The continuous fight against blog spam

Just as we arrived in Thailand last month, I found that this website was being flooded with blog spam. As you can see below, I have no CAPTCHAs or anything else to stop naughtiness so it was bound to happen sooner or later. Thanks for the timing though, guys.

Despite not wanting to work whilst on holiday, I did grab a few minutes while Daeng was getting her hair done (first priority!) to write a few lines that searched for the presence of certain phrases (e.g. viagra, cialis, etc.) and prevent the comment being saved if any were found. An obvious downside to this approach is that one has to add new words (and delete a whole raft of comments) every so often to the list of 'banned phrases', but I was pleasantly surprised to find that my effective list of these phrases and URLs remains remarkably short.

Upon returning to England, I spent some more time trying to think of a better way to resolve this issue. I still don't really want a CAPTCHA on my site (I don't really like them outside of serious web-apps to be honest, plus there are better ways), wanting it to remain as simple as possible for a friendly passer-by to say hello.

I tidied the hastily added code written in Bangkok and started logging the spammer IP addresses in MySQL in the vain hope I'd see a pattern or two. Not a sausage: it only took a few minutes to amass a few hundred addresses and sadly, against my wishful thinking, they were all unique. It's not the end of the world of course, after all, the problem was "solved" whilst on holiday in so much that I haven't had a spam message left since, but it doesn't stop that grating feeling that I'm still getting thousands of attempts per day that I'd rather prevent.

"Back to the drawing board", thought I, "but not this morning, things to do". In a final act of churlish spite against my attackers, I added a quick line to return a 403 "forbidden" error to spam comment submission requests instead of returning back the usual page (that's my 2000 bytes of bandwidth, godammit), logged off and went about my offline day. That was last Saturday.

I was stunned to come back and see that this simple move stopped the requests instantly. Had I beaten them so easily? No, sure enough they started up again but this week has seen less requests overall, their number slowing yesterday and so far today, many less spam requests than genuine hits.

I'm pretty sure that if they're giving up it's because their requests are failing to register a fruitful spam comment rather than worrying about the returned error code, but the nice upshot of this is that my JAWStats installation no longer treats these hits as genuine (the 403s are logged as errors under the 'status' tab) meaning my website visitor statistics have become meaningful again.

Have I invited a whole world of pain writing this post?