For a site we developed, a custom guestbook was added by us, to replace a previous 3rd party guestbook, which had been turned off a while ago due to security problems. A relatively simple affair to create, but with effort put in to make it secure against database injection and other nasties. And in this purpose it has been all good.
All entries are moderated, and this is made quite clear. Do you think this would deter the spammers? Not one bit. First week things are pretty quiet, second week about 30 attempted spam entries, and for week 3 almost 200. Wow there are some bored and desperate people. Not one of them got their viagra spam links on, but it didn’t stop repeated attempts. So possible bot activity as well.
A few extra lines of code to highlight the types of attempted spam we had seen, and auto reject the submission. This has had a positive effect, and the next week is down to under 30. I am not sure what these are trying achieve. Maybe the ‘Thank you for your submission entry’ makes them feel loved.
As an extra step we are adding some IP related filtering, and tweaking the word filtering. This should bring it back to single digits which is liveable.
We did consider captcha entry, email verification, but it was agreed this provides and inconvenience to the real users.