The site's comment form in `_includes/comments.html` doesn't actually engage two of the spam mitigations the staticomment server is configured to enforce, so they silently do nothing. Spammers are getting through trivially as a result — see recent commits adding `888starz`, `vulkan vegas`, etc. comments (most landing on `2010-01-15-this-post-uses-naughty-words`, which is an SEO magnet for that title).
Gaps
- No honeypot field. The staticomment server defaults to looking for a field named `website` (`STATICOMMENT_HONEYPOT_FIELD`). The form doesn't render one. Server-side `checkHoneypot` only rejects when the field is non-empty, so an absent field looks legitimate — every bot post passes.
- No `_timestamp` field. Same story: server expects it for the "submission too fast" check, but the form doesn't include one. (Server-side, an absent field currently means the check is skipped — that's also a bug to fix on the staticomment side, tracked separately.)
Proposed changes to `_includes/comments.html`
- Add a hidden honeypot input named `website`. Hide it with CSS rather than `display:none` (some bots skip those), and set `tabindex="-1"` + `autocomplete="off"` so real users don't tab into it or have it autofilled.
- Add a hidden `_timestamp` input set via a tiny inline `<script>` at page load (`Date.now()/1000 | 0`). Jekyll renders pages at build time, so a Liquid timestamp would be the build time, not the page-load time — JS is the right move.
Test plan
- Submit a real comment locally — should still succeed.
- Submit with the honeypot filled — should be silently discarded by the server.
- Submit immediately on page load — should be rejected once the staticomment-side timestamp default is also fixed.
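Added example covering both the proposed form changes and the test plan; this is not the site's own `_includes/comments.html` nor staticomment's code. The markup fragment is what the include would gain (field names `website` and `_timestamp` as in the issue), and `screenSubmission` is an assumed model of what the server should do once absent fields are rejected too; the `MIN_FORM_AGE_SECONDS` threshold is an assumption, not a known staticomment setting.

```javascript
// Markup fragment for the two hidden fields. The honeypot is moved off-screen
// with CSS instead of display:none, and kept out of the tab order and autofill.
// The inline script stamps page-load time in whole seconds (Date.now()/1000 | 0).
const HIDDEN_FIELDS_HTML = `
<style>.hp-wrap{position:absolute;left:-10000px;top:auto;width:1px;height:1px;overflow:hidden}</style>
<div class="hp-wrap" aria-hidden="true">
  <label for="website">Website</label>
  <input type="text" id="website" name="website" tabindex="-1" autocomplete="off">
</div>
<input type="hidden" name="_timestamp" id="_timestamp" value="">
<script>document.getElementById("_timestamp").value = (Date.now() / 1000) | 0;</script>
`;

// Assumed minimum age of the form before a submission is accepted (seconds);
// the real threshold is a staticomment setting not given in the issue.
const MIN_FORM_AGE_SECONDS = 3;

// Assumed screening logic mirroring the intended server behaviour after the
// "absent field skips the check" bug is fixed: both fields must be present, the
// honeypot must be empty, and the timestamp must be an integer old enough.
// Returns "accept" or a string naming the rejection reason.
function screenSubmission(fields, nowSeconds) {
  const has = (k) => Object.prototype.hasOwnProperty.call(fields, k);
  if (!has("website")) return "reject: honeypot field missing";
  if (fields.website !== "") return "reject: honeypot filled";
  if (!has("_timestamp")) return "reject: timestamp missing";
  const ts = Number(fields._timestamp);
  if (!Number.isInteger(ts)) return "reject: timestamp malformed";
  if (ts > nowSeconds) return "reject: timestamp in the future";
  if (nowSeconds - ts < MIN_FORM_AGE_SECONDS) return "reject: submitted too fast";
  return "accept";
}

// Constructed stand-in for what the browser submits: a real user loaded the
// page at `loadedAt` and never touched the honeypot; `extra` overrides fields
// the way a bot that fills every input (or a malformed client) would.
function simulateBrowserSubmission(loadedAt, extra) {
  const base = { name: "reader", comment: "hello", website: "", _timestamp: String(loadedAt | 0) };
  return Object.assign(base, extra);
}
```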