The Right Glue has undergone an important rite in interactive websites: it has been spammed. To me, this can only mean that my website has a high enough rank on some search engine or spammer hitlist (or however it is that spammers decide whom to spam) to merit being spammed. Someone (or, more likely, somebot) somewhere decided, either consciously or algorithmically, that it would be profitable to fill my site with Cialis ads.
The spam targeted the language trap post specifically, probably because it is the most popular of my individual posts, linked by Gharbad on xkcd's forums. So at least one of my posts is well ranked.
Obviously I can't let spammers have their way with my website, so I have had to put into place some experimental anti-spam mechanisms on the Right Glue. These are some ideas I've had regarding spam protection on anonymous websites that I've never had the opportunity to implement. Luckily I finally have a chance!
I want to avoid as much as possible "active" spam protection (for example, image captchas found on many websites) which requires users to do something extra to prove that they are not, in fact, bots. I don't really like the idea of treating users as if they are guilty of spamming just because there are some bots out there (hereafter referred to as the Microsoft way), since no one really deserves that. Instead I favour a "passive" protection approach, relying on the fact that spam bots are merely algorithms and have no choice but to follow their instructions.
Specifically, I have done two things to fool spam bots. The first is I've hashed the names of POST variables. Spam bots will look at the names of fields and put certain data into them. For instance, the spam bots put words like "John" into fields containing the word "name". By randomizing the names of the fields using a hash function, bots will not be able to identify what type of information goes into which field. Hopefully this will cause the poorer bots to give up. At the very least, it should help make spam that does make it through easier to identify, since fields will be mismatched.
The second thing I have done is a bit more crafty. I have created a regular field in the comment form called "comment". What spam bot wouldn't want to fill such an obvious target? If the server-side comment script determines that something is in the "comment" field, the comment will not be added. The trick is the "comment" field is completely invisible to humans. Only a bot parsing the HTML would see it and fill it in. That way humans can fill in every field they see without trouble. Bots which do the same will fail.
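The two measures described above, hashed POST variable names and the invisible "comment" decoy, can be sketched server-side as follows. This is an added example, not the code running on the Right Glue; the HMAC derivation with a per-form token, the logical fields `name`, `email` and `body`, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)        # assumption: secret that never leaves the server
LOGICAL_FIELDS = ("name", "email", "body")  # hypothetical real fields of the comment form
HONEYPOT = "comment"                        # decoy field, named as in the post


def hashed_name(logical, token):
    """Derive the opaque POST variable name for one logical field of one form."""
    mac = hmac.new(SERVER_KEY, f"{token}:{logical}".encode(), hashlib.sha256)
    return "f" + mac.hexdigest()[:16]


def render_form(token):
    """Build the comment form: hashed real fields plus the hidden decoy."""
    rows = [f'<input type="hidden" name="token" value="{token}">']
    for logical in LOGICAL_FIELDS:
        rows.append(f'<input type="text" name="{hashed_name(logical, token)}">')
    # Hidden from people by CSS, but still present in the markup a bot parses.
    rows.append(f'<input type="text" name="{HONEYPOT}" style="display:none" '
                'tabindex="-1" autocomplete="off">')
    return '<form method="post">\n' + "\n".join(rows) + "\n</form>"


def check_submission(post):
    """Return (True, fields) for a plausible human post, else (False, reason)."""
    if post.get(HONEYPOT, "").strip():
        return False, "honeypot filled"
    token = post.get("token", "")
    fields = {}
    for logical in LOGICAL_FIELDS:
        value = post.get(hashed_name(logical, token))
        if value is None:
            return False, f"missing hashed field for {logical}"
        fields[logical] = value
    return True, fields
```

A bot that replays the fetched form and fills fields by position rather than by name still gets past the hashed names, so the rejection reasons are worth logging to see which measure is doing the work.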
Given time we'll see if these measures work in practice. I certainly hope they do, but if not I will have to do things the Microsoft way. I'll try not to make them too bothersome. Something like "please input the last two words in your comment into this field" to verify you're not a bot.
Here's to the popularity of the Right Glue! May it be the target of more spam in the years to come.