[hashcash] Re: Hashcash for Blogs

  • From: John Honan <jhonan@xxxxxxxxxxxxxxx>
  • To: hashcash@xxxxxxxxxxxxx
  • Date: Mon, 30 Aug 2004 00:04:59 +0100

Mitch Denny wrote:

Hi Jonathan,

I just read this post by James Moore:
//www.freelists.org/archives/hashcash/03-2004/msg00003.html

It seems he had an implementation in JavaScript that was quite slow. So
maybe for web-form comments (as opposed to track-backs) the best mechanism
would be what Atom Smasher suggested in the form of a dynamically generated
image which is hard for a machine to parse. Does anyone know of how easily
those are compromised? I'd prefer not to have to have people download a Java
applet to make this work, and most browsers definitely won't let an
externally loaded page query an HTTP server on localhost - that would be a
security violation.

OK, so the way it is panning out is this:

1. Web-form posted comments are filtered using an image verification system.
2. Track-back comments are posted using hashcash. The server can choose to produce the stamps for the posting client (especially if it is via the web-based admin interface), or the client can provide a set of stamps that match the referenced URLs.



Some more suggestions;

If your intention is to slow down the spammer and deter them from spamming your blog then why not just apply a delay at the server end? - Make it pause 15-20 seconds after they hit the 'submit' button before actually posting the comment. Would this achieve the same thing?

Another form of flood protection I've seen on forum software is to limit the number of posts coming from any one IP address. If you try and post again too quickly, it won't allow you (in most cases you have to wait 2 or 3 minutes before you're allowed to post again).

Actually stopping spammers from placing adverts on blogs or forums is quite difficult. As you state on your webpage, they only have to post once, and they end up getting indexed by Google and viewed by possibly hundreds of people. If there is one posting coming from a person, and assuming they're not trying to flood the database, then how do you figure out if it's a genuine poster or a spammer? - In fact, the definition of 'spammer' kind of falls apart in this scenario. Instead of sending out millions of emails, they just make one posting and get it read by hundreds of people!

Another solution is filtering (does the post look 'spammy'?) - Or moderation, where each new post is sent to you first for review/approval before getting added to the blog.

John.
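
The second item of the plan quoted above (track-backs carrying hashcash stamps that match the referenced URLs), seen from the server side, as an added example that is not part of the original thread. It assumes version 1 stamps (`1:bits:date:resource:ext:rand:counter`, SHA-1), the track-back URL as the resource with an empty ext field, and a 28-day validity window; the function names and the `blog.example` URL are hypothetical.

```python
import hashlib
from datetime import datetime, timedelta

def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the front of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(resource, bits, date, rand="c2FsdA"):
    """Client side: search for a counter. Used here only to build a sample."""
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter:x}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1

def check_stamp(stamp, url, min_bits, now, spent, max_age_days=28):
    """Server side: return (accepted, reason) for one trackback stamp."""
    try:
        ver, bits, date, rest = stamp.split(":", 3)
        # URLs contain ':', so peel ext, rand and counter off the right.
        resource, _ext, _rand, _counter = rest.rsplit(":", 3)
        bits = int(bits)
        issued = datetime.strptime(date[:6], "%y%m%d")
    except ValueError:
        return False, "malformed"
    if ver != "1":
        return False, "unsupported version"
    if resource != url:
        return False, "stamp is for a different URL"
    if bits < min_bits:
        return False, "too little work claimed"
    if not timedelta(days=-2) <= now - issued <= timedelta(days=max_age_days):
        return False, "expired or post-dated"
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return False, "hash does not meet claimed bits"
    if stamp in spent:
        return False, "already spent"
    spent.add(stamp)  # one stamp pays for one trackback
    return True, "ok"

if __name__ == "__main__":
    url = "http://blog.example/posts/42"  # constructed sample URL
    stamp = mint(url, 12, "040830")
    print(stamp, check_stamp(stamp, url, 12, datetime(2004, 8, 30), set()))
```

The `spent` set stands in for a persistent store; without it, a single stamp could be replayed for every track-back to the same URL.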
