Viva La Resi-staunch: French Canadians (?) Help Fight Blogspam

Andy Makely sends me a translated link to gotoandplay.ca’s Flash Form, created to replace Movable Type’s blog commenting form in an effort to prevent blog spam. The only thing it does is prevent form auto-fill scripts from spamming your blog, and the instructions say to rename your mt-comments.cgi file, whose name the SWF reads from an XML config file.

“Dude, this is worthless… the spammers can find the CGI file via google, and they hit the cgi directly, NOT my web page…”.

To accentuate my point, 7 minutes after re-activating my mt-comments.cgi after installation of the Flash comments, I got a new blogspam.

Then I got an idea. Some dude had written me in an email, talking about his solution. He basically added an extra form field for the user to type in a value, and has Perl check to see if that value exists when the form data hits it.

The flaw in that theory is that the blog spammer can read your comment page, see the new variable Perl is expecting, and modify his/her script as need be.

…you can’t do that with Flash. You can decompile the script, but I don’t think most blog spammers know how to do that. Hidden form fields on HTML pages are easily spotted via View Source, but doing that in Flash requires a SWF decompiler… and I’ll have to test to see if they can spot the variable name when I get home to check via ActionScript Viewer.

So, I added the variable with a whack value:

specialVar = "some whack string";

to the “MTgotoAndComment.fla” file, then recompiled it to form.swf and replaced the one they give you.

In Perl, I check for the value, and if it’s not there, I throw an exception… at least, that’s what the code looks like it’s doing; I don’t know Perl.
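A sketch of the server-side check described above, as an added example; it is not the author's actual Movable Type change or gotoandplay.ca's code. The field name and value come from the post, while the other form fields, the helper names and the sample POST bodies are constructed for illustration.

```perl
use strict;
use warnings;

# Assumption: must match the value compiled into form.swf (the post's placeholder).
my $FIELD    = 'specialVar';
my $EXPECTED = 'some whack string';

# Decode an application/x-www-form-urlencoded POST body into a hash ref.
sub parse_form {
    my ($body) = @_;
    my %form;
    for my $pair (split /[&;]/, $body) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        for ($k, $v) { tr/+/ /; s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge; }
        $form{$k} = $v;
    }
    return \%form;
}

# Compare without stopping at the first differing character.
sub secure_eq {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y;
    my $diff = length($x) ^ length($y);
    my $n    = length($x) < length($y) ? length($x) : length($y);
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. $n - 1;
    return $diff == 0 ? 1 : 0;
}

# Returns (1, 'ok') or (0, reason); the caller rejects before saving the comment.
sub check_comment {
    my ($body) = @_;
    my $form = parse_form($body);
    return (0, "missing $FIELD") unless exists $form->{$FIELD};
    return (0, "wrong $FIELD")   unless secure_eq($form->{$FIELD}, $EXPECTED);
    return (1, 'ok');
}

# Constructed sample POST bodies (not captured traffic).
my @samples = (
    [ 'script posting straight to the CGI', 'author=x&text=buy+pills' ],
    [ 'script guessing the field',          'author=x&text=hi&specialVar=1' ],
    [ 'recompiled form.swf', 'author=jd&text=nice+post&specialVar=some%20whack%20string' ],
);
for my $s (@samples) {
    my ($ok, $why) = check_comment($s->[1]);
    printf "%-36s %s (%s)\n", $s->[0], ($ok ? 'ACCEPT' : 'REJECT'), $why;
}
```

Because the string ships inside form.swf and can be recovered by decompiling it, this works as a filter against scripts that post to the CGI directly rather than as a secret.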

After some tests, it appears to be working. If this solution does work after this weekend, I’ll delve into further detail of how I got it to work, and then I’ll rewrite this form for AS2.

…and to the blogspammers, I say…

15 Replies to “Viva La Resi-staunch: French Canadians (?) Help Fight Blogspam”

  1. Cool, the problem you exposed is why I decided not to use this form, but your solution sounds like a winning combo. I decided to let Blogger take care of the problem for me by using their comment interface.

    Cheers!

  2. Just to give you a heads up, I was having issues with that burningbird comment hack about adding the extra parameter after I upgraded to MT 3.11. Weird stuff like comments not displaying after they were submitted… it could be that I just jacked up the Perl scripts though. Just make sure and test all your comment areas on your site.

  3. What the heck… I should have only 1 comment area. I know there are other templates, but I don’t know how to get there… er.. crud, lemme go check error template.

  4. I’ve been thinking about something like this for weeks, but unfortunately I don’t have the time to play with it right now. I was thinking of really getting drastic and hiding your secret variables in a database, and then calling that database via Flash Remoting. Obviously nothing is ever going to completely stop all spam, but putting that many barriers to entry has got to cut it down to almost nothing.

  5. Hmm and just so you know, it’s: Vive la résistance!
    in French :P Viva is Spanish.
    And I also need to say that posting a solution for spammers on your blog might not be the best idea ever since it’s ranked quite high on search engines. How about offering via email so that you can sift through them and see if the person asking for the solution is ‘legit’? I know it’s more work but it sure will help keeping it more secret…

  6. la disco-techa es muy beuno.
    Muy bueno?
    Wee, wee.

    And thus, my foreign language skillz laid bare. Be gentle.

    Combine the benefit of the blog scene coupled with the Flash community, and you get a great sounding board for ideas. Therefore, I’m posting this in an effort to find holes in my idea. If someone has a better solution, a way to compensate for my solution’s weaknesses, or another idea, I couldn’t get that type of feedback without publicly speaking about it.

    The risk is that I inadvertently help blog spammers circumvent my solution, but I fully believe open, honest solutions with community input will help us all be more protected, and regain our right to spamless blogs. Look at how open source software has grown from like-minded groups getting together to contribute ideas to the growth of software products. I’m hoping to employ the same tactic with anti-blog spam solutions.

    Besides, if you type in blogspam on Google, you get more results on how to prevent blogspam than on how to spread it. There’s strength and hope in that.

  7. oh yeah.. I like. And I think it’s fine to post the idea here because it gives me a place to start. If all the Flash blogs use a slightly different technique then there’ll be some pissed off blog spammers because they’ll have to manually type in each spam comment. cool. game on.

    I don’t think this is going to stop the blogspam because they’ll just manually enter it.. so there still needs to be some sort of approval process or something that validates their e-mail address and asks them to confirm the post before it goes live.

  8. I’m more concerned about stopping the bots. They are the ones pumping 400+ spam comments into my blog a day. The manual enterers have generated no more than 6 every 2 weeks. I have no qualms about deleting manual spam.

    Additionally, adding any type of registration or validation makes it harder on people like you to comment. I want it to be as simple as possible for anyone and everyone to comment, except bots. If the worst I’m doing to that usability is requiring the Flash 6 Player, I’m fine with that.

  9. The current SWF implemented at the time of this posting is 11k. It’s probably my site itself taking awhile to load. I have a header graphic at the top that is almost 400k, and every image on this site is an un-optimized PNG.

    Not to mention the fact the Central SWFs on the left don’t load as of last night because my sub-domain had its DNS changed, so you’ll see a continual loading…
