Simple explanation of how blogengine fights SPAM comments?

Topics: Controls
Aug 16, 2007 at 12:04 PM
Hi everyone, I was wondering if someone could write a simple explanation of how blogengine fights comment SPAM? I think like many moderately geeky bloggers who came to use blogengine I naively assumed that because it doesn't use Akismet and doesn't require user registration by default - there is no comment SPAM protection.

I have read through the documentation and forums and it appears this is not in fact the case, although I am not entirely clear how the protection works (perhaps because I am not entirely clear how automated comment SPAMming works I admit!). Invisible captcha sounds a bit like an oxymoron and I am not sure why using AJAX in the comment form would stop an auto-SPAMmer. Again I admit this is more than likely due to my ignorance of how comment SPAMming works, but I suspect I am far from alone here.

I think a simple explanation would be great and if there is protection there it should be highlighted and explained clearly in the features list as it is in an important control mechanism. It may also stop "Need Akismet!" feature requests ;)

Happy blogengine user http://tigwell.net
Coordinator
Aug 16, 2007 at 1:09 PM
Well, first off BE uses the event validation feature of ASP.NET to stop spam bots in posting comments as explained here http://blog.madskristensen.dk/post.aspx?id=5b5c718d-1b09-4a42-8e09-d78f67085a09

The invisible CAPTCHA is only used when a browser doesn't understand XMLHttpRequests and it ensures that the client supports javascript. This is to over-ensure that no spam bots can post comments even if they can bypass the event validation. See http://blog.madskristensen.dk/post.aspx?id=67accd78-1848-4811-9734-7052d6d745fe

If the spam bot does accept XMLHttpRequets then BE uses AJAX to submit the comment. In that case it doesn't use the invisible CAPTCHA, but it still uses the event validation.

Basically, BE is very well protected against spam bots and to this date, I haven't gotten a single spam comment whereas I used to get many a day on my old DasBlog installation. Akismet will not be implemented as part of the core until spam bots learn to bypass the BE protection and I don't expect that to happen any time soon. You can alsways create an extension for the 1.2 release that uses Akismet if you wan't, but wait until it becomes an issue before using time to develop it.

Hope it helps