

Blocking Comment Spam Using ModSecurity and Hidden Fields - mike-cardwell
https://secure.grepular.com/Blocking_Comment_Spam_Using_ModSecurity_and_Hidden_Fields

======
colonelxc
I did something similar for a friend of mine. Slight difference was that I had
the best success by pre-populating the hidden field with some static value and
checking to make sure it was set right.

Some bots don't fill out the hidden forms, and some do; you could probably use
a couple of hidden fields to try to catch all types of bots. Also, if you keep
some session data, you could place a random value in the hidden field, and
expire it on the first hit (for bots that scrape once, and POST many times).

The site I put this on is pretty small, so I'd be interested in hearing if any
moderately trafficked sites still find this effective.
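The three checks described in this post (an empty honeypot field, a hidden field pre-populated with a static value, and a per-render random value kept in session data and expired on first use) combined into one form handler, as an added example that is not code from the linked article or from any commenter. Field names, the static value, the nonce lifetime and the in-memory store are all assumptions made for the example; a real site would pick its own and keep the store in its session backend.

```python
"""Server-side comment-form checks based on hidden fields (added example)."""
import secrets
import time

# Constructed field names and values; any real form would choose its own.
HONEYPOT_FIELD = "website"          # stays empty: humans never see it
STATIC_FIELD = "form_token"         # pre-populated with a fixed value
STATIC_VALUE = "v1-static-example"  # constructed static value
NONCE_FIELD = "form_nonce"          # random per render, spendable once
NONCE_TTL = 3600                    # seconds a nonce stays valid (assumed)


class NonceStore:
    """Stand-in for session data: every issued nonce may be spent once."""

    def __init__(self):
        self._issued = {}  # nonce -> issue timestamp

    def issue(self, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(16)
        self._issued[nonce] = now
        return nonce

    def spend(self, nonce, now=None):
        """True exactly once for a live nonce; False if unknown, used or old."""
        now = time.time() if now is None else now
        issued_at = self._issued.pop(nonce, None)  # removed on first hit
        if issued_at is None:
            return False
        return now - issued_at <= NONCE_TTL


def render_hidden_fields(store, now=None):
    """The hidden inputs the form page embeds, returned as a dict."""
    return {
        HONEYPOT_FIELD: "",
        STATIC_FIELD: STATIC_VALUE,
        NONCE_FIELD: store.issue(now),
    }


def check_submission(form, store, now=None):
    """Return (accepted, reason) for a parsed POST body given as a dict."""
    # 1. Honeypot: a bot that fills in every input trips this.
    if form.get(HONEYPOT_FIELD, ""):
        return False, "honeypot filled"
    # 2. Static value: a bot that skips hidden inputs entirely trips this.
    if form.get(STATIC_FIELD) != STATIC_VALUE:
        return False, "static token missing or wrong"
    # 3. Single-use nonce: scrape-once, POST-many bots trip this on post #2.
    if not store.spend(form.get(NONCE_FIELD, ""), now):
        return False, "nonce unknown, expired or already used"
    return True, "ok"


if __name__ == "__main__":
    store = NonceStore()
    fields = render_hidden_fields(store, now=1000)
    print(check_submission(dict(fields, comment="hello"), store, now=1001))
    # Same hidden values replayed: the nonce was already spent.
    print(check_submission(dict(fields, comment="again"), store, now=1002))
```

The order of the checks matters a little: the nonce is only spent once the cheaper honeypot and static-value checks have passed, so a legitimate user who somehow fails an earlier check does not also lose their nonce. Everything here runs after the request has reached the application, which is the "script level" alternative to a ModSecurity rule discussed further down the thread.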

~~~
mike-cardwell
I only get a couple of spam comments a day at the moment but _all_ of them
have so far filled in the hidden field. I've been running it for about a week
and a half. I've not seen a bot try and post more than once yet.

------
DanBlake
Seems extremely inefficient to have modsecurity parse every request. Why not
just block it at the script level instead of forcing modsec to deal with yet
another rule to match?

~~~
mike-cardwell
If you're already using mod_security then it's more efficient to use another
rule than it is to pass the request onto the CGI.

