CAPTCHA is the tax you make every reader pay to stop a few bots. Pick the blurry crosswalks, wait for the images to fade in, get it wrong, try again. Meanwhile a determined spam operation routes around the puzzle with cheap solving services. The people who suffer most are the ones you want to hear from: a first-time commenter who gives up halfway through.
You can keep spam out without any of that. The methods that work best are invisible to real readers.
Honeypots
A honeypot is a form field that humans never see and bots usually fill in. You add a hidden input, style it out of view, and ignore any submission that fills it. Automated scripts tend to complete every field they find, so the trap catches a large share of naive bots with zero friction for people. It costs nothing in reader experience because a real reader never knows it is there.
Rate limits and timing
Real people read, think, and type. Bots fire submissions in bursts. Two simple signals come from that difference:
- How fast a form was submitted after it loaded. A comment posted 400 milliseconds after the page rendered is almost certainly automated.
- How many submissions come from the same source in a short window. A dozen comments in a minute is a pattern, not a conversation.
Throttling repeat submissions and rejecting impossibly fast ones removes a lot of junk before it reaches a queue, and legitimate readers never hit the limits.
Content heuristics and blocked words
Spam has tells: a wall of links, known scam phrases, gibberish usernames, the same message pasted across many pages. Scoring comments on these signals lets you auto-hold the suspicious ones for review instead of publishing them. A blocked-word filter handles the obvious cases outright, so specific terms you never want to see are held or rejected automatically.
None of this asks the reader to prove anything. The work happens on the server, based on what was submitted.
Identity as a filter
Who is posting is a signal too. A brand-new anonymous author deserves more scrutiny than someone who has commented before without trouble. That is why moderation modes matter. You might auto-approve returning verified people while holding first-time anonymous posts for a look. The friction lands on unknown accounts, not on your regulars.
The goal is to move friction off readers and onto submissions. Judge the comment and the pattern, not the person's patience.
A queue as the safety net
No filter is perfect, so the last layer is a pending queue. Anything the heuristics flag lands there for a human to approve or discard in a few seconds. Combined with the invisible checks above, the queue stays small, because most junk is stopped before it arrives.
How Gabden handles it
Gabden layers these defenses so you do not have to bolt on a puzzle. Submissions pass through invisible checks, a blocked-word filter you control, and a spam and pending queue where flagged comments wait for review. You choose the moderation mode: pre-moderate everything, auto-approve, auto-approve returning verified people, or moderate only anonymous users. Readers can still post anonymously, as a guest with a name and email, or signed in with Google or GitHub, and the anti-spam work happens behind all of those without a single crosswalk grid.
The result is a comment section that stays clean while first-time readers can actually finish a comment. If you want to see the moderation controls, you can start a free site, and if spam strategy is on your mind you may also like our take on managing toxic comments. Details on the queue and filters are in the docs.




Join the discussion