Show ’n’ tell X: another comment spam tip

Show-n-tell Thursday logoas readers of various Domino-oriented weblogs know, there has been considerable discussion lately with regards comment spam, and how to deal with it. Over the past two weeks the amount of spam my hand-rolled site receives has really ramped up. Up until this afternoon, I was getting 300 - 400 spam attempts per day. Of these, approximately 1% were actually getting through as I introduced various checks to deal with them (documented here and elsewhere). So, not bad. However, I had another trick up my sleeve, which I finally put in place today. It’s a real doozy if you fancy doing the same:

Change your comment form name.

Ha ha! Yes, I’m serious. Many spam bots post programmatically using a URL that is known to work. Take that away, and these spammers have to play catch-up one more time.

Putting through such a change is fairly drastic just to catch out some spammers, I admit. Probably not a go-er for those who use the standard templates. But for idiots like me, who “roll their own”, eminently do-able, especially if you use something like Teamstudio Configurator to track down and change all the form name references in your database.

A more workable solution (that I may try and implement if I ever get time) is a DXL-based solution that changes the form name throughout the database for you, at the click of a button. Should be pretty straightforward. Since I made the change, the number of spam attempts has fallen dramatically; let’s see if this remains the case (I realise I am really tempting fate with this post, but if it helps reduce spam for someone out there, good!)


  1. One of the 'anti-hacking' measures I've put into several of my Domino sites is a 'Lock' and 'Key' field pair that is checked by the WebQuerySave agent. If the Lock and Key don't match, the agent registers a hack attempt and doesn't save the submission. The 'Lock' field is a totally hidden Form field (i.e. not served with the page, but available via the NotesSession.DocumentContext document after submission). The 'Key' field is a hidden HTML field (i.e. is served with the page and returned upon submission).

    I use it to stop people running my WebQuerySave agents directly, but I reckon you could use this to block CreateDocument or OpenForm actions as well, couldn't you? (I acknowledge I may not have thought this one through … it is late here after all :-D )

Comments on this post are now closed.


I’m a software architect / developer / general IT wrangler specialising in web, mobile web and middleware using things like node.js, Java, C#, PHP, HTML5 and more.

Best described as a simpleton, but kindly. You can read more here.