Need someone to lead product management at your software company? I build high-craft software and the teams that build it. I'm looking for my next opportunity. Check out my resume and get in touch.

Adam Kalsey

This is the blog of Adam Kalsey. Unusual depth and complexity. Rich, full body with a hint of nutty earthiness.

Security & Privacy

Comment spam

3 Sep 2003

I’ve been getting a fair amount of comment spam recently. Some of it is outright spam with people using bots to post dozens of comments that look just like your typical email spam. Other comments contain only a short, generic message such as “very good” or “I like the site” but then have the spammer’s payload URL in the contact section of the post. I imagine that the point behind the later is to increase their incoming links to affect search engines like Google.

I’ve been deleting these as I come across them, but the volume has increased dramatically in the last few weeks. Instead of one every month or so, I’m getting comment spam almost every day now. In talking to Brad, he pointed out a scary scenario that would have bots crawling looking for sites to send spam trackback pings to.

I’m fed up and want your help in devising a solution that will curtail this. I’ve drawn upon features of BBSs, authentication systems, and forum software for ideas on how to stop this. Please add your feedback and additional ideas.

To prevent automated bots from flooding a site with comments, we could add posting limits to comment and trackback systems. The average person can’t submit more than one comment every few seconds, so comment systems could enforce a minimum time between comments. A single IP address could only post one comment every 30 seconds. If the commenter ignores the limit and keeps trying to post, it’s obviously a bot. So any IP address that tries to post 4 or more comments in 30 seconds is automatically banned for a short period of time. This would also work for TrackBack spam.

  • Allow flexible field names
    Comment systems could allow site owners to easily change field names for their comment forms. Since many of the automated bots are just crawling looking for certain form field names and submission addresses, this would be an easy way to thwart many of them.
  • Require an authentication token
    Each form submission would need to include an authentication token in a hidden field. The token would be the unique entry ID hashed with a secret key. When a comment comes in, take the entry id, hash it with the secret key, and only allow the comment if it matches. This would keep bots from submitting comments without using the actual comment form.
  • Make it easier to delete comments.
    When someone posts a comment, MT automatically sends me an email. That email should include a link to delete the comment and rebuild the entry. Then when a comment does slip through, it’s a simple matter to remove it.

What else could we do? And anyone want to jump in and implement some of this for popular systems?

Recently Written

Should individual people have OKRs?
May 14: A good OKR describes and measures an outcome, but it can be challenging to create an outcome-focused OKR for an individual.
10 OKR traps and how to avoid them
May 8: I’ve helped lots of teams implement OKRs or fix a broken OKR process. Here are the 10 most common problems I see, and what to do instead.
AI is Smart, But Wisdom Requires Judgement
May 3: AI can process data at lightning speed, but wisdom comes from human judgment—picking the best imperfect option when facts alone don’t point the way.
Decoding Product Leadership Titles
Mar 18: Not all product leadership titles mean what they sound like. ‘Head of Product’ can mean anything from a senior PM to a true VP. Here’s how to tell the difference.
What branding can teach about culture
Jan 8: Culture is your company’s point of view in action—a framework guiding behavior, even in the unknown. You can’t copy it; it must reflect your unique perspective.
Think Systems, not Symptoms
Dec 15: Piecemeal process creation frustrates teams and slows work. Stop patching problems and start solving systems. Adopting a systems thinking approach helps you design processes that are efficient, aligned with goals, and truly add value.
Your Policies Aren’t Your Culture
Dec 13: Policies guide behavior, but culture is the lived norms and values of your team. Policies reflect culture -- they don’t define it. Netflix’s parental leave shift didn’t change its culture of freedom and responsibility. It clarified how to live it.
Lighten Your Process Burden
Dec 7: Everyone hates oppressive processes, but somehow we keep managing to create them.

Older...

What I'm Reading