A comment spam precaution that didn't work out

Every now and then I try a comment spam precaution and it backfires on me. So let me amend my previous remarks: it turns out that refusing comments from people that are on the XBL is a bad idea.

It's a superficially attractive idea, which is why I implemented it way back when; the XBL is (theoretically) listing addresses of compromised machines and open proxies, and I have seen comment spam attempts from XBL-listed IP addresses. But the XBL itself contains warnings against this sort of usage, and in practice I don't think the XBL check ever did anything, because all the comment spam got dealt with by earlier precautions.

Then today, the problem with this was unpleasantly illustrated when a would-be commentator had their legitimate comment blocked because they had an XBL-listed dynamic IP address (likely because they'd inherited it). Whoops, and clearly wrong.

(Worse yet, I didn't think the possibility of a misfire was high enough to warrant giving a clear error message. Which is stupid, all things considered; the kind of spammer that uses open proxies is not the kind that actually reads the web pages that they get back.)

All in all, a humbling mis-judgement. I've pulled the code until I can reform it (I think I still want to block any comment attempts from SBL-listed IP addresses, although I may be wrong about that too).

(And I apologize to the unknown person today who got hit by this, if they happen to still be reading.)
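
The policy this entry ends up at (refuse only SBL-listed addresses, never refuse on an XBL listing alone, and always say why) can be sketched as follows. This is an added example, not the blog's own code; it assumes lookups against the combined `zen.spamhaus.org` zone with Spamhaus's published return codes, and the function names and sample answers are hypothetical.

```python
import ipaddress
import socket

# Return codes published by Spamhaus for the combined zen.spamhaus.org zone.
# Other answers (PBL, 127.255.255.x query errors) match neither set and are ignored.
SBL_CODES = {"127.0.0.2", "127.0.0.3"}
XBL_CODES = {"127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"}

def dns_a_records(name):
    """Live resolver: every A record for name, or [] when there is none."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def listings(ip, resolve=dns_a_records, zone="zen.spamhaus.org"):
    """Return the subset of {'SBL', 'XBL'} that lists this IPv4 address."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on junk input
    if addr.version != 4:
        return set()                         # IPv6 uses a different query name
    qname = ".".join(reversed(str(addr).split("."))) + "." + zone
    answers = set(resolve(qname))
    found = set()
    if answers & SBL_CODES:
        found.add("SBL")
    if answers & XBL_CODES:
        found.add("XBL")
    return found

def comment_decision(ip, resolve=dns_a_records):
    """Hypothetical policy hook: returns (allowed, message shown to the commenter)."""
    hits = listings(ip, resolve)
    if "SBL" in hits:
        return False, ("Comment refused: %s is on the Spamhaus SBL. If this is "
                       "a mistake, please contact the site owner." % ip)
    # XBL-only hits are allowed: dynamic addresses get inherited by innocent people.
    return True, ""

# Constructed answers (documentation addresses) so the example runs offline.
CONSTRUCTED = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],                 # XBL only
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.2"],               # SBL
    "5.113.0.203.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],  # XBL + PBL
}

def fake_resolve(name):
    return CONSTRUCTED.get(name, [])
```

Passing `fake_resolve` keeps the run offline; leaving the `resolve` argument out performs real DNS queries.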

This is part of CSpace, and is written by ChrisSiebenmann.

Written on 03 December 2007.
Last modified: Mon Dec 3 23:26:48 2007