
The spambots have found me


Feature Upvote has started to get a few spam comments every day, and I suspect it will quickly rise. I expected from day one that sooner or later I’d have to deal with this problem. That’s okay by me - I enjoy a good technical challenge like this.

I’ve been investigating using the Akismet spam detection API to help with dealing with the problem. You send it a newly posted comment via a POST endpoint, and it tells you either “true” or “false”. So far I really like it.

What’s been your experience with dealing with comment spam? And with Akismet in particular?


ASP.NET AJAX Control Toolkit has provided similar functionality since 2007. The corresponding component was called NoBot. Here is the link http://www.ajaxcontroltoolkit.com/NoBot/NoBot.aspx but it appears to be a bit dysfunctional now.

“NoBot is a control that attempts to provide CAPTCHA-like bot/spam prevention without requiring any user interaction. This approach is easier to bypass than an implementation that requires actual human intervention, but NoBot has the benefit of being completely invisible.”

If you are brave enough to dig inside NoBot’s code, you’ll get the job done. Basically it does a bunch of server and client side checks. They all appear to be fully transparent to the human user.

Works like a charm even now, 10 years later.

Update: found the relevant source code at https://github.com/DevExpress/AjaxControlToolkit/tree/master/AjaxControlToolkit/NoBot


Before you use Akismet you can add some more simple protection mechanisms that block bots that are not using a full-fledged browser (this might change once spambots start using Chrome headless):

  • Add hidden inputs into the form called “url” and “email” if you don’t use them yet, and check that they are empty on the backend. Only bots would provide values here.
  • Render parts of the form with JavaScript on document ready, for example a hidden input with a hash that is verified on the backend, or change the form action with JavaScript to another endpoint, then consider comments that are sent to the original endpoint spam.
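
A backend check for the two mechanisms in the post above, as an added example that is not part of the original thread. The `js_token` field name, the HMAC-over-timestamp construction, the one-hour expiry and the secret key are assumptions made for illustration; the post only says "a hash that is verified on the backend".

```python
import hashlib
import hmac
import time

SECRET_KEY = b"replace-with-a-random-server-side-secret"  # assumption: never sent to the client
HONEYPOT_FIELDS = ("url", "email")  # decoy inputs named in the post, hidden from humans
MAX_TOKEN_AGE = 3600  # assumption: seconds a rendered form stays valid


def _sign(form_id, ts):
    return hmac.new(SECRET_KEY, f"{form_id}:{ts}".encode(), hashlib.sha256).hexdigest()


def issue_token(form_id, now=None):
    """Value the page's JavaScript writes into a hidden input on document ready."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_sign(form_id, ts)}"


def token_is_valid(form_id, token, now=None):
    """Verify the signature in constant time, then reject expired or future tokens."""
    ts, _, sig = (token or "").partition(":")
    expected = _sign(form_id, ts).encode()
    if not hmac.compare_digest(expected, sig.encode("utf-8", "replace")):
        return False
    # The signature matched, so ts is a digit string this server issued.
    age = (time.time() if now is None else now) - int(ts)
    return 0 <= age <= MAX_TOKEN_AGE


def classify_comment(form, form_id, now=None):
    """Return (is_spam, reason) for a dict of submitted form fields."""
    for name in HONEYPOT_FIELDS:
        if (form.get(name) or "").strip():
            return True, f"honeypot field '{name}' was filled in"
    if not token_is_valid(form_id, form.get("js_token"), now):
        return True, "JavaScript-rendered token missing, forged or expired"
    return False, "passed"


if __name__ == "__main__":
    token = issue_token("comment-42")
    # Constructed sample submissions: a browser user, a form-filling bot, a no-JS bot.
    samples = [
        {"body": "Nice feature!", "url": "", "email": "", "js_token": token},
        {"body": "cheap shoes", "url": "http://spam.example", "js_token": token},
        {"body": "cheap shoes", "url": "", "email": ""},
    ]
    for form in samples:
        print(classify_comment(form, "comment-42"))
```

Binding the token to a form id and a timestamp keeps a value scraped from one page from being replayed indefinitely against another.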



Thanks @DiSchwarz and @Benjamin_Eberlei. Your suggestions are helpful. I like that they don’t require a dependency on a realtime API.


Something I’ve found helpful is to detect the country from the submitting IP (I use Maxmind GeoIP), and watch for trends. Over the years I’ve found some countries with a 100% spam rate (or at least, 100% unconstructive), and I redirect submissions from countries with high spam rates into a manual review area. I’m sure that will be controversial, but it’s had the biggest impact on reducing my spam fighting workload.

Beyond that, I also have a lot of keyword filters for common spam phrases, which I tweak whenever something gets through.

I also tried IP lookups with Project Honeypot and some other spam blacklists, but I ultimately turned them off for too many false positives.


@Benjamin_Eberlei has it nailed. We used this method to protect unauthenticated commenting on a very large web portal that was getting 10 million comments a month. Most effective when the fields are set with type of text and hidden with CSS.


Totally concur with this. The honeypot technique @Benjamin_Eberlei lists is far more effective than you’d expect.

I also punish comments that contain more than 3 links. And I keep a list of “stop words” such as “N*ke shoes” or Printer supplies, that have appeared in spam comments before. I do IP-banning as well.


After implementing your suggestions, comment spam has stopped. Thanks all!