Comment spam filtering alternatives

[Robert Zelník]

I would like to have some alternatives to Akismet for comment spam filtering, because Akismet is a bit expensive solution for low traffic small business sites.

Possible solutions:

• text Captcha (math tasks, simple riddles...)
  
• reCaptcha
  
• mollom.com integration
  

[ryan]

Good ideas, we'll definitely have to look into these for future updates in the comments module. However, I also want to note that we already do have an alternative built in, that I've found to be just as effective as a captcha (if not more so) on the sites where I use it. Look at the 'requireSecurityField' option in /wire/modules/Fieldtype/FieldtypeComments/CommentForm.php. This option can be enabled in the options to the form:

echo $page->comments->renderForm(array('requireSecurityField' => 'security_field')); 

I typically hide my comment form with CSS to prevent the possibility of false positives:

#CommentForm {
   display: none;
}

Then use JS to show the comment form, and append a security field to it:

$(document).ready(function() {
   var $input = "<input type='hidden' name='security_field' value='1' />";
   $("#CommentForm form").append($input).parent().show(); 
}

No more spam. The only downside is that your comment form now requires Javascript to use. But since you are hiding it with CSS and making it visible with JS, at least you won't be disappointing anyone.

[Robert Zelník]

Thanks Ryan. It works well, just with two little bugs:

• the ending bracket in the JS code is missing
  
• now it doesn't show the successMessage.
  

I have changed the code to this:

$(document).ready(function() {
var $input = "<input type='hidden' name='security_field' value='1' />";
$("#CommentForm form").append($input);
$("#CommentForm").show();
});

[doolak]

Thanks Ryan. It works well, just with two little bugs:

• the ending bracket in the JS code is missing
  
• now it doesn't show the successMessage.
  

I have changed the code to this:

$(document).ready(function() {
var $input = "<input type='hidden' name='security_field' value='1' />";
$("#CommentForm form").append($input);
$("#CommentForm").show();
});

Yes, that's right - it does not show the success message anymore then.

If i leave the comment form visible (not hide it with CSS) and use the code as follows it works:

$(document).ready(function() {
var $input = "<input type='hidden' name='security_field' value='1' />";
$("#CommentForm form").append($input);
});

BTW: How does that security field works? I guess it should work as a Honeypot fields, right?

I just wondered because there is a value set for that field - and shouldn't such a honeypot field be a normal text field, just hidden cia CSS?

I tried to find out how it is handled in the Commentform.php and i found this part:

if($key = $this->options['requireSecurityField']) {
if(empty($data[$key])) return false;
}

Now i am much more confused ...

[ryan]

It's more of a reverse-honeypot field. Rather than excluding a form based on a populated value, it excludes based on an unpopulated value. This can be even more effective than a regular honeypot, but it does rely on Javascript. In order to eliminate the problem of false positives, you want to hide the CommentForm with CSS and unhide it with Javascript at the same time that you add the security field (as in the examples above).

[doolak]

Thanks Ryan. It works well, just with two little bugs:

• the ending bracket in the JS code is missing
• now it doesn't show the successMessage.

I have changed the code to this:

$(document).ready(function() {
var $input = "<input type='hidden' name='security_field' value='1' />";
$("#CommentForm form").append($input);
$("#CommentForm").show();
});

I have tried that code now and it works fine - the success message is shown.

@ryan: Does the spam protection work fine using the code above? If i use the code you posted the success message is not shown:

$(document).ready(function() {
    var $input = "<input type='hidden' name='security_field' value='1' />";
    $("#CommentForm form").append($input).parent().show(); 
});

[ryan]

Not sure why the follow-up message wouldn't be shown. Was the comment still saved?

[doolak]

Yes, the comment is saved - but it does not show the success message when i use this code:

$(document).ready(function() {
    var $input = "<input type='hidden' name='security_field' value='1' />";
    $("#CommentForm form").append($input).parent().show(); 
});

When i use this, it works:

$(document).ready(function() {
var $input = "<input type='hidden' name='security_field' value='1' />";
$("#CommentForm form").append($input);
$("#CommentForm").show();
});

[ryan]

Okay, glad that works. There must be a container element between #CommentForm and form, and code in the first example assumes #CommentForm is the parent of form. 

[woop]

Thanks for the reverse honeypot method! I'm now using both a regular honeypot (don't fill the field) and your reverse method in all my input forms.

I can also recommend adding simple logging to see if it works or not. 

if ($honeypot == 1 || $securityfield != 1) {
    	$log = new FileLog($config->paths->logs . 'detectedspam.txt'); 
    	$log->save('Spam catched: '.$sanitizer->textarea($input->post->body));
        $session->redirect($config->urls->root); exit();
    }

30 seconds after I implemented this, I got a spam message logged. urgh.. bitter sweet feeling..

[artaylor]

I have a contact form getting heavily spammed. I don't want to pay ransom to Akismet so I found this. I implemented everything here except the dual method listed by woop. However, I am not seeing the Success message. The comment is being added to the db.

This is the JS code I implemented. The form is hidden in CSS then shown with JS.

$(document).ready(function() {
    var $input = "<input type='hidden' name='security_field' value='1' />";
    $("#CommentForm form").append($input);
    $("#CommentForm").show();
});

Thanks for any help.

Anthony

[ryan]

Do you see any errors in your JS console?

Are you using any kind of caching (TemplateCache, ProCache, MarkupCache) on the comments or comments page?

Are you using the redirect after post option in your comment settings?

It might also be good for us to get a look at your code that outputs the comment form. 

[artaylor]

Hi Ryan,

1. No errors in my JS console.

2. No caching on those pages (whatever the PW default is).

3. I am using the Redirect after comment post option.

4. The code that outputs the form (stolen with gratitude from your example):

if ($trailer) {
  $title = $film->title . ' - trailer';
} else {
  $title = $film->title . ' - full film';

  $commentsForm = $page->comments->renderForm(array('requireSecurityField' => 'security_field'));

  $numComments = $page->comments->count();
  if($numComments > 0) $numCommentsStr = sprintf(_n('%d Comment', '%d Comments', $numComments), $numComments);
    else $numCommentsStr = __('No comments yet'); 
}

BTW, at least the bombardment has stopped filling the email notification so that is a start.

Thanks.

[kreativmonkey]

For everybody how is interested on a separate spam filter, i'm creating a spam filter for the Comments Field without using any external services. You can find the Thread: https://processwire.com/talk/topic/12872-module-comment-filter-antispam-guard/

[adrian]

@ryan - I am still getting a decent amount of spam coming through, even with both types of honeypot fields and akismet enabled. Presumably these are person written spam (rather than bots).

I think it would be great if there was a way to hook into checkNewComment() (or similar) so we could add our own checking. In my case, I'd probably like to add Mailgun's email address validation.

Thanks.

[elabx]

Hi! Anyone got a clue on how to implement Google Recaptcha on comments forms? 

I don't see a way to hook into the processInput method of the CommentForm class. Maybe I'm looking at it on the wrong angle?