Preventing Comment Spam with JavaScript bot detection
Update: Due to lack of time and interest (on my part), I am no longer maintaining JSSpamBlock or ImageScaler.
I got my first comment spam on this blog the other day. It inspired me to try an idea I got a few months back. My theory was that these bots aren’t very smart - they are programmed to post as many comments as possible on as many sites as possible, hoping that a handful of these comments would get past whatever system the blogger was using to prevent spam. I hypothesized that these bots did not execute JavaScript, and that by requiring some JavaScript to run in the browser I would be able to check with reasonable accuracy whether the comment was submitted by a human or a bot.
I wrote up a simple plugin to test the theory. I checked the logs to find that I was right. In fact, most of the bots that were spamming my blog did not even include the hidden element, which indicates that they were posting to the wp-comments-post.php file directly rather than accessing the form first. The bots that did access the form did not execute the JavaScript and therefore their comments were blocked. Since the trick only involves JavaScript, most users will not even notice the difference. Users without JavaScript simply need to follow the given instructions to copy a number to a text box in order to prove they are human. This is what users without JavaScript will see:
If you are interested in using JSSpamBlock on your own blog, here are the download links:
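The check described in the post, sketched as an added example (this is not JSSpamBlock's own code): the server issues a number, a script copies it into the form, and the server sorts submissions into the three cases the logs showed. The field names `jsb_id` and `jsb_answer`, the 30-minute lifetime and the in-memory `Map` standing in for a database table are assumptions.

```javascript
// Added example: server-side half of a JavaScript-filled challenge field.
const crypto = require('node:crypto');

const TTL_MS = 30 * 60 * 1000;  // assumed challenge lifetime
const pending = new Map();      // id -> { answer, expires }; stands in for a database table

// Issue a challenge and return the HTML fragment to embed in the comment form.
function issueChallenge(now = Date.now()) {
  const id = crypto.randomBytes(16).toString('hex');
  const answer = String(crypto.randomInt(100000, 1000000));
  pending.set(id, { answer, expires: now + TTL_MS });
  const html = [
    `<input type="hidden" name="jsb_id" value="${id}">`,
    `<div id="jsb_fallback">Please copy the number ${answer} into this box: `,
    `<input type="text" name="jsb_answer" id="jsb_answer"></div>`,
    // Browsers that run scripts fill the box and hide the instructions.
    `<script>document.getElementById("jsb_answer").value="${answer}";`,
    `document.getElementById("jsb_fallback").style.display="none";</script>`,
  ].join('\n');
  return { id, answer, html };
}

// Classify a submitted comment form (fields: object of name -> value).
function checkSubmission(fields, now = Date.now()) {
  const id = fields.jsb_id;
  // Bots posting straight to the comment endpoint never saw the hidden element.
  if (typeof id !== 'string' || !pending.has(id)) return 'reject:no-challenge';
  const { answer, expires } = pending.get(id);
  pending.delete(id);           // single use: a harvested id/answer pair cannot be replayed
  if (now > expires) return 'reject:expired';
  // Bots that fetched the form but ran no script leave the box empty.
  const given = Buffer.from(String(fields.jsb_answer ?? ''));
  const want = Buffer.from(answer);
  const ok = given.length === want.length && crypto.timingSafeEqual(given, want);
  return ok ? 'accept' : 'reject:wrong-answer';
}
```

The number is present in the page source, so this filters clients that neither run scripts nor parse the form; a client that drives a real browser passes it like any visitor.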
That’s actually quite cool. A lot of blogs use some CAPTCHA/challenge against bots, at the expense of annoying users. Having a JavaScript autofill that field is simply… brilliant.
Comment by Tony — March 22, 2007 @ 7:09 pm
Hey Paul,
keep up the good posts.
I use Akismet spam protection, and there’s also Brian’s threaded-comments plugin which allows you to change the name of your WordPress comment post file. Mine is something like “i-hate-spamming-assholes.php” or something like that.
I still get HUNDREDS of spam filtered through the Akismet spam protection, and once in a while I get one slipping by.
Comment by Jeff Kee — March 24, 2007 @ 2:18 pm
Great job, hopefully this will stop the constant spam on my site. Also noted you’re from Halifax as well.
Comment by Jared — March 25, 2007 @ 5:59 pm
Cool, small world, eh?
Comment by Paul Butler — March 26, 2007 @ 3:06 am
Is there any way so that I can use this plugin to present a challenge regardless of javascript being present?
Comment by Fred — March 27, 2007 @ 8:00 am
Fred, you could remove everything between <script> and </script> and it will function as you want. The reason I do not provide this as an option is that my understanding is that there are already several scripts that do what you are looking for. If this isn’t the case, I can make an official version that works that way.
So far, I haven’t seen any bots get past it.
Comment by Paul Butler — March 27, 2007 @ 8:58 am
Thanks Paul I’ll give the full version a try 1st.
Comment by Fred — March 27, 2007 @ 9:49 am
I personally use Akismet on all the blogs I run, still this looks like an interesting approach. Good job!
Comment by Michele — March 31, 2007 @ 6:17 am
paul -
thanks for the plugin. elegant!
a suggestion:
it would be helpful if you included - maybe in the readme.txt - the SQL for creating the database table manually. for me it wasn’t such a big deal to extract it from the .php script, but others may not find it so easy.
Comment by sadara — April 15, 2007 @ 4:06 am
I’ve been using Akismet for a while, but it has always bugged me that it might actually *encourage* spammers. After all, the post was successful as far as the bot can tell… no error messages. I’d rather the spam not get into my database to begin with. Thanks for the great script!
Comment by Glenn Dixon — May 12, 2007 @ 9:24 am
Glenn, I’m glad you like it. Unfortunately, based on my experience with spam bots, I doubt they even bother to check the output after attempting to post a comment, but if they do, the plugin will serve them up a nice error message.
Comment by Paul Butler — May 12, 2007 @ 11:37 am
[…] way JSSpamBlock has evolved since I first released it has reminded me why I love open-source. From day one, I had users pointing out bugs and features […]
Pingback by Paul Butler.org » JSSpamBlock Modifications — May 21, 2007 @ 9:17 am
An amazing, an elegant and a human friendly solution! Thanks a lot! If I were a painter I would create some masterpiece where a human defeats the spam bot!
good luck!
Comment by Ilya — June 20, 2007 @ 3:35 pm
[…] while ago I installed Paul Butler’s JSSpamBlock on my Wordpress blog here. His original idea is simple and brilliant: Spambots don’t […]
Pingback by Brandon Checketts » Blog Archive » Block comment spam with bcSpamBlock — October 10, 2007 @ 11:06 am
Well, I’m rather sceptical about this. There were so many programs against spam that seemed brilliant and all of them failed some time later. Will check this one out soon!
Comment by Patricia — October 18, 2007 @ 7:52 pm
Not Using WordPress…does this work for FrontPage apps using JavaScript? If so, how do you install it?
Comment by RC — January 1, 2008 @ 2:43 pm
RC - It could work for FrontPage, but not without modification. Others have already modified it to work with Perl and other PHP apps.
Comment by Paul Butler — January 23, 2008 @ 6:22 am
I want to test the comment
Comment by ken — June 18, 2008 @ 12:10 pm