Andy Makely sends me a translated link to gotoandplay.ca's Flash Form, created to replace Movable Type's blog commenting form in an effort to prevent blog spam. The only thing it does is prevent form auto-fill scripts from spamming your blog, and the instructions say to rename your mt-comments.cgi file, the name of which the SWF reads from an XML config file.
“Dude, this is worthless… the spammers can find the CGI file via Google, and they hit the CGI directly, NOT my web page…”.
To accentuate my point, 7 minutes after re-activating my mt-comments.cgi after installation of the Flash comments, I got a new blogspam.
Then I got an idea. Some dude had written me an email, talking about his solution. He basically added an extra form field for the user to type in a value, and had Perl check to see if that value exists when the form data hits it.
The flaw in that theory is that the blog spammer can read your comment page, see the new variable Perl is expecting, and modify his/her script as need be.
…you can’t do that with Flash. You can decompile the script, but I don’t think most blog spammers know how to do that. Hidden form fields on HTML pages are easily spotted via View Source, but doing that in Flash requires a SWF decompiler… and I’ll have to test to see if they can spot the variable name when I get home to check via ActionScript Viewer.
SO, I added the variable with a whack value:
specialVar = "some whack string";
to the "MTgotoAndComment.fla" file, recompiled it to form.swf, and replaced the one they give you.
In Perl, I check for the value, and if it's not there, I throw an exception… at least, that's what the code looks like it's doing, I don't know Perl.
After some tests, it appears to be working. If this solution does work after this weekend, I'll delve into further detail of how I got it to work, and then I'll rewrite this form for AS2.
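A sketch of the server-side check described above, as an added example (not the post's code and not Movable Type's). It goes beyond the fixed string to show a server-issued, expiring HMAC token, because a fixed value is identical in every submission and keeps working once it is known. The `token` field, the key, the lifetime and the helper names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumptions (not from the post): the "token" field, the key, the 15-minute lifetime.
my $STATIC_VALUE = 'some whack string';          # same value compiled into the SWF
my $SERVER_KEY   = 'replace-with-random-secret'; # constructed; never leaves the server
my $MAX_AGE      = 15 * 60;

# Compare two strings without stopping at the first differing character.
sub same_string {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# The post's check: reject any submission that lacks the fixed value.
sub static_check {
    my ($params) = @_;
    return same_string($params->{specialVar}, $STATIC_VALUE);
}

# Hardened variant: the server hands out "timestamp:hmac" along with the form.
sub issue_token {
    my ($now) = @_;
    return "$now:" . hmac_sha256_hex($now, $SERVER_KEY);
}

# Accept only a well-formed, unexpired token whose MAC the server can recompute.
sub token_check {
    my ($params, $now) = @_;
    my ($ts, $mac) = ($params->{token} // '') =~ /\A(\d+):([0-9a-f]{64})\z/ or return 0;
    return 0 if $ts > $now || $now - $ts > $MAX_AGE;
    return same_string($mac, hmac_sha256_hex($ts, $SERVER_KEY));
}

# Constructed sample submissions (no real traffic).
my $t0     = 1_100_000_000;
my $form   = { specialVar => 'some whack string', token => issue_token($t0) };
my $direct = { author => 'bot', text => 'spam' };   # POST straight to the CGI

printf "direct POST, static check:  %s\n", static_check($direct) ? 'accept' : 'reject';
printf "form POST, static check:    %s\n", static_check($form)   ? 'accept' : 'reject';
printf "token, 5 minutes later:     %s\n", token_check($form, $t0 + 300)    ? 'accept' : 'reject';
printf "token, a day later:         %s\n", token_check($form, $t0 + 86_400) ? 'accept' : 'reject';
```

In a real CGI the hash would be filled from the request parameters, and the form would have to fetch a fresh token from the server before each submission.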
…and to the blogspammers, I say…