How to eliminate automated comment spa

individuality is the key to making spamming not worthwhile. ideally, everyone should come up with their own tools to combat spam and not share their solutions. a spammer would then be forced to customize his script for each blog, thus increasing his efforts probably to the point where he wouldn’t want to spam anymore.
that’s not going to happen. the average user won’t have the knowledge to create his own tools. even most above average to expert users wouldn’t be able to create their own tools because they probably have better things to do with their time.
wide adoption of a certain anti spam tool may incovenience a spammer for a while, but the fact that the tool is widely adopted makes his effort of finding a countermeaure worthwhile. once the tool is beaten, the spammer will be merrily spamming away. you’re doing the spammer a favor when you pre package a tool.

Surely pre-packaging something just makes it the default which spammers will configure their systems to beat. Which once they have makes it useless.

i’ve been suffering from a string of SPAM messages recently and hacked the check_comment function in wp-includes/functions.php to put a comment in the moderator queue if the e-mail domain doesn’t have an MX record. my personal experience of these spam messages is that they assume the worst and include all fields whereas most genuine commentors don’t seem to leave their e-mail. the reason i mention this is because the hack i’ve put in place undertakes a DNS query which slows down page loading by a good few seconds. people posting a comment won’t notice this as the query is bypassed if no e-mail address is provided.
i’m sure that others will have a view on this hack which i insert as the last checks in the function:

// hack to query the MX record for a given e-mail domain
// uses getmxrr (https://uk.php.net/manual/en/function.getmxrr.php) which
// the documentation states shouldn't be used for address validation.
// on the basis that an MX record will typically appear for a valid domain
// it is reasonable to assume that an e-mail address that doesn't hail from
// a domain *with* an MX record *might* be a spammer
//
// RDS - 20/12/2004
$address = Array();
$mxrecords = Array();
$address = split('@', $email);
if (strlen($address[1]) > 0) {
// a domain name was found, check it
if (!getmxrr($address[1], $mxrecords)) {
return false;
}
}


The MX solution is a good idea, but it may also reject legitimate posters. We tried this at work, and we uncovered some flaws.

The MX record effectively is an alias for a general domain name to a specific mail server so that senders don’t have to remember that your mail server is “mymailserver.example.com” when sending email — they can just send to “example.com” and the MX entries for the domain will automatically pull up an email server.

The problem is — as we found out — that there are a fair number of domains out there that do not use MX records. Apparently, it is their policy to specify the name of the actual mail server machine in the address. Thus, as a fallback, you have to query the domain for a DNS A or CNAME record. Most mail transport agents such as Sendmail and Postfix automatically retry for an A if DNS doesn’t return an MX, but it does not look like the getmxrr() function does.

From what I’ve seen, the poker folk like to completely spoof their email addresses, and the domain portion of the address is some odd hexadecimal string that looks like an encryption key. So their addresses will fail no matter what type of DNS record you query for the domain. Its just those folk who come from odd domains that may be affected. (Anyone coming from the RoadRunner domains will definitely be affected, e.g. ny.rr.com, rochester.rr.com, etc.)