So now that I found out that, yes, people are actually writing software and selling it for US$24 that does comment spam (wiki spam won’t be far off), we really need to work out bulletproof solutions. By bulletproof I mean solutions that can’t be cracked too easily on a large scale by determined coders.
Some ideas on battling comment spam, referrer spam, wiki spam and such (most are for battling robots):
– Randomize the scriptname that accepts the POST data for each installation, or even for each pageview. Not bulletproof, but makes finding your script harder for the software.
– Add a random ID to your form, valid for one post. If the ID isn’t right, the post doesn’t go through. This means that for every spam post, the spam software needs to download the page once. If you randomize the field name as well, it might even work better. Not bulletproof though.
– Generally randomize all field names. Create a table that maps your randomized field names to the real field names.
– Until a poster has proven they’re human, make it really hard to machine-spam.
– Find a way to penalize spammers that doesn’t make it easy to penalize others by faking them as spammers.
– Make sure you don’t make it too hard to post.
– Keep a central list, vetted by some authority (maybe a community), of known spam URLs. Actively use it to scare the people who buy spamming software (find them!): “We’ll make you lose PageRank!”. Be aware of the problems with central lists – this list should only list clear, true and proven spammers, not may-be-spammers.
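
The one-post form ID and the randomized field names from the list above can be combined in one server-side check. The sketch below is an added example, not code from the original post; the field names, the in-memory table and the one-hour lifetime are assumptions, and a real installation would keep the table in its session store or database.

```python
import secrets
import time

REAL_FIELDS = ("author", "email", "comment")  # assumed real field names
MAX_AGE = 3600   # assumed lifetime of an unused form, in seconds
_pending = {}    # form_id -> (issued_at, {random name: real name})

def issue_form(now=None):
    """Call once per page view; returns (form_id, {real name: random name})."""
    now = time.time() if now is None else now
    form_id = secrets.token_urlsafe(16)
    to_real = {"f" + secrets.token_hex(8): real for real in REAL_FIELDS}
    _pending[form_id] = (now, to_real)
    return form_id, {real: rnd for rnd, real in to_real.items()}

def accept_post(post, now=None):
    """Return the comment keyed by real field names, or None to reject."""
    now = time.time() if now is None else now
    entry = _pending.pop(post.get("form_id"), None)  # pop: one post per ID
    if entry is None:
        return None  # unknown, missing or already-used ID
    issued_at, to_real = entry
    if now - issued_at > MAX_AGE:
        return None  # form was fetched too long ago
    fields = {k: v for k, v in post.items() if k != "form_id"}
    if set(fields) != set(to_real):
        return None  # real or guessed field names instead of this form's
    return {to_real[k]: v for k, v in fields.items()}
```

Render the form with `form_id` as a hidden field and the random names as the input names; a rejected post costs a human one page reload, while a robot has to fetch and parse the page again for every single post.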