Spam Bug

Comment Spams Straining Servers Running MT

dJ phuturecybersonique writes "Netcraft reports that 'Comment spam attacks on Movable Type weblogs are straining servers at web hosting companies, leading some providers to disable comments on the popular blogging tool. The issues are caused by bugs in MT, forcing publisher Six Apart to recommend configuration changes while it prepares fixes.' More..."
This discussion has been archived. No new comments can be posted.

  • by cybrthng ( 22291 ) on Saturday December 18, 2004 @05:12PM (#11126199) Homepage Journal
    But DoS attacks as well. Running several political blogs I often get "freeped".

    The best solution for me:

    1. User email address verification
    2. server generated images to verify real user for registration
    3. Regular cookie expiration after x amount of time
    4. host filtering (referrer filtering usually gets rid of "freepers" unless they open a new window)

    However - nothing beats good moderators, quality users and sticking to your niche. Don't go pissing people off tossing your blog around the world yourself and not expect to get anything in return.

    It's a jungle out there :)
  • Re:Easy Solution (Score:2, Interesting)

    by Anonymous Coward on Saturday December 18, 2004 @05:15PM (#11126214)
    Or make an in-between page for every URL linked. So, someone leaves a link, it gets made into http://www.example.com/linkout.php?linkid=23890 (or whatever), then linkout.php just SHOWS the link (not a redirect) with a noindex,nofollow tag (for Google) and robots.txt entry. No PR, yet a user can still click. Another alternative would be to use JavaScript since Googlebot doesn't seem to parse it yet.
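
The in-between page described in the comment above, sketched as an added example (not code from the poster or from Movable Type). `store_comment`, `interstitial` and the in-memory `LINKS` table are hypothetical names; the `/linkout.php?linkid=` path follows the comment's own example.

```python
import html
import re
from urllib.parse import urlsplit

LINKS = {}  # linkid -> original URL (stands in for a database table)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
ROBOTS_TXT = "User-agent: *\nDisallow: /linkout.php\n"  # keeps crawlers off the in-between page


def store_comment(text):
    # Escape everything the commenter typed; replace each URL with an
    # internal link so the published page never carries the spammer's URL.
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        linkid = len(LINKS) + 1
        LINKS[linkid] = m.group(0)
        out.append(html.escape(text[pos:m.start()]))
        out.append(f'<a href="/linkout.php?linkid={linkid}">link {linkid}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def interstitial(linkid):
    # Show the target instead of redirecting to it: no redirect for a crawler
    # to follow, and the page itself is marked noindex,nofollow.
    url = LINKS.get(linkid)
    try:
        scheme = urlsplit(url).scheme.lower() if url else ""
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return None
    if scheme not in ("http", "https"):
        return None  # never render javascript: or other schemes as a link
    safe = html.escape(url)
    return ('<html><head><meta name="robots" content="noindex,nofollow"></head>'
            f'<body>You are leaving this site for: <a href="{safe}">{safe}</a>'
            '</body></html>')
```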
  • by happyemoticon ( 543015 ) on Saturday December 18, 2004 @05:17PM (#11126223) Homepage

    If your case is like mine, where mt is stored in a directory just off of your public web site, do this: use a .htaccess to put a password on your whole MT directory. They can't access comments.cgi (assuming it's just a bot doing the spamming), they can't post comments. I don't really like the idea of people touching my CGIs anyway. Make sure your robots.txt excludes the MT directory as well.

    That is, assuming you don't give a damn about people's comments.

  • Re:I have a plan (Score:3, Interesting)

    by the-banker ( 169258 ) on Saturday December 18, 2004 @05:31PM (#11126306)
    No this doesn't sound workable, since a person operating at 99.5% accuracy would not make any money.

    For example, they check 2,000 e-mails to earn a dollar, so they check 200 to earn 10 cents. If they make one mistake in that 200, then their entire payment for the 200 goes away.

    Besides, you are throwing a human resource at a technology problem and when the technology is fixed, *poof* your business is gone.

    In the case of MT the problem isn't the amount of spam, it's the way in which static pages are rebuilt when they don't need to be, and mostly manifests itself in shared user environments (per the article). Your service wouldn't help this, because the problem isn't in the spam being displayed, it's the generation of the pages with the spam on it, which would have to be completed before your spam auditors could ever even see the copy.

    Not to mention all the problems around fulfillment. So they see spam, what do they do? Send an e-mail? Do you think people would give your little spam army access to delete comments on the spot? Or do you plan on using some sort of live filtering to further slow down a bottlenecked process?

    Some things, like voting, should have human intervention and control. Others like this aren't as suited to the task.

  • by yerdaddie ( 313155 ) on Saturday December 18, 2004 @06:03PM (#11126483) Homepage
    I myself run an MT blog and have been contemplating moving to wordpress to dodge the spam bullet, however temporarily.

    It occurred to me though that what would really fix this is to push the load onto the spammers by building a Reusable Proofs of Work (RPOW) [cryptome.org] system.

    For those who are unfamiliar, RPOW is a proposal to stop mail spam by asking the sender to do a little "work" that would make sending a lot of emails computationally too expensive.

    As I'm in the last throes of my PhD I'll have to delay on this one, but maybe the lazy web can help out on this one, so the same thing doesn't happen to wordpress or whatever blogging monocultures exist.
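
The proof-of-work idea from the comment above, applied to a comment form as an added example (not code from the poster, Movable Type or the RPOW project): a simplified hashcash-style puzzle, without RPOW's reusable tokens. The function names, the 16-bit difficulty and the ten-minute lifetime are assumptions.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)  # per-deployment secret, generated here for the demo
BITS = 16                    # assumed difficulty: about 65,000 hashes per comment
MAX_AGE = 600                # seconds a challenge stays valid

def _tag(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def zero_bits(challenge, counter):
    # Number of leading zero bits in SHA-256(challenge:counter).
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return 256 - int.from_bytes(digest, "big").bit_length()

def issue_challenge(post_id, now=None):
    # Server: challenge bound to one post and one issue time, authenticated by HMAC.
    ts = int(time.time() if now is None else now)
    body = f"{post_id}:{ts}:{os.urandom(8).hex()}"
    return f"{body}:{_tag(body)}"

def solve(challenge, bits=BITS):
    # Client: brute-force a counter that meets the difficulty target.
    counter = 0
    while zero_bits(challenge, counter) < bits:
        counter += 1
    return counter

def verify(challenge, counter, post_id, seen, now=None, bits=BITS):
    # Server: one HMAC and one hash, run before the comment is stored or a page rebuilt.
    try:
        body, tag = challenge.rsplit(":", 1)
        cid, ts, _nonce = body.split(":")
        age = (time.time() if now is None else now) - int(ts)
        genuine = hmac.compare_digest(tag.encode(), _tag(body).encode())
    except ValueError:
        return False
    if not genuine or cid != str(post_id) or not 0 <= age <= MAX_AGE:
        return False
    if challenge in seen or zero_bits(challenge, counter) < bits:
        return False
    seen.add(challenge)  # a solved challenge buys exactly one comment
    return True
```

Verification costs the server a single hash per submission, while each accepted comment costs the sender tens of thousands; the `seen` set would need to be shared storage, pruned after `MAX_AGE`, on a real site.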
  • by Xofer D ( 29055 ) on Saturday December 18, 2004 @06:33PM (#11126647) Homepage Journal
    The down side to WordPress is that it's really very immature code. Not only does it handle UTF-8 characters poorly, but even casual usage turns up a number of bugs in various different parts. This suggests to me that the developers fixed it in one section but didn't fix it in other parts of the code - not exactly thorough. I ran into all this stuff inside my first three hours of usage.

    Of course, all of this is fixable, and just calls for more people to jump in and get involved. I learned a bit of PHP and hacked myself a fix for the UTF-8 issues I was having, inside five hours of my first wordpress installation (note that's two hours after I found the problem and figured out how to replicate it reliably). I also installed and improved upon some of the comment spammer blacklist plugins, which ended up working very well. Prior to fiddling with wordpress, I had no PHP experience at all. I am not a programming god, either.

    The developers are also responsive to suggestions - I posted a bug about some of the UTF issues I could not solve, and it was resolved for me. Thanks, matt!

    I think that it's important to manage expectations when advocating software, which is why I want to make it clear that wordpress does not yet seem rock-solid stable. However, I think that with enough eyeballs (Hi, everyone!), it will definitely become the secure, flexible platform that most of everyone wants.

    Spammers need not apply.

  • by jacobito ( 95519 ) on Saturday December 18, 2004 @06:35PM (#11126664) Homepage

    Perhaps this was added in version 3.x, but you certainly can delete more than one comment at a time in Movable Type, and there is no need to "dig through" each post to find the latest comments, whatever the number. I believe that the comments page displays 20 comments at a time by default. It's unfortunate, though, that Six Apart pissed everyone off by licensing 3.x as they did, or more people would be taking advantage of 3.x's small but worthwhile improvements.

    I agree with other posters that renaming the comment CGI handler is ineffective. It's ineffective because enough people have tried that technique that it has become worthwhile for spammers to work around it. Other potential solutions will probably end up with similar results. Want to stop spammers by forcing comment previews? Then the spammers will preview their comments. Want to stop spammers by throttling x number of comments per hour? Then you'll end up with exactly x number of comments, fewer legitimate comments, and you'll still have spam. Want to stop spammers by forcing a login from a central authentication server? Spammers will register their own accounts on that central authentication server, too. Etc.

    I'm sorry to say that spam cannot be prevented, only mitigated. The best you can hope for is not having to manually delete every single comment you receive, as automated solutions weed out some (hopefully) high percentage of them. Meanwhile, any solution short of refusing comments altogether will eventually be defeated to some extent by spammers, assuming that enough people use that solution to make it worth the spammers' time and effort to defeat. One consequence of this is that switching from one popular blogging platform to another popular blogging platform is not going to save you from spam in the long run.

  • by diggory ( 264503 ) on Saturday December 18, 2004 @08:45PM (#11127257) Homepage
    I run WordPress and used to get hit by many casino/cialis spams. I found that I get no comment spam after using a WP hack (http://www.gudlyf.com/index.php?p=376) called AuthImage, which is a CAPTCHA (basic Turing test based on character recog.) I strongly recommend it, and would be grateful to any OSS vigilante who could port it to a proper WP plug-in.
  • Wow. (Score:1, Interesting)

    by Anonymous Coward on Sunday December 19, 2004 @05:53PM (#11132622)
    This is what they said to us about all of the problems MT causes our servers:

    "We have MT running at a number of hosting companies with a variety of configurations without an issue."

    Sure but what is this?

    site1
    Top Process %CPU 99.9 /usr/bin/perl -w mt.cgi
    Top Process %CPU 12.0 [analog ]

    site2
    Top Process %CPU 99.9 /usr/bin/perl -w mt.cgi
    Top Process %CPU 99.8 /usr/bin/perl -w mt.cgi

    Long live PHP-only blogs.
