Eventually comments have been re-enabled. I first devised a simple solution similar to the one I used to encode email addresses in my site. The text I want to display is not stored in the HTML itself, but obscured and given to a JavaScript function that takes care of decoding and displaying it.
Provided that the “evil one” has a simple HTML parser/scanner, he won’t be able to find the sensitive information.
This assumption proved to be wrong by far. As soon as I put the JavaScript version online, the spam started to flow back into my comments db. Too bad.
I could require a registration and some form of authentication, but this would hamper the number of people willing to leave their comments. So something simpler and as effective should be employed.
Time to study.
Basically I want to distinguish between a human leaving a comment and a spamming robot… sounds familiar. This is, after all, a Turing test. Not a simple matter. Anyway, most of the other sites I saw employ a simple pattern recognition scheme. A pattern (usually a random string) stored in an image is processed to add noise and distortion; the result is supposed to be readable by a human, but hardly recognized by an OCR. Searching Wikipedia I came across this: CAPTCHA. CAPTCHA is shorthand for “completely automated public Turing test to tell computers and humans apart”. Exactly what I need.
The Wikipedia page is well written and lists a number of ready-made packages for most programming languages, PHP included.
I spent some time on veriword. This seems a very complete package, but it proved to be a nightmare to get it working. The example doesn’t work; moreover, digging into the code I wasn’t able to get anything usable as a readable image.
So I went on, having decided not to investigate anything without a properly working example. At last I found GOTCHA that worked instantly out of the box. Some minor modifications were needed to integrate it with my blog… and ta-da. I’m done.
As a side consideration, I have to admit that the idea of hiding information and displaying it through JavaScript is not strong enough. I have not yet got any spam on my email address, which is encoded throughout my site, but this could be just because the visibility of these pages is quite low. I’ll remove the email field from the add comment form in order to avoid emails leaking into the wrong hands 🙁
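The obscure-then-decode scheme from the opening of the post and the closing remark about its weakness, as an added example that is not the author's code. The encoding (shifted, reversed character codes), the `OFFSET` constant, the function names and the sample address are all assumptions, since the post does not say which scheme was used.

```javascript
// Added example. The encoding is an assumption: the post only says the text
// is "obscured" and decoded by a JavaScript function.
const OFFSET = 7; // hypothetical shift applied to every character code

// Build-time side: shifted character codes, reversed, comma-separated.
function obscure(text) {
  return Array.from(text)
    .map((ch) => ch.codePointAt(0) + OFFSET)
    .reverse()
    .join(",");
}

// Browser side: the decoder the page itself has to ship to every visitor.
function reveal(encoded) {
  if (encoded === "") return "";
  return encoded
    .split(",")
    .reverse()
    .map((n) => String.fromCodePoint(Number(n) - OFFSET))
    .join("");
}

// Markup as served: only the encoded form appears in the HTML source.
function renderMarkup(text) {
  return `<span class="obscured" data-enc="${obscure(text)}"></span>` +
    `<noscript>[enable JavaScript to see this]</noscript>`;
}

// Site-owner check: does the served HTML contain a plain address?
// This is all a scanner that never runs scripts gets to see.
function rawSourceLeaks(markup) {
  return /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/.test(markup);
}

const SAMPLE = "author@example.org"; // constructed sample value
const markup = renderMarkup(SAMPLE);

console.log(markup);
console.log("plain address in raw source:", rawSourceLeaks(markup));
// The decoder travels with the page, so any client that executes the
// page's script ends up with the original text. This is obscurity only.
console.log("after the page's script runs:", reveal(obscure(SAMPLE)));
```

The raw-source check passes while the decoded output is the full address, which is the gap the post ran into: the protection only holds against clients that do not run the page's script.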