NYCPHP Meetup

[csnyder]

On 2/11/07, Urb LeJeune <urb at e-government.com> wrote:
>
>  It seem that any form on a web site attracts morons who capricious submit
>  to these forms. I'm not talking about just hitting the submit button but
> rather
>  a fully filled out form.

As some have mentioned, Akismet is a good solution to this, though
people have had problems with false positives, and nothing is more
annoying to a potential customer than having their carefully-crafted
comment blocked as spam.

I'm leaning toward tarpitting as a means of controlling comment spam,
as it seems to be one of the only good ways to control email spam. Too
many form submissions from one IP and suddenly service to that IP
slows to a crawl. Devil is in the details, of course, so if anyone
knows of any implementations of this, please let us know.

For verifying email addresses, checking for MX record is okay but
ineffective if spammer uses any of the millions of domains with valid
mail exchangers. Checking email address using SMTP will fail more
often than not, because these days no reputable mail service will
divulge the existence of a valid account. They respond to these
requests with "maybe the account exists, maybe not, just send the
message and we'll let you know later" messages.

The only way to prove that an email address is valid is to send a
sufficiently hard-to-guess token and have the user check her mail and
give it back to you.


-- 
Chris Snyder
http://chxo.com/