Spam attack on comments

comdespagne
Regular
Posts: 19
Joined: Mon Jul 02, 2007 4:49 pm
Location: France

Spam attack on comments

Post by comdespagne »

Hello,

I've got this problem that is puzzling me.

Some people are using my contact form or comments form to send spam.

As they post a comment on my blog, an email is sent to me and another one is sent to the actual sender, but they actually use this function to send an email to another addressee.

My question: Is it possible to make serendipity stop sending confirmation emails to senders?

Is this clear?

Thanks for your help.

ComDesp
onli
Regular
Posts: 3044
Joined: Tue Sep 09, 2008 10:04 pm

Re: Spam attack on comments

Post by onli »

Don't the comments have any characteristics of spam, like an empty body, and the spammers are not caught by Akismet?

You can prevent the subscription to comments in configuration -> general setting -> Allow users to subscribe to entries
sincerely
comdespagne
Regular
Posts: 19
Joined: Mon Jul 02, 2007 4:49 pm
Location: France

Re: Spam attack on comments

Post by comdespagne »

Weird, the function is disabled (set to "no") and yet it keeps sending notifications.

Is there any other place in the back office to set email notifications? I keep searching, I can't find any.

Thanks,

ComDesp
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: Spam attack on comments

Post by garvinhicking »

Hi!

Check the spamblock plugin, did you enable the confirmation of sent comments there? That would be the only way that mails would be sent, but with a fixed content and not a selectable comment by website visitors...

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
fastforward
Posts: 3
Joined: Thu Oct 29, 2009 1:45 pm

Re: Spam attack on comments

Post by fastforward »

Hello.
Sometimes it happens that a notification mail comes, but when I open the link, the message shows that there is no special request you give. Is it due to spamming or other technical fault?
R4
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: Spam attack on comments

Post by garvinhicking »

Hi!
fastforward wrote: Hello.
Sometimes it happens that a notification mail comes, but when I open the link, the message shows that there is no special request you give. Is it due to spamming or other technical fault?
Sorry, that doesn't make sense to me, can you be more specific what you mean?

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
nealk
Regular
Posts: 29
Joined: Sun Sep 20, 2009 1:09 am

Re: Spam attack on comments

Post by nealk »

I had this exact same problem.
I fixed it in my template commentform.tpl file.

Here's the hack: use JavaScript to draw the submission form.
The spambots don't process JavaScript, so they don't see the form.
However, real people will use real browsers and will be able to see and use the form.

My template looks like:
====================
<script>
// Form markup with ( ) standing in for < >, so the page source holds no literal form tags.
var V='(div id="serendipityCommentFormC" class="serendipityCommentForm") \
(div id="serendipity_replyform_0")(/div) \
(a id="serendipity_CommentForm")(/a) \
(form id="serendipity_comment" action="{$commentform_action}#feedback" method="post") \
...
(/form) \
(/div)';
// Turn the parentheses back into angle brackets, then write the form into the page.
V = V.replace(/[(]/g,unescape("%3c"));
V = V.replace(/[)]/g,unescape("%3e"));
document.write(V);
</script>
====================
Notice how I replaced all the HTML < > with parentheses. The slash at the end of the line just keeps it all in one JavaScript string. Then I just used replace() to convert them all back to < >, and write the HTML string to the document.

The problem of parsing JavaScript is NP-Complete (oh gawd, that computer science education is showing). If the bots ever parse it for the submission form, then all I need to do is make it a little more complicated for them. :-)

Since doing this, my comment spam has dropped to zero.
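
Added example, not part of nealk's post and not Serendipity code: drawing the form with script hides the markup, but it does not by itself make the server refuse a post that arrives without the script having run. One way to tie the two together is a signed, timestamped token that the script puts into a hidden field and the server checks before sending any mail. The field name `form_token`, the `@TOKEN@` placeholder, the secret and the time limits are assumptions made for this sketch.

```javascript
// Added example: not Serendipity code; every name below is hypothetical.
const { createHmac, timingSafeEqual } = require("crypto");

const SECRET = "constructed-demo-secret"; // assumption: per-site server secret
const MIN_FILL_MS = 3000;                 // assumption: shortest plausible typing time
const MAX_AGE_MS = 60 * 60 * 1000;        // assumption: token lifetime of one hour

function sign(issuedAt) {
  return createHmac("sha256", SECRET).update(String(issuedAt)).digest("hex");
}

// Server side: token placed into the script that draws the form.
function issueToken(now) {
  return now + "." + sign(now);
}

// Client side, as in the post: parentheses become angle brackets. The token
// lands in a hidden field that exists only once the script has run.
function renderForm(template, token) {
  return template
    .replace(/[(]/g, "<")
    .replace(/[)]/g, ">")
    .replace("@TOKEN@", token);
}

// Server side: classify a submitted field set before any mail is sent.
function checkSubmission(fields, now) {
  const token = fields.form_token;
  if (typeof token !== "string") return "missing-token";
  const [ts, mac] = token.split(".");
  const issuedAt = Number(ts);
  if (!Number.isSafeInteger(issuedAt) || !mac) return "malformed-token";
  const expected = Buffer.from(sign(issuedAt), "hex");
  const given = Buffer.from(mac, "hex");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return "bad-signature";
  }
  const age = now - issuedAt;
  if (age < MIN_FILL_MS) return "too-fast";
  if (age > MAX_AGE_MS) return "expired";
  return "ok";
}

// Constructed sample template in the post's parenthesis notation.
const TEMPLATE = '(form method="post")(input type="hidden" name="form_token" value="@TOKEN@")(/form)';
```

Anything other than `"ok"` can be dropped or held for moderation, so no confirmation mail goes out for it.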
kleinerChemiker
Regular
Posts: 765
Joined: Tue Oct 17, 2006 2:36 pm
Location: Vienna/Austria

Re: Spam attack on comments

Post by kleinerChemiker »

nealk wrote:I had this exact same problem.
I fixed it in my template commentform.tpl file.

Here's the hack: use JavaScript to draw the submission form.
The spambots don't process JavaScript, so they don't see the form.
However, real people will use real browsers and will be able to see and use the form.
Real people with real browsers sometimes turn off js or use addons like "noscript" for ff. And of course there should be handicapped people that use screenreaders. So you may get rid of the spam, but maybe also lose some readers or at least some comments from real people.
nealk
Regular
Posts: 29
Joined: Sun Sep 20, 2009 1:09 am

Re: Spam attack on comments

Post by nealk »

kleinerChemiker wrote:
nealk wrote:I had this exact same problem.
I fixed it in my template commentform.tpl file.

Here's the hack: use JavaScript to draw the submission form.
The spambots don't process JavaScript, so they don't see the form.
However, real people will use real browsers and will be able to see and use the form.
Real people with real browsers sometimes turn off js or use addons like "noscript" for ff. And of course there should be handicapped people that use screenreaders. So you may get rid of the spam, but maybe also lose some readers or at least some comments from real people.
Many years ago, I recommended that people disable JavaScript due to security issues.
Today, most of the security issues have been fixed. (It has been quite some time since I heard about any kind of new JavaScript exploit.) Meanwhile, so many websites use JavaScript that the majority of web content becomes inaccessible if you have it disabled.

So while turning off JS was a good idea 10 years ago, it isn't practical today. Also, most home users are not techies and wouldn't know how to begin disabling JS. So this requirement isn't too extreme.

Second, with regards to usability. There have been some great strides made in screen reading technology for web browsers. I have a blind friend (well, legally blind -- he still can see if he is within 1 inch of the screen). He's had no problem with web sites that use Javascript to render text.
kleinerChemiker
Regular
Posts: 765
Joined: Tue Oct 17, 2006 2:36 pm
Location: Vienna/Austria

Re: Spam attack on comments

Post by kleinerChemiker »

Ok, maybe screenreaders are quite good today.

But the days to turn off JS aren't over yet. Just 2 days ago MS admitted a bug in IE that can be exploited with the use of JS. The FF extension "NoScript" has over 57 million downloads and is the 3rd most downloaded extension. So I won't say that turning off JS isn't used anymore. That many pages are a pain in the ass and force you to use JS and cookies is true, but that's no excuse to do the same ;) In my opinion JS can make sites better, but they should still work without JS.

just my 2 cents