Blocking comment spam in BlogCFC (or it could be adapted to others)
Note: This blog post is from 2009. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.Want another tool to help battle blog comment spam? Here's an approach I use that may benefit others. I look for certain bad URLs being referenced in the comment, and if they exist I block the comment. Sure, there are other solutions. I've wondered for a while about sharing this code publicly like this, but I get enough people who've asked for it that I figure I may as well.
Update: Ray has clarified (in a comment) that BlogCFC does already have this functionality, in the "trackback spamlist" feature (on the Settings page of the BlogCFC Admin). I thought that had only to do with track backs, not comments. If you're using BlogCFC, you should use that feature to achieve what I describe here. But some of the thoughts and techniques may still interest some.
Would that not apply here? I would think that would make getting the bad URL list quite fast.
I'd be curious to know how often you see "repeat offenders"...that is, comments that are blocked because of your blacklist. I like this idea, but I'd guess that the majority of spam comments would get past this because they change domains and create new ones so often. Even so, if it helps block some spam, it's a valuable addition to the arsenal.
@Steve, I did do an article in the past on some "secret powers of CFINCLUDEs", but I don't recall asserting that it was faster than CFFILE, no. There were some interesting other surprises that I wrote about. I'm not aware of any assertion that CFINCLUDing a file is faster than reading it with CFFILE. Plus, doing the CFINCLUDE wouldn't turn it into a variable that could be tested. You'd have to wrap it in a CFSAVECONTENT. Just doesn't seem worth it to me. :-)
@Jake, you ask how often I see offenders. I had said something to that effect (though I just updated it to fix a missing word and add the parenthetical statement):
"I also happen to email myself when people attempt to send comments (in case they have problems with the captcha or for some other reason their comment doesn't make it), so I have fun watching how the spammers flail about trying again and again to get their crap in."
You then say, "I'd guess that the majority of spam comments would get past this because they change domains and create new ones so often". Well, I suppose that could be true, but all I care about is that once they've been identified (by me) as a spam URL, I block them, and they never get in again. I don't worry about evaluating if a new one is a replacement of an old one. I never (ever) visit their sites so don't care to do that comparison. I'm not saying that you think I should, but do you see why I just don't worry about it?
But I think you're trying to say "this seems a sysyphian task, constantly pushing the ball up the hill of adding URLs, only to have it roll down the other side under the weight of new ones". I just don't see it that way. It works: it blocks the spammers once I identify them.
It's kind of like what I wrote in my earlier blog entries on captcha a couple years ago (I'll add them as related entries above the comments): I don't regard it as a door lock (that can be broken with modest effort) but more like a screen door, just keeping out the random pests. So I don't worry if this solution works perfectly. :-) Like you say, "if it helps block some spam, it's a valuable addition to the arsenal." Amen.
@Ray, I'm running 5.005. The closest thing I see in the settings is a "trackback spamlist". I assumed that had something to do with trackbacks, so never assumed it solved this problem. I didn't spend too much time digging into the code to see what that may do. As you can see, mine were just a few lines of code.
More curious, though, if indeed that's what it's for, I'll note that I have proposed this solution to other blogCFC users (directly and on a list, though not your forums) and no one had ever suggested that as a solution. I sure wish they had. :-)
Anyway, the good news is that the code may help someone else (and it caused me to create that findlist UDF, which I was so surprised to see no one ever had, and that there was no equivalent in CFML.)
I'll note that I did mention in the opening of my entry here that of course there are other solutions, and I linked to my CF411 category for them, where certainly CFFormProtect is offered.
I also said, "I appreciate that some tools do still more." :-) For those interested in more on CFFormProtect, which does a lot to stop both automated and even human spammers, see http://cfformprotect...
If anyone else is running 5.005 of BlogCFC and has implemented it, I wouldn't mind a heads up of where and how you did. I suppose it could be in the same place I've done what I did above. Otherwise, I may well find some time to try to dig in and add it myself.
Better still, some day I'll just update my old BlogCFC version and get its many improved benefits (CFFormProtect was added to it late last year, per http://techfeed.net/...).
Also, if you don't mind, I might reference this method in my CFUnited presentation (giving you credit, of course).
http://www.myinterne...
You sure didn't make that claim. Not sure why I remembered it that way.
Having brought up the topic, though, I decided to find out which one is faster:
http://www.bryantweb...
@Gerald, sounds interesting. Of course, I think most won't bother to take you up on the testing, since your other blog entries on the topic suggest you will take some retribution. :-) But if you do ever document what you do, feel free to post that here and I'll add it to the CF411 list of CF-based spam-catching tools.
@Steve, thanks for sharing. I see that you say there that the CFFILE was in fact faster. That's what I would have expected, myself.
We've all been there, coming to a conclusion (or taking what someone says, or we think they said) and holding to it for some time before really confirming it. Your tests are one way to go.
Then again, as you say in your opening paragraph, even such observations aren't always conclusive. Many factors can influence whether the observation would always be true. More than that, there's the very impact of micro-benchmarking (testing something in a loop) which may not really equate to what would happen in the real world. This has been debated often (in the CF world and wider IT world). I don't really want to open that debate here, and in fact I chose not to offer this on your blog entry for the same reason.
Not picking on you at all, Steve. :-) Just wanted to put out there that it's something to be cautious about. You may have had it in mind in your thoughts in that first paragraph. (For others interested, a google of microbenchmark will find many articles identifying the problems, though not focused on CF specifically.)