Easy End to MT Comment Spam

19 Jul 2004

When I first started getting comment spam, I thought I could delete it manually. I didn’t realize how much I already had. When hours of manual deletions weren’t enough, I googled “comment spam” and found MT Blacklist. It’s a brilliant plug-in that allows Movable Type users to deny comments from known spammers and to easily delete existing spam comments from the database.

This is all well and good, but it depends on the blogger regularly updating his spammer definitions and then running MT Blacklist to remove newly posted spam. It’s certainly way better than deleting it all manually, but it’s far from automatic at this point, and it’s still a big pain.

I was quite pleased, then, to discover another, simpler solution which, when used in conjunction with MT Blacklist, should keep your Movable Type blog pretty much spamless:

…Spammers have automated scripts that look for Movable Type blog sites and they then post to our comments using a direct call to the “mt-comments.cgi” script. If you installed Movable Type into the default directory (/mt) then they know exactly where the script is and how to call it.

The solution is simple: rename the script to some odd name (ex. qwerty.cgi) and edit your mt.cfg to point to the renamed CGI script. Look for the line that is commented out and reads “# CommentScript mt-comments.cgi”. Uncomment the line and change the name of the script to the new name. You need to rebuild the site before it takes effect. Users will not be able to post comments while you are doing this but the entire process only takes a few minutes.

I made this modification about three weeks ago and have not had a single comment spam since then. [source]

Don’t forget to rebuild! Your comments won’t work until you do.

Granted, this is not a permanent solution, but it has drastically reduced my own comment spam, and I’ll take the break from comment spam as long as I can have it!
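The rename and mt.cfg edit described above can be scripted. This is an added example, not part of the original post or the quoted source: the function name is hypothetical, and it assumes mt.cfg and the comment CGI sit in the same directory.

```shell
#!/bin/sh
# Added example: rename the Movable Type comment script and point mt.cfg at it.
# Assumptions: mt.cfg and the CGI share one directory; names here are illustrative.

rename_comment_script() {
    mt_dir=$1
    new_name=$2
    cfg="$mt_dir/mt.cfg"

    # Accept only a plain file name ending in .cgi (no slashes or metacharacters).
    case $new_name in
        *[!A-Za-z0-9_.-]*|.*|'') echo "bad script name: $new_name" >&2; return 2 ;;
        *.cgi) ;;
        *) echo "name must end in .cgi" >&2; return 2 ;;
    esac

    # Current name: an active CommentScript line wins, otherwise the default.
    old_name=$(sed -n 's/^[[:space:]]*CommentScript[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$cfg" | tail -n 1)
    [ -n "$old_name" ] || old_name=mt-comments.cgi

    [ -f "$mt_dir/$old_name" ] || { echo "missing $mt_dir/$old_name" >&2; return 1; }
    [ ! -e "$mt_dir/$new_name" ] || { echo "$new_name already exists" >&2; return 1; }

    # Keep a backup, drop every "CommentScript <name>" line (commented out or
    # active), then append the single active directive.
    cp -p "$cfg" "$cfg.bak" || return 1
    sed '/^[[:space:]]*#*[[:space:]]*CommentScript[[:space:]][[:space:]]*[^[:space:]][^[:space:]]*[[:space:]]*$/d' \
        "$cfg.bak" > "$cfg.tmp" || return 1
    printf 'CommentScript %s\n' "$new_name" >> "$cfg.tmp"

    mv "$mt_dir/$old_name" "$mt_dir/$new_name" && mv "$cfg.tmp" "$cfg" || return 1

    # Published pages still carry the old name until the site is rebuilt.
    echo "CommentScript is now $new_name; rebuild the site so comment forms use it."
}

# Usage: rename_comment_script /path/to/mt qwerty.cgi
```

The new name still appears in the HTML of every rebuilt comment form, so this only stops scripts that hard-code the default path.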


John Pasden

John is a Shanghai-based linguist and entrepreneur, founder of AllSet Learning.

Comments

  1. Hey, thanks John. This information is highly appreciated.

  2. Awesome.

  3. I installed it for myself about 3 days ago, no more comment spam since. Crossing my fingers on that one though..

  4. I’ve been getting swamped by spam comments lately, so I’ll have to give this a shot. Thanks John!

  5. devil's advocate Says: July 19, 2004 at 5:38 pm

    Unfortunately, this kind of trick won’t last for too long once the spammers find out about it.

    After all, it’s trivial to get around because the correct name of the file is listed in the html source for the comments page. In Sinosplice’s case: http://www.sinosplice.com/mt/mt-safecom.cgi

    How long before the spammers’ automated script just scans the page and uses this value?

  6. Devil’s Advocate,

    Yeah, I know. That’s why I said, “Granted, this is not a permanent solution, but it has drastically reduced my own comment spam, and I’ll take the break from comment spam as long as I can have it!”

    Until a better solution comes, this buys time while other people (the good guys) work on the problem.

  7. What about a script that, when run as a daily (or semi-daily) cron job (assuming you have access to your own cron on your host), changes the script name randomly (could be just about anything, so long as it was changed automatically in both places) and rebuilds the site (using the MT-Rebuild script). That way even if the spammer scanned the site and added it to the list of sites to spam it would only be a valid script for a little while at which point he’d have to rescan.

    Just an idea.

  8. John B.

    Yikes. My site doesn’t load fast enough as it is, I’d hate it to have to rebuild all of the posts every few hours.

  9. Even once a week, maybe. Just so you can’t sit on the list forever without the spammer doing more work. You’re right, though, that would be quite a load if done even semi-frequently.

  10. Devils Advocate Says: July 22, 2004 at 4:01 pm

    John B – Unless of course the spammer’s script was designed to scan the page and then send comment spam straight away. Then it would just be wasted effort for no reward.

  11. As it’s been pointed out, the spammers will develop scripts to glean the comments script filename so this won’t hold up forever.

    I got my introduction to automated porn spam over the weekend. I logged in and found over 1000 spam comments, and subsequently discovered that MT had no good method of deleting the crapload. Since then, I’ve also installed Jay Allen’s Blacklist plugin.

    Spam sucks. I just want my blog to be a quiet place for a quiet guy.

  12. This one makes sense: “One’s first step in wisdom is to question everything – and one’s last is to come to terms with everything.”
