You can find out exactly who it was at Reading and Writing [http://chujoe.net/archives/000154.html] where Joseph Duemer did a bit of detective work.

I've seen that bug you refer to about the comment text replacing the entry; it's an auto-fill bug in Safari, I think (the comment page text field is named "text" and so is the field on the entry page). As long as you don't hit "save" on the entry page, the entry won't be replaced by the comment. All the "Lolita" spams I've gotten have come from the same IP address so I just banned it from commenting within the MT interface. I can't wait until the MT-Blacklist is done.

We have been getting these comments posted constantly--this morning we had to delete and resave 15 posts. It's a huge pain, because the time we spent deleting this garbage could have writing our own stuff.

Thanks, guys. I have had this same problem on my site and was checking into it myself. Nice to find the answer where I wasn't looking!

And Teresa, I am reading "Making Book" for the first time. I am enjoying it tremendously.

Comes from Florida; could have guessed.

<Traveller>
Nuke the state from orbit; it's the only way to be sure.
</Traveller>

On a more serious topic, this post on the Movable Type message boards has a suggestion for dealing with these roaches by setting up a trap that automatically bans them.

I've read those Movable Type message-board suggestions; unfortunately, they hover just beyond my level of technical understanding.

I desperately want the MT people to address this with some kind of patch or option that non-stupid, but non-technical, people like me and Teresa can understand. Now. Because if this problem isn't addressed in a hurry, it won't be long before we give up on this hobby.

Electrolite just got hit with a slew of Lolitas. Patrick is deeply displeased.

THIRTY-TWO OF THEM!!! Electrolite got hit with thirty-two Lolitas. The first thirty hit in a wave, and then the last two got posted while he was banning the sender.

I hunted down and killed every one of them. It was tedious and time-consuming. I could have been writing.

If you have a weblog or guestbook and have the abililty to block posts, I suggest you add 209.210.176.20 to your gag list RIGHT NOW.

I've got a DIY Movable Type setup and it has a few quirks, one being that I can't identify IP addresses.

I woke up this morning to find 15 Lolita comments. I was not happy. Deleted every one, wrote to the guy who hosts my blog to see if we can maybe finally implement IP banning.

Hi, Patrick and Teresa,

There are a fair number of technically-skilled people who read these weblogs and who would be perfectly thrilled to help you out with the suggested fix.

It's not my area of expertise, but if push comes to shove, I'd take a shot at doing it for you.

(There! That should shame someone better than me into helping you out.)

Addendum: I've been getting all kinds of spam comments on my blog lately. One-word comments that say "interesting" or "cool," and then the commenter's URL is something like www.us-discount-insurance.com. AAARRRRGHHH! I've also gotten, on one post where I discuss an email service I really like, about 15 comments from Nigerians hoping I can introduce them to Bill Gates.

Somewhat more understandable, but no less annoying, are the "my-blog-is-awesome-come-read-it" spam comments. Trust me, if you leave this kind of comment, you can rest assured that I will not go read your blog.

j, I know I'd appreciate the help. I expect Patrick will too, when he calms down a little. Right now his opinion is as follows: "My idea of how to technically address this problem is that someone should go to this guy's apartment -- we have his address! -- and technically punch him in the nose, after which he should be technically chased down the street, on foot!, by a pack of wild dogs." Then he started ranting about marine predation, a scenario which I gather involves crustaceans nibbling on this guy's eyeballs.

I have no objections. In the meantime, though, I want to implement some spam-blocking measures. Lolita's proprietors aren't the only spammers who've been hitting my site. My guess is that the knowledge of how to spam weblog comments sections is spreading in the spammer community. Best batten down the hatches now.

What it looks like the posted script is trying to do is set a trap cgi, that, if accessed, will put a block into the .htaccess file.

I'm not convinced that this would be effective, since the easiest way to find the cgi for the message boards is to follow the link on the weblog page, and .htaccess only works if your apache server is configured to use it -- something J. Random Weblogger may not have access to change.

Worse, given the email spammer wars, I think you are in for a long, and quite possibly futile, war of attack and countermeasure. I like to think that filtering works -- but I've gotten over 100,000 spam emails hitting my server, despite more and more desperate attempts to stem the tide.

The more complex solution in the link, at first glance, looks more effective. Dropping IP addresses into a gag file may work for a while -- until they start using cracked machines as proxy servers, in which case, they'll dance from machine to machine.

I wish I could offer you a better answer. But, in truth, in the war against spam, we're losing, and badly.

