Finally made the jump to Drupal for my personal blog, and within two hours received my first bit of spam; no problem, I set permissions on comments for a while, then installed the spam module, but in between some testing this morning, I turned it all open-access and was whopped by several dozen spams within a very short span of time, all from the same four IPs on the same subnet.
Ok, easy to ban and I did, but this spammer taught me something: When I looked at the comment logs, I saw the hits start as posts to the node forms themselves, slowly, but then shift to direct calls to the comment /node/reply/NNN address ... and that's when the frequency soars.
Would we benefit from some sort of referrer authentication for comments, some test to show the POST request is coming from the node form and not from an automated spam-posting robot?
In the past I've used really simple methods like a hidden variable in the comment form; it's not a total solution, but it does block a lot of abuse, and is trivial to implement: add a hidden value into the comment form, modify the comment handler to reject access if the key is missing, and if we wanted to get really fancy (to thwart View/Source), we might make a key pseudo-randomish, resolvable to a timestamp or some such.
Comments?
Comments
Comment #1
bdragon commented
form_token was implemented a while back, closing this issue.
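
An added sketch of the hidden form key proposed in the original post, with the key resolving to a timestamp; it is not Drupal's form_token code and not code from this thread. The function names, the binding to the node ID and the age limits are assumptions made for illustration.

```php
<?php
// Hypothetical helpers, not Drupal API. The secret is a per-site server-side key.
const TOKEN_MIN_AGE = 3;     // seconds; assumed floor, a person needs time to type
const TOKEN_MAX_AGE = 3600;  // seconds; assumed lifetime of a rendered form

// Hidden field value: "<issued-at>:<HMAC-SHA256 over node id and issued-at>".
function make_comment_token(string $secret, int $nid, int $issuedAt): string
{
    return $issuedAt . ':' . hash_hmac('sha256', $nid . '|' . $issuedAt, $secret);
}

// Returns null when the token is acceptable, otherwise the rejection reason.
function reject_reason(string $secret, int $nid, ?string $token, int $now): ?string
{
    if ($token === null || $token === '') {
        return 'missing';    // direct POST to the reply URL, form never fetched
    }
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !preg_match('/\A\d{1,12}\z/', $parts[0])) {
        return 'malformed';
    }
    $issuedAt = (int) $parts[0];
    $expected = hash_hmac('sha256', $nid . '|' . $issuedAt, $secret);
    if (!hash_equals($expected, $parts[1])) {   // constant-time comparison
        return 'bad-mac';    // forged, or issued for a different node
    }
    $age = $now - $issuedAt;
    if ($age < TOKEN_MIN_AGE) {
        return 'too-fast';   // submitted faster than a person could type
    }
    return $age > TOKEN_MAX_AGE ? 'expired' : null;
}

// Constructed sample run: node 42, form rendered at $t0.
$secret = random_bytes(32);
$t0     = 1700000000;
$token  = make_comment_token($secret, 42, $t0);
$cases  = [
    'human, 40 s after render' => [42, $token, $t0 + 40],
    'no hidden field'          => [42, null, $t0 + 40],
    'replayed on node 43'      => [43, $token, $t0 + 40],
    'timestamp edited'         => [42, ($t0 + 30) . substr($token, 10), $t0 + 40],
    'posted 1 s after render'  => [42, $token, $t0 + 1],
    'replayed next day'        => [42, $token, $t0 + 86400],
];
foreach ($cases as $label => [$nid, $tok, $now]) {
    printf("%-26s %s\n", $label, reject_reason($secret, $nid, $tok, $now) ?? 'accepted');
}
```

A robot that fetches the node form before each post still receives a valid token, so this only stops the direct calls to the reply address and stale replays; it complements the spam module and IP bans rather than replacing them.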