Kip

Something I’ve learned about spam

Written by Kip on Tuesday, November 18, 2008 at 11:16 pm (EST)

It’s been a while since I implemented a spammer’s honeypot here on Vacant Nebula.  It has been extremely effective, so much so that I disabled the captcha.  All I do is put a hidden form before any blog posts are displayed.  Humans never see it, but spambots all see it, and apparently they are configured to submit spam to the first form on the page.  In fact the only spam that has gotten through in the last year has been spam that submitted to all forms on the page, not just the first one.  (I think this just happened once though.)

Fast-forward to a few days ago, I noticed that the excerpt of a page that Google shows displays the hidden comment submission form.  This doesn’t particularly matter, but I’d prefer it not be there.  So I added a check on useragent, and if it appears to be a search engine bot the honeypot is not displayed.  Well apparently spammers use a two-step process.  First they scan for blogs with forms while pretending to be googlebot.  Then they submit to those forms pretending to be a normal user’s browser (usually IE 5.5).

I know this because I got about fifty spam comments in the last two days.  If they were scanning the page with user agent reported as IE 5.5, they would have still seen the honeypot.  But the comments were submitted with user agent of IE 5.5.  Anyway, I’ve gone back to printing the honeypot for everyone, but only for the homepage.  Any permalink pages will not have the honeypot.  I’m pretty sure spammers don’t bother to go to the permalink pages, and search bots should only be indexing the permalinks.  Hopefully, both problems are solved.  If not, I’ll have to go back to a more fragile solution (something requiring Javascript, something requiring cookies, or even reinstating captchas).

Or maybe the spammers were just trying to wish me a happy twenty-seventh birthday by flooding my site with links to porn.
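The user-agent check described in this post trusted a header that any client can set. As an added example (not code from this site), one way to keep a search-engine exception without that gap is forward-confirmed reverse DNS: resolve the client IP to a hostname, check the domain, then resolve the hostname back to the same IP. The hostname suffixes are an assumption about the crawler being exempted, and the DNS tables and addresses are constructed so the block runs offline.

```python
import socket

# Assumption: hostnames of the crawler being exempted end in one of these.
CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")

def dns_ptr(ip):
    return socket.gethostbyaddr(ip)[0]

def dns_addrs(host):
    return socket.gethostbyname_ex(host)[2]   # IPv4 only

def is_verified_googlebot(ip, user_agent, ptr=dns_ptr, addrs=dns_addrs):
    """True only if the UA claims Googlebot AND DNS backs the claim up."""
    if "googlebot" not in user_agent.lower():
        return False
    try:
        host = ptr(ip).rstrip(".").lower()
        if not host.endswith(CRAWLER_SUFFIXES):
            return False
        # Forward-confirm: whoever controls the PTR record can put any name in it.
        return ip in addrs(host)
    except OSError:   # no PTR or no A record (socket.herror, socket.gaierror)
        return False

def show_honeypot(ip, user_agent, ptr=dns_ptr, addrs=dns_addrs):
    """Hide the hidden form only from a crawler whose identity checks out."""
    return not is_verified_googlebot(ip, user_agent, ptr, addrs)

# --- Constructed DNS data (documentation address ranges), for offline runs ---
FAKE_PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",   # genuine-looking
            "198.51.100.23": "host23.example.net",            # spoofed UA only
            "203.0.113.9": "fake.googlebot.com"}              # forged PTR record
FAKE_A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
          "fake.googlebot.com": ["203.0.113.200"]}
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def fake_ptr(ip):
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]

def fake_addrs(host):
    if host not in FAKE_A:
        raise OSError("no A record")
    return FAKE_A[host]

if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, "honeypot shown:", show_honeypot(ip, GOOGLEBOT_UA, fake_ptr, fake_addrs))
```

With this check, a scanner that only sets a Googlebot user agent still receives the honeypot form.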


Gravatars

Written by Kip on Wednesday, September 3, 2008 at 9:09 am (EDT)

Last night I marked another item off my mental list of things to do with this website, by supporting Gravatars for the comments.  Since I haven’t been requesting e-mail addresses in the past, none of the old comments will show Gravatars.  If you’re a frequent commenter on this site and you want me to retroactively apply your e-mail address to any comments you have left on this page, send me an e-mail telling me what e-mail address you use, or just leave a comment for this post with the e-mail field filled in and I’ll use that address.


A simple solution to cached CSS files

Written by Kip on Thursday, July 24, 2008 at 9:05 am (EDT)

I’ve come up with a very simple solution to the problem of browser-cached CSS files.  What I mean by this is: when you update the CSS which manages your website’s presentation, it will take a while before some visitors actually see those changes.  The reason, of course, is that browsers (this is at least true of IE and Firefox) will cache CSS files pretty aggressively, without checking very often to see if they have been updated.  Usually refreshing the page will solve this, but most visitors aren’t going to care enough to do this.  Meanwhile, your site will look pretty broken to them (especially if you’ve done something like styled a list so that it looks like a horizontal toolbar instead of a bulleted list, for example).

So here’s the very simple solution.  Add the following rule to your root .htaccess file:

      RewriteRule ^(.*)\.[\d]\.css$ $1.css [L]

I’m assuming that you have a common include file or template or something which prints things like the page header.  If so, whenever you update your CSS file (say, style.css), you update the link tag in your header to use style.0.css.  This will look to the browser like it is a different file from style.css, so it will download it again.  But Apache is really just loading the same CSS file through the magic of URL rewriting—you’re just ensuring that the user picks up your recent changes.  You can repeat the process the next time you tweak your CSS, just change the header to style.1.css and so on.


A quick update

Written by Kip on Thursday, April 24, 2008 at 11:40 am (EDT)

This is a quick update to say two things-

1. Two new sets of baby pictures are up.  They are both under the “Emma Leigh arrives” photo set.  I have to say that photos from Wal-Mart turned out much better than I had anticipated.  We even got full-resolution unaltered digital images on CD, along with full rights to reproduce and redistribute, something I really wish we had with our wedding photos.

2. You’ve probably noticed the site looks a little different.  If it looks broken, try to refresh (browsers tend to cache CSS files very liberally).  I finally implemented a tag cloud, and I’ve made one pass through all my blog posts to add tags to them.  Let me know what you think about it.


A few site updates

Written by Kip on Sunday, April 13, 2008 at 4:24 pm (EDT)

I’ve just rolled out a few changes to the site.  The most obvious one is probably the vertical navigation bar to the right.  It’s a bit bare for now, but I’ll be implementing tags on this site eventually and that’s where you’ll see them.  Doing the navigation this way will make it a lot easier to redesign the site.  (The way it is now I have to go through a big Photoshop process before any significant layout updates.)

I’ve also added a comments feed.  That’s mainly something to help me out, but if anyone else would benefit from it feel free to subscribe (I’m not sure why anyone would need to though).  Adding the comments feed necessitated permalinks to comments, which are represented by a hash mark.  Eventually I’ll probably change it to the more conventional “X says:” format, where the word “says” is the permalink.  In one other small change, I now conform to most of the rest of the internets in that hyperlinks are only underlined when you hover over them.

If anything looks broken, try refreshing the page (usually CSS files are cached).  If you still notice something being broken, let me know.


Tagging

Written by Kip on Thursday, February 7, 2008 at 9:26 am (EST)

I’m thinking about implementing tags on this site, but I’m curious if anyone ever actually uses tags when visiting small sites.  The only time I use them is on a large blog like Joystiq, which publishes dozens of posts per day, far more than I care to read.  But maybe everyone else uses them and I’m just behind the times?  As far as I can tell, on a site like mine the only purpose would be to quickly find other posts similar to the one you just read.  A search feature would help in that regard too, and I’ve thought about using ZendSearch because it looks really easy to use.  But I just haven’t bothered to sit down and figure it out.

If I do implement tags, would I really need a tag cloud?  I happen to find them only slightly more useful than they are aesthetically pleasing.  And like I said, for a site like mine you probably wouldn’t use the tag cloud much.  But again, maybe I’m just behind the times?  Like when I launched this site and didn’t have an RSS feed for like six months because feeds are for hippies.  Then I started using feeds and decided I needed one too.


Spampot

Written by Kip on Wednesday, January 16, 2008 at 4:40 pm (EST)

Preventing spam comments is one of the most annoying things about having a blog.  In the past I’ve tried a few different methods to control spam.  My first attempt involved flagging messages as potentially spam if they had a bad referrer, came from certain IP ranges, contained certain keywords, or contained too many links.  The flagged messages wouldn’t be displayed until I approved them.  This method worked some of the time, but overall it wasn’t very effective and created a lot of work for me.

My next attempt was to implement a captcha system.  This has worked out pretty well, and I was surprised to find that it has been fifteen months since I started this policy.  Basically, any comment containing anything that looks like a link (“http”, “://”, “www.”, “.com”, “.net”, “.org”, “@”, “href”, and some others I can’t remember off the top of my head) would be sent to the captcha page.  This allows real humans to post comments with links, but stops most of the spam.  However, there was an occasional spam comment that had no links.  I’m not sure why the spammers would do this, unless they are trying to game systems where an IP is deemed “safe” after a non-spam comment is made.  In any case, I grew annoyed with cleaning up these comments, and I didn’t like that cookies are required if you get to the captcha page.

Over the break, I decided I would implement a type of honeypot.  I noticed that spam comments were always in response to my most recent post, even when comments were still open for other posts.  So I guessed that the spambots are looking for the first form in the HTML.  So I just stuck a comment form at the top of my page, and wrapped it in a hidden div.  No humans see it, but spambots do.

To judge the effectiveness, I logged any comments submitted to the honeypot.  Since I don’t value the privacy of spammers, I’ll let you view the log if you wish.  As of right now, 212 spam comments were submitted in 10 days.  Where it says “honeypot” means that the message was submitted to the honeypot form.  If it were submitted from a valid form but contained links (and hence, was given a captcha), you’d see “contains_links.”  But there aren’t any of those.

So now I have a system that is so far 100% effective, without requiring cookies and without breaking under tabbed browsing.  If this continues to be effective I’ll probably disable the captchas altogether.  Of course, the spammers could pretty easily overcome this obstacle if they tried.
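A sketch of the server-side decision this post describes, as an added example that is not the site's own code: submissions to the hidden form are discarded and logged as "honeypot", submissions from the real form that look like they contain a link go to the captcha and are logged as "contains_links". It goes one step further and also rejects a real-form post from an address that has just hit the honeypot, the post-to-every-form case mentioned in the newer spam post on this page. The form ids, the `honeypot_peer` label, the 600-second window and the sample submissions are assumptions.

```python
from dataclasses import dataclass, field

# Markers the post lists for "looks like a link" (its full list is not shown).
LINK_MARKERS = ("http", "://", "www.", ".com", ".net", ".org", "@", "href")
REAL_FORM = "comment"   # hypothetical id sent by the visible form
ACTIONS = {"honeypot": "discard", "honeypot_peer": "discard",
           "contains_links": "captcha", "accept": "publish"}

@dataclass
class Submission:
    form_id: str   # hypothetical hidden field naming the form that was posted
    ip: str
    body: str

@dataclass
class CommentFilter:
    window: int = 600                            # seconds an IP stays tainted (assumed)
    trapped: dict = field(default_factory=dict)  # ip -> time of last honeypot hit
    log: list = field(default_factory=list)

    def classify(self, sub, now):
        if sub.form_id != REAL_FORM:             # hidden form, or missing/unknown id
            self.trapped[sub.ip] = now
            return "honeypot"
        # Bots that post to every form on the page also reach the real one.
        # This only catches them when the honeypot post arrives first.
        if now - self.trapped.get(sub.ip, float("-inf")) <= self.window:
            return "honeypot_peer"
        if any(marker in sub.body.lower() for marker in LINK_MARKERS):
            return "contains_links"
        return "accept"

    def handle(self, sub, now):
        verdict = self.classify(sub, now)
        if verdict != "accept":
            self.log.append((now, sub.ip, verdict))
        return ACTIONS[verdict]

def run_sample():
    # Constructed submissions; addresses are from documentation ranges.
    f = CommentFilter()
    posts = [(0, Submission("hp", "203.0.113.5", "cheap pills http://spam.example")),
             (2, Submission("comment", "203.0.113.5", "nice site")),
             (60, Submission("comment", "198.51.100.7", "see www.example.org for details")),
             (90, Submission("comment", "198.51.100.7", "Great post, thanks"))]
    return [f.handle(sub, t) for t, sub in posts], f.log
```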


Statement of integrity

Written by Kip on Wednesday, January 9, 2008 at 8:54 am (EST)

Recently Penny Arcade made a very funny comic about gifts they receive from PR firms, a topic which Joel Spolsky discussed about a year ago.  This seems like a good time to publicly state my gifts policy here at vacant-nebula.  I’ll now shift to the editorial “we” so that I we sound more important.

We, at vacant-nebula.com, like stuff.  Especially free stuff.  We will accept any gift, be it money or merchandise.  We particularly like high technical devices, such as anything that could be found in Best Buy.

Unlike many other blogs, we do not consider ourselves journalists, and as such we are not bound by any code of journalistic ethics.  In particular, this means that we do feel an obligation to disclose the source of any gifts, or even the fact that a gift was given.  We are even willing to praise products that we don’t really like, as long as this means we might get free stuff we do like in the future.

In short, we are preemptively selling out, even though no one is buying yet.  So send us stuff we want and we’ll tell people it’s great.  We won’t write any holier-than-thou blog posts about how we’re too good to accept free stuff.  If you would like to send us gifts, but you are unsure what products we would like, just drop us an e-mail and we’ll be glad to work something out.

PS- if anyone knows a Microsoft PR rep who has an Xbox 360 they are just dying to bribe a blogger with, send them here.


Hattum support

Written by Kip on Tuesday, December 4, 2007 at 11:45 pm (EST)

I’d be surprised if anyone cares, but my site now supports the hAtom microformat.  At least, I think it does.  I couldn’t find an hAtom validator so I’m not 100% sure I’m conforming to the standard.  But it’s pretty simple so I’m gonna say yes.  As far as I know hAtom is only slightly more supported than RFC 1149.  But I think that’s only because of the recent avian flu concerns.

You won’t notice any difference in the site[1] (which is how microformats are supposed to work, after all).  Except for what they call the Datetime Design Pattern.  This is where you stick an abbr tag around a human-readable date, and set the abbreviation’s title attribute to a machine-parsable ISO 8601 timestamp (i.e. “2007-11-26T19:57:00-05:00”).  The problem with this is that now if a user hovers over my timestamp, he sees this very unfriendly tooltip.  This is exactly the opposite of what the abbr tag is supposed to be used for!  (And, more generally, what the title attribute is supposed to be used for.)  There is no reason to display this information to the user.  Surely there must have been a better way.  I’m tempted to make a non-displaying abbr tag for the hAtom “published” date.  An XML parser would still read it regardless of its style, but users wouldn’t have to see this ugly timestamp.

[1] Well you might notice some difference, but that’s because I’ve been fiddling with the layout.  Consequently, if something looks wrong, try refreshing once or twice.  You may not have the latest changes to the stylesheet.

Like syphilis, I shall return

Written by Kip on Friday, June 15, 2007 at 6:19 pm (EDT)

My site may disappear briefly sometime in the next week.  Or it may not.  I thought it would be gone already, but apparently not.  I’m switching registrars to GoDaddy, since it costs less than half what my hosting provider charges.  But rather than saving that extra eight dollars, I spent seven of them to buy vacantnebula.com (that’s without the hyphen), which redirects here.  The main point of this is to make it easier for me to tell people my URL, and subsequently to help people who forgot about that hyphen.  The phrases “vacant hyphen nebula dot com” and “vacant nebula dot com, with a hyphen between vacant and nebula” seem to confuse people.
