Open GoogleCodeExporter opened 9 years ago
Currently comments are posted through an API; the post is done using JavaScript.

There are three possible protection scenarios:

1. make sure that the form is submitted from the current page/session.
2. add simple captcha/tripwires/etc. to make sure that a human is posting it.
3. filter submitted messages through a spam filter.

Not all three strategies need to be deployed. For example, I don't like to fill in captchas, as they get in the way of adding content to a site. So I prefer other means of protection against machines.

For (1) we can make a CSRF protection by mixing some id into the postback message.

For (2) we can have a combined strategy of tripwires (for example false non-user-viewable input elements that mimic a WordPress comment form) and maybe a simple captcha implementation (note that quite a lot of captchas are already broken, so this only gives limited protection).

For (3) we can add rules and maybe a hook to a service like Akismet.

See also http://codex.wordpress.org/Combating_Comment_Spam
Original comment by ma...@pobox.com on 25 Apr 2010 at 10:47
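The three layers sketched in the comment above, as an added illustration that is not code from the original issue or from the project: the CSRF token binds the postback to the session and page id, a hidden "url" field mimicking a WordPress comment form serves as the tripwire, and the spam filter is a pluggable callable standing in for an Akismet client. The server secret, field names and the rule-based filter are constructed assumptions.

```python
import hashlib
import hmac
from typing import Callable, Optional, Tuple

# Constructed example secret; a real deployment loads this from configuration.
SERVER_SECRET = b"example-secret-do-not-use"


def csrf_token(session_id: str, page_id: str) -> str:
    """Strategy (1): derive the token from the session and page ids so a
    postback is only valid for the form rendered in that session/page."""
    msg = f"{session_id}:{page_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def check_comment(post: dict, session_id: str, page_id: str,
                  spam_filter: Optional[Callable[[str], bool]] = None) -> Tuple[bool, str]:
    """Validate a posted comment: CSRF check, honeypot tripwire, spam filter hook.
    Returns (accepted, reason) so the caller can log or moderate the rejection."""
    # (1) CSRF: constant-time comparison against the token for this session/page.
    expected = csrf_token(session_id, page_id)
    if not hmac.compare_digest(post.get("csrf", ""), expected):
        return False, "csrf"
    # (2) Tripwire: the hidden 'url' field is never filled by a human using the
    # real form, so any value marks an automated poster.
    if post.get("url", ""):
        return False, "honeypot"
    # (3) Spam filter hook (e.g. an Akismet client); optional so the layer can be
    # deployed independently of the other two.
    if spam_filter is not None and spam_filter(post.get("comment", "")):
        return False, "spam"
    return True, "ok"


def naive_spam_filter(text: str) -> bool:
    """Assumed rule-based stand-in for an external spam service: flag link floods."""
    return text.lower().count("http://") > 2
```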
Arjan, my vote is for a non-captcha implementation. Something with CSRF and Akismet would probably work well. But I would also like to have the option to moderate comments via the admin.

Regards,
Daniel
Original comment by d...@mac.com on 25 Apr 2010 at 8:20
Original issue reported on code.google.com by scherpenisse on 25 Apr 2010 at 9:52