Slashdot Mirror


Comment Spams Straining Servers Running MT

dJ phuturecybersonique writes "Netcraft reports that 'Comment spam attacks on Movable Type weblogs are straining servers at web hosting companies, leading some providers to disable comments on the popular blogging tool. The issues are caused by bugs in MT, forcing publisher Six Apart to recommend configuration changes while it prepares fixes.' More..."

29 of 186 comments

  1. Wow by Anonymous Coward · · Score: 3, Funny
  2. Not just comment spam by cybrthng · · Score: 3, Interesting

    But DoS attacks as well. Running several political blogs I often get "freeped".

    The best solution for me:

    1. User email address verification
    2. server generated images to verify real user for registration
    3. Regular cookie expiration after x amount of time
    4. host filtering (referrer filtering usually gets rid of "freepers" unless they open a new window)

    However - nothing beats good moderators, quality users and sticking to your niche. Don't go pissing people off tossing your blog around the world yourself and not expect to get anything in return.

    It's a jungle out there :)

    1. Re:Not just comment spam by doormat · · Score: 3, Informative

      Some context: This is a "freeper". They have also been known to use militant mob-style tactics to bother/silence those who don't agree with them, as parent has dealt with. Kinda ironic ya know... they are freepers yet they work hard to silence those who don't agree with them.

      --
      The Doormat

      If you're not outraged, then you're not paying attention.
    2. Re:Not just comment spam by LiquidCoooled · · Score: 3, Informative

      sage advice :)

      The worst part of being a slashdot member is watching people devastate and ruin a server because of childish acts of vandalism.

      Take for instance whenever slash points towards wikipedia, within minutes the page will be modified to some troll's agenda.
      Having to wade through the crapflood of comments on blogs and forums after slash has been there is almost embarrassing sometimes.
      The servers can generally cope with a slashdotting and work perfectly just hours or days after the initial hit, however the trolls' handiwork can end up staying for longer.

      --
      liqbase :: faster than paper
    3. Re:Not just comment spam by tepples · · Score: 2, Insightful

      Correcting lack of access to text on the Internet is easy: just buy a PC with a screen reader and an account with an ISP. Correcting lack of access to distorted images of text on the Internet, on the other hand, is non-trivial: if the CAPTCHAs are easy enough for blind people's OCR, then they're easy enough for spammers' OCR. If you must use a CAPTCHA, then make it something other than an image. Ask yourself: what questions can a blind person answer that a spambot can't?

  3. Old news. by 1_interest_1 · · Score: 3, Insightful

    This has been going on for quite a while now, and still no official fixes from SixApart?

    Shame on them.

  4. Netcraft confirms ex-MT users love WordPress by IO+ERROR · · Score: 4, Informative

    There are many reasons to use WordPress instead of Movable Type.

    First and foremost, it's free (speech and beer) and distributed under the GPL.

    Second, the actual developers of the software actually participate in the support forums, so if you do have a question, it's likely to be answered very fast by someone intimately familiar with the software.

    Third, it's a lot less susceptible to comment spam, especially after applying a few plugins and hacks. I've never received a single one, and that's not for lack of spammers trying.

    Fourth, it's very easy to customize the look and feel of the site without knowing any PHP. HTML and CSS is about all you need to know. Knowing PHP helps a lot if you want to really customize it, but it isn't a requirement.

    Finally, they've already included a Movable Type import utility, so those of you who are sick of MT for this and many other reasons can move over with little hassle.

    Signed,
    A very happy WordPress user and occasional contributor.

    --
    How am I supposed to fit a pithy, relevant quote into 120 characters?
    1. Re:Netcraft confirms ex-MT users love WordPress by Xofer+D · · Score: 2, Interesting

      The down side to WordPress is that it's really very immature code. Not only does it handle UTF-8 characters poorly, but even casual usage turns up a number of bugs in various different parts. This suggests to me that the developers fixed it in one section but didn't fix it in other parts of the code - not exactly thorough. I ran into all this stuff inside my first three hours of usage.

      Of course, all of this is fixable, and just calls for more people to jump in and get involved. I learned a bit of PHP and hacked myself a fix for the UTF-8 issues I was having, inside five hours of my first wordpress installation (note that's two hours after I found the problem and figured out how to replicate it reliably). I also installed and improved upon some of the comment spammer blacklist plugins, which ended up working very well. Prior to fiddling with wordpress, I had no PHP experience at all. I am not a programming god, either.

      The developers are also responsive to suggestions - I posted a bug about some of the UTF issues I could not solve, and it was resolved for me. Thanks, matt!

      I think that it's important to manage expectations when advocating software, which is why I want to make it clear that wordpress does not yet seem rock-solid stable. However, I think that with enough eyeballs (Hi, everyone!), it will definitely become the secure, flexible platform that most of everyone wants.

      Spammers need not apply.

      --
      The Signal/Noise ratio can be improved in two ways. Remaining silent is the OTHER way.
  5. Re:Easy Solution by Anonymous Coward · · Score: 2, Interesting

    Or make an in-between page for every URL linked. So, someone leaves a link, it gets made into http://www.example.com/linkout.php?linkid=23890 (or whatever), then linkout.php just SHOWS the link (not a redirect) with a noindex,nofollow tag (for Google) and robots.txt entry. No PR, yet a user can still click. Another alternative would be to use JavaScript since Googlebot doesn't seem to parse it yet.

  6. comment spams made me switch by SethJohnson · · Score: 2, Informative

    I had to ditch Movable Type explicitly due to comment spam. The real problem with it was that there was no way to delete more than one at a time. The web app only displays the last five comments and then you have to go digging through every article to find the other spams. Real pain in the ass. I switched to Wordpress, which is also besieged by comment spam from Online Poker outfits. In Wordpress, however, you can mass-edit with all comments listed with checkboxes to delete whichever are spams.

    In Movable Type and Wordpress, you can pretty much eliminate the script-driven spambots by renaming the comment cgi handler and then editing all other files that reference it. I didn't think of this till after I switched to Wordpress, though.

    1. Re:comment spams made me switch by Sethb · · Score: 2, Informative

      I just implemented their TypeKey service on my MT blog when it came out. I used to get comment spam nearly daily, but in the five months since I turned on TypeKey I haven't had a single instance of it. I don't know why more blogs aren't using it, since it is free, and it works quite well for me...

      --
      When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
    2. Re:comment spams made me switch by jacobito · · Score: 2, Interesting

      Perhaps this was added in version 3.x, but you certainly can delete more than one comment at a time in Movable Type, and there is no need to "dig through" each post to find the latest comments, whatever the number. I believe that the comments page displays 20 comments at a time by default. It's unfortunate, though, that Six Apart pissed everyone off by licensing 3.x as they did, or more people would be taking advantage of 3.x's small but worthwhile improvements.

      I agree with other posters that renaming the comment CGI handler is ineffective. It's ineffective because enough people have tried that technique that it has become worthwhile for spammers to work around it. Other potential solutions will probably end up with similar results. Want to stop spammers by forcing comment previews? Then the spammers will preview their comments. Want to stop spammers by throttling x number of comments per hour? Then you'll end up with exactly x number of comments, fewer legitimate comments, and you'll still have spam. Want to stop spammers by forcing a login from a central authentication server? Spammers will register their own accounts on that central authentication server, too. Etc.

      I'm sorry to say that spam cannot be prevented, only mitigated. The best you can hope for is not having to manually delete every single comment you receive, as automated solutions weed out some (hopefully) high percentage of them. Meanwhile, any solution short of refusing comments altogether will eventually be defeated to some extent by spammers, assuming that enough people use that solution to make it worth the spammers' time and effort to defeat. One consequence of this is that switching from one popular blogging platform to another popular blogging platform is not going to save you from spam in the long run.

  7. A simplistic solution by happyemoticon · · Score: 3, Interesting

    If your case is like mine, where mt is stored in a directory just off of your public web site, do this: use a .htaccess to put a password on your whole MT directory. They can't access comments.cgi (assuming it's just a bot doing the spamming), they can't post comments. I don't really like the idea of people touching my CGIs anyway. Make sure your robots.txt excludes the MT directory as well.

    That is, assuming you don't give a damn about people's comments.

  8. Why your Moveable Type blog must die by __aajqwr7439 · · Score: 2, Funny

    You are all pretentious twats

    Every last one of you. You're all latte-sipping, iMac-using, suburban-living tertiary-industry-working WASPs who offer absolutely no new insights on anything whatsoever apart from maybe one specialist field if we're lucky.

    Quite an enjoyable rant.

    xox,
    Dead Nancy

    1. Re:Why your Moveable Type blog must die by happyemoticon · · Score: 2, Funny

      I live in the urbs, I drink cappuccinos, and I work for an academic research unit. My computer is not an iMac, but a PC with XP and Slackware. I'm a euromutt of Catholic derivation, and I have pretty broad interests.

      But that's pretty damn funny, I'll admit. They forgot, though, that they're all writing dark fantasy novels which will never be published.

      There are far too many weblog addicts out there who are excessively vain, and are under some kind of bizarre pretense that they matter, and they seem to exist solely by jacking each other off. Hrmph. But you have to admit, MT users are a little less likely to be whiny baby-bats than, say, livejournal users.

  9. challenge the user by lseltzer · · Score: 4, Informative

    We had a similar problem on our ziffdavis.com blogs (like my security blog) and we think we have solved it with one of those graphic field challenges to the user (enter the value in the nearby graphic).

    1. Re:challenge the user by jacobito · · Score: 2, Insightful

      Captchas are currently great for weeding out automated spammers; unfortunately, they're also great at weeding out people who cannot see. This unnecessarily renders your site inaccessible to a portion of your audience. From a geekier perspective, this sort of assumption-laden web design runs completely contrary to the accessible, device-independent spirit of the original WWW.

      Of course, since the blog you linked doesn't even work at all as I write this, maybe you're not concerned with accessibility for anyone!

      http://blog.ziffdavis.com/seltzer

      GET /seltzer HTTP/1.1

      HTTP/1.x 200 OK
      Server: Microsoft-IIS/5.0
      Date: Sat, 18 Dec 2004 22:39:46 GMT
      X-Powered-By: ASP.NET
      X-AspNet-Version: 1.1.4322
      Transfer-Encoding: chunked
      Cache-Control: private
      Content-Type: img/jpeg; charset=utf-8
  10. Re:I have a plan by the-banker · · Score: 3, Interesting

    No this doesn't sound workable, since a person operating at 99.5% accuracy would not make any money.

    For example, they check 2,000 e-mails to earn a dollar, so they check 200 to earn 10 cents. If they make one mistake in that 200, then their entire payment for the 200 goes away.

    Besides, you are throwing a human resource at a technology problem and when the technology is fixed, *poof* your business is gone.

    In the case of MT the problem isn't the amount of spam, it's the way in which static pages are rebuilt when they don't need to be, and mostly manifests itself in shared user environments (per the article). Your service wouldn't help this, because the problem isn't in the spam being displayed, it's the generation of the pages with the spam on it, which would have to be completed before your spam auditors could ever even see the copy.

    Not to mention all the problems around fulfillment. So they see spam, what do they do? Send an e-mail? Do you think people would give your little spam army access to delete comments on the spot? Or do you plan on using some sort of live filtering to further slow down a bottlenecked process?

    Some things, like voting, should have human intervention and control. Others like this aren't as suited to the task.

  11. Re:Now then... by jacen_sunstrider · · Score: 2, Informative

    Already done! And they're for wordpress! My favorite is Blacklist, and it works pretty well, as long as I update the definitions every once in a while.

  12. Re:Easy Solution by tepples · · Score: 3, Informative

    it would be neat if search engines like Google could be trained to ignore negative score Slashdot comments

    Given that the static page is written at a Score:1 threshold, and that Google obeys Slashdot's suggestion in robots.txt not to index the dynamic pages, this is already the case.

  13. NoIndex HTML Tag by beebware · · Score: 3, Insightful

    At the start of this year (Jan 2004), I actually proposed a possible solution to avoid this sort of thing. Basically, Google et al starts recognising:
    <!-- robots:noindex --> / <!-- /robots:noindex -->
    And then bloggers can put the comments section of their sites inside the HTML "no index" markup and hence if they are hit by comment spam, Google and the other search engines ignore that content.
  14. Reusable Proofs of Work by yerdaddie · · Score: 4, Interesting

    I myself run an MT blog and have been contemplating moving to wordpress to dodge the spam bullet, however temporarily.

    It occurred to me, though, that what would really fix this is to push the load onto the spammers by building a Reusable Proofs of Work (RPOW) system.

    For those who are unfamiliar, RPOW is a proposal to stop mail spam by asking the sender to do a little "work" that would make sending a lot of emails computationally too expensive.

    As I'm in the last throws of my PhD I'll have to delay on this one, but maybe the lazy web can help out on this one, so the same thing doesn't happen to wordpress or whatever blogging monocultures exist.

    1. Re:Reusable Proofs of Work by saxmatt · · Score: 2, Informative

      That's what the WordPress plugin Spam Stopgap Extreme does.

    2. Re:Reusable Proofs of Work by stinkbomb · · Score: 2, Funny

      As I'm in the last throws of my PhD...

      What's the saving throw vs. dissertation committee?
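
The proof-of-work idea from the "Reusable Proofs of Work" comment above, applied to a comment form. This is an added example, not part of any comment and not code from MT, WordPress or any plugin named in the thread; it is a simple hashcash-style scheme (single-use tokens, not Finney's reusable RPOW), and the names `issue_challenge`, `solve`, `verify`, the 16-bit difficulty and the 10-minute lifetime are assumptions.

```python
import hashlib, hmac, os, time

SECRET = os.urandom(32)  # per-server MAC key (assumption: held in memory)
BITS = 16                # difficulty: about 65,000 hashes per comment on average
TTL = 600                # seconds a challenge stays valid
spent = set()            # challenges already redeemed (replay protection)

def issue_challenge(post_id, now=None):
    """Server: bind a challenge to one post and a timestamp, then MAC it."""
    ts = int(time.time() if now is None else now)
    body = f"{post_id}:{ts}:{os.urandom(8).hex()}"
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge, bits=BITS):
    """Client: brute-force a nonce; this is the cost pushed onto the sender."""
    nonce = 0
    while True:
        d = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
        if leading_zero_bits(d) >= bits:
            return nonce
        nonce += 1

def verify(challenge, nonce, post_id, now=None, bits=BITS):
    """Server: one MAC and one hash, checked before any expensive work."""
    now = int(time.time() if now is None else now)
    try:
        pid, ts, salt, tag = challenge.split(":")
        ts = int(ts)
    except ValueError:
        return "malformed"
    body = f"{pid}:{ts}:{salt}"
    good = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good.encode(), tag.encode()):
        return "forged"
    if pid != str(post_id):
        return "wrong-post"
    if not 0 <= now - ts <= TTL:
        return "expired"
    d = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    if leading_zero_bits(d) < bits:
        return "no-work"
    if challenge in spent:
        return "replayed"
    spent.add(challenge)
    return "ok"
```

Verification costs the server two hash operations while each submission costs the sender tens of thousands, and a solved challenge cannot be reused for a second comment or a different post.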

  15. Re:Can someone fill me in? by crayz · · Score: 3, Informative

    A few problems, as a Wordpress user and as someone who's run into problems w/ other people's MT blogs:
    - spam bots attack WP and MT through various means, one of the most common being to simply POST to the mt-comments.cgi or wp-comments-post.php URLs on people's sites
    - the bots mainly post huge amounts of links to stupid websites, like viagra or poker strategy. the goal is to get a higher google ranking by having links from many different sites
    - the biggest problem for WP users is that you get flooded with literally hundreds of comments per day. if you have good filtering you'll at worst just have to sit around and delete some manually
    - the biggest problem for MT users (or that MT users cause) is that because of the poor design of MT, the comments script takes up a huge amount of CPU time. apparently it actually goes through the process of rebuilding the static post pages even when comments are moderated or auto-deleted. now imagine you have 500 posts and they all get hit at the same time - it's something close to a forkbomb on the server

    The best solution to all of this is to find a way to prevent the stuff from ever getting posted. Once it's submitted you're going to have to analyze it in some way and decide if it's SPAM or it's good. There are some simple solutions like renaming the comment post scripts, and some more complicated ones like using a verification number or requiring users to register. In any case, it's a very major problem for almost anyone with a blog.

  16. Re:Can someone fill me in? by 68kmac · · Score: 2, Informative

    Yes, they post comments which are basically just a list of URLs with lots of links to their sites. The theory being that this will increase their page rank. Luckily, MT already has a blacklist to filter those out but it has to be updated constantly.

    The funny thing is that we (another weblog system, but suffering from the same problem) are seeing a lot of spam posts recently where they put the link text into the href attribute and the actual URL as the link text. Not sure what they're trying to accomplish with that - maybe it's just more proof that spammers are actually stupid ...
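
A sketch of the blacklist check described in the comment above, written so that it also catches the swapped form where the URL sits in the link text instead of the `href`. This is an added example, not part of any comment and not MT's or WordPress's own filter; the blacklist entries, the sample comments in the usage note and the `MAX_LINKS` threshold are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample blacklist; a real one has to be updated constantly.
BLACKLIST = {"poker-example.test", "pills-example.test"}
MAX_LINKS = 5  # assumed threshold for "basically just a list of URLs"
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)

class LinkCollector(HTMLParser):
    """Collect URL candidates from href values and from visible text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.candidates, self.anchors = [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors += 1
            self.candidates += [v for k, v in attrs if k == "href" and v]

    def handle_data(self, data):
        # Link text and bare text are scanned too, so a URL placed where
        # the link text belongs is still seen.
        self.candidates += URL_RE.findall(data)

def host_of(candidate):
    """Best-effort host extraction; returns '' when nothing usable is found."""
    text = candidate.strip()
    if not re.match(r"[a-z][a-z0-9+.-]*://", text, re.I):
        text = "//" + text  # let urlsplit treat a scheme-less value as a host
    try:
        host = (urlsplit(text).hostname or "").rstrip(".,;:)")
    except ValueError:
        return ""
    return host[4:] if host.startswith("www.") else host

def is_listed(host):
    """True if the host or any parent domain is on the blacklist."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in BLACKLIST for i in range(len(parts)))

def check_comment(html):
    """Return (verdict, listed_hosts); meant to run before anything is published."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    hosts = {host_of(c) for c in collector.candidates} - {""}
    hits = sorted(h for h in hosts if is_listed(h))
    if hits:
        return ("reject", hits)
    if collector.anchors > MAX_LINKS or len(hosts) > MAX_LINKS:
        return ("moderate", [])
    return ("accept", [])
```

For the constructed comment `<a href="cheap pills">http://www.pills-example.test/buy</a>`, `check_comment` returns `("reject", ["pills-example.test"])` even though the `href` holds no URL.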

  17. Re:multiple blogs by IO+ERROR · · Score: 2, Informative

    Multiple blogs are partially supported in 1.2, and 1.3 will have much better support for this type of installation (e.g. web hosting, etc.)

    --
    How am I supposed to fit a pithy, relevant quote into 120 characters?
  18. Re:I have a plan by kmmatthews · · Score: 3, Funny

    3. Ruin your business plan by posting it to slashdot.

    :)

    --
    feh. stuff.
  19. CAPTCHA - Politically Incorrect, but effective by diggory · · Score: 2, Interesting

    I run WordPress and used to get hit by many casino/cialis spams. I found that I get no comment spam after using a WP hack (http://www.gudlyf.com/index.php?p=376) called AuthImage, which is a CAPTCHA (basic Turing test based on character recog.) I strongly recommend it, and would be grateful to any OSS vigilante who could port it to a proper WP plug-in.