Evil SPAM Stopped!
A very short while ago I took it upon myself to try to stop the abusive SPAM of this blog software. I seem to have been successful!
Two kinds of SPAM hit this site. Both are annoying and trivial to eliminate.
The first was related to a dynamic list of referrers which the b2evolution authors stopped by not allowing the block to be displayed, thus removing the incentive to SPAM by referrer.
The second kind of unwanted post was related to comments. The software has a relatively open comment policy such that as long as you provide a properly formatted e-mail address, you can post comments. Additionally, the script that entered the comments into the database had a small flaw in that it didn't even trivially authenticate that the user had been a visitor to the site.
A few lines of PHP code added to three scripts and the SPAM has stopped completely!
Essentially, there's a session variable set with each comment page that needs to complement a value submitted with the comment form. Yes, I am giving away the keys to the store, because I'm not sure it can really be circumvented, and I kind of need to issue a smack-down challenge. Now, hacking the database, not the same. Breaking other aspects of Apache/PHP security, also not the same. Submitting comments using the software, without visiting the site, I don't think it can be done any more.
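The session-variable check described above, written out as an added illustration (this is standalone example code, not the eight lines sent to b2evolution and not b2evolution's own implementation; the function names and the `comment_token` field name are assumptions):

```php
<?php
// Added example: a per-session token that the comment form must echo back.
// Not b2evolution's code; function and field names are assumptions.

session_start();

// Called when rendering the comment page: issue (or reuse) a random token
// bound to this visitor's session so it can be embedded in the form.
function comment_form_token(): string
{
    if (empty($_SESSION['comment_token'])) {
        // 32 random bytes -> 64 hex characters, unguessable per session.
        $_SESSION['comment_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['comment_token'];
}

// Hidden input to drop into the comment form's HTML.
function render_hidden_token_field(): string
{
    $token = htmlspecialchars(comment_form_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="comment_token" value="' . $token . '">';
}

// Called by the script that stores the comment, before touching the database.
// Returns true only when the submitted value matches the session value.
function comment_token_is_valid(array $post): bool
{
    $expected = $_SESSION['comment_token'] ?? '';
    $given    = $post['comment_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        // No token was ever issued to this session, or none was sent:
        // the poster never loaded the comment page from this site.
        return false;
    }
    // Constant-time comparison so the token does not leak through timing.
    return hash_equals($expected, $given);
}

// In the comment-handling script:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!comment_token_is_valid($_POST)) {
        http_response_code(403);
        exit('Comment rejected: form was not loaded from this site.');
    }
    // Rotate the token so each form load yields a fresh value.
    unset($_SESSION['comment_token']);
    // ... proceed to validate the e-mail address and store the comment ...
}
```

Because the token lives in the server-side session and is only ever handed out when the comment page is rendered, a client that posts directly to the comment script without first fetching the page has nothing to present.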
I've sent the eight lines of code to the b2evolution maintainers, and hopefully something will be done about the open comment forms so I don't have to recreate my fix with each future version.