13 Comments


  1. I tested this plugin and it is mostly dead in the mobile era. When you try to unblock a form from a smartphone you will need ages to solve the math (more than one minute on my Android dual-core smartphone). In short, this plugin stops spammers and good comments as well.

    Reply

    1. This is indeed a valid problem today and, depending on the site, might be a reason not to use the plugin. But before you decide, make sure to run statistics on which browsers/devices are used by people posting actual comments. Very likely the majority of mobile users are just browsing (of course it is not universal; it might be quite the opposite).

      Reply

  2. I have a few ideas on how to implement this type of functionality myself, but I need to find the time to implement them :/

    My idea is that if the computer can’t do the calculation in time, then it just gives up and defaults to a CAPTCHA instead. This allows users on even seriously junky hardware to bypass the block, albeit at the expense of needing to answer a CAPTCHA.

    I don’t think this sort of thing should be used as a first line of defense though. There are less problematic ways to block the majority of spam than this. I’d use this sort of technique on top of a bunch of other methods as a last line of defense before resorting to forcing a CAPTCHA on everyone.

    Reply

    1. Someone else is working on similar functionality for Drupal (i.e. hashcash when the browser is capable, and captcha when it is not). But I am concerned that this will undermine security. There are ways to automate captcha solving, but there is no way around solving hashcash… so if you do it – make sure to keep the captcha fallback optional and not turned on by default.

      Reply

      1. You can automate the solving of a hashcash puzzle too :P Solving CAPTCHAs requires processing power too, just like with the hashcash approach.

        Reply

        1. But you can’t change the complexity of the captcha with a simple number adjustment (at least with reCaptcha). There were some plugins which allowed changing the level of distortion, but there is a limit too.

          With hashcash you have flexibility – if you get tons of spam non-stop – you increase the value of complexity. So for example if a spammer posts 1000 messages, and with complexity of 0.01 it takes on a good machine and browser an average of 5 seconds, it takes him 5000 seconds to post it.

          Now you increase it to 0.02 and now it is twice as long, while a regular user has to wait 10 seconds instead of 5. (And I am working on an idea where the calculation will be happening in the background, so the user really will not be waiting for anything in most cases.)

          Reply

          1. You can increase the complexity of a CAPTCHA, but you are correct that there is a limit to how far that can go. Eventually it will just tick the user off. The same applies to the hashcash route though as the user will eventually get sick of the length of time required for the calculation. I’m not sure what would take longer, solving a CAPTCHA or cracking a hashcash.

            If you have any data on that sort of thing, I’d love to hear about it :) At the moment I’m just guessing that they’d be comparable.

            I do intend to cater for your concern though, as I’m intending to have various levels of protection which will automatically ramp up as more spam arrives. If the user reports too much spam, I’ll crank the protection level up a notch. Eventually there would be both a CAPTCHA as well as other various protections to stop whatever hyper aggressive spammer might be attacking your site. I am still a wee way off getting that implemented though.

  3. vprelovac

    What an innovative and possibly game changing approach, once the problems are ironed out. Bravo!

    Reply

  4. Yesterday I brainstormed some ideas on how to make it even less painful for users (including mobile users). The concept will stay the same, but the UX will be different. It should solve mobile users’ pains as well.

    I am going to work on a new version this weekend. Stay tuned :)

    Reply

  5. I’ve used it on a site of mine, and it has decreased the amount of emails I get from Limit Login Attempts to zero. So – for me – it’s a success and a thumbs up.

    Curious to hear about the rev-sharing though :)

    Reply

    1. If you try it, I’d love to hear if it makes you a single cent. I haven’t crunched the numbers on it, but my gut says that there won’t be enough processing power provided via commenters to make any real money from it. Hopefully I’m wrong though. This would be a handy way to bankroll my blog :)

      Reply

  6. This sounds awesome! :D One thing that came to my mind with this thread was whether it would be possible to insert this on the pages that generally do not need to be publicly accessible. Stuff like /plugins and such that bots try to access a lot of times. If this could be done for those sites it would certainly be a game changer :)

    Reply

    1. If the page should not be publicly accessible, then just making it non-publicly accessible seems like a better option than trying to block bots from accessing it.

      Reply
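The tunable-cost argument and the give-up-and-fall-back-to-CAPTCHA idea discussed in the thread above, as an added example (not the plugin's code and not any commenter's). It assumes SHA-256 with a leading-zero-bit target rather than the plugin's 0.01/0.02 complexity scale, and an attempt budget instead of a timer; `solve`, `verify`, `protectForm` and `allowCaptcha` are hypothetical names.

```javascript
const crypto = require('crypto');

// Number of leading zero bits in a hash (Buffer).
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    return bits + Math.clz32(byte) - 24; // clz32 counts within 32 bits
  }
  return bits;
}

// Assumption: the challenge is random, issued per form by the server,
// and accepted only once, so a solved stamp cannot be replayed.
function digest(challenge, nonce) {
  return crypto.createHash('sha256').update(`${challenge}:${nonce}`).digest();
}

// Client: brute-force a nonce. Each extra bit doubles the expected number
// of attempts (2^bits). Gives up once the attempt budget is spent.
function solve(challenge, bits, maxAttempts) {
  for (let nonce = 0; nonce < maxAttempts; nonce++) {
    if (leadingZeroBits(digest(challenge, nonce)) >= bits) {
      return { nonce, attempts: nonce + 1 };
    }
  }
  return null;
}

// Server: checking a stamp costs one hash, whatever the difficulty.
function verify(challenge, nonce, bits) {
  return Number.isInteger(nonce) && nonce >= 0 &&
    leadingZeroBits(digest(challenge, nonce)) >= bits;
}

// What the form does when the device is too slow. The CAPTCHA fallback is
// opt-in and off by default, as one reply in the thread recommends.
function protectForm(challenge, bits, maxAttempts, allowCaptcha = false) {
  const stamp = solve(challenge, bits, maxAttempts);
  if (stamp) return { mode: 'hashcash', ...stamp };
  return { mode: allowCaptcha ? 'captcha' : 'rejected' };
}
```

The server, not the client, has to decide which `mode` it accepts for a given form, and must call `verify` with its own stored challenge and difficulty.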
