ergophobe - 4:06 pm on Oct 1, 2008 (gmt 0)

I am concerned about JS being turned off and if someone will turn it on to make a comment.

That's the big drawback to haschash. Being that I was drowning in spam, I was willing to pay that price.

The cell phone question is an interesting one. How many people have non-JS-enabled browsers on their cell phones? Do you have any idea?

The best stats I could find say that about half of the mobile visitors have JS-enabled browsers (that's from oct 2007). So I guess it depends on how many you get. I don't get many, but the nubmer is growing. It's growing, however, because of iPhone and others with powerful browsers.

You could make hashcash degrade nicely by demanding some other proof of work that requires user interaction, but if Javascript is available, that field gets hidden and automatically filled in. Or you could treat hashcash success as a free pass, while failure just flags a post for review.

I suppose it depends on your user profile and how hard you're being hit by bots. If you dont' have much spam and you have a lot of users without JS, then Akismet or similar is probably less work in the end.

One other option that I've seen people use is a hidden form field. If the user has a CSS-enabled browser, the field doesn't show. If there's a problem, the field says something like "Do not fill in this field unless you are a spammer". If the form is submitted with a value in that field it gets treated as a bot submission. I have no idea if it works or not. Do spambots automatically fill in every field on a form? Not sure they do.

I agree Akismet is pretty good and I still have it as a second layer of defense on one site, but the spam queue is largely empty after installing hashcash. My issue is that there are occasional false positives that get flagged for review. If you don't have a lot of spam, you can just review these and approve them. For me there are two issues though
- comments that get flagged as spam or flagged for review sit in the queue and if you aren't checking your queue frequently, users might wonder where their comment is.

- if you have tons of spam it's just too time-consuming to go through your spam logs every time and so I tend to just "delete all". The other day I was on a slow dialup and purged my spam queue (drupal spam module, not Akismet, but it also rarely has false positives). Given the slow connection, after I pushed the "delete all" button and as I was waiting for the system to respond I was looking at the screen and noticed a legitimate comment and it was too late. Who knows how many of those I've deleted? Probably not many. In this case, I had time to make a mental note of the subject and sender and that person had also sent an email through my contact form, so all was good. But I just find it onerous to check my spam logs.