Wrox Programmer Forums
Classic ASP Professional For advanced coder questions in ASP 3. NOT for ASP.NET 1.0, 1.1, or 2.0.

You are currently viewing the Classic ASP Professional section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
October 10th, 2008, 02:54 AM
Authorized User
how to stop comment spam

Hi there, I would like to ask: how do I stop spammers from inserting spam words in my project's comment form?

I have tried to use JavaScript validation to stop users from inserting comments with a link (<a href>) or JS code (<script language=...),
but the spammers can still spam my database.

I really don't know how to stop this spamming.
Please give me some ideas or a solution. Thank you.

 
October 10th, 2008, 06:36 AM
jminatel
Wrox Staff

No system will be 100% spam-proof, but 2 good options to look at are:
1. CAPTCHA - this will slow down automated spam and make live human spammers work a little harder. If you Google ASP Captcha you'll find several examples.

2. Akismet and other systems actually check the content of comments and detect with fairly good accuracy which are spam. Akismet was designed for WordPress blogs originally, but through the use of an API key you can hook into their system from blog systems written in any language. Akismet is free for non-commercial use and really small-scale, low-revenue commercial blogs. Check their site for details:
http://akismet.com/
and then a link Google provided to an ASP 3 Akismet example:
http://framework.lojcomm.com.br/app/...class-asp.html
There are probably other systems like Akismet too if you want to do further research.

Jim Minatel
Acquisitions Director
Wiley Technology Publishing
WROX Press
Blog: http://wroxblog.typepad.com/
Wrox online library: http://wrox.books24x7.com
 
October 10th, 2008, 02:06 PM
Friend of Wrox

Besides what Jim said...

The problem with using JavaScript validation is a simple one: People can simply TURN OFF JavaScript in their browsers and your validation is then worthless. (They can also spam you using non-browser systems, and again JS validation is worthless.)

You *NEED* to *ALSO* do the validation in your ASP code, in VBScript.

It's not hard. You can use the same kind of regular expression(s) you do in JS.

For example:
Code:
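<%
' ... (earlier page code)
' Strip all HTML tags out of the user's comment
Dim reStrip
Set reStrip = New RegExp
' Matches any opening or closing tag, e.g. <a href="..."> or </a>
reStrip.Pattern = "\<\/?[A-Za-z][^\>]*\>"
reStrip.Global = True

comments = reStrip.Replace( Request("comments"), "" )
' ... (rest of page code)
%>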
That will strip *all* HTML tags from the comment. If the user puts in something like
    <a href="...some **** site...">Click here!</a>
then all that is left in his comment is
    Click here!

Which might be annoying to read, but at least it won't be a usable link.

Same with <script> tags. The script will still be there, but it will be ineffective.

If you want to do more than this (i.e., actually strip out all the content of <script>...</script>) that's not too hard, either, but requires making a list of the tag pairs you want to strip from & doing one at a time.
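
The approach described in the post above (drop the content of listed tag pairs, then strip any remaining tags) could look like this in server-side VBScript. This is an added example, not code from the thread: `StripTagPairs`, `CleanComment` and `PAIRED_TAGS` are hypothetical names, and the tag list, the repeat-until-stable loop and the `Server.HTMLEncode` step on output are assumptions.

```vbscript
<%
' Added example, not code from the thread. StripTagPairs, CleanComment and
' PAIRED_TAGS are hypothetical names; the tag list is an assumption.
Const PAIRED_TAGS = "script,style,iframe,object"

' Remove listed tag pairs together with everything between them.
Function StripTagPairs(ByVal text)
    Dim re, tagName
    Set re = New RegExp
    re.Global = True
    re.IgnoreCase = True
    For Each tagName In Split(PAIRED_TAGS, ",")
        ' [\s\S] is used because "." does not match line breaks.
        re.Pattern = "<" & tagName & "\b[^>]*>[\s\S]*?</" & tagName & "\s*>"
        text = re.Replace(text, "")
    Next
    StripTagPairs = text
End Function

' Strip paired content, then any remaining tags, until nothing changes.
Function CleanComment(ByVal text)
    Dim reTag, previous
    Set reTag = New RegExp
    reTag.Global = True
    reTag.Pattern = "</?[A-Za-z][^>]*>"
    Do
        previous = text
        text = StripTagPairs(text)
        text = reTag.Replace(text, "")
        ' Repeat: removing one match can join the text around it into a new tag.
    Loop While text <> previous
    CleanComment = Trim(text)
End Function

Dim comments
comments = CleanComment(Request.Form("comments") & "")
' ... store comments in the database here ...

' On the page that displays comments, encode the stored value so that any
' markup that survived is shown as text instead of being interpreted.
Response.Write Server.HTMLEncode(comments)
%>
```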
 
October 10th, 2008, 06:40 PM
dparsons
Wrox Author

JavaScript is a moot point anyway since most spammers will use bots of some sort, which renders JavaScript useless.

Pendant's suggestion strikes twofold since it will prevent the links from being rendered in your comments and also works to thwart XSS attacks.

In any event, as Jim pointed out, nothing is foolproof (that Google's CAPTCHA can be hacked should be proof enough), so do what you can to reduce it but keep in mind that some is probably going to get through, and you will probably sleep better at night.

hth.

================================================== =========
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
================================================== =========
.: Wrox Technical Editor / Author :.
Wrox Books 24 x 7
================================================== =========
 
October 12th, 2008, 07:12 PM
mat41
Friend of Wrox

Hey, the remove-HTML code is very nice. Like it a lot, thank you...

Regex is a real weak area of mine - always like finding good stuff!!

Wind is your friend
Matt
www.elitemarquees.com.au




