Comment-Flak: Anti-Spam Technique for Weblog Comments

Comment flak consists of extra text areas on a weblog comment form that make it easier to detect and eliminate spam submissions. One or more flak fields are placed on the form and hidden with Cascading Style Sheets. Any input in one of these fields indicates that the form has been submitted by spam software instead of a real user.

The Comment-Flak PHP library supports this technique on PHP pages.

In this library, the get_comment_flak() method generates the HTML required to add comment flak to a form:

<div class="cf">
<textarea name="comment_0" cols="70" rows="18" tabindex="6"></textarea>
<textarea name="comment_1" cols="70" rows="18" tabindex="7"></textarea>
<textarea name="comment_2" cols="70" rows="18" tabindex="8"></textarea>
<textarea name="comment_3" cols="70" rows="18" tabindex="9"></textarea>
<textarea name="comment_4" cols="70" rows="18" tabindex="10"></textarea>
</div>

These fields can be hidden from humans using several different CSS styles, such as visibility: hidden, 0-pixel width borders or 0-pixel heights:

.cf textarea {
  border: 0px;
  height: 0px;
}

The real text area takes the next number in the sequence:

<textarea name="comment_13" id="comment_13" cols="70" rows="18" tabindex="3"></textarea>

When the form is submitted, the detect_spam() method looks to see if any flak field contains text. Most spam software submits the same junk comment in every text area it finds on a form, differentiating these submissions from legitimate comments.

In early testing, the first version of this script has been successful at catching 100 percent of the spam submitted to Workbench, a weblog that has been hit by more than 150,000 comment spams. If you have suggestions to make this technique more difficult to beat, please contact me.

A script is included that demonstrates how to use the Comment-Flak library on a weblog's comments page.

Version 0.1.

This software was developed by Rogers Cadenhead, publisher of the Workbench weblog, and has been released under the GNU General Public License.

  • PHP

I'm running the software on PHP 4.3.2. I think it should work with PHP 4 or higher, but that's only a guess.

Installation instructions
  • Download the Comment-Flak archive in either tar.gz or zip format and unpack the archive.

  • Save the PHP class library comment-flak.php in a directory where it will be accessible to PHP web pages. I put it in the software's include_path directory, which is often /usr/local/lib/php on new installations.

Documentation

An example use of this class is demonstrated by the example-form.php page.

Comment-Flak employs the following constructor:

  • Comment_Flak(): Create the object that will generate comment flak and detect spam in flak fields

// load the library
require('comment_flak.php');

// create the object
$cf = new Comment_Flak();

The get_comment_flak() method creates one or more comment flak fields that can be incorporated into a form that takes weblog comments. These fields must be hidden from site visitors using Cascading Style Sheets.

The method takes the following arguments, in order:

  • $last_tab_index: The highest tab index of a component on the form (not including comment flak)
  • $field_prefix: The first part of the field name that takes comments (default: "comment"). Fields take a name of the form "prefix_number" and numbering begins at 0, so the default uses comment_0, comment_1, comment_2 and so on
  • $classname: The name of the Cascading Style Sheets class that's applied to all of the flak (default: "cf"). Use an empty string to assign no style.
  • $flak_count: The number of flak fields to put on the form (default: 13)
  • $columns: The number of columns in each flak's text area (default: 70)
  • $rows: The number of rows in each flak's text area (default: 18)

The method returns the comment flak as HTML, which you can display anywhere in the form. Use these arguments to customize the HTML as much as possible, making it harder for spam software to detect and deal with it.

/* generate 13 comment flak fields 70 columns wide and 18 rows tall, numbering
them in tab index from 6 upward, and name them comment_0 through comment_12 */
$comment_flak = $cf->get_comment_flak(6, "comment", "cf", 13, 70, 18);

The detect_spam() method checks the fields submitted to a form, determining whether a spammer put any text in comment flak fields. The presence of input in any of these fields indicates that the form is comment spam. The method returns true for spam, false otherwise.

The method takes the following arguments, in order:

  • $field_prefix: The first part of the field name that takes comments (default: "comment"). Fields take a name of the form "prefix_number" and numbering begins at 0
  • $flak_count: The number of flak fields to put on the form (default: 13)
  • $request: The array that holds all submitted input, which can be sent by specifying $_REQUEST as the argument

The first two arguments must be the same as the corresponding arguments to the get_comment_flak() method.

// check the comment flak for input to detect spammers
if ($cf->detect_spam("comment", 13, $_REQUEST)) {
  $hidden = true;
}
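
A self-contained sketch of the check that detect_spam() is described as performing, added here as an illustration and not taken from the Comment-Flak library. The function names are hypothetical and the code assumes PHP 7.0 or later; it also covers two inputs a naive emptiness test gets wrong, array-typed fields and whitespace-only values.

```php
<?php
// Added illustration of the flak check; NOT the Comment-Flak library's code.
// flak_field_filled() and classify_submission() are hypothetical names.

/** True if a submitted value counts as "text in a flak field". */
function flak_field_filled($value): bool
{
    // PHP turns "comment_0[]=x" into an array. A browser never sends that
    // for a textarea, so any non-string value is treated as filled.
    if (!is_string($value)) {
        return true;
    }
    // Whitespace-only input still counts as empty.
    return trim($value) !== '';
}

/**
 * Returns 'spam', 'empty' or 'ok' for one submission.
 * Flak fields are prefix_0 .. prefix_(flak_count - 1); the real field is
 * prefix_flak_count, as on the form described above.
 */
function classify_submission(array $request, string $prefix = 'comment', int $flak_count = 13): string
{
    for ($i = 0; $i < $flak_count; $i++) {
        $name = $prefix . '_' . $i;
        if (array_key_exists($name, $request) && flak_field_filled($request[$name])) {
            return 'spam';
        }
    }
    $real = $request[$prefix . '_' . $flak_count] ?? '';
    return (is_string($real) && trim($real) !== '') ? 'ok' : 'empty';
}

// Constructed sample submissions (not captured traffic).
$samples = [
    'human'                => ['comment_0' => '', 'comment_1' => '', 'comment_13' => 'Nice post.'],
    'bot fills everything' => ['comment_0' => 'junk', 'comment_1' => 'junk', 'comment_13' => 'junk'],
    'array-typed field'    => ['comment_2' => ['junk'], 'comment_13' => 'hello'],
    'whitespace in flak'   => ['comment_0' => "  \n", 'comment_13' => 'hello'],
    'nothing typed'        => ['comment_0' => '', 'comment_13' => ''],
];
foreach ($samples as $label => $request) {
    echo str_pad($label, 24), classify_submission($request), "\n";
}
```

The prefix and count passed to the check must match the values used to render the form, for the same reason the first two arguments of detect_spam() must match those of get_comment_flak().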

  • Version 1.0: Original release, Oct. 25, 2006

License

Copyright 2006 Rogers Cadenhead

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.