Slashdot Log In
Comment Spams Straining Servers Running MT
Posted by
michael
on Sat Dec 18, 2004 04:08 PM
from the critical-mass dept.
from the critical-mass dept.
dJ phuturecybersonique writes "Netcraft reports that 'Comment spam attacks on Movable Type weblogs are straining servers at web hosting companies, leading some providers to disable comments on the popular blogging tool. The issues are caused by bugs in MT, forcing publisher Six Apart to recommend configuration changes while it prepares fixes.' More..."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Wow (Score:3, Funny)
So it's dead? (Score:2, Funny)
Re:So it's dead? (Score:2)
Hold on -- blogging was once alive?
Whoa.
Not just comment spam (Score:4, Interesting)
The best solution for me:
1. User email address verification
2. server generated images to verify real user for registration
3. Regular cookie expiration after x amount of time
4. host filtering (referr filtering usually gets ride of "freepers" unless they open a new window
However - nothing beats good moderators, quality users and sticking to your nich. Don't go pissing people off tossing your blog around the world yourself and not expect to get anything in return.
It's a jungle out there
Re:Not just comment spam (Score:4, Informative)
Parent
that's not the usage in this context (Score:2)
Re:Not just comment spam (Score:3, Informative)
The worst part of being a slashdot member is watching people devistate and ruin a server because of childish acts of vandalism.
Take for instance whenever slash points towards wikipedia, within minutes the page will be modified to some trolls' agenda.
Having to wade through the crapflood of comments on blogs and forums after slash has been there is almost embarassing sometimes.
The servers can generally cope with a slashdotting and work perfectly just hours or days after the initial hit, howeve
Re:Not just comment spam (Score:2)
The question becomes one of spam. Whether it's in your email box, or the comments of your blog, it's the same.
You want it to be easy to filter out the spam and still make it easy for legitimate readers to make comments.
Looking at the slashdot system, a mail-verified registration system seems to be mostly sufficient.
On my blog the spambot was putting porn weblinks into the webfield, and a generic 'dude th
Re:Not just comment spam (Score:3, Insightful)
Correcting lack of access to text on the Internet is easy: just buy a PC with a screen reader and an account with an ISP. Correcting lack of access to distorted images of text on the Internet, on the other hand, is non-trivial: if the CAPTCHAs are easy enough for blind people's OCR, then they're easy enough for spammers' OCR. If you must use a CAPTCHA, then make it something other than an image. Ask yourself: what questions can a blind person answer that a spambot can't?
Old news. (Score:3, Insightful)
Shame on them.
Netcraft confirms ex-MT users love WordPress (Score:5, Informative)
First and foremost, it's free (speech and beer) and distributed under the GPL.
Second, the actual developers of the software actually participate in the support forums [wordpress.org], so if you do have a question, it's likely to be answered very fast by someone intimately familiar with the software.
Third, it's a lot less susceptible to comment spam, especially after applying a few plugins and hacks [wordpress.org]. I've never received a single one, and that's not for lack of spammers trying.
Fourth, it's very easy to customize the look and feel of the site without knowing any PHP. HTML and CSS is about all you need to know. Knowing PHP helps a lot if you want to really customize it, but it isn't a requirement.
Finally, they've already included a Movable Type import utility [carthik.net], so those of you who are sick of MT for this and many other reasons [cafefort.com] can move over with little hassle.
Signed,
A very happy WordPress user and occasional contributor.
Definitely (Score:2)
I share my MT installation with my brother. Not surprisingly, we like having our own weblogs. MT now charges for something that simple.
The fact that Wordpress is released under the GPL an
Re:Definitely (Score:2)
Re:Netcraft confirms ex-MT users love WordPress (Score:3, Interesting)
Of course, all of this is fixable, and just calls for more people to jump in and get involved. I learned a bit of PHP and
multiple blogs (Score:2)
Re:multiple blogs (Score:3, Informative)
comment spams made me switch (Score:3, Informative)
I had to ditch Moveable Type explicitly due to comment spam. The real problem with it was that there was no way to delete more than one at a time. The web app only displays the last five comments and then you have to go digging through every article to find the other spams. Real pain in the ass. I switched to Wordpress, which is also beseiged by comment spam from Online Poker outfits. In Wordpress [wordpress.org], however, you can mass-edit with all comments listed with checkboxes to delete whichever are spams.
