<?xml version="1.0"?>
<entry xmlns="http://www.w3.org/2005/Atom"><title>A Bold Move To OpenID</title><author><name>Matt Read</name></author><link rel="alternate" href="https://mattread.com/a-bold-move-to-openid"/><link rel="edit" href="https://mattread.com/a-bold-move-to-openid/atom"/><id>tag:mattread.com,2008:a-bold-move-to-openid/1229095297</id><updated>2008-12-12T10:21:37-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2014-10-08T18:55:04-04:00</app:edited><published>2008-12-12T10:24:58-05:00</published><category term="comments"/><category term="openid"/><category term="spam"/><category term="identity"/><content type="html">After deleting thousands of spam comments every week, I got fed up. I went looking for a way to eliminate spam altogether. There are many different approaches that work at completely destroying spam bots: a Honey Pot, [a Habari plugin](http://svn.habariproject.org/habari-extras/plugins/spamhoneypot/) by [Sean Coates](http://seancoates.com/), that adds a CSS-hidden field that only bots would fill in; and encoding the "action" URL and the input elements' names and ids of the submitting form, a technique used by [Prof. Sneddy](http://gsnedders.com), killing all spam bots which don't use an HTML parser (which is all of them). There are others, but those are two that I find work reliably.&#xD;
&#xD;
&lt;img alt="OpenID Logo" src="//mattread.com/user/files/openid.png" class="right"&gt;&#xD;
&#xD;
The above-mentioned methods, however, do not provide any way to authenticate the identity of the submitting comment author. In comes [OpenID](http://openid.net/). Using [OpenID](http://openid.net/) to authenticate that the commenter is who they say they are allows us to ensure that only valid comments are submitted. Since I haven't seen a spam bot with an [OpenID](http://openid.net/), this will absolutely stop them in their tracks.&#xD;
&#xD;
[OpenID](http://openid.net/) also allows us to use heuristics to determine which [OpenIDs](http://openid.net/) can be trusted, and which can be blacklisted. Since every commenter has a unique authenticated [OpenID](http://openid.net/), we can reliably trust repeat commenters and push their comments through the moderation queue; at the same time, we can distrust blacklisted [OpenIDs](http://openid.net/), deleting them immediately, without needing any human interaction to _reliably_ do so.&#xD;
&#xD;
I've decided to jump head first into the deep end, and only allow comments to be submitted using an OpenID Identifier. This means that if you want to submit a comment on my site, you _must_ have an [OpenID](http://openid.net/). There are many people who do not have an [OpenID](http://openid.net/) yet, but for your protection, and mine, I would highly recommend you go out and get one now.&#xD;
&#xD;
I use [Verisign's &lt;abbr title="Personal Identity Portal"&gt;PIP&lt;/abbr&gt;](https://pip.verisignlabs.com/) service for my OpenID provider. The service is still in "beta" (whatever that means nowadays) but I would highly recommend it. They even provide phishing detection, and "Strong Authentication" methods, including Browser Certificates, and their [VIP Credential](https://idprotect.verisign.com/learnmore.v). Go sign up!</content></entry>
