I'm curious, in the context of "consider upgrading to these fine, fine software products," does anyone have any thoughts or experiences on the relative spam-killing merits of Movable Type vs. WordPress? I have got to get off of Blogspot, but have not yet made up my mind on which tool to use.

Advance thanks for thoughts, rants, &tc.

I think that since MT Blacklist uses regex matching, that sort of thing would be transparent to you as it would spot such a comment as spam without your doing anything special.

From my logs, it seems like waves of comment spam are preceded by a day or so's logjam of dubious referrers and robot-like leafing through all possible URLs at my site. I set up an .htaccess file to deny access to any request where the referrer (not the actual user's PC's name) was a .info or .biz domain. This has eased my worries, but YMMV.

It was fairly painless to get clean up while making a couple phone calls.

What really annoys me is that it's quite blatantly the SAME GUY every time, cycling through random IP addresses in an attempt to use a bottom-feeding advertising method that my site blocks at the door anyway. Ngggh!

But it's still too many... if the spammers have bots that are smart enough to have anticipated all my mods and figure out how to automate spamming me, that leaves MT-Blacklist as my only defense, and my protection is only as good as my latest blacklist.

Time for more complications...

I get a dozen to a hundred spam attempts every day. Since I installed MT 3.1x/MT-Blackist 2.x about six weeks ago, the software has only failed to block one (1) comment spam attempt, out of all the hundreds or thousands I've received. And it's blocked no legitimate comments.

Or is that the point?

> Is it just me, or is the comment/site spammer methodology counterproductive? Really, what is the point?

I've been told that the spam is not for humans, but for Google. Google builds it's page ranking system partly by seeing how many different sites point to a given page, on the theory that the more sites that have a link to a page, the more interesting the page must be.

This theory used to be reasonably true, before people started playing games like this to artificially boost their page rankings.

Of course, I'm still on MT 2.64 because I don't have the money to upgrade to the newer version. Mebbe when I'm no longer a student, I'll do that, since people seem to like MT3.

Zed: I'm going to keep your list of tips around so that if I have to do more than renaming the comment script, I've got a URL handy with tips for implementing them.

-kat

For example, when the spam got to be at its worst, I noticed that it was the same few posts, in 2 different blogs, that were always getting hit.
And I have been unable to determine a common denominator between those posts.

No one has seemed to have an answer as to why those particular posts were the targets all the time.

Or is it really just a coincidence that they always hit those posts?

Another question, hopefully only marginally more annoying than the first one: I notice that, in talking about spam solutions here, the universal consensus seems to be blacklisting and moderating comment attempts. I'm impressed that it's so effective, but as a way to reduce moderation work, has anyone considered placing hurdles before the comment posting? Are there sound practical reasons against it?

I'm not talking about requiring user logins or authenticating via e-mail. Those sound like too much work for the casual commenter. But what about one of those "read this non-OCR-able swirly text and type in what it says" challenges? Would something like that turn off an average reader from commenting? Or putting a time interval between allowed comments?

I know that such plug-ins exist for WordPress, because I stumbled across them, and I'm sure they must exist for Movable Type. Do people not use them primarily because MT-Blacklist does the job? Or because they're perceived as too much hassle for the user?

I don't know about those swirly graphics things... But for me that would be a last resort implementation, because quite frankly, I find them very annoying on other people's comments. I don't want to make it harder for real people to post real comments.

However, on my own blog, I did implement some kind of "pre-posting" kind of thing. I really can't explain what it is, except it involves a hidden field. A friend directed me to some blog where the instructions for adding it to the form/cgi was in a post.

Immediately after adding this hidden field, I stopped getting spam comments. But I was warned it could be a coincidence.

Then, less than a week later, I installed mt-blacklist.

For some months, I used to get spam comments every week, usually about 5-10 in a week, usually over the course of 1-2 days, across 2 blogs and about 5 blog posts.

After installing those 2 protection measures a few weeks ago, I've gotten a grand total of ONE spam comment that slipped through mt-blacklist. And also, a grand total of ONE spam comment that mt-blacklist took care of & prevented from posting, according to my activity log.

That's 2 spam comments that I know of over about 3 weeks, when I normally would've gotten about 30 in that time.

So I'm convinced now that the hidden field thing is what's fending off the bulk of spam comments.

But I'm no expert. And of course it could be a coincidence that maybe it just so happens in the past 3 weeks, I would've only gotten 2 spam comments without either of those measures.

(I'm sorry, but I didn't keep the URL to the blog/post that explained that hidden field thing - but I can ask the person who gave me the link, if someone can't find it - I believe the blog is a popular one if that helps.)

Sounds like recommendation #1 on Blogspam.

