you do, feel free to post that here and I'll add it to the CF411 list of CF-based spam-catching tools.

@Steve, thanks for sharing. I see that you say there that the CFFILE was in fact faster. That's what I would have expected, myself.

We've all been there, coming to a conclusion (or taking what someone says, or we think they said) and holding to it for some time before really confirming it. Your tests are one way to go.

Then again, as you say in your opening paragraph, even such observations aren't always conclusive. Many factors can influence whether the observation would always be true. More than that, there's the very impact of micro-benchmarking (testing something in a loop) which may not really equate to what would happen in the real world. This has been debated often (in the CF world and wider IT world). I don't really want to open that debate here, and in fact I chose not to offer this on your blog entry for the same reason.

Not picking on you at all, Steve. :-) Just wanted to put out there that it's something to be cautious about. You may have had it in mind in your thoughts in that first paragraph. (For others interested, a google of microbenchmark will find many articles identifying the problems, though not focused on CF specifically.)
Copyright ©2024 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting