Gareth, keep up the great work champ!

But… it requires JavaScript, doesn’t it?

Martin, yes it does as does other parts of WordPress.

How is this different or better than WP-Hashcash?

So users without JavaScript get automatically rated as spam? I would find that tricky…

SpamKarma does have a similar mechanism, but I turned it off because it produced too many false positives.

(sorry for being so critical…)

That was exactly my point. No JavaScript, no comment?

Flo, Martin: This is an excellent question. The short answer is no, users without JavaScript do not get rated as spam, they will receive a message saying they cannot submit comments without JavaScript enabled, but I think its safe to say gone are the days of browsers without JS, its an AJAX world now.

Matt, similar concept, but completely different implementation. For one, Spambam doesn’t rely at all on SQL, where as WP-Hashcode has SQL everywhere and far to many DELETE queries for my liking.

I have JS enabled and I bet 99% of my users have it too. The problem could be that if this plugin is used by many blogs, it wouldn’t be difficult for a spammer to pass over it. Just make a little code to read that JS and there you go. I know that very few or none spammers make this effort, but the possibility is there.

PS: I checked my stats of two of my sites and have 1% and 2% of users without JS. A friend showed me his stats and he has almost 50% of non-JS users! If his stats are right, half of his users wouldn’t be able to comment?

Yes, it’s an AJAX world but it’s also a world with a lot of security holes - a few CSRF these days in google, anyone? Even, few of those were made public by Gareth himself.

Yes, it’s an AJAX world but even gmail and ymail offer a version without JS.

So it’s not safe to say it. What about a casual visitors? Like me for example - I had to temporary allow JS for blogsecurity.net in order to post my disappointment that you rely upon all people having JS enabled.

So, it’s not obligatory a bad thing to have JS disabled or (better) to use NoScript which has a black and a white list.

Anyway, I think a major improvement of this plugin would be, if posting without JS is possible, but these comments have either to be moderated first or (better) are sent to Akismet. IMO this is the way:
- user experience is not broken for users that have JS disabled
- less traffic for all the comments that are made with JS enabled, this would be the vast majority of all comments, but it won’t be all comments.

Martin, is this not the case for any security tool? Also, with salt, its not as easy as just passing through the JS.

Martin, according to the browser stats of your friends page, his primary user base is using JS compatible browsers and of course 50% aren’t JS users, Google bot, RSS feed aggregators probably make up a large chunk of the rest.

Hmm, you’re right. Looks like Statcounter counts Googlebot as a normal visit.

Martin, now if you can just get my mrs to say that :)

Nikola, now your opening a whole other can of worms! Giorgio’s noscript is great but it really bugs you after a while as you have to whitelist just about every site you go to! You have an interesting idea around utilising Akismet along side Spambam… one to think on :)

@Nikola when you’re going to allow comments without JS enabled, why the hell should you use Spambam as that completely defeats the point.

@David
I’m having actually the observation that more and more sites are following modern design patterns, such as separation of concern and unobtrusive javascripting. I’m myself an advocate of such coding, so it’s true - I happen to leave a site if it’s not functioning without JS.
But I have to disagree with you about NoScript bugging you. Yes, in the beginning it’s definitely annoying, but after a short period of time everything comes to normal and you begin to like the protection it gives you. After all you don’t trust everybody you meet on the street, do you?

@Phillip
The point in my idea is to avoid breaking the commenting feature for people without JS. JS-submitted comments can be right away marked as legit, and all other comments (that would be the non-JS-comments) will utilize the Akismet service. Everybody is happy

@David
Few years back when I was coding my own platform I had implemented the same idea: JS is just a helper in the decision process and decisions are made upon JS. If it was disabled however I did some data mining … no Akismet back then :)

@Nikola now I got your point. But some kind of SPAM is done manually anyway, so this SPAM would reach your Visitors!

Spambam advantage/disadvantage is that it uses Javascript for Spam protection. As soon as a Spammer executes javascript it breaks down (They don’t seem to though), it would be extremely difficult for a spammer to gain the correct key without using javascript, if you look at the code you’ll understand why.

This plugin is not for you if you like all sections of your site to be used without Javascript. That really is the end of the argument, however if you don’t want spam and don’t mind the Javascript requirement then use Spambam.

On a side note Spambam will also prevent CSRF comment submissions because of it’s method of protection.

@Philipp
The very same thing happens also with Spambam - if a user is a spammer, so what stops him from having JS enabled? Nothing, he will pass the Spambam exam and will successfully post his spam. And this is the whole point of Akisment - they are doing some data mining on the commments, or at least I hope they are.
Don’t get me wrong, I’m no advocate of Akismet, I just think that for the time being it’s by far the best choice.
I just want that the webdev community treats everybody equal, despite JS, Flash and other fanciness. Spambam just breaks the commenting feature for a group of people.

