Protecting Against Bad Bots
From Docunext Technology Wiki
I have been evaluating some ideas for fending off obnoxious web clients that try to post spam to community-oriented websites. Not only does there need to be a convenient system for identification, like OpenID, but there should also be a straightforward, clear, and unobtrusive way to thwart the growing volume of automated "bad bots" on the web.
I'm feeling like a mix of DNSBL checks, requiring clients to accept cookies and JavaScript to post, and fail2ban accounting would be a good way to protect against bad bots. Since a lot of abuse comes from dynamic IP addresses which may pass from an abusive user to a benevolent user, use of a static block list doesn't make much sense.
Cookies, JavaScript, and the POST Method
Actually one of the better methods I've found is to require browser user-agents to accept cookies, enable JavaScript, and test for a set cookie when a request is made using the POST method. It actually works really well! The danger here is setting cookies for well-behaved robots like the Googlebot because cookies are cache crashers.
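A server-side sketch of the cookie test described above, as an added example that is not part of the original wiki page. The cookie name `js_ok`, the HMAC token format, the binding to the client IP and the one-hour window are all assumptions; the token is meant to be written into `document.cookie` by a script in the page, so GET responses carry no Set-Cookie header for crawlers or caches.

```python
import hashlib
import hmac
import time
from http.cookies import CookieError, SimpleCookie

SECRET = b"constructed-demo-key"  # assumption: per-site secret, replace and rotate
COOKIE = "js_ok"                  # hypothetical cookie name
WINDOW = 3600                     # assumption: token lifetime in seconds


def _mac(client_ip, ts):
    return hmac.new(SECRET, f"{client_ip}|{ts}".encode(), hashlib.sha256).hexdigest()


def make_token(client_ip, now=None):
    """Token embedded in the page; an inline script stores it client-side, e.g.
    document.cookie = "js_ok=<token>; path=/; SameSite=Lax"."""
    ts = str(int(now if now is not None else time.time()))
    return f"{ts}.{_mac(client_ip, ts)}"


def token_valid(token, client_ip, now=None):
    now = now if now is not None else time.time()
    ts, _, mac = token.partition(".")
    # Reject malformed timestamps before converting them.
    if not (ts.isascii() and ts.isdigit() and len(ts) <= 12 and mac):
        return False
    fresh = 0 <= now - int(ts) <= WINDOW
    return fresh and hmac.compare_digest(mac.encode(), _mac(client_ip, ts).encode())


def check_request(method, cookie_header, client_ip, now=None):
    """Return an HTTP status. Only POST is gated; GET is never touched."""
    if method.upper() != "POST":
        return 200
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return 403
    morsel = jar.get(COOKIE)
    if morsel is None or not token_valid(morsel.value, client_ip, now):
        return 403  # no cookie, forged, expired, or issued to another address
    return 200
```

Rejected POSTs should be logged with the client address so that a fail2ban filter, as mentioned earlier on the page, can count repeat offenders.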
TLS For Posting
I haven't tried it yet, but I think that using TLS for POST requests would slow down some comment spammers.