Last week sometime, fed up with the unending comment spam (thousands per week), I had an epiphany. Spammers aren't slowed down by changing the action of the comment submission form, so it's obvious that they're parsing that out of the markup for the form. By simply removing the action from the form, theoretically the comment spam should stop. Could it really be that simple?

Sure enough, it certainly seems to have worked. On submission of the form, the action is populated with JavaScript (view an entry and check the source), so the form works exactly as before, but the actual destination URL isn't available in the source without a pretty clever parser (or a human).
Since I made the change, I haven't gotten a single spam comment. Zip. Zero. Nada. And I'm not talking zero that have gotten through MT-Blacklist; I'm talking zero.
I know that few who read this are using MovableType, but if anyone is and is having trouble with spam, I highly recommend this technique. Just make sure you also rename mt-comments.cgi, update your mt.cfg file, and rebuild, so you're not using the default template (which spammers don't have to parse out to find).
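As an added illustration of the technique described above (this is example code, not the post's own MovableType template or script), the form below ships with no action attribute and the destination is assembled from split string pieces in the submit handler, the same string-splitting the author mentions in the comments. The script path in ACTION_PARTS is a hypothetical renamed copy of mt-comments.cgi, and makeFakeForm is a stand-in for a DOM form so the example also runs under Node without a browser.

```javascript
// Hypothetical renamed comment script, split so the full path never appears
// as one literal in the page source.
const ACTION_PARTS = ["/cgi-bin/", "mt-c0mments-", "r4nd0m", ".cgi"];

// Join the pieces into the real destination only when needed.
function assembleAction(parts) {
  return parts.join("");
}

// Static markup as a text-scraping bot sees it: method, fields, but no action.
const FORM_MARKUP =
  '<form id="comment-form" method="post">' +
  '<textarea name="text"></textarea>' +
  '<button type="submit">Post</button>' +
  "</form>";

// What a naive regex-based scraper would extract from a page; returns null
// when there is no action attribute to find.
function scrapeAction(html) {
  const m = html.match(/action\s*=\s*["']([^"']+)["']/i);
  return m ? m[1] : null;
}

// Wire the form so the action is filled in at submit time, not in the markup.
function armForm(form) {
  form.addEventListener("submit", function () {
    form.action = assembleAction(ACTION_PARTS);
  });
  return form;
}

// Minimal stand-in for an HTMLFormElement: records listeners and lets the
// example fire a synthetic submit event outside a browser.
function makeFakeForm() {
  const listeners = {};
  return {
    action: "",
    addEventListener(type, fn) {
      (listeners[type] = listeners[type] || []).push(fn);
    },
    dispatch(type) {
      (listeners[type] || []).forEach((fn) => fn());
      return this;
    },
  };
}

// In a real page, arm the actual form once the DOM is available.
if (typeof document !== "undefined") {
  armForm(document.getElementById("comment-form"));
}
```

A text scraper run over FORM_MARKUP finds no action at all, whereas the same scraper on a conventional `<form action="/cgi-bin/mt-comments.cgi">` pulls the path straight out. The protection is only against that kind of parsing: a bot that executes the page's JavaScript, or a person reading it, still gets the destination, which is the caveat the thread below raises. It also only helps once the script has been renamed and mt.cfg updated, since the default path needs no parsing to find.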
They'll find it again, they always do.
Good job Barney. I had noticed that the spammers had tagged your blog. I know how annoying that could be. If they ever do figure it out (as Jester mentioned) you can also try a variation of email hiding listed here:
http://sig9.com/articles/hide-email
Jester,
I didn't change the template name; that only works for a matter of hours. I removed the ability to figure out the template name without having a full-on HTML/JS parser, rather than some simple text parsing routines (that'll work for 99.9% of sites).
Rey,
The spam isn't about the email addresses, but about automated comment submissions. The email addresses are already mangled a bit to avoid harvesting.
While it was annoying, I didn't mind maintaining my MT-BlackList database a whole lot. The problem is that comments which made it through went to anyone who had subscribed to the threads as well, and that's not very nice on my part. But now that I'm not getting any automated submissions, the subscribers shouldn't get any more spam comment notifications.
Barney, I don't think you understood what I meant. I was describing mangling your form action URL in the same way that some people mangle their email addresses to avoid spammers picking them up.
Rey,
Ah, I see. Yeah, I totally missed what you meant. I'm more confident that forcing a lookup through the JS event system will prevent automated tools than some in-place hiding will. I'm actually already using string splitting as well. If the spammers ever get ahold of the action template again, though, I'll think about the XOR method (or something equivalent).
Most spammers go straight for the mt-comments.cgi, not your HTML page; at least, that's what the bots do.
Jester,
That's absolutely not true. I haven't used mt-comments.cgi in many, many months. I usually changed it (using random strings) about every other week, and still got a TON of spam. So while not everyone is parsing the HTML, there are a significant number of spammers who are.
Hehe, told ya!
Jester, that was a single comment, and from the access logs, it certainly appears to have been manually submitted. Hardly a spam attack with hundreds of comments at once as seems to be the standard MO.
Yep, you called it Jester. :P
Hi, I also had a spam problem and I installed MT-Blacklist! It's a great comment-spam filter. I've used it for weeks and am perfectly happy with it.