@David
I’ve just read the article for the second time and there is something I’ve missed:

This really is an awesome alternative to Akismet with a completely significant and unique approach to dealing with comment spam.

I disagree with you, that Spambam is ‘awesome’ alternative, but yes it’s an alternative. But hey the idea of using JS against spammers is old as I am (26) and it haven’t proofed itself for being significant nor unique - there are a lot of similar ideas and implementations. Just to name one - an actionless form with an attached click event to an image which fires the submit.

@Phillip
Do you actually believe that there’s a manually entered spam? The approach of dealing such spam would be completely different from dealing spambots. Data mining is inevitable.

@Nikola: No one wants to put Akismet into some corner and tell that it’s not doing a great job, and you can never compare Spambam and Akismet as both walk different ways.
Spambam tries to block the posting of SPAM at all, which is really effective as most Spambots don’t use JS. What you should know is that many Bots aren’t made to SPAM only one Platform, they can SPAM a vary of Platforms(while at the same time to take care of the quirks of each one). As you already told correctly is the fact that JS is used since some time to Stop spammers. But why didn’t they already adopt JS to their Bots?
There are mostly some reasons for that:
1.) There are enough other Spamable places, so they still make good money with their job
2.) They only buyed the Spambot script, which is doing still well, and they can’t prog for their own.
3.) There are dozens of different Blocking mechanism, where not every can be adopted
4.) Maybe their Apps would get too big, or Antivirus Scanner would be able to detect them much easier as the JS runtime maybe something constant

The Spammarket is some real big one, if they would really suffer from blocking scripts done with JS, they would do the needed changes. And as soon as most SPAM doesn’t get public they’ll mostly apply some changes.

Now to your second point: As told above it’s a fact that most/all Spambots don’t use JS. So if he would Pass the JS he would be a human. And yes at least some time ago there where some chinese(or who else) which spammed manually.

@Nikola

You sound like advocate Akismet to me, I would suggest looking at the code before comparing it to an actionless form with a onclick handler.

Listen spammers use automated tools to scan the web and for the majority they don’t execute javascript, if they did I would have reports of people having spam and I would have spam on my site.

Making blind judgments doesn’t help anyone here and as I said before use it if you don’t want spam and don’t mind the javascript requirement but to argue like this is silly and I really don’t see your motivation.

Lets take your actionless form example shall we, the spammer would only need to do a regular expression to find such methods and to compare it to the work I’ve done it silly.

Two weaknesses:
- it requires javascript enabled, which might then simply not work on, say, MSIE when a buggy script crashes the interpreter
- it only deals with comment spam which is just 5% of trackack spam.

@Phillip
I haven’t accused Spambam of not doing its job, I’m just disappointed that it breaks the commenting possibility for people having JS turned off.

@Gareth
As I said, I’m not an Akismet advocate, although I do realize I sound like one. I’m advocating for the commenting feature to be accessible by ALL visitors. And I made a suggestion for improving Spambam in that direction, see my first comment.
I didn’t intend to lessen the logic nor the complexity of Spambam by comparing it an actionless form. I’m sorry if I offended you.

@Ozh

- it only deals with comment spam which is just 5% of trackack spam.

My recommendation is that trackbacks are disabled on all blogs. If you want to take a look at who’s linking to your articles then I suggest looking at your stats or use technorati. By design trackbacks are a security/spam risk and it would be virtually impossible to provide a secure system to handle them.

@Nikola

I’ve already tried methods of producing a accessible CAPTCHA or spam protection and the process is near enough impossible I haven’t given up but I created spambam as an alternative to protect my blog. Akismet is a blacklist filter which doesn’t protect your blog from spam rather just identifies it and charges you for the privilege whilst wasting bandwidth.

[...] qu’ils sont bien “humains”. C’est le même fonctionnement pour bcSpamBlock. SpamBam et WP-HashCash, quand à eux, vont plus loin parce qu’ils vont jusqu’à bloquer [...]

r u using it now?

[...] gerektirmeyen ve kurulumu bir kaç saniye süren bir anti-spam çözümü arıyorsanız Spambam‘ı [...]

Thanks for sharing, DK.

[...] gerektirmeyen ve kurulumu bir kaç saniye süren bir anti-spam çözümü arıyorsanız Spambam‘ı [...]

[...] Solution? Use a decent AntiSpam plugin like Akismet or BlogSec’s SpamBam. [...]