fíam

I've finished moving some of my git repos to GitHub. You can now check Blango, django-geonames, oauthsp and wapi from there. Those are, from now on, the official repos. The old ones at byNotes have already been closed.

Blango is now hosted at the byNotes source code repository and I'll start doing proper releases soon.

However, I feel like Blango has all I need and I don't see any new features I could add (you can check the current features at the project page. How would you enhance it? Leave a comment with your cool idea!

Latelly I've been hammered with a lot of spam in this blog, so I decided to implement something to prevent it.

As I've previously mentioned, I don't like Akismet because it's too simple. It only tells you if they think the comment is spam, so the best you can do is skip writing comments to the database. It would be nice if it returned a probability, so you could act accordingly. For example, consider the following:

• If spam probability is 50% or below, accept the comment.
• If it's between 50% and 80%, present some validation method to the user. It could be a CAPTCHA or even something more simple like a message telling the user to resubmit the form before 30 seconds, since most of the spam bots wouldn't get that right.
• If it's more than 80%, discard the comment.

But Akismet can't do that, so I will never use it. My initial idea was implementing my own spam detection system but, since developing ffloat.it keeps me busy enough, that's not something I can do for now. However, after reading the suggestion from Scott Lawton and reading the page he mentioned, I found I could write something to prevent most of the spam in less than an hour.

My approach uses two form classes, which you must subclass in your application. And that's all you need! Your forms won't even have any visual impact, since those two classes only introduce two hidden fields and the correspondant validation methods. The process is a follows:

• When you create the form (empty or with data) you need to pass two new variables to it: the remote address which is requesting the page and an identifier. For example, in Blango I use the primary key for the entry.

• The form encrypts the requester IP, the identifier and the current time using a stream crypher and your settings.SECRET_KEY as key and puts it in a hidden field.

• The form adds a textfield (author_bogus_name) with a maximum length of 0 without label and with style set to display:none. Users won't see it, but spam bots will try to put something there.

• Upon form verification, the hidden field is decyphered and the requester address and the identifier are checked for equality. If they match, a time verification is performed: if the user took less than 5 seconds for posting it (wow, too fast typing, isn't it?) or more than an hour (preventing bots for reusing the token in the future), the form won't validate.

I know this method is not perfect, since a spambot could be instructed to circunvent it. But the game consists on being ahead of the spammers, and currently this technique will get you there.

As for the code, it's currently commited to the Blango tree, in the file magicforms.py, but for your convenience I've made it avaible here. Let's see an example from Blango itself:

Before:

class CommentForm(forms.ModelForm):
...
...
comment_form = CommentForm()
if request.method == 'POST' and entry.allow_comments:
    comment_form = CommentForm(request.POST)

After:

from magicforms import MagicModelForm
class CommentForm(MagicModelForm):
...
...
comment_form = CommentForm(request.META['REMOTE_ADDR'], entry.id)
if request.method == 'POST' and entry.allow_comments:
    comment_form = CommentForm(request.META['REMOTE_ADDR'], entry.id, request.POST)

Just remember to use MagicForm if your form inherits from forms.Form and MagicModelForm if your forms inherits from forms.ModelForm. Note also that this code depends on PyCrypto (python-crypto package in Debian and friends).

I've started receiving some spam in comments. I thought it would take longer, since I'm running a custom software, but the bots have been posting no less than five a comments a day since the last week.

My idea is implementing full spam detection, but it's something I don't currently have time for. So, in the meantime, I've implemented disabling comments on a given entry. Usually spammers take some days before starting to hit an entry, so users can leave comments and, when the entry starts receiving only spam comments, I can close it.

I've finally released my git tree for Blango. As I previously mentioned, you need to patch Django in order to make Blango work. I've also published my patches. You need to apply 0003 and 0005.