nullprogram.com/blog/2009/10/10/
Update: This is referring to my old, hand-written comment system,
before I changed web hosts and switched to external comment hosting.
I started getting Asian spam in my comments in the last couple
days. If you are subscribed to the comments feed you probably noticed
this. The spammer was manually filling out captchas, so this wasn't a
bot but rather a patient human being. Getting tired of removing these,
I set up some filters to silently drop messages that fit certain
criteria. By "silently" I mean the server tells the client everything
went fine but the comment never actually gets written to the database.
The spammer gained nothing except annoying us, because all links in
comments get a rel="nofollow" attribute, which tells search engines to
ignore them. That, plus small readership and captcha-solving, gives
little incentive for spamming.
Well anyway, while I had my sleeves rolled up and my hands on the code
I decided to make some upgrades I have been wanting to do. The e-mail
address is no longer displayed (stupid idea in the first place) but
instead used for a Gravatar
image. You can also specify a home URL, which will be linked from your
name. This makes my comment system work very similarly to what you
find around the web, except that I don't require anything from you but
a captcha and a comment.
I also fixed a small usability issue: when you preview a comment now
it takes you right down to the form rather than leaving you at the top
of the page. The back-end database was also adjusted from the original
pollxn design to scale better as the website grows.
Now, Gravatar is a neat concept but I have two complaints. One, I
don't like centralized systems. It's a single point of failure and a
single point of control. It has privacy issues. It's anti-web. It's
inelegant. Decentralized systems built around self-enforcing protocols
are more robust and democratic.
Luckily, a decentralized version does exist! It's a specification
called Pavatar. The avatar is tied
to a URL rather than an e-mail address. However, it's a bit less
flexible, since it needs to remain simple on the server side. It's
harder to set up and I doubt 99% of the users on the web would be
capable of doing it. What would help Pavatar gain a wider audience
would be Pavatar provider services. Hmmm...
So, I think I might switch it to Pavatar sometime, with a possible
fall-back to Gravatar. That takes significantly more work to set up
than Gravatar does, so it's a future project. And, well, no one uses
it yet either. I actually thought the project was dead until just now
because their website was down the first time I visited it a couple
months ago.
My second complaint is that Gravatar incorrectly assumes e-mail
addresses are not case-sensitive. The domain part is not, but the
local (alias) part is. These two addresses could technically arrive
at two different e-mail inboxes:
chris@example.com
Chris@example.com
Pretty much every e-mail server will treat these as the same address
as a convenience, because treating them differently would just be
confusing, but that's not necessarily the case. Gravatar specifically
says to hash the e-mail in lowercase form, so the unique address
Chris@example.com can't be used with the service.
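To make the collision concrete, here is an added example (my own code, not part of the original post or of Gravatar's software) of the lookup Gravatar prescribes: strip whitespace, lowercase the whole address, MD5 it. The case_preserving_hash function is a hypothetical alternative that lowercases only the domain, to show what a case-respecting scheme would look like.

```python
import hashlib

GRAVATAR_BASE = "https://www.gravatar.com/avatar/"


def gravatar_hash(email: str) -> str:
    """Hash an address the way the Gravatar spec requires: trim
    surrounding whitespace, lowercase the whole string, MD5, hex.
    Because the whole address is lowercased, chris@ and Chris@ collide."""
    normalized = email.strip().lower()
    return hashlib.md5(normalized.encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 80, default: str = "identicon") -> str:
    """Build the avatar URL for a comment author. Note that the hash is
    a fingerprint of the address: anyone holding a list of addresses can
    recompute it and match commenters, so the address is only hidden
    from readers who do not already know it."""
    return f"{GRAVATAR_BASE}{gravatar_hash(email)}?s={size}&d={default}"


def case_preserving_hash(email: str) -> str:
    """Hypothetical alternative (not Gravatar's): lowercase only the
    domain, which is case-insensitive, and keep the local part exactly
    as given, so chris@example.com and Chris@example.com stay distinct."""
    local, _, domain = email.strip().rpartition("@")
    return hashlib.md5(f"{local}@{domain.lower()}".encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # The two addresses from the post: Gravatar maps both to one image,
    # the case-preserving scheme keeps them apart.
    for addr in ("chris@example.com", "Chris@example.com"):
        print(addr, gravatar_hash(addr), case_preserving_hash(addr))
```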
So, go ahead and play in the comments a bit.