I like blog comments. I understand why some folks don’t turn on the comments functionality in their blogs, either because of the humongous number of comments they’d get, or because they’re really all about broadcasting info out, not dialoging about it, or because they’ve had Bad Experiences with yahoos in their comments sections.
The latter option seems to be becoming more systemic, and, in fact, blog comment spammers are beginning to crop up like crabgrass.
As potentially attractive as some sort of massive blacklist system for MT (et al.) would be, the failure of such to work in the e-mail arena is not promising. Besides which, it’s a heck of a lot of work.
I could go for some simpler solutions, and, in some cases, have (and will go for more of them once the problem crops up here).
The underlying message here is, I think, a valuable one: viruses (spam and spammers, too) only spread when there are sufficiently similar systems for them to spread by. Everyone’s e-mail works the same way, so e-mail spam is easy. The majority of Windows systems are configured the same (often with the same security holes left unpatched), so virus propagation through Windows systems is easy. MT comment systems are all configured roughly the same way, so spamming through MT comments is easy. And if it’s easy, it will happen.
The alternative is a comment registration system. I have no problem with that, but a lot of folks seem to think it will hinder free exchange of dialogical goodness on the Net. That seems unlikely (at least on a relatively small and sedate community like this one); a bigger problem is coming up with a registration system that is both easy for people to use and difficult for a spambot to automate.
A solution that does inhibit discussion is a comment queue, though I could see some applications for it. Bottom line, though, I don’t want to have to review comments here before they show up. (If nothing else, the interactions between commenters are usually valuable.)
Another after-the-fact solution is a way to clean up spam comments. A couple of hacks to MT give you an option through the comment notification e-mail. I might implement that, if need be (it’s actually not a bad solution for some other problems, too.)
Some other good summaries on this problem, and possible solutions, here, here, here, and here.
And, of course, I’m sure we’ll hear more about it in the future.
I’ve implemented both the comment notification hacks above (since I already have a comments.pm hack). They overlap slightly, but are different enough to be worthwhile (one goes direct to delete confirmation, so it’s slightly faster; the other allows comment edits as well as deletes).
I am going to keep an eye on what you are up to here. I have been lucky thus far with the comment spammers but it cannot last.
Yeah, I’m going to implement the edit/delete hack when I get a chance to back at the house.
Good Lord — I hate to think I’m that cutting edge. :-O
So far, I haven’t had any of the problems described. But at least now I have a relatively straightforward way to delete comments I need to (and edit ones I want to edit, heh), and links to many other ways to protect myself if matters escalate.
If only some hackers would use their power for good and whip up some spambot-specific viruses.
Yeah, but then they’d never make it into the news, just onto the DMA’s sanction squad “to do” list.
yeah, I got smacked this weekend by some russian guy. this one is spamming at least two ways: in the body of the comment, and by directing readers to his site via the URL listing. it’s all sorta seamy and trashy and it pisses me off pretty thoroughly. looking forward to jay allen’s comprehensive plugin solution for MT blogs, which he’s promising to release today.
The MT-Blacklist stuff just seems overkill to me at the moment (check back with me next time I’m spammed). There seem to be some more straightforward ways of handling it, and my experience with IP blocking and other blacklists makes me think it’s either going to be a tremendous amount of admin work, have a lot of false positives/negatives, or both. If I had a major league site, I could see that, but I don’t — and most of the major league sites are commentless, anyway.
The other thing about a formal blacklist system is that it creates a monoculture of spam comment protection — which means it’s a big target for spam commenters. A diversity of approaches (or implementations thereto) seems a healthier way to go.
interesting perspective as always, dave. for what it’s worth, ben and mena are more or less endorsing the mt-blacklist plugin, at least in the short term. me, I want something I can plug in and forget about, but part of what’s insidious about these jerks is that they may be committing us all to more maintenance, more oversight, more housekeeping. bummer.
Here’s one way to do security by obscurity. Change the name of the input fields of the comment form. Modify the comment CGI with the new form names. If the comment comes in with the old input names, silently eat the comment.
I might fire up my old MT blog and do just that for the blogging community.
Yeah, those were mentioned in the “simpler alternatives” above. It works — as long as folks do it differently (i.e., so long as not so many folks use that defense that it becomes worthwhile trying to break it).
I’m trying to minimize the direct hacks I do on the MT stuff (so that I’m not scrambling next update), so I’d rather not screw around with any of the CGI if I can avoid it.
I’ll be watching the MT-blacklist to see how it’s working, though.
There probably is an even simpler hack. Rename the cgi script to something else. Since everybody uses mt-comments.cgi changing the name to say talkToDave.cgi would probably trip up most bots.
That’ll work as long as (a) everyone who does it chooses a different name, and (b) it’s not done by everyone. If everyone does it, then someone will modify their bot to look for the name to use.
I’m working on an alternative system that would require the spammer to at least manually enter their spam. In essence, if you don’t click a box on your form then the comment will go into a spam trap. Everything else on the form will look the same (same names for all the form values and callbacks).
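The two form-level defenses described in the comments above (renamed input fields with silent discard of posts that use the old names, and a checkbox that routes unticked posts to a spam trap), sketched as an added example that is not code from this post, its commenters or Movable Type. The stock field names, the `_7f` renames and the checkbox name are assumptions made up for illustration.

```python
from urllib.parse import parse_qs

# Assumed stock field names a generic bot would post (not taken from the page).
STOCK_FIELDS = {"author", "email", "url", "text"}

# Hypothetical per-site renames; each site should choose its own.
SITE_FIELDS = {"author": "who_7f", "email": "mail_7f",
               "url": "link_7f", "text": "body_7f"}
HUMAN_BOX = "confirm_7f"  # hypothetical checkbox a person must tick


def classify_comment(post_body):
    """Return (verdict, comment) for a urlencoded comment POST body.

    "drop":    stock names present, so the client never used this site's
               form; discard, while still answering as if it was accepted.
    "trap":    checkbox missing or comment body empty; hold for review.
    "publish": passed both checks.
    """
    form = parse_qs(post_body, keep_blank_values=True)

    # Check 1: the served form never contains the stock names.
    if STOCK_FIELDS.intersection(form):
        return "drop", {}

    # Map the site-specific names back to the names the comment code expects.
    comment = {std: form.get(site, [""])[0].strip()
               for std, site in SITE_FIELDS.items()}

    # Check 2: browsers omit an unticked checkbox from the POST entirely.
    if form.get(HUMAN_BOX, [""])[0] != "1" or not comment["text"]:
        return "trap", comment

    return "publish", comment


# Constructed sample submissions.
BOT_POST = "author=x&email=a%40b.example&url=http%3A%2F%2Fspam.example&text=buy"
NO_BOX_POST = "who_7f=Ann&mail_7f=&link_7f=&body_7f=Nice+post"
HUMAN_POST = NO_BOX_POST + "&confirm_7f=1"
```

As the replies note, this only holds while each site picks different names; a bot that parses the served form and submits every field it finds gets past both checks.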
It’s particularly amusing when they post comments in here. Like someone just (zap!) did.
And again, three more this morning. Heh.
For obvious reasons, this post remains a favorite for comment spammers to spam. Just as obviously, those spams don’t stick around for very long. Give it a rest, folks …
I had never seen blog spam until yesterday, since I don’t read many blogs and those that I do read are pretty good at weeding it out. But yesterday I happened across this. It’s a blog by a Mozilla developer on ideas for future development, and he obviously doesn’t spend much effort on cleaning out blog spam. It’s kind of shocking how bad it can get.
Yup. Sort of like crabgrass.
The dude with that blog is looking at getting blacklisted, if he doesn’t clean up his act. “If you’re not part of the solution, you’re part of the problem.”