5

We have been seeing a number of spam product reviews in our Magento store. I recently installed the Fontis reCaptcha extension to add a reCaptcha form to the reviews form. In all my testing, this works great. A "real" user can't submit the form without filling out the reCaptcha portion. However, this hasn't fixed the problem. We are still getting spam reviews. Interestingly, these spam reviews also don't have a star rating. Somehow, these spam bots are able to submit a review without all the required information and completely circumvent the reCaptcha code. Any thoughts on how I can fix this?

I also tried creating a simple script that would submit the form fields for a review to the form's action URL in an attempt to bypass the logic (see below). I am either unable to get it to work or it simply can't be done, but I always get redirected to a "Please enable cookies" page.

Review Form Submission Test

```php
<?php
// Test script: POST the review fields straight to the review form's action URL.
$curl_connection = curl_init('http://my.domain.com/review/product/post/id/2587/');

curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($curl_connection, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);
// No CURLOPT_COOKIEJAR/CURLOPT_COOKIEFILE is set, so cookies are neither stored nor sent.

$post_data = array();
$post_data['ratings[5]'] = '21';
$post_data['nickname'] = 'mynick';
$post_data['title'] = 'my title';
$post_data['detail'] = 'My Review Content';

// http_build_query() URL-encodes keys and values (e.g. the space in 'my title').
$post_string = http_build_query($post_data, '', '&');

curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post_string);

$result = curl_exec($curl_connection);

echo "Curl Info:<br><pre>";
// print_r() with true as its second argument returns the dump, so echo it.
echo htmlentities(print_r(curl_getinfo($curl_connection), true));

curl_close($curl_connection);

echo "<br>Result:<br>" . htmlentities($result) . "</pre><br>";
?>
```
Mageician
  • The problem isn't here, it seems, but in the file corresponding to /review/product/post/id/2587/. – axiomer Feb 10 '12 at 17:32

4 Answers

0

Testing Review Submit is easier with Varien_Http_Client (Zend_Http_Client)

```php
<?php
include 'app/Mage.php';
Mage::app(); // for autoloading :)

// POST the review fields to the review controller without a captcha response.
$client = new Varien_Http_Client('http://your-url.com/review/product/post/id/2/');
$client->setMethod(Varien_Http_Client::POST);
$client->setParameterPost('nickname', 'test');
$client->setParameterPost('detail', 'detail');
$client->setParameterPost('title', 'test');
// Send a cookie and keep a jar for the cookies the store sets.
$client->setCookie('test');
$client->setCookieJar(true);
/** @var $response Zend_Http_Response */
$response = $client->request();

echo $response;
```

Without reCaptcha, it adds the review.

With the Fontis reCaptcha module I just downloaded (version 2.3.1), it returns an "incorrect reCaptcha" error.

If you are using the same version of this module and the same Magento version (1.6.2.0), I would consider searching the server log for the 'evil' POST request and examining the entry point.

Jakub Šimon
  • Thanks for the info on testing the review submission through Varien classes. That seems to be working, however the response that is echoed to the page is gibberish (looks like it's printing a binary file as text). Is there something I can do about that to make it readable? – Mageician Feb 14 '12 at 16:12
  • `echo $response` calls `$response->__toString()`, which prints both the headers and the body of that response. With `echo $response->getRawBody()`, you can get the output without the headers and it should display in the browser correctly (works for me in Chrome). Anyway, this was not the point of my effort; the response shows only an error message, which confirms that the captcha module is working – Jakub Šimon Feb 16 '12 at 15:56
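
The server-log search suggested in the answer above, sketched in Python as an added example (it is not code from any poster on this page). It assumes an Apache/nginx "combined" access log; the sample lines, the `/index.php/` route variant and the "no prior GET or empty Referer" heuristic are constructed assumptions, and the search goes slightly beyond the one URL in the question by listing every POST route whose path mentions `review`.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Feb/2012:17:01:02 +0000] "GET /some-product.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2012:17:02:10 +0000] "POST /review/product/post/id/2587/ HTTP/1.1" 302 0 "http://my.domain.com/some-product.html" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2012:17:05:00 +0000] "POST /review/product/post/id/2587/ HTTP/1.1" 302 0 "-" "-"
203.0.113.9 - - [10/Feb/2012:17:05:01 +0000] "POST /index.php/review/product/post/id/14/ HTTP/1.1" 302 0 "-" "-"
203.0.113.9 - - [10/Feb/2012:17:05:02 +0000] "POST /review/product/post/id/31/ HTTP/1.1" 302 0 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def review_posts(log_text):
    """Return (entry_points, suspects) for POSTs whose path mentions 'review'."""
    seen_get = set()             # clients that fetched at least one page first
    entry_points = Counter()     # normalised POST path -> number of hits
    suspects = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # skip lines that are not in combined format
        ip, method, path = m["ip"], m["method"], m["path"].split("?")[0]
        if method == "GET":
            seen_get.add(ip)
        elif method == "POST" and "review" in path.lower():
            # Collapse numeric ids so each distinct route is counted once.
            entry_points[re.sub(r"/\d+(?=/|$)", "/N", path)] += 1
            # A browser loads the form (GET) before posting; a script need not.
            if ip not in seen_get or m["referer"] in ("", "-"):
                suspects[ip].append((m["ts"], path))
    return entry_points, dict(suspects)

if __name__ == "__main__":
    routes, suspects = review_posts(SAMPLE_LOG)
    for route, hits in routes.most_common():
        print(f"{hits:4d}  POST {route}")
    for ip, hits in suspects.items():
        print(f"{ip}: {len(hits)} review POST(s) with no prior GET or no Referer")
```

Any route in the first list that the captcha module does not cover is a candidate entry point; the second list gives the timestamps to correlate with the spam reviews' creation times.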
0

I ended up implementing Akismet anti-spam code into the Fontis reCaptcha extension and this seems to have eliminated all Spam reviews. Somehow, bots are able to get around the reCaptcha check. I still haven't figured out how, but I guess that's what separates the hackers from guys like me just trying to keep a site up and running...

Mageician
-1

Try to use our free module ET_Reviewnotify. It has a function that rejects spam bots without a captcha.

-1

I developed an extension which uses the default form in Magento for submitting a review. It then sends the content to Mollom, which is similar to Akismet. The content is then analyzed, and if the content is interpreted as spam I then make the user enter a captcha at the next step to allow a "real" user the chance to verify they are real. This approach can allow spam through if the service doesn't detect it correctly, but is in practice easier for users to use. I haven't packaged together the code, but I may offer it on Magento Connect if I find there is sufficient demand for such a product.

code_break