March 3, 2005 18:16 | WebBlogging

Using AJAX and a small private key to thwart comment spam

Does this make sense? It assumes your weblog system allows you to define a small, say 5-character, private key, or even generates one for you (longer is better, and it costs nothing, since no human ever has to type it). You don't really need to know it, because only the system ever uses it, and it must never leave the server...

Then you have an AJAX script watching your comment field. As soon as it detects a few keystrokes in it, say 3 or 4, it sends a behind-the-scenes request to the weblog server for a "public key". (It isn't a public key in the cryptographic sense; it's a one-time token.) This token would be generated on the fly from the private key and... say, a timestamp, and it has to be derived in a way that doesn't let anyone recover the private key from the token they're handed (a keyed hash, not a plain concatenation). The server would of course need to store the request and the key it generated at this point:

Entry ID # 00345 requested a key at 20050503202312
keygen: j3eJ7%G9U#5G7J*,
awaiting match...

Anyways, so at this point, using AJAX and the DOM, the comment form carries a uniquely created "passkey" (a hidden field will do), without which the server will not accept the comment. On submit, the server matches the passkey against the one it stored, and should treat each passkey as single-use and short-lived so the same one can't be replayed later...

Obviously this assumes the commenter has JavaScript enabled, but let's be honest here... it is 2005. If you've disabled JS in your web browser, you're a freak 'n' luddite. ;)

Hrmmm... hehehe I should've put a disclaimer saying "this was just a quick idea which made my head hurt to think about and I figured I'd just put it up there"... ;)
Thanks for the feedback all, whichever response channel you used! :)


Seems to me the spammer would just write the same code that requests the key, then submits his spam. Especially if, like most blogs, it was a single solution, such that writing that code once would cover all the similar blogs.

My solution requires no ajax. In it the form's ACTION URL is not the URL that is actually used. When the user clicks "submit" some small javascript updates the URL and then submits to the real URL (along with extra info generated by the javascript).

Submit the wrong URL (the one that is easy to scan since it's in the form's ACTION= attribute) or be missing the extra data and the comment won't be received. The bogus URL still returns success to the spammer though.

It's no more secure (nor is it any less secure) but it is simpler as it requires no ajax.

Not quite sure how this would thwart spam... couldn't I just catch on to this process and request a key from my spambot?

I know something excellent against the comment spam... no comments at all :)

Though there is something which I still don't understand. With my installation of SpamAssassin for my mail, I receive maybe 4 or 5 spams a day out of the hundreds that arrive at my mailbox. Why don't weblogs use exactly the same mechanism as mail to remove the spam? And I don't see the spam at all, because everything which is spam or might be spam goes directly to... the void (/dev/null).

I may miss some mails... but too bad. I really don't care. When we walk in a street or go to a party, there are certainly very interesting discussions we are missing... and so what. :)

What about the "type in the text from this image" challenge system?

That's a captcha. And it's more annoying than anything else.