In Moveable Type and Wordpress, you can pretty much eliminate the script-driven spambots by renaming the comment cgi handler and then editing all other files that reference it. I didn't think of this till after I swtiched to Wordpress, though.
Re:comment spams made me switch (Score:2)
That looks a lot more robost than MT (mind you I'm still using 2.65). When this whole comments thing started getting out of hand, I actually edited every damn post since last year to be comments-closed.
Maybe I'll switch too. I was planning to do a redesign during the break. Does it have pretty versatile templating?
Re:comment spams made me switch (Score:2)
Much improve and appreciated. I also turn on comment moderation and this fixed the problems I had with comment spam.
Re:comment spams made me switch (Score:2)
I'm a user at TextDrive, and a bunch of users and admins there have a mailing list where we are VERY aggressive in defeating spam. mod_security is great for blocking based on the contents of a POST payload ("contains texas holdem? Sorry, you get an Error 412.") and mod_dosevasive, which is grea
mt-blacklist (Score:2)
I installed mt-blaclist [jayallen.org], which pretty much solved the problem for me. It allows you to search by regular expression and massively de-spam and blacklist the urls they point to. All subsequent comments containing those urls or other known spam expressions get trashed automatically.
Re:comment spams made me switch (Score:3, Informative)
Re:comment spams made me switch (Score:2)
Re:comment spams made me switch (Score:3, Interesting)
Perhaps this was added in version 3.x, but you certainly can delete more than one comment at a time in Movable Type, and there is no need to "dig through" each post to find the latest comments, whatever the number. I believe that the comments page displays 20 comments at a time by default. It's unfortunate, though, that Six Apart pissed everyone off by licensing 3.x as they did, or more people would be taking advantage of 3.x's small but worthwhile improvements.
I agree with other posters that renaming
A simplistic solution (Score:4, Interesting)
If your case is like mine, where mt is stored in a directory just off of your public web site, do this: use a .htaccess to put a password on your whole MT directory. They can't access comments.cgi (assuming it's just a bot doing the spamming), they can't post comments. I don't really like the idea of people touching my CGIs anyway. Make sure your robots.txt excludes the MT directory as well.
That is, assuming you don't give a damn about people's comments.
Re:A simplistic solution (Score:2)
Who posts comments on websites anyway? It's not like anyone reads them.
Re:A simplistic solution (Score:2)
For the most part, the only people who read it are a few close friends and my girlfriend. I mostly use it as a design testbed and a place to rant.
However, there's nothing preventing you from giving your password out to some of your friends, or even putting it on the webpage itself. In a gif, better yet. The scripts that run these things aren't that smart, and clearly the 1000 odd posts on my website weren't done by a human. I'm not important enough..
Why your Moveable Type blog must die (Score:2, Funny)
Every last one of you. You're all latte-sipping, iMac-using, suburban-living tertiary-industry-working WASPs who offer absolutely no new insights on anything whatsoever apart from maybe one specialist field if we're lucky.
Quite an enjoyable rant.
xox,
Dead Nancy
Re:Why your Moveable Type blog must die (Score:3, Funny)
I live in the urbs, I drink cappuccinos, and I work for an academic research unit. My computer is not an iMac, but a PC with XP and Slackware. I'm a euromutt of catholic derivation, and I have pretty broad interests.
But that's pretty damn funny, I'll admit. They forgot, though, that they're all writing dark fantasy novels which will never be published.
There are far too many weblog addicts out there who are excessively vain, and are under some kind of bizarre pretense that they matter, and they seem to e
Re: flamebait my ass (Score:2)
challenge the user (Score:5, Informative)
Re:challenge the user (Score:3, Insightful)
Captchas are currently great for weeding out automated spammers; unfortunately, they're also great at weeding out people who cannot see. This unnecessarily renders your site inaccessible to a portion of your audience. From a geekier perspective, this sort of assumption-laden web design runs completely contrary to the accessible, device-independent spirit of the original WWW.