It's fairly simple to circumvent, but comment spammers don't seem to have gone to the trouble yet.

burningbird

The first time I went there I just quick got the info and left... Didn't realize the info was that old. 2 years.

If spammers haven't gone through the trouble yet, after 2 years, one wonders why... ?

I've never gotten hit with hundreds of spam at once. Even the days I would get hit, it would be 3-4 within a few hours, but not all exactly at the same time.

What I thought was interesting is this..
My friend just transferred his blog to WordPress, and he had 1,000 posts... Hadn't linked the new blog anywhere yet. And in one day, he got comment spam on every post.
Now how does something like that happen?

When I asked people why certain posts of mine, in particular, were getting hit, and others not... Some people suggested it was the way the spammers were finding those posts.
But if someone hadn't even linked their blog yet and they got hit... I'm wondering how. I'm assuming that the bots scan for WordPress comments file name on the system.
But I know that's not the problem with my MT - because I don't have specific comments pages - my comments are ONLY listed in the individual archive page. So there's nothing with the comments.cgi file in the URL for bots to find.

So how do they find me? It doesn't seem to explain that anywhere.

However, a quick look at Google explains that 'But, Google looks at more than the sheer volume of votes, or links a page receives; it also analyzes the page that casts the vote. Votes cast by pages that are themselves "important" weigh more heavily and help to make other pages "important."'

So in short, spam is doubly useless. Grrrrr.

So that's not an adequate argument, I think.

Just like e-mail spam doesn't specifically target people, I don't think comment spam is particularly targeted either. It's all about the numbers. More bait, more bites. That's all.

It just looks for the comment posting scripts, it doesn't care who you are. Once the idiots have found yours, they keep bombarding it - I get loads of folks trying to post spam to my WordPress powered blog, despite the fact that I deleted all the files and replaced it with Drupal aeons ago.

Security hole in the program, basically. The easiest (and I say this with some trepidation) fix is going into the database via phpmyadmin (a web-based MySQL database manager) and doing a mass comment delete from there.

I'm not sure whether the just-released WP 1.2.2 fixes this issue. It very well might.

Anyway, I don't even enable comments on my weblog and I still get spam -- referer spam. (Misspelling not of my making.) The Reffy boys are particularly good at trying to suck my bandwidth for no reason; check your server logs for adminshop or xopy.

It helps that I have a colo box that's currently sitting on an otherwise-abandoned 100Mbps line, with no bandwidth charges.

(Insert updated version of the Mark Twain line about not picking fights with people who buy ink by the barrel.)

Technical point: the comment spammers look for files with a particular name (the script used for posting comments). If they find it, they feed it a "POST" command with their spam. Now if somebody were to write a script that took whatever it was sent, and forwarded that along with some explanation ("This was generated by an unlinked script, apparently by a comment spammer, running from IP address XXX") to the appropriate abuse address for the spammer's ISP, and give it a name the spammers look for, . . .

I was on-line at the time and get e-mail notification, so I was able to blacklist & purge it after only 13 spams got posted.

I checked the MT-Blacklist master list, and the URL wasn't on there. (I have updated my list from the master list a couple of times.)
I sent the URL to be added, though I'm not sure if I did it right.

I'm still curious as to the file name thing of the comment script. My comment script is not available with that file name in it anywhere... But can they get to it anyway?

Possibly stupid idea: if one were to rename that script file to something random, as well as a search-and-replace across the rest of the source code, might one be able to stop all comment spam at the head?

It might make upgrades and plug-ins a pain. And I'm aware, of course, that anyone would be able to find the new script name anyway by looking at the HTML. But if spammers go after the low-hanging fruit, this could possibly raise one's blog entirely above their heads.

Doing so helps, to a degree. It was one of Yoz's famous suggestions last year. But most of the spam bots look, not only for a given file name, but for the presence of certain fields and actions within any of the cgi or php files at a site. Some look also for the default phrases that appear just before the comment entry section (ex: "leave a comment", "html allowed", etc) to help them target a comment-enabled post.

Changing all the names around would make it a lot harder to find that you allow comments and figure out how to spam them. If the changes were applied with a script, that could also be run against upgrades and plugins before applying them.

ijames: the "captchas" - swirly text - are annoying for most people, particularly since the spammers seem to have solved the 'easier' ones (going from the fact Yahoo switched from the clear-ish ones to the current ones). I'm told they're also a right bugger if you've got sight problems.

Hammedy-spammedy
Certainly time for it
Incontrovertibly
To disappear.

Or does it mean heat
Just below the boiling point
Time to make our teas?

But education
Shouldn't be from comment spam
So kill it off, please.

Kill kill kill the spam
Delete Delete Delete it
You know you want to.