Post by coldstone on Aug 25, 2006 11:16:45 GMT -5
While dealing with spammers, I noticed that the 'no html in comments' config only strips out links created with the html 'a' tag.
I thought that it would strip out any reference to 'http' whether it's in an html tag or not. Ironically, if you have the 'assume links' config on, it will then create actual links from the plain 'http...' string in the message.
I am beginning to think that GM could really use either 'link throttle' or 'enter this word to comment' mods in the core.
Post by picaman on Aug 25, 2006 13:10:33 GMT -5
Do you have the throttle code? I have it in a modded version of gm-comments.cgi.
Jamie
Post by petefinnigan on Aug 26, 2006 16:29:18 GMT -5
Hi Coldstone,
I agree with your sentiments. I went through a massive problem with comment spammers and then with referral spammers. In the end I had to remove comments and also remove my stats pages.
The mod I have planned to write is for comment moderation. What I planned to do is change gm_comment.cgi to write the comment to a new file on the lines of gm_entrylist.cgi but just for comments. It would write to this file instead of the individual entry xxxxxxxx.cgi. This new file would be a comment queue to be worked by the moderator.
I planned to add a new screen to the admin interface similar to the screen used for editing posts.
I agree that comment spam mods or rather protection against comment spam should be core. I also agree we need to include a mod that forces a commenter to type a random string into a box before he/she can post. Also it would be useful to allow comments through based on a previous successful post providing the email address and name are still correct. This should prevent spam as the email address is not known and also would work well with comment moderation.
I am aware of the comment throttle mod but not sure about it as it could stop genuine comments.
cheers
Pete
Post by scottlindberg on Aug 28, 2006 10:39:36 GMT -5
Jamie's mod for adding an "enter this word to comment" stopgap worked wonders for me. I went from a dozen or so spam comments an hour before doing the mod to zero after the mod was installed.
Post by coldstone on Aug 28, 2006 12:05:55 GMT -5
Jamie - I would love to have that code, if it's short enough to post. I am a lazy developer and work better with something that is already started (I guess I am a yogurt programmer). The blank page makes me procrastinate.
Pete - That sounds great. I was thinking along the exact same lines. I know other software (WordPress) uses that process of once a commenter is approved, the same username and password will let them post directly. I have been emailing various blogs I read to see what other people are finding works. Hopefully we can use the same concepts in GM.
I think if we make the link throttle core, it would be turnoffable with the threshold settable.
I have been thinking about the 'random word to comment' feature (just taking Jamie's mod for adding an "enter this word to comment" a little further). The issues I have been pondering are:
- The comment pages are static, so the random number/phrase wouldn't change without a rebuild (which would happen with a new comment, so it might not be a big deal, however, multiple commenters at once would pose problems).
- I would like to avoid storing the random number/phrase on the server side, since this would add more 'accounting' (having to keep track of which number for which comment, etc.).
- Seems like it might be easier to force a 'preview' before comment, and then give a number to enter, since the 'preview' will hit the cgi file, we can then do dynamic number/phrases.
Those are just thoughts off the top of my head. I am wondering if we could do something like the keyword is the day's date. That's easy and it changes every day. However, spammers might be able to program that in, but if they aren't bothering with a non-changing phrase, it could work.
Should this thread be moved to feature requests?
Post by petefinnigan on Aug 29, 2006 4:28:54 GMT -5
Hi Coldstone,
Thanks for your great comments. I was also pondering how to get past the static page issue and had come to the same conclusion that the only way is to force the user through the CGI so that a page can be generated to include the random number/letter sequence. We need to generate the number as a gif / png / jpeg so that scrapers cannot be used to read the number and post anyway. We also cannot use the date as it's predictable. Spammers would create scripts to get around this and spam multiple blogs using Google hacking techniques to find them. We need a reasonably good random number to prevent scripted attacks. The idea to force preview is good. Also the mod to allow second and subsequent posts through after moderator approval is good.
You are right we should not store numbers on the server.
Yes, let's move this to feature requests.
I will find my more detailed notes on the comment moderation mod and post them as well.
cheers
Pete
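
Added example, not part of the thread and not Greymatter code: one way to get a changing, unpredictable code at the forced-preview step without storing anything on the server is to have the CGI sign the code with a site secret (HMAC) and re-check it when the comment is posted. `SITE_KEY`, `issue_challenge`, `verify_challenge` and the form field names are hypothetical, and rendering the code as an image is left out.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a per-site secret kept in the blog's config, never sent to clients.
SITE_KEY = b"constructed-demo-key-change-me"
MAX_AGE = 600  # seconds a previewed challenge stays valid
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no look-alike characters


def _tag(entry_id, comment, issued, code):
    # Bind the code to one entry, one previewed comment text and one issue time.
    body = hashlib.sha256(comment.encode("utf-8")).hexdigest()
    msg = "|".join([entry_id, body, str(issued), code.upper()])
    return hmac.new(SITE_KEY, msg.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_challenge(entry_id, comment, now=None):
    """Preview step: returns (code, hidden_fields); nothing is written to disk.

    The code is what the visitor must type; hidden_fields go into the form.
    """
    issued = int(time.time() if now is None else now)
    code = "".join(secrets.choice(ALPHABET) for _ in range(6))
    fields = {"issued": str(issued), "tag": _tag(entry_id, comment, issued, code)}
    return code, fields


def verify_challenge(entry_id, comment, typed, fields, now=None):
    """Post step: True only if the typed code matches the signed challenge."""
    now = int(time.time() if now is None else now)
    try:
        issued = int(fields.get("issued", ""))
    except ValueError:
        return False
    if not 0 <= now - issued <= MAX_AGE:
        return False  # expired, or a timestamp from the future
    expected = _tag(entry_id, comment, issued, typed.strip())
    supplied = str(fields.get("tag", ""))
    # Constant-time comparison on bytes so odd input cannot raise or leak timing.
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))
```

Because no state is kept, a code that has been read once can be resubmitted for the same comment on the same entry until `MAX_AGE` runs out.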