And another thing is maybe if we disable the website param for comments the spam would stop, i mean if a user was a true user i don't think having their website in their comments matters...

to reiterate: spammers dont care if you disable links, use no_follows, etc.. its a game of numbers. They hit 10000000 sites, 10% success is good, 90% is better.

The ONLY way to not have spammers hit your site is to not have a web site. Why do you think so many people see hits to non-existant guestbooks or forums on their site? Spam is random by definition. Anything else is a Denial of Service attack.

what can be done is to minimize effects, and block accordingly at the highest level one has available.

So couldn't you keep the url textbox open then and then a message next to it and say if you give us a url then your comment will fail.

A bot wouldn't know to read the warning first.

are we in agreement that we are working on minimizing the effects of spam? :P

you could do all sorts of things :) I send all comments that contain more than 3 links to /dev/null, for instance. Its possible with a little code changing to send comments that contain "this", "that", or "other" or dont include "this", "that", or "other" to somewhere else.

All you need to do is parse the submitted comment.

good comment -> keep going
bad comment -> disregard, move on.

Yer we are in agreement ;)

Hold up, if i have a display:none textfield called website, would the bots still put a value in it.... If so then there wouldn't be a need for the warning message...

balupton, nice idea with the hidden field, but I guess most spammers only use pre-defined fields anyway. They probably detect, which software gets used and re-act on that.

But, using different names for fields randomly (and storing the real name in $Session for the current user) mixed with fields that get ignored and are hidden by CSS, could make them fail.

OTOH, a simple 'style="display:none"' can get easily parsed by bots (and ignored) and you'll annoy non-CSS-capable browsers.

just my 2c.

Yer... not sure wether were on the same track...

What i was saying is so you could have;

<input type="text" name="website" style="display:none;" />

or even

<input type="text" name="website" maxlength="0" value="ignore me" />

And just make it so on server side if a comment contains a website then they are obviously bad.

And make it so only registered users have the privellege of having their website in their comments.

But for non css compliant browsers, surely their not still around...

EDIT:
well as for the bots detecting the website is bad thing, surely the bots would continue onto the next site because its just a waste of time posting comments that don't have a link to their website...

What about using that hidden field with a simple math question, filled in by javascript?

I proposed this here;
http://forums.b2evolution.net//viewtopic.php?t=7053

The above one will not work as most bots do not run by clicking submit, they work by getting the form values and then submitting a form to wherever it needs to go.

You will also have compatiability issues with users that do not have javascript enabled.

But i think this [no website] method is quite good.