Why do important messages end up in my spam?

Are there any flaws in this method of eliminating comment spam?

• http://dendory.net/blog.php?id=5078058e How to easily beat comment spam Blog comment spam is an old problem, and something that's been plaguing the web for a long time. I myself run this blog, along with another web site about art, both of which use my own code but allow people to post anonymous comments, simply by entering a name, comment, and clicking on send. Now, from simply reading that, if you know a bit about how web sites work, you would think that this should be the easiest thing in the world for all the spam bots out there to exploit. But in the many years I've been running both sites, I've never received any spam messages, not one, at least none produced by bots, only the random human-created troll post. Now, if I go to my web hosting logs, I see them trying. In fact on TideArt, they are trying many times every single day, but none of these attempts end up in my moderation queue. So I wondered why that was, and recently decided to investigate, looking at how those things worked, and then I found the reason. These spam bots are unbelievably stupid. The reason I never get spam hitting my comment systems is purely by accident, because of how I created the commenting code. Here's how the comment box looks like for my other site, which allows people to post a name, web site and comment: So as you can see, it's pretty basic code, nothing to write home about. And from reading my comment log, it's clear that all of the spam bots read that from my pages, and use those variables. But as you may notice, there's no submit button. Instead it calls a JavaScript function to post. That's also not unusual, a lot of comment systems use JavaScript to validate input. Let's look at the code: This right here is what fools every spam bot that hit my site so far in the past years. As you may notice, the script actually changes the variable names. Even though the input for your name is name and the one for your web site is site, when the XMLHttpRequest is sent, it renames them to cn and ct. Apparently, nothing out there is able to parse that. This is why even though a lot of spammers are trying to leave junk on my sites, not a single one of them is able to even hit my moderation queue. I hope this helps anyone currently having trouble with spam bots.

• Answer:

  I don't think that blog gets much traffic, and higher traffic blogs usually get a higher quality of spambot. Were this all that is required to prevent spambots, then there'd be no spam anywhere, ever. Circumventing this method is very easy with a bot that's even the least bit above the basic level, so no, this is not a valid way to protect against spambots. The proper way to truly protect against spam are still, unfortunately, captchas and among other things proper authentication measures, CSRF prevention with hashes and whatnot and a protective javascript layer. Bottom line, I don't see what's in that post as spam prevention at all. It's as much spam prevention as a sheet of newspaper can serve as a replacement umbrella. It will filter very few raindrops and then fall apart, but it'll last years if there's no rain.