Wish her a belated happy birthday from me! :)
I find it gratifying how custom solutions remain the best approach against malicious scripts. As soon as something becomes broadly used, economy of scale is with the spammers/scrapers, but one-off solutions can be utterly trivial and just work near-perfectly. (I guess Fronteers' problem with the slow trickle of comment spam is that it had enough SEO value for actual humans to bother.)
Spam filtering
Interesting question today: What are you doing for spam filtering?
— thanks for giving me a reason to write something on my girlfriend’s birthday, Sander! :) Nothing fancy, actually, to answer your question.
This simple strategy has been working for me for about 20 years, on various websites:
<!-- Other form elements -->
<p>
<label for="comment-spam">Are you a spammer? <em>Fill in “No”</em></label>
<input type="text" name="spam" id="comment-spam">
</p>
<button type="submit">Add comment</button>
<script type="module">
const spamInput = document.getElementById('comment-spam');
spamInput.value = 'No';
spamInput.parentNode.hidden = true;
</script>In my server-side validation I just check if “No” was filled in. If JavaScript isn't available, or type="module" isn't supported, or hell breaks loose, you just have to fill in that bit yourself. Progressive Enhancement. Or some sort of Captcha honeypot whatever, without being annoying for 99.9% of real users. Doesn't keep human spammers out, but I'm ok with manually removing stuff again. For now.
If spam bots do catch up, or someone specifically targets this website with some script, I'll change “No” to “Nope”, and they'll have to start over again. The answer has literally been spelled out for them for years, so any “AI” can fill in the blanks.
A few weeks ago I read Email address obfuscation: What works in 2026?. It's quite amazing how simple solutions can still be so effective.