Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2013-02-12 10:12:34

etc
Developer
Registered: 2010-11-11
Posts: 5,195
Website GitHub

Are they real?

Until now, Textpattern comments preview feature kept bots away from commenting. But since few weeks some funny comments (-like this one) land on my site. Is there any way for robots to bypass the comment preview, or are these spammers real people?

Last edited by etc (2013-02-12 13:43:02)

Offline

#2 2013-02-12 11:01:58

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,091
Website GitHub Mastodon Twitter

Re: Are they real?

Hi Oleg, you can check their ip either on stopforumspam and project honeypot. The second will actually tell you if the ip is affiliated with a listed bot or not.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#3 2013-02-12 11:16:39

jstubbs
Member
From: Hong Kong
Registered: 2004-12-13
Posts: 2,395
Website

Re: Are they real?

I’m seeing more of these annoying spammers lately on TXP Tips, and I use rah_comment_spam plugin too, which is pretty effective. Think I’ll have the site use the Cloudflare service to see if it stops most of the spammers.

Offline

#4 2013-02-12 11:33:35

etc
Developer
Registered: 2010-11-11
Posts: 5,195
Website GitHub

Re: Are they real?

Thank you both! Yes, this IP is a notorious spammer, but there is no evidence whether it’s a real guy or a bot. Why a real guy would post just doors.txt;5? And if it’s a bot, how has it bypassed the comments preview? Logs would help, but I have turned them off some time ago.

Offline

#5 2013-02-12 11:38:24

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: Are they real?

Any bot is easily capable of bypassing the preview step if the author of the said bot so wishes. After all, the preview is nothing more than an extra page, one more response to handle. The prevention in all that is that the reloaded form comes with a one-use token, that is then validated when the form is sent the second time. Outside from that, there is no prevention of any real kind going on. This just means that any bot would just have to send a second form after the first one. Anyone can write a efficient script that does just that.

In short, the to be honest, the preview step does nothing in the real world. It would do less if Textpattern and its commenting system was used more. The only benefit from the whole process is that it saves database queries since you won’t have to assign those tokens on the initial article page load, but other than that it’s more of an annoyance and makes the commenting system close to useless. Seriously, I wouldn’t recommend using Textpattern’s two-step commenting system if you actual want to get comments. Same goes to use of Textile (note: nobody uses it even that guys like me like it).

Also the whole token/nonce system is bit questionable, and the fact the values are written to the database when the form is loaded. It would be one if those values where permanent (literally once-valid) and used to prevent double posting, but they are not. Instead, Textpattern uses redirects and doesn’t assign those tokens to comments or preserve already assigned values. Meaning, that the token is nothing more than expiring token, which self-exploratory does not need storage — not until a comment is written to the database. Such system does only require a key (random value, written to the database with the comment, preventing using exact same form again), a timestamp (telling the forms creation time) and a private key (used to secure the values by hashing).

Last edited by Gocom (2013-02-12 11:43:34)

Offline

#6 2013-02-12 12:20:36

etc
Developer
Registered: 2010-11-11
Posts: 5,195
Website GitHub

Re: Are they real?

Thank you for explanation, Jukka! If I get it right, there is even no need to write a Textpattern-specific script, a generic form (re)poster would suffice? Then I agree, the preview step is more an annoyance, or it should include some captcha as well.

Offline

#7 2013-02-12 12:37:45

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,091
Website GitHub Mastodon Twitter

Re: Are they real?

Although I used to like the idea of comments when I first started using txp, I gradually moved away from them as they are nightmare (to me anyway) to maintain. I found that using zcr covers most sites needs except for people who wish to use txp as a blog rather than a cms.

I, for one, wouldn’t mind if commenting became an optional plugin and zcr became part of the core, with an option to save what is posted through it in the db.

jukka wrote

Makes much sense. Does this mean that we should expect some radical changes in the next major release?


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#8 2013-02-12 12:43:07

etc
Developer
Registered: 2010-11-11
Posts: 5,195
Website GitHub

Re: Are they real?

Yiannis, does zcr include anti-spam protection? I have never used it, and this question is more theoretical for the moment.

Offline

#9 2013-02-12 12:57:34

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,091
Website GitHub Mastodon Twitter

Re: Are they real?

Hi Oleg, yes it does. In two ways. one via a plugin or, via its internal mechanism where you could have one or combination of compulsory fields/tickboxes/whatever which need to be ‘filled’ before the form is submitted.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#10 2013-02-12 13:13:11

jstubbs
Member
From: Hong Kong
Registered: 2004-12-13
Posts: 2,395
Website

Re: Are they real?

On most sites one does not need comments, but on a site like TXP Tips its an ongoing concern. I’ve just put the site behind Coudflare’s servers so hopefully the spam will be reduced. However, options would be welcome including Disqus or similar – your views are welcome.

I’m personally thinking of moving away from ZCR to a more robust solution such as Wufoo, Formstack (no idea about them, just saw their site after a search) or Machform in the future. ZCR is a pain to customise and it seems more and more dated, f.e HTML 5 elements.

Offline

#11 2013-02-12 13:35:17

etc
Developer
Registered: 2010-11-11
Posts: 5,195
Website GitHub

Re: Are they real?

Jonathan, I have no experience with those, but am globally against delegating essential features to clients (via Javascript). Other the fact that it’s not very standards complying, my pov is certainly influenced by an old iPod that takes ages to download and execute all these scripts.

Offline

#12 2013-02-12 14:01:15

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,091
Website GitHub Mastodon Twitter

Re: Are they real?

jstubbs wrote:

… a more robust solution such as Wufoo, Formstack (no idea about them, just saw their site after a search) or Machform in the future.

I have this thing against using third party online solutions, especially when it comes to emails. (guilty as charged re my gmail account:).


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

Board footer

Powered by FluxBB