A New Approach to Fighting Spam

Drew asks if MT-Approval has been updated to work with MT5 - specifically version 5.14, but since version 5.2 was just released, you may be wondering about that as well.

Unfortunately, I have no idea. The most recent version of MT-Approval was written and released nearly four years ago, so my guess would be no. But that doesn't mean you can't make use of the techniques within the plugin to put together a very decent solution to fight spam on your site.

As I originally mentioned on the plugin page, a determined spammer will post something on your comment page if they really want to do so. In that case, the best thing you can do is have something in place to stop them - Akismet or TypePad AntiSpam both work well. The problem is more for automated spam, as it is much more profitable to submit spam automatically to your site.

In that case, it takes a few pieces and you can create a solution in no time.

First, put together a simple HTML page that tells visitors you only accept comments if they have JavaScript enabled. This can be as simple or as elaborate as you want. Call it whatever you like. You may want to choose something random, or call it something direct, like commentspam.html. Just make sure you know the name.

Next, put this document in the action of your comment form. That's right, this becomes the action of your form. Don't worry, we'll fix it later. This is for those robots that submit every form they can find, so that they can't actually do anything. In the end, it will look (something) like this:

<form method="post" action="http://www.example.com/commentspam.html">

In actuality, your site may be a little more complex. But you get the idea, right? The important part here is that you set the action to the document you created earlier in the first step.

Next, you need to have at least one other item in that form, and that is an id, because we'll use it to change the action. So make sure you set it now while you are checking. It should now look like this:

<form method="post" action="http://www.example.com/commentspam.html" id="comments-form">

If you use the default Movable Type comment form, you should be fine if you just change the action - you will also have a name and an onsubmit handler there too, which is not a problem. This just shows you the simplest form that you can get by with here.

Ready to proceed? Good. Now you need a bit of JavaScript. This should be loaded somewhere - it can be in a library file, or at the top of the page - just make sure it's accessible. If you have a .js file being loaded already, add it in there. It won't conflict.

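function setAction (id, url, cgi) {
    // Look up the form by its id and point it at the real comment script
    var f = getById(id);
    if (!f) return false; // no such form on this page, nothing to change
    f.action = url + cgi;
    return true;
}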

This just sets the action of a form to the URL and the script that you will pass to it (and you will pass it, we just haven't done so yet). In order for this to work, you'll need one more function, the getById function, here:

function getById (n, d) {
    // Default to the current document when none is passed in
    if (!d) d = document;
    if (d.getElementById)
        return d.getElementById(n);
    else if (d.all)
        return d.all[n]; // fallback for very old browsers
}

This goes into the same place as the last function, and it allows the setAction function to get the form it needs by referencing the form by ID. Now you can see that by passing in the ID (comments-form back there on the form), we can get the form by the ID. So if you use a different ID, just change the ID on the form and it will all flow through correctly.

Now, one more bit of JavaScript to add to that file:

function mtApprovalOnLoad () {
    // Arguments: form id, path to the CGI files, comment script name
    setAction('comments-form', '<$mt:CGIRelativeURL$>', '<$mt:CommentScript$>');
}

This is the new and improved MT-Approval. Actually it has nothing to do with MT-Approval, I just wanted to keep the name. You can call this function whatever you like, you just need to make sure that you know what it is, because we'll need it later. And you'll notice here three bits of information. First off is the ID that you used earlier on your form, second is the path to your CGI files and third is your comment script. That means if you change your comment script, you'll need to rebuild this file, wherever it is. And if you are familiar with JavaScript, you can play with this to change things around if you like - one thing I would not do is put them together, say to create a single string that has a long URL to the script.

Why? Because in anecdotal evidence, it seems less likely for a robot to find the comment script if it has it in pieces (that is, a path and a script name) than if it is a single long path to the script. Make sense? It is entirely up to you of course, so do what you like. The other thing that I would advise is to put this in your JavaScript file - that way if you do change your comment script name, you only need to rebuild this file, not all of your entries. Makes things a lot faster.

Finally, there is one more change you need to make. In your entry template, you need to add this code:

<script type="text/javascript">mtAttachEvent("load", mtApprovalOnLoad);</script>

This calls the mtAttachEvent function (a JavaScript function that comes with the default MT JavaScript file - if you don't have it, you may need to refresh your templates) to load the mtApprovalOnLoad function that we just added. If you called it something else, put that name here instead.

What you want to do is put this event in your comment form - in the recent versions of the comment template, there are similar calls towards the bottom of the comment form for other events on loading of the form. That is a great place to add this. Once you do, and rebuild your entry templates, you're all set.

Now when someone visits your entries, they will only get the real comment script if they have JavaScript enabled. If not, they will instead be sent to a static HTML page. Why does this work? Because automated spam robots don't use JavaScript. You will likely see automated comment spam cut significantly almost immediately, while regular visitors will see almost no impact.
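
One way to check that on your own site, as an added example that is not part of the original post: count the POST requests in your web server access log that land on the decoy page versus the real comment script. The log lines are constructed samples, and the paths /commentspam.html and /cgi-bin/mt/mt-comments.cgi are assumptions, so substitute your own.

```javascript
// Added example, not from the original post. Both paths are assumptions:
// use your own decoy page name and your own comment script path.
const DECOY_PATH = '/commentspam.html';
const REAL_PATH = '/cgi-bin/mt/mt-comments.cgi';

// Constructed sample lines in Apache combined log format (documentation IPs).
const SAMPLE_LOG = [
  '192.0.2.10 - - [01/Jun/2012:10:00:01 +0000] "POST /commentspam.html HTTP/1.1" 200 512 "-" "bot/1.0"',
  '192.0.2.10 - - [01/Jun/2012:10:00:02 +0000] "POST /commentspam.html HTTP/1.1" 200 512 "-" "bot/1.0"',
  '198.51.100.7 - - [01/Jun/2012:10:05:00 +0000] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [01/Jun/2012:10:06:00 +0000] "GET /commentspam.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [01/Jun/2012:10:07:00 +0000] "POST /commentspam.html?x=1 HTTP/1.0" 200 512 "-" "-"',
  'truncated or malformed line',
];

// Captures the client address and the method and target of the request line.
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*"/;

function tallyCommentPosts(lines) {
  const tally = { decoy: 0, real: 0, skipped: 0, decoyClients: new Map() };
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) { tally.skipped += 1; continue; }   // unparseable: count it, don't guess
    const [, client, method, target] = m;
    if (method !== 'POST') continue;            // only form submissions matter here
    const path = target.split('?')[0];          // ignore any query string
    if (path === DECOY_PATH) {
      tally.decoy += 1;
      tally.decoyClients.set(client, (tally.decoyClients.get(client) || 0) + 1);
    } else if (path === REAL_PATH) {
      tally.real += 1;
    }
  }
  return tally;
}

// Clients that posted to the decoy, busiest first.
function topDecoyClients(tally) {
  return [...tally.decoyClients.entries()].sort((a, b) => b[1] - a[1]);
}

const report = tallyCommentPosts(SAMPLE_LOG);
console.log(report.decoy, report.real, report.skipped, topDecoyClients(report));
```

Submissions counted under the decoy path never reached the comment script; whatever still arrives at the real script is what Akismet or TypePad AntiSpam is there to handle.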
