There now follows a brief explanation of the new commenting system put in place on this site.
Firstly, why? Simply put, spam was still getting through. Some of it was mostly harmless and tended to be a useless name quoting some variation of "good site man thx". Harmless, yet still annoying since it was getting published. The remainder of the spam was often using harmless words and linking to a compromised website which contained nasty surprises. Adding the list of compromise websites to the ban list was becoming painful too.
As of 7th July 2008 the following changes have been made:
- a check is made through the browser for a specific cookie containing a unique, randomly-generated code; if the cookie doesn’t exist then one is generated,
- a search for the unique code is performed against a database table; if the code is found then its status is retrieved otherwise the code is inserted along with the ‘pending’ status,
- if the status is ‘pending’ then the comment is put into moderation, if the status is ‘approved’ then the comment is auto-approved and published, if the status is ‘banned’ then the comment is discarded,
- through the admin section I can unmoderate a single pending comment leaving the commenter able to post comments in the future but they will still have to undergo moderation, or I can approve a user meaning all their comments will automatically bypass moderation in future, or I can ban a user from ever commenting.
For regular commenters this will mean that the first time you comment from a specific computer using a specific browser you will need to wait for the comment to be moderated. Subsequently, however, your comments will be published instantly even if you accidentally (or purposely) use otherwise banned words or links. If you use multiple computers or change web browser then this will happen the first time on each machine and browser. If you do not accept the cookie dropped on you (90 day expiration) then this will happen for every comment you post.
Will this stop the spam?
No. I will still see the spam not automatically rejected for using certain keywords and have to delete it. But it should prevent anyone else from seeing any. If some does get through then it should indicate that someone previously approved has a compromised PC and I should be able to notify that person since the unique cookie code will identify it.
Unless I’ve forgotten something obvious.