Another comment spam precaution that no longer works out

October 2, 2011

I use a number of comment spam precautions here (although most of the work is done by only one). However every so often one of these clever tricks turns out to be not just useless but a bad idea. One of my most elaborate comment spam precautions here is signing the comment form with various information about the IP address that fetched it. When I came up with this precaution back four years ago, it was clear from my logs that spammers were fetching my 'add a comment' page from one IP address, sitting on it, and then submitting comments from another IP; adding the precaution caught a certain amount of spammers with no false positives that I could see.

Well. That situation has now changed. It's been some time since this precaution has prevented any spam; if spammers are still doing this at all, they're tripping over other precautions first (almost always my honeypot form field). Unfortunately I've now seen two instances where this precaution seems to have misfired, preventing real people from posting actual comments. So out it goes; I can live with inactive and useless comment spam precautions, but not ones that give false positives.

(Unfortunately I fumbled some code when I did this the first time. For semi-obvious reasons testing this case is kind of tricky, but I really should have tried harder.)

I'm not sure why people are hopping between significantly different IP addresses. My current theory is some sort of proxies, possibly for mobile devices and smartphones; if the proxy choice is basically random per request and the proxies are on multiple subnets, it would match what I saw in the logs. The alternate theory is that ISP DHCP servers are giving out significantly divergent IP addresses when people have flaky lines and keep disconnecting and reconnecting.

Comments on this page:

From at 2011-10-02 09:07:37:

The wildy changing IPs and nets thing looks like Tor ( to me. They are providing a list with all currently active proxies which might be helpful. On the other hand, there are legit commenters as well as spammers using Tor so rules relying on matching IPs might be pointless anyway when it comes to Tor users.

From at 2011-10-02 10:27:32:

I'm guessing my IP will change significantly if my smartphone flips from 3G to wifi or vice versa. This happens more often than I would have predicted before I started using it.

Ross Grady

From at 2011-10-02 17:59:04:

I noticed the behavior of changing IP adresses using Opera Mini. It connects via proxy-like servers that pre-renders the page and transfer this down to the phone using some kind of optimized protocol. These servers seem to be accessed using a load balancer, so each new page fetched resulted into a different IP address for the request.

Written on 02 October 2011.
« Understanding a tricky bit of Python generators
My idea of how a modern mailing service should work »

Page tools: View Source, View Normal, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Oct 2 01:45:35 2011
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.