Oh, yeah. The fastest and safest way to delete them is to talk to the database directly. This presumes MySQL -- other SQL will be similar, other than step 1.

1) From the shell, type

mysql -u username -p

Give it the password. The user and pass should be set in the MT interface somewhere.

Once in, you'll get the MySQL prompt. First, we find them.

SELECT FROM mt_comment WHERE comment_url LIKE '%http://COMMENT_SPAM_URL%' OR comment_text LIKE '%http://COMMENT_SPAM_URL%';

Replace the %http://COMMENT_SPAM_URL% with the actual URL they are using, but you will need the single quotes around the string. This should return a bunch of spam -- and no real posts. If so, you can then blow them away with...

DELETE FROM mt_comment WHERE comment_url LIKE '%http://COMMENT_SPAM_URL%' OR comment_text LIKE '%http://COMMENT_SPAM_URL%';

In most SQL implementations, the capitalization of anything not in single quotes is unimportant, but tradition is you all cap keywords of the language, and lc variables and the like.

If you return, and nothing comes back except for a prompt, you almost certainly forgot the semicolon at the end. SQL statements end with a semicolon, if you don't put on, the SQL interpreter will thing you aren't done, and just ask for more. If you did forget, just put the semicolon on the next line, and it'll work. Most complex SQL statements are entered on multiple lines, so don't fret.

When in doubt, do a SELECT, which just retrieves, rather than a DELETE. If you are paranoid, and your database supports it, start with.

START TRANSACTION;

and do the deletes, if you screw up, run

ROLLBACK;

and it'll come back to the point where you typed START TRANSACTION. If you're happy,

COMMIT;

ends the transaction and makes it permanent. There are certain SQL commands that are implicit COMMITs, but that gets complex -- in general, anything that alters the structure of the database or the tables themselves, rather than the data within them, will automatically COMMIT all transactions before execution.

However, you can SELECT to your heart's content without hurting anything. And, when in doubt, "man mysql" wouldn't hurt

Queep, Erik.

Thank you for the information, which reads as though it ought to be admirably clear once I find out what the nouns mean. I'll start tomorrow with "SQL", and go on from there.

I'm sorry to hear that the bad guys are still winning the spam wars. Would it be so terribly wrong to launch DOS attacks againt outfits that advertise via spam?

SQL: "Structured Query Language" Copyeds are naturals at it. You'll grok it in a half day. (Database design is another thing, but you don't need to design the MT database, you just need to read from it, and delete items in it. Piece o' cake. If you played Zork, you'll find that oddly familar. SQL, at it's simplest, is VERB NOUN from NOUN.)

As to DOS.

1) They own many, many, many more machines that you do. You can try -- they'll either ignore you, or slap you down. Note the number of anti-spam lists that have gone away under severe and sustained DOS attacks.

2) DOS attacks not only attack the bad guy, they attack anyone between you and them. Saturate a T3 feeding a router, and everyone connected to that router falls down.

3) Spammers may be more desperate that you are.

You can report these assholes to the FBI, online, by filling out a nifty little form. There is more info here. I don't delete the whole post. I just put this in its place: THIS COMMENT HAS BEEN DELETED. THE PERSON WHO LEFT THIS COMMENT IS A CHILD PORNOGRAPHER. ALL HEADER INFORMATION OF THIS POST HAS BEEN REPORTED TO THE CYBERCRIMES AGAINST CHILDREN DIVISION OF THE FBI.

Teresa,

If you didn't tell it to use MySQL, you're probably using BerkeleyDB (I think--I haven't read up on MT 2.6). And again, let me reiterate--use this form, without the wildcard, to block a range:

209.210.176.

Erik is right that these SOBs can overpower you, but that doesn't mean they will.

Sorry--I was in a hurry to post, and forgot to add that it's not so simple to delete with BerkeleyDB. I think someone would have to write you a script to do it--no command-line prompt.

As the cheerleaders (hopefully, not pre-teen) say:

Block that range! Block that range! Block that range!

Sometimes I wish I weren't so straight-laced. Otherwise I might consider a solution I learned on slashdot recently:

http://yro.slashdot.org/comments.pl?sid=77014&threshold=-1&commentsort=3&tid=111&mode=thread&cid=6855944

Instead, I'll just volunteer to help Jay test his application on an older version of MT.

Sometime in the last two months, in this web log, there was a two-word post, "Nice site," in a comment thread that hadn't gotten a post in years. It didn't make any sense in context.

I didn't follow the link from the poster's name.

I wonder now if that might not have been the first shot in this war.