
Kill MT Comment Spam!

The videoblogginist of mistresses, Lisa Rein, just let us all know that there will be no more commenting on her blog due to the inundation of comment spam. That's really too bad. As a larger phenomenon, this is an unfortunate escalation in the spam arms race for those of us who value input and being able to comment on a post (for an example, see me getting reamed here on Eric Raymond's blog by a bunch of gun-loving right-wingers).

Fortunately, Movable Type is a powerful publishing system that allows users to write plugins... and Jay Allen has written the spam comment (and spam trackback) killer: MT-Blacklist. I had it installed and running in about ten minutes flat. After uploading the latest Blacklist file and adding a few IP addresses of my own to the list, I de-spammed my whole blog in another two minutes. Now I've got real-time comment spam blocking and I've also added the MT-Blacklist RSS feed to my radar to keep ahead of the spammers as they try to buy more URL and IP addresses.

UPDATE [2004-01-05 14:38:30]: Sean points out that most comment spam can be defeated by a simpler method (adding a personalized hidden field to your comment form... I'll include the directions below).

(this is taken in whole from here)

Both Sam Ruby and Phil Ringnalda had good advice -- don't spend a lot of time on developing a solution to fixing the comment spam problem. Whatever I can do within the form, it's a relatively simple matter for a spammer to read any form value and duplicate it in his spam blast.

I appreciate both their help in gently pointing out that I was spinning my wheels (but I have to get practice for ice driving).

So, here's a quick fix -- it will keep out the lightweights at least. It's a start as other efforts are underway.

This approach will require you to modify the following MT templates:

Individual data entry

Comment Listing Template

Comment Preview Template

Comment Error Page

You'll be adding the following field, on the line before the tag:

You can change both the name and the value field, as long as you're consistent with the name throughout the templates and the code.

Next, open your mt-comments.cgi (or mt-comments.pl) file and add the following code just after the "use strict;" line:

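use CGI qw(:standard);

# Only comment submissions (POST requests) are checked
if ($ENV{'REQUEST_METHOD'} eq "POST") {
    # 'snoop' is the name of the hidden field added to the templates
    my $data = param('snoop');
    # Stop processing when the field is missing or empty
    die unless ($data);
}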

Most everyone should have the CGI.pm Perl module installed. Make sure to change 'snoop' to whatever your little secret field is (let's all use different fields, make the spammer's job a little tiny bit harder).

That's it.

What happens is that when you post a comment, the code checks for a form field of "snoop". If it doesn't find it, it dies. Nothing fancy at all. This will show in your error log or web log file as a premature end to the script. It doesn't prevent others from using the application, and doesn't crash anything.

Again, this isn't fancy, but it's a start. Holler if you have questions. If you're uncomfortable modifying mt-comments, let me know and I'll help you. If you have a better solution, or see problems with mine, please let me know.

Again -- thanks to Phil and Sam for advice, help, suggestions.

Update:

Mark has put together a nice re-cap on the whole comment spamming thing. What I just created is a 'club'. I'm going in for an interview tomorrow and when they ask me what was the last application I worked on, I'll answer "A club".

Posted by joebeone at January 5, 2004 12:16 PM
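An added example, not part of the quoted post or of Movable Type: the hidden-field check above tests only that the field is present, so this sketch goes one step further and verifies the field's value, tying it to one entry and a limited lifetime. The per-site secret, the `timestamp:HMAC` field layout, the one-hour lifetime and the names `make_token` and `reject_reason` are all assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumptions (not from the original post): secret, field layout, lifetime.
my $SECRET  = 'change-me-per-site';   # constructed placeholder; never put it in a template
my $MAX_AGE = 3600;                   # seconds a rendered comment form stays valid

# Value for the hidden field, generated when the comment form is rendered.
sub make_token {
    my ($entry_id, $now) = @_;
    return "$now:" . hmac_sha256_hex("$entry_id:$now", $SECRET);
}

# Returns '' when the POST is acceptable, otherwise the reason to log.
sub reject_reason {
    my ($entry_id, $token, $now) = @_;
    return 'hidden field missing' unless defined $token && length $token;
    my ($issued, $mac) = $token =~ /\A(\d{1,12}):([0-9a-f]{64})\z/
        or return 'hidden field malformed';
    my $expected = hmac_sha256_hex("$entry_id:$issued", $SECRET);
    # Compare every character so timing does not reveal the first mismatch.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expected, $_, 1)) for 0 .. 63;
    return 'hidden field forged or issued for another entry' if $diff;
    return 'hidden field expired' if $issued > $now || $now - $issued > $MAX_AGE;
    return '';
}

# Constructed sample requests: [description, entry id, submitted field, time of POST]
my $t0   = 1073304000;
my $good = make_token(42, $t0);
my @posts = (
    ['browser, freshly loaded form', 42, $good,   $t0 + 120],
    ['POST without the field',       42, undef,   $t0 + 120],
    ['static value copied blindly',  42, 'snoop', $t0 + 120],
    ['token reused on entry 7',       7, $good,   $t0 + 120],
    ['token reused a day later',     42, $good,   $t0 + 86400],
);
for my $p (@posts) {
    my ($what, $entry, $field, $now) = @$p;
    my $why = reject_reason($entry, $field, $now);
    printf "%-30s %s\n", $what, $why ? "REJECT ($why)" : 'accept';
}
```

Returning a reason instead of calling `die` lets the handler log why a comment was refused and answer with an ordinary error page rather than a premature end of script.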