Comment Spam Prevention Goes Nuclear

By on December 28, 2004

Elliot Back has come up with the best anti-comment-spam measure I’ve heard in quite a while.

Taking Matt’s stopgap spam solution, which sends precomputed hashes to be echoed back by the user-agent’s form, I’ve added dynamic generation of the md5 hash. Rather than write it to a hidden field, we wait until the form is submitted to compute the hash. This prevents spammers from automatically scraping the form, because anyone wanting to submit a comment must execute the javascript md5.

Here, as I understand it, is the method:

  • Before the form is generated, the server creates a short MD5 hash and includes it in the comment form. It also includes a JavaScript MD5 hash function in the page.
  • When the user submits the comment form, the browser re-hashes the original MD5 hash using the JavaScript function, producing a new hash. The new hash is included in the post to the server.
  • The server checks that the new hash is the correct result of hashing the original hash.

This ensures that the browser must have executed the JavaScript code. Pretty slick. Of course, if everyone uses it, comment spam tools will quickly be rewritten to handle MD5 hashing, but until then we could enjoy a little spam-free blogging. Well done.
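The three steps above as an added Node.js example (not Elliot Back's code or this site's). The function names, the server secret, the timestamp binding and the ten-minute lifetime are assumptions, added so the server can recognise its own challenge without storing it.

```javascript
// Added example; names, SECRET and MAX_AGE_MS are assumptions, not from the post.
const crypto = require("node:crypto");

const SECRET = "constructed-demo-secret"; // assumption: per-site server secret
const MAX_AGE_MS = 10 * 60 * 1000;        // assumption: form is valid for 10 minutes

const md5 = (s) => crypto.createHash("md5").update(s).digest("hex");

// Step 1: the server creates the hash that is embedded in the comment form.
// Deriving it from a timestamp and a secret makes it reproducible at verify time.
function issueChallenge(now = Date.now()) {
  const mac = crypto.createHmac("sha256", SECRET).update(String(now)).digest("hex");
  return { issuedAt: now, challenge: md5(mac) };
}

// Step 2: what the in-page JavaScript does on submit: re-hash the challenge.
function browserResponse(challenge) {
  return md5(challenge);
}

// Step 3: the server recomputes the expected value from the posted timestamp
// and compares it with the posted response in constant time.
function verifySubmission({ issuedAt, response }, now = Date.now()) {
  if (!Number.isInteger(issuedAt) || typeof response !== "string") return "malformed";
  if (now < issuedAt || now - issuedAt > MAX_AGE_MS) return "expired";
  const expected = Buffer.from(md5(issueChallenge(issuedAt).challenge));
  const got = Buffer.from(response);
  if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected)) {
    return "rejected";
  }
  return "accepted";
}
```

A submission that merely echoes the challenge field back is rejected, and a stale form is reported as expired. Any client that computes the MD5 itself is accepted, which is the limit the post already acknowledges.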

Via Waxy’s Links.



  1. I looked at this just this morning for my personal blog. Sadly, it’s only confirmed to work on IE 5+ and Firefox 1.0+ running on Windows.

  2. Well, it’s only confirmed to work with those browsers, but the javascript is very basic. I don’t see a reason why it wouldn’t be cross-browser friendly.
