Open Comments, am I asking for trouble?

no login required

NickMNS

2:29 am on Mar 26, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Is it still possible in 2020 to allow users to post comments without requiring a login or authentication of any sort?

The idea is to make it as easy as possible for users to interact with the content. But making things easy for users also makes it easy for abuse, and easy for users typically means easy for bots. Actually it is the opposite: making things difficult for bots usually results in making things difficult for humans, e.g. captchas and the like.

Are open comments a strategy or is it more trouble than it is worth?

not2easy

3:45 am on Mar 26, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I offer open comments on a few sites, but those use Akismet filters so drive-by comments aren't published until approved. If you aren't using anything to filter comments, my bet would be that you would soon abandon the idea. Even filtered comments that use a basic captcha are mostly (something like 40:1) automated variations on, "Nice post! Visit my site at https://example.com!" There are a lot of bots leaving comments. I mean, really a lot. The oldest site where I allow public comments has been online since 2009 and there might be 100 or so valid comments published on a few hundred articles.

I agree that it would be nice but not easily done. I've found it to be a high maintenance option. Then there are those that seem to see the comments form as a help desk and ask you to make personal arrangements or answer specific questions for them. Of course if that is the purpose, it might be worthwhile. Just be prepared to clean it up on a regular basis.

brotherhood of LAN

6:52 am on Mar 26, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I've seen a couple of sites that offer comments with no signup, but they ask for the usual name, email, message and remember them via cookie and your first comment is pre-moderated.

I like the implementation, but can see that one bad actor just needs a bunch of IPs and made up e-mail addresses to fill up your pre-moderation queue to the point where you'd consider alternatives.

engine

8:47 am on Mar 26, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



>Are open comments a strategy or is it more trouble than it is worth?

It's certainly a strategy, but, you're opening yourself up to spammers, and bad actors of all flavours, imho. You might be letting the genie out of the bottle, and it just won't go back in.

lammert

9:42 am on Mar 26, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Open comments may cause a flood of spam messages if the system is unable to handle them in an automated way. Be prepared to handle several hundred to thousands per day, dependent on the comment software you use on your site and how widespread your domain name becomes in the world of malicious users.

That said, I have used open comments and forum posts for a long time by using a strategy where bots have to prove they are not bots, instead of humans having to prove they are humans. The normal approach for open comments is to put up barriers which hamper user experience. This could be manual approval, captchas or something else. I didn't want to do that because it hurts the humans and doesn't sanction the bots. Instead, I carefully looked at the logfiles and determined that almost all artificial posts follow certain patterns. By adding routines to the sites which detect these patterns it is possible to mitigate 99%+ of all malicious comments before they ever reach the sites. But it costs time and sweat to make such a system functional and you have to decide for yourself if it is worth doing that.

not2easy

1:46 pm on Mar 26, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



>I carefully looked at the logfiles and determined that almost all artificial posts follow certain patterns.

Indeed, I'll second that. This should be part of the plan. If I wasn't doing this, I would not have enough time to do the cleanup. Steps to prepare should plan for assault.

tangor

4:39 pm on Mar 26, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Logged-in and authorized posting is a bear in and of itself... open becomes a nightmare of maintenance and moderation. Have to decide if the extra work is worth the FEW human posts likely to happen.

NickMNS

6:22 pm on Mar 26, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks for the feedback, much of it confirms my thoughts. I'm thinking that there may be a component of trial and error, where one implements some measures to stop the bots, tests the effectiveness and goes from there.

One measure I'm considering is:
Delaying the appearance of the comment button by 60 seconds. Given the topic, it would be highly unlikely that a legitimate user would land on the page and be ready to comment in less than 1 minute. I think it will prevent most bots from seeing that it is even possible to leave a comment. I am assuming that most bots won't stick around for 60 seconds to wait to see what additional feature could be loaded to the page at some undetermined point in time.

Using the logfile patterns as suggested by Lammert is great but it presupposes that one has a log file. This is a new website so I have no history on which to base myself. How in depth do you go with logs? Are you just matching UA's and IP's or are you also watching behavior?

not2easy

7:30 pm on Mar 26, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Delaying the comment button may take care of a large part of the problem. Bots don't seem to hang around to see the page, they come in with a "comment" pre-loaded. For a human visitor, a text image noting that the submit button appears when text is entered may help bewildered visitors. Bots don't usually read images.

tangor

12:38 am on Mar 27, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Finding the balance in delay times is essential ... you can lose a visitor if it "takes too long".

I've tried the "open comments" three times since 2008 ... none of them have been worth the extra effort to keep it clean and the log file/bot stomping has gone through the roof.

YMMV.

Please advise your results if you go forward!

NickMNS

1:15 am on Mar 31, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



So I'm going to give the open comments a try, using the delay. I will let you folks know how it works out.

Do you think that randomizing the delay time will help, that is for each request the delay time varies randomly between 45 seconds and 1 minute?
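The delayed comment button proposed earlier in the thread, and the 45 to 60 second randomized variant asked about just above, both rely on the bot not waiting. An added example (not code from any poster) that enforces the same minimum dwell time on the server as well: when the page is rendered, the server issues a signed token carrying the render time and that request's randomly chosen delay, places it in a hidden form field, and rejects any submission that arrives before the delay has elapsed. This catches the bots not2easy describes that arrive with a comment "pre-loaded" and post straight to the form action, whether or not the button was ever shown. `SECRET_KEY`, the field layout and the one-hour expiry are assumptions for the example.

```python
import hashlib
import hmac
import random
import time

# Assumption for the example: a per-site secret; load it from config, not source.
SECRET_KEY = b"constructed-demo-secret-replace-me"
MIN_DELAY = 45   # seconds, lower bound of the randomized delay
MAX_DELAY = 60   # seconds, upper bound of the randomized delay
MAX_AGE = 3600   # seconds; a token older than this is stale and refused


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None, rng=random.SystemRandom()):
    """Call when rendering the page that carries the comment form.

    Returns "issued:delay:signature" for a hidden input. The delay is drawn
    per request, so the browser can also show "You may post in N seconds";
    the signature stops a client from backdating the issue time.
    """
    issued = int(time.time()) if now is None else int(now)
    delay = rng.randint(MIN_DELAY, MAX_DELAY)
    payload = f"{issued}:{delay}"
    return f"{payload}:{_sign(payload)}"


def check_form_token(token, now=None):
    """Call when the comment is submitted. Returns (ok, reason)."""
    now = int(time.time()) if now is None else int(now)
    try:
        issued, delay, sig = token.split(":")
        issued, delay = int(issued), int(delay)
    except (ValueError, AttributeError):
        return False, "malformed token"
    if not hmac.compare_digest(sig, _sign(f"{issued}:{delay}")):
        return False, "bad signature"
    if issued > now:
        return False, "token issued in the future"
    elapsed = now - issued
    if elapsed < delay:
        return False, f"submitted after {elapsed}s, minimum is {delay}s"
    if elapsed > MAX_AGE:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: render at t=1000, submit early, then on time.
    tok = issue_form_token(now=1000)
    print(check_form_token(tok, now=1010))   # rejected, too fast
    print(check_form_token(tok, now=1061))   # accepted, 61s >= any delay drawn
```

The rejection reason is meant for the server log, not for the response: a bot that is told exactly how long to wait will wait. Logging it gives the "how fast did submissions arrive" history that the thread says a new site lacks.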

tangor

2:47 am on Mar 31, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Can't say ... from a personal point of view 4 or 5 seconds is often too long and I've hit the back button or clicked on a different bookmark.

YMMV.

ON THE OTHER HAND, if you put in a countdown clock ("You may post in xx seconds"), it might go a long way to keeping folks on site, if they really have a yen to post something.

not2easy

3:50 am on Mar 31, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



If you vary the time delay, I hope you can check for any differences in human behavior for longer or shorter delays. I would expect bots to not find a way to submit their payload and just move on. Humans may or may not notice if they're occupied in composing a comment. Much depends on the type of comments being left. A sentence or paragraph? One word, yes, humans might notice.

csdude55

7:32 pm on Apr 1, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I did a site for a client several years ago, back when I did contract work. It's still live, even though it's super outdated.

But what I found was that a lot of bots didn't actually go through the page, they just recorded the form's action link and plugged in GET variables. So they didn't bother going to example.com/contact and submitting the form, they went directly to:

example.com/cgi-bin/form.cgi?comment=blah+blah+blah

Using POST instead of GET should prevent that. You can also block all IPs that attempt to submit via GET.

But I blocked non-US IPs, logged IPs and user agents that submitted to block repeated submissions, etc., and they still got hundreds a day.

At the very least, I would recommend that you block these from all fields:

sex
director
asdas/
name
http
viagra
cialis
health
[
]
<
test
XRumer

And make sure that any textarea field requires at least one whitespace, or you'll get a ton of "test" submissions.

I also block any IP or user agent that attempts to access any of these through the URL or query string:

crossdomain
wp-
administrator
shell.php
a.php
b.php
tiki-register.php
wso.php
xmlrpc.php
information_schema
table_schema
union+all+select

After doing that, it went down to maybe 10 bot submissions a week.
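An added example, not code from csdude55's site or any other poster, that turns the rules in this post into one request check, in the spirit of lammert's earlier point that bot posts follow patterns you can detect in the logs: block the IP on any request whose URL or query string contains one of the probe strings, block the IP when the form is hit with GET instead of POST, reject a submission when any field contains one of the listed terms, and reject a textarea with no whitespace. The two term lists are copied from the post; `SUBMIT_PATH`, the field names, the sample requests and the verdict strings are constructed for the example, and the user-agent counterpart of the IP block is left out for brevity.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Term lists as given in the post. Matching is case-insensitive substring
# matching, so "name" also hits "username" and "a.php" also hits "data.php";
# tune the lists to your own content.
BLOCKED_FIELD_TERMS = ["sex", "director", "asdas/", "name", "http", "viagra",
                       "cialis", "health", "[", "]", "<", "test", "XRumer"]
BLOCKED_URL_TERMS = ["crossdomain", "wp-", "administrator", "shell.php", "a.php",
                     "b.php", "tiki-register.php", "wso.php", "xmlrpc.php",
                     "information_schema", "table_schema", "union+all+select"]

SUBMIT_PATH = "/cgi-bin/form.cgi"   # assumption: the form's action, as in the post


def _find_term(text, terms):
    """Return the first blocked term found in text (case-insensitive), else None."""
    text = text.lower()
    for term in terms:
        if term.lower() in text:
            return term
    return None


def normalize_url(raw):
    # Decode %XX and '+' so encoded probes match, then rejoin on '+' so the
    # literal "union+all+select" entry from the post still matches.
    return unquote_plus(raw).lower().replace(" ", "+")


def check_request(method, url, fields, blocked_ips, remote_ip,
                  textarea_fields=("comment",)):
    """Evaluate one request. Returns (verdict, reason) where verdict is
    'accept', 'reject' (drop this submission) or 'block_ip' (IP added to
    blocked_ips, a set the caller persists)."""
    if remote_ip in blocked_ips:
        return "block_ip", "IP already blocked"
    term = _find_term(normalize_url(url), BLOCKED_URL_TERMS)
    if term:
        blocked_ips.add(remote_ip)
        return "block_ip", f"probe for {term!r} in URL"
    if urlsplit(url).path != SUBMIT_PATH:
        return "accept", "not a form submission"
    if method.upper() != "POST":
        blocked_ips.add(remote_ip)
        return "block_ip", f"form submitted via {method.upper()}"
    for name, value in fields.items():
        term = _find_term(value, BLOCKED_FIELD_TERMS)
        if term:
            return "reject", f"field {name!r} contains {term!r}"
    for name in textarea_fields:
        if name in fields and not re.search(r"\s", fields[name]):
            return "reject", f"field {name!r} has no whitespace"
    return "accept", "ok"


if __name__ == "__main__":
    # Constructed sample traffic (documentation IP ranges), in arrival order.
    blocked = set()
    sample = [
        ("GET", "/cgi-bin/form.cgi?comment=blah+blah+blah", {}, "203.0.113.5"),
        ("GET", "/xmlrpc.php", {}, "198.51.100.7"),
        ("POST", SUBMIT_PATH, {"comment": "test"}, "192.0.2.1"),
        ("POST", SUBMIT_PATH, {"comment": "Nice post! Visit my site at https://example.com!"}, "192.0.2.1"),
        ("POST", SUBMIT_PATH, {"comment": "Thanks, this fixed my router"}, "192.0.2.1"),
        ("POST", SUBMIT_PATH, {"comment": "Thanks, this fixed my router"}, "198.51.100.7"),
    ]
    for method, url, fields, ip in sample:
        print(ip, method, url, "->", check_request(method, url, fields, blocked, ip))
```

The probe check runs before the path check so that a hit on `/xmlrpc.php` or a `union+all+select` query on any page blocks the address, and a later well-formed POST from that address is refused without re-evaluating its fields.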