Symphony.

A new Extension, “Can Of Spam Filter” is now available for download. Comments and feedback can be left here but if you discover any issues, please post it on the issue tracker.

Nicely done! For anyone looking to create their own extensions, this is a great extension to pick apart and learn from to understand Symphony's API a little more.

Just activate it and it takes care of all sent events? Is there a way to check if it works? Does it add a cookie or something? 'unique to the person browsing your site' how does this work?

You add it to your event as a filter, when you do that a short piece of documentation gets appended showing you how to use it. If the unique value doesn't match then it creates an error ('Data was identified as spam.') and the event fails.

Thanks rowanjl, but I get an unregistered variable error, as expected because I just added

<input name="canofspam[hash]" value="{$canofspam}" type="hidden" />

To the form.. What value shoud I declare the param? Like so; ?

<xsl:param name="canofspam" select="?" />

Sorry newnomad, I messed up, I've released a new version with correct installation instructions.

I've just released a new version which offers a little more protection against spam attacks.

Can Of Spam Filter updated to version 1.0.4 on 9th of December 2009

As I understand, this extension adds an extra field with a (hashed) value consisting of the visitor's IP. I don't quite see how it's checked though.

Also, can anybody confirm this works with Symhony 2.2?

It's checked in the eventPreSaveFilter function, which is run as a callback of the delegate with the same name.

Guys we've been using can of spam for a couple of years on our corporate website. Its main use was in contact forms some of them AJAX based. We currently have at least 3 interactive items on each page and plan on adding to those. Say chat/request a call/email/subscribe.

How can of spam works is it deletes all entries in db related to an ip per event. That is multiple requests from the same page load will fail (even if the 1st one does not have a can of spam filter enabled) Any idea how we can surpass this limitation?

Say if a user requests a chat; and is told to send an email using the form he would not have to refresh the page; or say he decides to subscribe he would not get an error since the request is identified as spam. Any ideas how we can tackle this?

Just went through our database and noticed we had some 150,000+ entries in the can of spam table. This is probably attributed to the fact that can of spam entries have no time related to them and if a user browses the website and never creates a request his can of spam entry is never deleted. Whilst this would be ok for returning visitors it would be a bit of a problem for one-time visitors as it would create an entry and eventually the table would be going a bit too large.

Would it make sense to have a delegate run only on administrator page load that on a random* basis checks the table for older entries (say a few days) and deletes them?

@davidhund, it's working for me in 2.2.3.

@buzzomatic Is this actively maintained? I find the concept quite simple and elegant for spam protection and therefore I use it a lot in my projects. What about the problem @gunglien described?

@jensscherbl the way we went about it was to disable the extension all together. We were using AJAX to submit requests and once we noticed we still had no spam after disabling it; we never bothered to try fix the issue previously mentioned.

Not sure if the extension has been since updated however on the whole it performs quite well. I noted the above issue as we were having some unrelated performance issues and this came up. Most of the time the size of table will not be a big issue.

Just a FYI: I have enabled the extension but still receive way too much spam on one of my client's sites. I have been looking into it a bit and can't see why this happens.

Manually mucking with the canofspam hash results in a "this is spam" warning, so that works.

However, a lot of spam comes through. Most of those, however, have no data for name and email fields which is strange because these are required. It seems the spammers are able to get around this all somehow :(

No ideas re: my previous comment?

Hmm, that sounds interesting. I don't think it would be this extension per se, but I can't be definite about that.

All I can suggest personally, is to add more spam protection to the form.

;) That's what I'm planning to do (Can of Spam + honeypot) but still: it's weird isn't it? If Spammers, somehow, have access to my event, bypassing the validation, that's worrying…

@davidhund You've probably thought of this, but javascript validation can be bypassed by turning off javascript.