Decided to open non-member comments: the interruption of conversation is scarier than spam

Rather than letting the fear of spam cut off conversations, we open comments to non-members and respond with cost-effective defense strategies.

bamchi 796

TL;DR

blog.haus allows non-member comments to facilitate growth.

This is because severed conversations are scarier than spam.

Instead, it employs a step-by-step defense strategy (80% rule) that maximizes cost-effectiveness from Honeypot to LLM.


"Do I have to sign up just to leave a comment?"

This has been the question that has lingered in my mind the longest while building blog.haus.

Technically, the easiest route is undoubtedly member-exclusive comments.

It eliminates spam concerns, is easy to implement, and keeps the data clean.

However, demanding login for a single comment in the early stages of the service is essentially declaring "Please don't comment."

In fact, there have been numerous occasions where I closed the tab upon seeing the sign-up screen while trying to leave a comment on other services.

Therefore, I made a decision.

I have decided to open non-member comments.


Now is the time for 'starting a conversation' rather than 'perfect defense'

A blog is not a museum.

It becomes a living space where questions and answers flow and the air circulates.

Of course, the equation non-member comments = spam is quite obvious.

However, I thought that voluntarily cutting off the connection with readers due to the fear of bots that have not even arrived is like putting the cart before the horse.

My strategy is clear.

We do not leap ahead of the problem.

We adapt step by step to reality.


Step-by-step spam defense logic: 80% rule

I have prepared a 3-step logic based on achieving a perceived defense rate of 80%.

Insisting on 100% defense in the initial stages is an excessive investment that sacrifices user convenience, and it is the point where cost-effectiveness declines sharply.


Step 1: Lightweight invisible defense

The goal is to make user discomfort 0.

  • Honeypot field

    A hidden input field that humans never touch but bots habitually fill.

    It serves as a kind of bait to catch bots.

  • Writing time verification

    Comments submitted within 3 seconds after form load are considered non-human.
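
The two Step 1 checks, sketched server-side as an added example (not blog.haus's own code). The field names `website` and `form_token`, the signing key and the one-hour token expiry are assumptions; the form-load time is HMAC-signed by the server so a bot cannot simply submit an older timestamp of its own.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"  # assumption: a per-deployment server secret
HONEYPOT_FIELD = "website"            # hypothetical name of the hidden bait input
MIN_SECONDS = 3                       # the post's threshold for "non-human"
MAX_SECONDS = 3600                    # assumption: expire tokens to limit replay


def _sign(ts: int) -> str:
    return hmac.new(SECRET_KEY, str(ts).encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None) -> str:
    """Embed this value in the comment form when the page is rendered."""
    ts = int(time.time() if now is None else now)
    return f"{ts}.{_sign(ts)}"


def check_comment(form: dict, now=None) -> str:
    """Return 'ok', or the reason the submission is treated as a bot."""
    now = time.time() if now is None else now
    # 1. Honeypot: humans never see the field, so any value means a bot filled it.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "honeypot"
    # 2. The load time must be the one the server signed, not a client-chosen number.
    ts_text, _, sig = form.get("form_token", "").partition(".")
    if not (ts_text.isdecimal() and len(ts_text) <= 12):
        return "bad_token"
    if not hmac.compare_digest(sig.encode(), _sign(int(ts_text)).encode()):
        return "bad_token"
    # 3. Writing-time check against the signed load time.
    elapsed = now - int(ts_text)
    if elapsed < MIN_SECONDS:
        return "too_fast"
    if elapsed > MAX_SECONDS:
        return "expired"
    return "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    token = issue_form_token(now=t0)
    human = {"body": "Nice post", HONEYPOT_FIELD: "", "form_token": token}
    bot = {"body": "buy now", HONEYPOT_FIELD: "http://spam.example", "form_token": token}
    print(check_comment(human, now=t0 + 20))  # ok
    print(check_comment(bot, now=t0 + 20))    # honeypot
    print(check_comment(human, now=t0 + 1))   # too_fast
```

The honeypot input should be hidden with CSS rather than `type="hidden"`, and a rejected submission can receive the same response as an accepted one so that bots get no feedback on which check caught them.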


Step 2: Active defense (in case of increased influx)

When spam becomes visible to users, the strategy shifts.

  • Cloudflare Turnstile
    Filters out bots effectively without requiring users to solve quizzes.

Step 3: Intelligent blocking (maturity stage)

This is a story for after the service has grown.

  • LLM-based discrimination
    Real-time judgment of spam based on context using AI.

The essence of the comment system I want to create

Not giving up conversations for security.

  • Being as lenient as possible to humans

  • Making it as tiresome as possible for bots

  • A system that runs smoothly even without constant monitoring by administrators

This is what I consider security for a growing service.


What do you think?

Are non-member comments really the hell of spam,

or are they hidden opportunities?

To be honest, I'm not completely convinced that this approach is the perfect answer.

If there are risks I may have overlooked or if you have experienced trial and error with similar attempts, please feel free to share your thoughts.

Your insights will make blog.haus stronger.

(No login required.)


Frequently Asked Questions (FAQ)

What is the most effective initial spam defense method for non-member comments?

Honeypot fields and writing time verification that do not compromise user experience are the most effective.

By leveraging the mechanical nature of bots, most initial spam can be blocked.

Why did you choose the 80% rule over 100% security?

Security and convenience are a trade-off.

Even if we allow 20% looseness at the beginning, securing the 80% of meaningful conversations was deemed much more advantageous for the service's growth.