Of course, since the blog you linked doesn't even work at all as I write this, maybe you're not concerned with accessibility for
DotComments (Score:2)
SixApart is partly to blame (Score:2)
Personally I think MT needs to just scrap the entire comment system and start over again. They need to implement
Can someone fill me in? (Score:2)
If the issue is posting of URLs, then it should be a simple matter of the blog site checking any URLs against SURBL [surbl.org], a spam URL blocklist.
What am I missing here? When did this become such a huge issue?
Re:Can someone fill me in? (Score:4, Informative)
- spam bots attack WP and MT through various means, one of the most common being to simply POST to the mt-comments.cgi or wp-comments-post.php URLs on peoples sites
- the bots mainly post huge amounts of links to stupid websites, like viagra or poker strategy. the goal is to get a higher google ranking by having links from many different sites
- the biggest problem for WP users is that you get flooded with literally hundreds of comments per day. if you have good filtering you'll at worst just have to sit around and delete some manually
- the biggest problem for MT users(or that MT users cause) is that because of the poor design of MT, the comments script takes up a huge amount of CPU time. apparently it actually goes through the process of rebuilding the static post pages even when comments are moderated or auto-deleted. now imagine you have 500 posts and they all get hit at the same time - it's something close to a forkbomb on the server
The best solution to all of this is to find a way to prevent the stuff from ever getting posted. Once it's submitted you're going to have to analyze it in some way and decide if its SPAM or its good. There are some simple solutions like renaming the comment post scripts, and some more complicated ones like using a verification number or requiring users to register. In any case, it's a very major problem for almost anyone with a blog.
Parent
Re:Can someone fill me in? (Score:2, Informative)
The funny thing is that we (another weblog system, but suffering from the same problem) are seeing a lot of spam posts recently where they put the link text into the href attribute and the actual URL as the link text. Not sure what they're trying to accomplish w
NoIndex HTML Tag (Score:3, Insightful)
But isn't that the kind of area you would want? (Score:2)
Perhaps Google could recognize a Moveable Type site and just ignore comments from them.
Reusable Proofs of Work (Score:4, Interesting)
It occured to me thought that what would really fix this is to push the load onto the spammers by building a Reusable Proofs of Work (RPOW) [cryptome.org] system.
For those who are unfamiliar, RPOW is a proposal to stop mail spam by asking the sender to do a little "work" that would make sending a lot emails computationally too expensive.
As I'm in the last throws of my PhD I'll have to delay on this one, but maybe the lazy web can help out on this one, so the same thing doesn't happen to wordpress or whatever blogging monocultures exist.
Re:Reusable Proofs of Work (Score:2, Informative)
Hey I here there's already some software for this (Score:2)
Re:Easy Solution (Score:2, Interesting)
Re:Easy Solution (Score:2)
Hmm... semi off-topic, but it would be neat if search engines like Google could be trained to ignore negative score Slashdot comments. On systems where there's built-in feedback, that would be one way to combat the spam, just train the search engine crawlers to ignore comments with poor scores.
EricSee your HTTP headers [ericgiguere.com]
Re:Easy Solution (Score:3, Informative)
it would be neat if search engines like Google could be trained to ignore negative score Slashdot comments
Given that the static page is written at a Score:1 threshold, and that Google obeys Slashdot's suggestion in robots.txt not to index the dynamic pages, this is already the case.
Because spambots don't care (Score:2)
Re:I have a plan (Score:3, Interesting)
For example, they check 2,000 e-mails to earn a dollar, so they check 200 to earn 10 cents. If they make one mistake in that 200, then their entire payment for the 200 goes away.
Besides, you are throwing a human resource at a technology problem and when the technology is fixed, *poof* your business is gone.
In the case of MT the problem isn't the amount of spam, its the way in which static pages are rebuilt
Re:I have a plan (Score:4, Funny)
Parent
Re:Now then... (Score:2, Informative)
Re:Nucleus CMS (Score:2)
I've seen this observation mentioned once before, and I'd like to see this explored further. It seems that spammers are harvesting URLs from sites like weblogs.com [weblogs.com] and blo.gs [blo.gs]. I don't doubt that their finding blogs via Google searches, though, so turning off update notifications is probably a temporary solution at best.