Category: Spam

Comments are tending to remain spam-free (thank you, TinyTuring). A few occasionally are popping up as added by real (evil) people at keyboards; these tend to be fairly obvious on all my blogs, and get deleted as soon as they’re spotted. I’m hitting the Manage Comments section of my MT installation at least every few days, in case something comes up on one of my less-watched blogs (I don’t always see the Comments e-mails).

Trackbacks continue to be the biggest problem, but are largely managed. Basically, trackbacks on all blogs except this one and BD’s are moderated (the exceptions are because we both are more likely to spot stuff quickly), and both blogs have low thresholds for flagging stuff to be moderated (or junked) anyway. 

By the same token, some very crafty trackbacks have been showing up lately that aren’t easily filtered — titles and excerpts from “real” text, and links to domains that look relatively innocuous. These have the greatest likelihood of slipping through, but I’ve been monitoring both my e-mail notifications and the MT trackbacks screen pretty closely, as well as noting IP ranges for those innocuous domains (and, quel surprise, they often are part of the same bloc, which then gets IP-banned).

It does remain intensely frustrating — like having a wall that invisible taggers keep spray painting — but I refuse to let the bastards grind me down.

Other tools used: AutoBan (which throws a temporary IP block into the .htaccess file any time something.gets flagged as junk, thus reducing processing burden — right now blocking 151 IP addies for the next 2 days), and the built-in SpamLookup (which includes IP blacklist lookups at bsb.spamlookup.net, sbl-xbl.spamhaus.org, and bl.spamcop.net and domain blacklist lookups at bsb.spamlookup.net, sc.surbl.org, and multi.uribl.com).

I’ve been working with the Hosting Matters folks to get FastCGI up and running on the server I’m on. 

The biggest problem (from a spam perspective) that Movable Type has is that it’s all script based, and everyone who hits a script spawns a new instance of it (as I vaguely understand), which, during heavy attacks, means a lot of serious overhead on the server.  Since 99% of the anti-spam measures in MT are script-based (fired off after someone invokes the comment or trackback script), that’s a real problem.

MT supposedly works now with FastCGI.  Under that setup, a script, once fired off, stays in memory, and is reusable from there.  That would seriously reduce the impact of spam attacks.  Problem is, I haven’t been able to get even a simple “Hello World” FCGI script to run.

I tried working this back last January and had no luck.  Hopefully I can get it running now.

I’m also seriously pondering making the move over to MT4 while I’m off here in Faerie (but not these couple of days I’m in the office).  It won’t specifically address the spam issue, but I’d like to be on something approaching the latest-greatest.  My biggest question mark at this point is the fork between MT Open Source and MT4 proper.

UPDATE 1:  HM reports they’ve gotten one of the Hello World scripts running, huzzah, and I’ve verified it, huzzah.  That should mean, once I’m at a computer I can access the error log from (just to monitor) that I can try the general conversion to FCGI with my MT 3.34 installation.

UPDATE 2:  And the server is under “attack” again, meaning I can’t do diddlysquat.  *sigh*

UPDATE 3:  Server is clear again.  HM suggests (and is facilitating) the MT4 conversion, so I’ll be doing some testing tonight, with an eye toward converting sooner as opposed to later.

I’ve been working with the Hosting Matters folks to get FastCGI up and running on the server I’m on. 

The biggest problem (from a spam perspective) that Movable Type has is that it’s all script based, and everyone who hits a script spawns a new instance of it (as I vaguely understand), which, during heavy attacks, means a lot of serious overhead on the server.  Since 99% of the anti-spam measures in MT are script-based (fired off after someone invokes the comment or trackback script), that’s a real problem.

MT supposedly works now with FastCGI.  Under that setup, a script, once fired off, stays in memory, and is reusable from there.  That would seriously reduce the impact of spam attacks.  Problem is, I haven’t been able to get even a simple “Hello World” FCGI script to run.

I tried working this back last January and had no luck.  Hopefully I can get it running now.

I’m also seriously pondering making the move over to MT4 while I’m off here in Faerie (but not these couple of days I’m in the office).  It won’t specifically address the spam issue, but I’d like to be on something approaching the latest-greatest.  My biggest question mark at this point is the fork between MT Open Source and MT4 proper.

So more spammy badness this morning.  Nothing got through to the page — the application layer held up — but the attacks caused serious site problems as the applications spun into high gear to keep the Visigoths at bay.  And, in this case, it was a comment script attack, rather than the more common (these days) trackback script.

I’m just damned sick of it.  I renamed both scripts (twice), but it had a heavy enough impact that the kind folks at Hosting Matters sent me a note about it and took some interventions themselves.

Rrg.

I’ve pondered shutting down the trackback bits, even though I make a lot of use of them myself within the application (as an internal cross-reference).  But as today’s attack showed, it’s still a problem on the comment side.  Indeed, one of the key protections I have — TinyTuring, which has kept every single casual bot comment spam since August 2006 — probably made things worse in this case, as it meant that every faux comment attempt fired off the comment script before being blocked (and if it had hit the junk filters and been blocked, AutoBan would have pushed the IP address into htaccess and blocked further attacks from that source).

As it stands, I have a number of IP ranges generically blocked (sorry, all my potential readers in Russia and China); that doesn’t prevent IP spoofing, I suppose, but at the moment it’s the best I can do, on top of the other tools.

(Ironically, most people gripe about e-mail spam; I’ve gotten to the point where the majority gets filtered and the rest I can toss with as much ease as junk mail at home.  It’s the blog spam that’s taking up too much of my time.)

A suggestion has been received that I bail on Movable Type and move over to WordPress or some other blogging tool (not that they’re immune to spam attacks, but the type of scripting that MT has means a lot more system resources are chewed up in defending against it).  I can’t tell you how much I don’t want to do that for a variety of reasons (the vagaries of migration, learning a new platform, etc.).  I’ve had a vague hope that MT4 will be a bit more robust in this, but I don’t recall reading anything about that one way or the other.

So time to crack the books again on MT and anti-spam.  Just what I want to do on my Winter Vacation.

Any other thoughts out there? 

Been getting a fair amount of spam here which seems more designed to test or overload spam defenses than actually do anything.  It’s all made up of single links to something like “http://www.google.com/search?q=fgfrfpjq” and other nonsense terms.  Clicking through the searches lead to no such string being found in Google.

If the trackbacks aren’t coming off of blacklisted sites, there aren’t a lot of options, short of turning off trackbacks (which I decline to do) or banning google.com references from trackbacks (possible, but I need to think of the implications).  Or, of course, being diligent in checking trackbacks.

Getting hit pretty nastily over the past few days by spambots here — not that anything has actually made it to the live pages, but my “junked comments” and “junked trackbacks” listings are long and nasty-looking — various kills from the SpamBlocker plug-in for MT and from scripts trying to bypass the TinyTuring text CAPTCHA.  And I have AutoBan blocking things on an IP level based on the junking filter — and that’s generating lots of access errors in the site error log.

All of which leads to occasional performance snafus around here, but the shields are holding and my animus toward the spammers remains unabated.

(I like this spambot slowdown method .. I might have to play with it some time.)