For better blogging...
May 4, 2004
Yesterday, the amount of comment spam here and on MemeFirst quite simply got ridiculous. Barely 9 months after getting (and blogging) a first instance, and despite in the meantime removing every possible incentive to posting such spam, volume started growing exponentially as automated spam delivery mechanisms exploiting Movable Type's standard commenting scripts got more sophisticated. Over the past month, the use of randomly generated emails and rotating IP addresses has allowed spammers to easily circumvent MT's built-in defences at a rapid clip.
Myself, I was waiting for MT 3.0's upgraded comment filtering technology. In the meantime, MT-Blacklist, a plug-in that filters URLs for proscribed content, has made it harder for spam to make it through, though not impossible, especially if the sites being promoted by spam use conventional words in their URLs. And, though spammers now have to continuously change the content of their spam, they can still usually get away with bombarding a large number of blogs before they all update their blacklist or the blacklist clearinghouse gets updated. In that sense, MT-Blacklist also chases after a moving target, much like banning IP addresses is ineffective against a spammer continuously changing her IP address.
But last night, as my list of recent comments swelled with the labor of the dregs of humanity, I was willing to settle for something quick and dirty to solve the specific problem of automated spamming engines afflicting my blog. This is what I came up with — and it only takes two minutes to install.
The idea was to personalize my blog's comment submission process so that a spammer needs to either post spam in person or else manually tweak his comment submission engine so that it works specifically for my blog. Basically, it becomes as annoying for him to post spam as it is for me to remove it. With the burden shared in this way, I'm guessing the spammer won't bother with my blog, as I care a hell of a lot more about it than he does. And if a spammer visits my site, examines my comment submission process and manually tweaks his engine, I simply alter my process. I feel their pain, and it feels good.
The hack involves requiring a human mind to complete a simple instruction, such as "type the letter 'A' in this textbox" or "Type the third letter of this sentence in the textbox," before MT accepts the accompanying comment. Here's how:
In your cgi-bin folder, navigate to and edit the file cgi-bin/lib/MT/App/Comments.pm. Do a search for the following piece of code:

    if (!$q->param('text')) {
        return $app->handle_error($app->translate("Comment text is required."));
    }

Replace this with:

    if (!$q->param('text')) {
        return $app->handle_error($app->translate("Comment text is required."));
    }
    ## my addition
    # defined() avoids an "uninitialized value" warning when the 'spam' field is missing
    unless (defined $q->param('spam') && $q->param('spam') eq 'A') {
        return $app->handle_error($app->translate("Type the anti-spam text exactly as shown."));
    }
    ## my addition

Save and close. Now go to the templates screen in your Movable Type user interface, and make sure that all templates that allow you to submit comments have the following HTML snippet added to the comment submission form (I placed mine just above the comment textbox):

    <label for="spam">Today's anti-spam measures are brought to you by the letter "A". Please type it here:</label> <input id="spam" name="spam" />

In standard builds of MT the templates you want to alter are: Individual Entry Archive, Comment Listing Template, Comment Preview Template and Comment Error Template.
What happens now is that when a comment is submitted, MT checks that the accompanying question is answered correctly; if it is, the comment is accepted. The question is asked in the HTML, the answer is found in the Comments.pm code I added.
Advanced MT users: It's actually a lot simpler to put that HTML snippet into a template module and to refer to the module wherever a template contains a comment submission form. This way, when it is time to change the question/answer pair, you only need to alter the HTML in one spot. More about MT modules here.
Update 2004-05-19: This hack is not compatible with MT-Blacklist. MT-Blacklist is not a proper plugin in that it completely bypasses Comments.pm with its own comment-handling files. Altering Comments.pm as described here has no effect as long as MT-Blacklist is installed.
Update 2004-09-10: It is compatible with MT-Blacklist, as the comments below attest to. (I don't use it though. There really is no need now.)
Update 2004-10-29: Strang's Blog has a post that explains how to get this to work for MT 3.11 templates.
Of course, a spammer can still visit my blog, determine the required answer for the anti-spam question, and then program his submission engine accordingly. But the catch is that he has to do this manually every time I change the question/answer pair. You can alter the question/answer pair whenever you want: in Comments.pm, just replace the 'A' in the above example with whatever letter, number or word you want, as long as it is inside single quotes; and also make sure the question in the HTML snippet leads unambiguously to that answer.
The reason this is not a plug-in is because I don't know Perl. I guessed-and-pasted this out of desperation, but it works like a charm. If I knew Perl I would probably build a library of question/answer pairs that I can rotate at will. And, additionally, if you are willing to forgo having comment submissions on the static Individual Entry Archive template in favor of using only the pop-up comment templates, which render MT tags on the fly, you could build a system that automatically rotates the question/answer pairs every X hours or days, overlapping successive pairs so that commenters on the crux of a changeover are not abandoned.
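The rotating question/answer library described above, sketched in Perl as an added example (not the author's code and not part of Movable Type). The pairs, the one-day period and the one-hour overlap are constructed values, and pair_index, current_question and answer_ok are hypothetical names.

```perl
use strict;
use warnings;

# Constructed question/answer pairs; replace with your own.
my @PAIRS = (
    { q => q{Type the letter "A" here:},                    a => 'A'    },
    { q => q{Type the third letter of this sentence here:}, a => 'p'    },
    { q => q{Type the word "blog" here:},                   a => 'blog' },
);
my $PERIOD = 24 * 60 * 60;   # rotate once a day (assumed value)
my $GRACE  = 60 * 60;        # previous answer stays valid for an hour (assumed)

# Index of the pair in force at epoch time $now.
sub pair_index {
    my ($now) = @_;
    return int($now / $PERIOD) % @PAIRS;
}

# Question to print in a template that is rendered on each request.
sub current_question {
    my ($now) = @_;
    return $PAIRS[ pair_index($now) ]{q};
}

# True if $submitted answers the current question, or the previous one
# while we are still inside the grace window after a changeover.
sub answer_ok {
    my ($submitted, $now) = @_;
    return 0 unless defined $submitted;          # field missing from the POST
    $submitted =~ s/^\s+|\s+$//g;                # ignore stray whitespace
    my @accept = ( $PAIRS[ pair_index($now) ]{a} );
    push @accept, $PAIRS[ pair_index($now - $PERIOD) ]{a}
        if $now % $PERIOD < $GRACE;
    return scalar grep { lc $submitted eq lc $_ } @accept;
}

# Demonstration with constructed timestamps around a changeover.
my $changeover = 3 * $PERIOD;                    # start of the 4th period
for my $case (
    [ 'A',    $changeover + 10     ],   # current answer
    [ 'blog', $changeover + 10     ],   # previous answer, inside grace
    [ 'blog', $changeover + $GRACE ],   # previous answer, grace expired
    [ undef,  $changeover + 10     ],   # no 'spam' field at all
) {
    my ($answer, $when) = @$case;
    printf "%-6s at +%5ds: %s\n", defined $answer ? $answer : '(none)',
        $when - $changeover, answer_ok($answer, $when) ? 'accept' : 'reject';
}
```

Inside Comments.pm the check would be called as answer_ok(scalar $q->param('spam'), time); the scalar matters because param() returns an empty list for a missing field when called in list context, which would shift the arguments.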
The more that people personalize their comment submission forms, the less spammers can exploit the standard MT comment submission process.
Comments
Hello! I am the Auditor in charge of international transaction in one of the biggest software companies here in Nigeria. During the course of our auditing, I discovered a very valuable top secret perl script against comment spam in an office computer. After going through some old files in the records I discovered that the programmer of the script since long had died without a [Heir/WILL], hence the script is finders/keepers, if I only could raise the money to get it out of the country. And that is why I contact you. If I do not remit this script out urgently it will be forfeited for nothing. And it could be sold for millions!
You are the first and the only person that I am contacting for this business, so please reply urgently so that I will inform you the next step to take urgently.
There is an MT plugin called "Scode" (http://mt-plugins.org/archives/entry/scode.php) that does exactly the same thing, only better, since it produces a numeric code on a .gif, generated via CGI (so unreadable by a machine, which unfortunately is not the case for your "A", which, moreover, stays fixed.)...
Posted by: sebastien cramoisi from 217.117.39.53 on May 6, 2004 12:29 PM
This way it's more accessible for blind people. And it's less work for my visitors to let the browser fill in an 'A' there automatically, since I'm only going to change it when someone attacks me. So far, it has worked perfectly. Besides, it's impossible for a machine to understand "Today's anti-spam...." There's no method for knowing that you have to type 'A' -- you have to be human.
Posted by: Stefan from 213.113.222.248 on May 6, 2004 02:11 PM
It's clearly a good solution. I just wonder, in that case, why most "non-human detector" scripts use the "generate a random .gif containing a number" approach.
I imagine that with time we'll see whether it works...
Posted by: cramoisi from 217.117.39.53 on May 7, 2004 10:53 AM
Is there no language in which people won't disagree with you?
Posted by: Matthew from 208.144.114.4 on May 7, 2004 02:40 PM
Au contraire, it seems like French is the only language in which people DO agree with me. Not that you'd have the savoir faire to distinguish between opposing arguments in French.
Posted by: Stefan from 195.67.83.82 on May 7, 2004 02:47 PM
I really like this approach. I've been trying to get James Seng's SCode plugin to work for about 4 hours now...it's completely blocking any comment entries at all!
I'm going to uninstall it and see if yours does the trick.
Posted by: Kasey from 67.121.178.61 on May 19, 2004 03:13 AM
I just installed your little anti-spam hack. Thought I should let you know that your hack IS compatible with MT-Blacklist, you just have to add it to the proper file.
If you have MT-Blacklist installed, you should not add the addition source code to /lib/MT/App/Comments.pm
Instead, add it to the appropriate section of /extlib/jayallen/MTBlPost.pm (you'll need to read Jay Allen's notes in the head of MTBlPost.pm to know which section of the code to modify...it's different depending on which version of MT you are running).
Thanks, Stefan, for the nice anti-spam measure.
Oh, by the way, it also works for short phrases as well...you don't have to limit yourself to a single letter.
Posted by: Kasey from 134.79.82.61 on May 20, 2004 09:02 PM
Thanks a lot. A few weeks ago I was bombarded by approximately 10000 SPAM-comments! Thanks to your smart little antidote I truly hope I will get rid of almost all spam from my site completely. Again, thank you so much.
Posted by: the Skeptic from 217.209.167.176 on August 7, 2004 11:11 PM
Thank you! Thank you! Thank you!
Even with MT-Blacklist I was getting a half-dozen comment spams a day. I followed your instructions, even the MT modules part (huge help), along with Kasey's comments on the proper file for MT-Blacklist -- it couldn't be easier, even for a novice like me.
You're my hero!
Posted by: GA - Keith from 24.21.140.51 on September 9, 2004 08:20 PM
Oh, thank you! We were so swamped with spam, even with blacklist it took us up to an hour daily to delete and delete and delete...
This hack works like a charm and even computer-illiterate me could do this. Take that, spammers!
Thank you. You did a great service to the blogosphere. You deserve a medal or something.
Claudia - very grateful
Posted by: claudia from 83.103.228.232 on October 29, 2004 07:37 AM
OK, I admit defeat. I did something wrong and hope that someone can help me.
The code works like a charm, as long as you don't mistype. Then you get the error message (still OK), but then it won't let you post even with the correct word -- unless you preview first, then it works. Odd, eh?
This is the error message I get when I try to re-post after a failed first attempt:
"MT::App::Comments=HASH(0x82829b0) Use of uninitialized value in string eq at lib/MT/App/Comments.pm line 80."
I thought I did everything right, I even turned Blacklist off because it seemed not to work even with Kasey's trick.
Where did I go wrong? Can someone help a willing but confused beginner?
TIA,
Claudia
Well - it works great on my 3.12 install - but I did the same thing on MT 2.66 and it doesn't work.
unless ($q->param('spam') eq 'AGREE') {
return $app->handle_error($app->translate("You must type the word AGREE in order to post."));
}
if (!$q->param('text')) {
return $app->handle_error($app->translate("Comment text is required."));
}
my $comment = MT::Comment->new;
$comment->ip($app->remote_ip);
$comment->blog_id($entry->blog_id);
$comment->entry_id($q->param('entry_id'));
Interestingly enough - on the missing text message if I change it - it doesn't change the message when I run it. I almost would think I'm running the wrong file or something - but if I create a syntax error that affects the output. I get the error. So - I'm rather stumped.
If someone could email me with a clue I sure would appreciate it.
Posted by: Marc Perkel from 65.172.231.34 on November 4, 2004 11:56 PM
OK - Got it working. I was using MT-Blacklist and you have to modify the MT-Blacklist file too. MTBlPost.pm
BTW - I make them type AGREE and have a link to terms of use - something I have yet to write - where they agree to pay me $500 per spam.
http://marc.perkel.com
And - thanks for this patch - seems to be working.
I've altered all the files as told, but since I'm also running MT-Blacklist, I'm wondering where exactly you need to add that additional code into /extlib/jayallen/MTBlPost.pm . I can't see that written anywhere (not in jayallen's files). Any ideas?
thanks!
Posted by: Els from 62.205.115.169 on December 9, 2004 09:42 AM
ELS, No I don't as I don't use MT-Blacklist. Can you ask Jay?
Posted by: Stefan from 195.67.83.82 on December 9, 2004 09:55 AM
I'll send a comment, but I was kind of hoping the person who posted the message here about that, would know where as it works for him/her (Kasey)...
Posted by: Els from 62.205.115.169 on December 9, 2004 11:00 AM
Els,
I saw your comment on my blog, and I responded to you. Please check your email for my message.
Also, the contact form should be working OK now. I fixed it two days ago, so if you tried to reach me via the contact form before that time, then it makes sense that it was broken. I tested the contact form one more time this morning, and it worked for me. So if you tried using it on 12/8 or later, then it sounds like something weird is going on.
Anyway, I'm always happy to help anyone implement this code. If you're having problems with it and need help, please visit my blog (http://www.doggydiaries.pudgypuppy.com/) and use the "Contact Me" link to send me a message. I can't guarantee that you'll get an immediate response, but I will do my best to get back to you within 24-48 hours.
Posted by: Kasey from 134.79.82.61 on December 9, 2004 05:09 PM
ELS - do a search for the same code
if (!$q->param('text')) {
return $app->handle_error($app->translate("Comment text is required."));
}
in MTBlPost.pm (in cgi-bin/extlib/jayallen/ I expect) and make the change as you would for the normal comments.pm described above.
Cheers for this quick fix! I tried SCode today to no avail but this works a treat.
Posted by: wa from 82.152.39.208 on January 2, 2005 09:32 PM
Offshoreoutsourcingworld.com is where the world comes to find Outsourcing news, latest events, articles and provider for their offshore outsourcing needs.
Posted by: stella parker from 202.131.118.126 on January 11, 2005 05:40 AM
Thanks for this. It's going to come in really handy
Posted by: John Maxwell Hobbs from 83.227.118.16 on February 25, 2005 10:40 AM
It's good. Nice blog. keep it up. Visit us at jack
Posted by: john from 202.149.50.6 on June 28, 2005 12:51 PM
Strang's blog is gone. I reproduced the post on A Few Euros More. Maybe you should update and put the info here.
Posted by: David Weman from 85.224.173.83 on November 30, 2005 12:14 AM
Cool hack...I might try this instead of Scode now.
Thanks.
Posted by: harris from 69.228.224.168 on May 22, 2007 07:28 AM
Interesting scripting to get around the spammers. Wish it would work on my regular inbox for email. hehe
Posted by: callie from 213.200.148.213 on May 4, 2004 04:31 PM