
Comment Spams Straining Servers Running MT

michael posted more than 9 years ago | from the critical-mass dept.

Spam 186

dJ phuturecybersonique writes "Netcraft reports that 'Comment spam attacks on Movable Type weblogs are straining servers at web hosting companies, leading some providers to disable comments on the popular blogging tool. The issues are caused by bugs in MT, forcing publisher Six Apart to recommend configuration changes while it prepares fixes.' More..."


Wow (3, Funny)

Anonymous Coward | more than 9 years ago | (#11126175)

It's [] a [] good [] thing [] Slashdot [] doesn't [] have [] this [] problem [] .

FIRST PSOT (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11126179)

Yes YES YES Oh YES I finally made it, I can go tell my chillins I'm famous!


hammer revolution (836067) | more than 9 years ago | (#11126525)

--; 'd

I have a plan (0)

Anonymous Coward | more than 9 years ago | (#11126181)

I'm going to start a comment spam deletion/marking service. I'll charge bloggers 1/10th of a cent per comment checked (1000 comments for a dollar), and hire people in some foreign country, like India or China, paying them 1/20th of a cent per comment read. For every proven mistake they make, I will fine them 10 cents, and credit 5 cents to the blogger. Sound workable?

Re:I have a plan (1)

tomjen (839882) | more than 9 years ago | (#11126225)

That is all good and well, but if I remember correctly some company offered such a service for your email. Don't you think they will do this if they can make money that way?

Re:I have a plan (3, Interesting)

the-banker (169258) | more than 9 years ago | (#11126306)

No this doesn't sound workable, since a person operating at 99.5% accuracy would not make any money.

For example, they check 2,000 e-mails to earn a dollar, so they check 200 to earn 10 cents. If they make one mistake in that 200, then their entire payment for the 200 goes away.

Besides, you are throwing a human resource at a technology problem and when the technology is fixed, *poof* your business is gone.

In the case of MT the problem isn't the amount of spam, it's the way in which static pages are rebuilt when they don't need to be, and mostly manifests itself in shared user environments (per the article). Your service wouldn't help this, because the problem isn't in the spam being displayed, it's the generation of the pages with the spam on it, which would have to be completed before your spam auditors could ever even see the copy.

Not to mention all the problems around fulfillment. So they see spam, what do they do? Send an e-mail? Do you think people would give your little spam army access to delete comments on the spot? Or do you plan on using some sort of live filtering to further slow down a bottlenecked process?

Some things, like voting, should have human intervention and control. Others like this aren't as suited to the task.

Re:I have a plan (1)

AndroidCat (229562) | more than 9 years ago | (#11126777)

1. Get paid to comment spam for customers.
2. Get paid for removing your own comments after a delay to get spam hits.
3. ???
4. Profit!

So it's dead? (1, Funny)

miyako (632510) | more than 9 years ago | (#11126184)

So...Netcraft confirms it, blogging is dead?

Re:So it's dead? (1)

macshit (157376) | more than 9 years ago | (#11126505)

So...Netcraft confirms it, blogging is dead?

Hold on -- blogging was once alive?


Easy Solution (1)

goodgoing (810124) | more than 9 years ago | (#11126195)

Why don't bloggers just disable HTML in comment posts, the spammers are looking for Google PR aren't they?

Re:Easy Solution (2, Interesting)

Anonymous Coward | more than 9 years ago | (#11126214)

Or make an in-between page for every URL linked. So, someone leaves a link, it gets made into (or whatever), then linkout.php just SHOWS the link (not a redirect) with a noindex,nofollow tag (for Google) and robots.txt entry. No PR, yet a user can still click. Another alternative would be to use JavaScript since Googlebot doesn't seem to parse it yet.

Re:Easy Solution (1)

AmericaHater (732718) | more than 9 years ago | (#11126915)

Can you expand on this with a code example? Do you mean the link is shown as text with no anchor tag or what? If you use a robots file wouldn't you have to confine all links to one page in its own directory?

It's an interesting-sounding idea that I might hack up.
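The in-between page discussed in this sub-thread, as an added example that is not part of either poster's comment: commenter-supplied URLs are rewritten to point at a page that only shows the link and carries the `noindex,nofollow` robots tag. The `/linkout` route, the function names and the sample comment are assumptions made for the illustration; the scheme check and HTML escaping keep the page itself from becoming a script-injection point.

```python
import html
import re
from typing import Tuple
from urllib.parse import quote, unquote, urlsplit

# Hypothetical route for the in-between page (not taken from the thread).
LINKOUT_PATH = "/linkout"
# robots.txt entry that keeps crawlers off every in-between page at once.
ROBOTS_TXT = "User-agent: *\nDisallow: /linkout\n"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_safe_target(url: str) -> bool:
    """Accept only absolute http(s) URLs that have a host part."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_comment(text: str) -> str:
    """Escape the whole comment; bare URLs become links to the in-between page."""
    out, pos = [], 0
    for match in URL_RE.finditer(text):
        out.append(html.escape(text[pos:match.start()]))
        url = match.group(0)
        if is_safe_target(url):
            href = f"{LINKOUT_PATH}?u={quote(url, safe='')}"
            out.append(f'<a href="{href}">{html.escape(url)}</a>')
        else:
            out.append(html.escape(url))
        pos = match.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def render_linkout_page(query_value: str) -> Tuple[int, str]:
    """Build the response for GET /linkout?u=<query_value> (still percent-encoded).

    The page shows the link and never redirects, so it passes nothing on to
    the target and cannot be abused as an open redirector.
    """
    target = unquote(query_value)
    if not is_safe_target(target):
        return 400, "<!doctype html><title>Bad link</title><p>Unsupported link.</p>"
    safe = html.escape(target, quote=True)
    page = (
        "<!doctype html><html><head>"
        '<meta name="robots" content="noindex,nofollow">'
        "<title>Leaving this site</title></head><body>"
        f'<p>A commenter posted this link: <a href="{safe}">{safe}</a></p>'
        "</body></html>"
    )
    return 200, page


if __name__ == "__main__":
    # Constructed sample comment, not taken from a real blog.
    sample = "dude that's cool <b>x</b> http://spam.example/poker?a=1&b=2"
    print(render_comment(sample))
    print(render_linkout_page("http%3A%2F%2Fspam.example%2Fpoker%3Fa%3D1%26b%3D2")[1])
```

Because every rewritten link shares the one `/linkout` path, a single `Disallow` line covers them all, which answers the question about confining links to one directory.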

Re:Easy Solution (1)

Eric Giguere (42863) | more than 9 years ago | (#11126355)

Hmm... semi off-topic, but it would be neat if search engines like Google could be trained to ignore negative score Slashdot comments. On systems where there's built-in feedback, that would be one way to combat the spam, just train the search engine crawlers to ignore comments with poor scores.

See your HTTP headers []

Re:Easy Solution (1)

Rob Carr (780861) | more than 9 years ago | (#11126394)

"On systems where there's built-in feedback, that would be one way to combat the spam, just train the search engine crawlers to ignore comments with poor scores." 1. Google should punish URLs with negative feedback! 2. Or Google should ignore URLs in comments. Dang, I'm still shaking - Steelers 33, Giants 30. Great game.

Re:Easy Solution (3, Informative)

tepples (727027) | more than 9 years ago | (#11126399)

it would be neat if search engines like Google could be trained to ignore negative score Slashdot comments

Given that the static page is written at a Score:1 threshold, and that Google obeys Slashdot's suggestion in robots.txt not to index the dynamic pages, this is already the case.

Re:Easy Solution (1)

blowdart (31458) | more than 9 years ago | (#11126506)

Well referral spam has been going on for ages (I list mine, but don't link to the urls) and people still publish web logs.

Ease of use is going to win every time.

Because spambots don't care (1)

stripmarkup (629598) | more than 9 years ago | (#11126606)

I disabled html in comment posts a long time ago. Spammers don't care, their spambots keep spamming blindly. Statistically, they will find lots of sites that allow html.

Not just comment spam (3, Interesting)

cybrthng (22291) | more than 9 years ago | (#11126199)

But DoS attacks as well. Running several political blogs I often get "freeped"

The best solution for me:

1. User email address verification
2. server generated images to verify real user for registration
3. Regular cookie expiration after x amount of time
4. host filtering (referrer filtering usually gets rid of "freepers" unless they open a new window)

However - nothing beats good moderators, quality users and sticking to your niche. Don't go pissing people off tossing your blog around the world yourself and not expect to get anything in return.

It's a jungle out there :)

Re:Not just comment spam (3, Informative)

doormat (63648) | more than 9 years ago | (#11126241)

Some context: This is a "freeper". They have also been known to use militant mob-style tactics to bother/silence those who don't agree with them, as parent has dealt with. Kinda ironic ya know... they are freepers yet they work hard to silence those who don't agree with them.

Re:Not just comment spam (0)

Anonymous Coward | more than 9 years ago | (#11126419)

Not really that ironic, considering Slashdot still has "Your Rights Online" moderated by michael and timothy. Militant mob-style tactics sure are popular on the internet.

(Oh, sorry, that should be "internets.")

that's not the usage in this context (1)

Trepidity (597) | more than 9 years ago | (#11126628)

While it started from FreeRepublic users, the verb "to freep" now can refer to hordes of people from any political blog, whether right- or left-leaning. The two most common sources of freepers are FreeRepublic itself (right-wing) and DailyKos (left-wing).

Re:Not just comment spam (3, Informative)

LiquidCoooled (634315) | more than 9 years ago | (#11126245)

sage advice :)

The worst part of being a slashdot member is watching people devastate and ruin a server because of childish acts of vandalism.

Take for instance whenever slash points towards wikipedia, within minutes the page will be modified to some trolls' agenda.
Having to wade through the crapflood of comments on blogs and forums after slash has been there is almost embarrassing sometimes.
The servers can generally cope with a slashdotting and work perfectly just hours or days after the initial hit, however the trolls' handiwork can end up staying for longer.

Re:Not just comment spam (1)

kv9 (697238) | more than 9 years ago | (#11126285)

Harry Fuecks has some ideas also.

Re:Not just comment spam (1)

nkh (750837) | more than 9 years ago | (#11126304)

2. server generated images to verify real user for registration

I don't know if something like that has already been done but there was a paper on neural networks used to crack captchas. It was very efficient on basic text (even with a medium amount of distortion) and showed that intelligent spam bots could be written in the future (not that I want to scare you though ;)

Re:Not just comment spam (1)

Firethorn (177587) | more than 9 years ago | (#11126448)

Yeah, but the amount of power it takes to decode them at least limits the amount of posts it allows.

The question becomes one of spam. Whether it's in your email box, or the comments of your blog, it's the same.

You want it to be easy to filter out the spam and still make it easy for legitimate readers to make comments.

Looking at the slashdot system, a mail-verified registration system seems to be mostly sufficient.

On my blog the spambot was putting porn weblinks into the webfield, and a generic 'dude that's cool' or 'I want to know more' type of text in the comment field.

However, mine was easy, it was all coming from one subnet, so I blocked that.

Re:Not just comment spam (1)

eschipul (689147) | more than 9 years ago | (#11126326)

IANAB (I am not a blogger) but it seems to be that track back is at least a partial solution. Perhaps assumed negative on the automatic track back post until it is activated by the author.

Re:Not just comment spam (1)

LordNimon (85072) | more than 9 years ago | (#11126391)

3. Regular cookie expiration after x amount of time

I really hate it when web sites do that. Does anyone know of a Mozilla plug-in or something that will let me edit the expiration date of any cookie, preferably when the cookie is being set?

Re:Not just comment spam (1)

tepples (727027) | more than 9 years ago | (#11126415)

server generated images to verify real user for registration

Use a visual CAPTCHA and completely disrespect readers with impaired vision.

Re:Not just comment spam (0)

Anonymous Coward | more than 9 years ago | (#11126484)

Post information on the Internet and completely disrespect readers with impaired Internet connectivity.

Re:Not just comment spam (2, Insightful)

tepples (727027) | more than 9 years ago | (#11126609)

Correcting lack of access to text on the Internet is easy: just buy a PC with a screen reader and an account with an ISP. Correcting lack of access to distorted images of text on the Internet, on the other hand, is non-trivial: if the CAPTCHAs are easy enough for blind people's OCR, then they're easy enough for spammers' OCR. If you must use a CAPTCHA, then make it something other than an image. Ask yourself: what questions can a blind person answer that a spambot can't?

Re:Not just comment spam (0)

Anonymous Coward | more than 9 years ago | (#11126784)

Why don't we limit the entire world such that nothing is inaccessible to the lowest common denominator human? Time to get rid of everything that can't be fully utilized by a blind, deaf, dumb, anosmic, quadriplegic, retard with no limbs.

Re:Not just comment spam (0)

Anonymous Coward | more than 9 years ago | (#11126802)

You insensitive clod!!!

I am a blind, deaf, dumb, anosmic, quadriplegic, retard with no limbs!

Nobody reads blogs anyway. (0)

Anonymous Coward | more than 9 years ago | (#11126512)

The blog authors doubtless believe that the whole world is beating a path to their little diary but the fact is they're talking only to themselves.

Nobody cares what some zit-faced teenaged virgin thinks about anything, and nobody is going to waste their time reading those thoughts on some angst-ridden, semi-literate webpage.

Hell, they don't have any worthwhile experiences to share, and precious-little -- if any -- knowledge about anything not pertaining to pr0n sites.

This is not a tragedy in any way.

Old news. (3, Insightful)

1_interest_1 (805383) | more than 9 years ago | (#11126201)

This has been going on for quite awhile now, and still no official fixes from SixApart?

Shame on them.

Netcraft confirms ex-MT users love WordPress (4, Informative)

IO ERROR (128968) | more than 9 years ago | (#11126206)

There are many reasons to use WordPress instead of Movable Type.

First and foremost, it's free (speech and beer) and distributed under the GPL.

Second, the actual developers of the software actually participate in the support forums, so if you do have a question, it's likely to be answered very fast by someone intimately familiar with the software.

Third, it's a lot less susceptible to comment spam, especially after applying a few plugins and hacks. I've never received a single one, and that's not for lack of spammers trying.

Fourth, it's very easy to customize the look and feel of the site without knowing any PHP. HTML and CSS is about all you need to know. Knowing PHP helps a lot if you want to really customize it, but it isn't a requirement.

Finally, they've already included a Movable Type import utility, so those of you who are sick of MT for this and many other reasons can move over with little hassle.

A very happy WordPress user and occasional contributor.

Definitely (1)

casuist99 (263701) | more than 9 years ago | (#11126364)

I've been using MT for 2 years now, and the comment spam is actually making a significant bump in the traffic to my server (I doubt anyone else actually reads my stuff...). I had looked at Wordpress a while back and didn't think it was quite "on par" with Movable Type, but MT has done its best to alienate even myself.

I share my MT installation with my brother. Not surprisingly, we like having our own weblogs. MT now charges for something that simple.

The fact that Wordpress is released under the GPL and is actively developed gives me some further impetus to make the switch.

Thanks for the links - should be useful as I change over from MT over Christmas break.

Re:Definitely (1)

IO ERROR (128968) | more than 9 years ago | (#11126617)

You can take a look at my blog to get some idea of what is available, but be aware that I run nightly builds (don't try this at home, kids!) so a few things you see might not be available. And the Google search box at my site definitely is not part of WordPress, and might never be; I developed that bit myself. I can't imagine anything you can do with MT that you can't with WP.

Re:Netcraft confirms ex-MT users love WordPress (2, Interesting)

Xofer D (29055) | more than 9 years ago | (#11126647)

The down side to WordPress is that it's really very immature code. Not only does it handle UTF-8 characters poorly, but even casual usage turns up a number of bugs in various different parts. This suggests to me that the developers fixed it in one section but didn't fix it in other parts of the code - not exactly thorough. I ran into all this stuff inside my first three hours of usage.

Of course, all of this is fixable, and just calls for more people to jump in and get involved. I learned a bit of PHP and hacked myself a fix for the UTF-8 issues I was having, inside five hours of my first wordpress installation (note that's two hours after I found the problem and figured out how to replicate it reliably). I also installed and improved upon some of the comment spammer blacklist plugins, which ended up working very well. Prior to fiddling with wordpress, I had no PHP experience at all. I am not a programming god, either.

The developers are also responsive to suggestions - I posted a bug about some of the UTF issues I could not solve, and it was resolved for me. Thanks, matt!

I think that it's important to manage expectations when advocating software, which is why I want to make it clear that WordPress does not yet seem rock-solid stable. However, I think that with enough eyeballs (Hi, everyone!), it will definitely become the secure, flexible platform that most of everyone wants.

Spammers need not apply.

multiple blogs (1)

Skeezix (14602) | more than 9 years ago | (#11126685)

Do they support multiple blogs with a single installation yet? That was the big reason I didn't move to Wordpress a while back...

Re:multiple blogs (2, Informative)

IO ERROR (128968) | more than 9 years ago | (#11126726)

Multiple blogs are partially supported in 1.2, and 1.3 will have much better support for this type of installation (e.g. web hosting, etc.)

Re:multiple blogs (1)

jacobito (95519) | more than 9 years ago | (#11126732)

This was also a showstopper for me; I passed on Textpattern for the same reason.

(As an aside, solid multiple blog and multiple user support is one of Movable Type's best features, and it irks me that so many MT plugin developers write their code under the assumption that every MT installation only has a single user.)

comment spams made me switch (2, Informative)

SethJohnson (112166) | more than 9 years ago | (#11126215)

I had to ditch Movable Type explicitly due to comment spam. The real problem with it was that there was no way to delete more than one at a time. The web app only displays the last five comments and then you have to go digging through every article to find the other spams. Real pain in the ass. I switched to Wordpress, which is also besieged by comment spam from Online Poker outfits. In Wordpress, however, you can mass-edit with all comments listed with checkboxes to delete whichever are spams.

In Movable Type and Wordpress, you can pretty much eliminate the script-driven spambots by renaming the comment cgi handler and then editing all other files that reference it. I didn't think of this till after I switched to Wordpress, though.

Re:comment spams made me switch (1)

happyemoticon (543015) | more than 9 years ago | (#11126273)

That looks a lot more robust than MT (mind you I'm still using 2.65). When this whole comments thing started getting out of hand, I actually edited every damn post since last year to be comments-closed.

Maybe I'll switch too. I was planning to do a redesign during the break. Does it have pretty versatile templating?

Re:comment spams made me switch (1)

eggboard (315140) | more than 9 years ago | (#11126365)

MT 3.x has a Comments page that lets you review 20, 50, etc., comments at a time, select them all to delete, etc.

Much improved and appreciated. I also turn on comment moderation and this fixed the problems I had with comment spam.

Re:comment spams made me switch (1)

Echo5ive (161910) | more than 9 years ago | (#11126550)

Sorry, but renaming mt-comments.cgi to something else takes a spammer all of two seconds to bypass. They just sniff for the text field names in the comment form, and find out the name of the comment handler that way.

I'm a user at TextDrive, and a bunch of users and admins there have a mailing list where we are VERY aggressive in defeating spam. mod_security is great for blocking based on the contents of a POST payload ("contains texas holdem? Sorry, you get an Error 412.") and mod_dosevasive, which is great for hindering a mini-DDoS of comment spam.

Every addition to the block lists is peer-reviewed by the members of the mailing list, to make sure that we only catch spam, and not innocent comments.

We've pretty much put a stop to comment and referral spam on TextDrive thanks to this effort.

Re:comment spams made me switch (0)

Anonymous Coward | more than 9 years ago | (#11126866)

"Sorry, but renaming mt-comments.cgi to something else takes a spammer all of two seconds to bypass."

This is not necessarily true. Not all of the spammers will bother rescanning the source of the page. I have done this on my blog and I have yet to have any more comment spam since I did so. It's also been over a month now.

mt-blacklist (1)

stripmarkup (629598) | more than 9 years ago | (#11126589)

I tried renaming the comments script and it worked for a while, but spammers are smart enough to work around that. Lately I had been getting spam even a few minutes after renaming the script.

I installed mt-blacklist, which pretty much solved the problem for me. It allows you to search by regular expression and massively de-spam and blacklist the URLs they point to. All subsequent comments containing those URLs or other known spam expressions get trashed automatically.

Re:comment spams made me switch (2, Informative)

Sethb (9355) | more than 9 years ago | (#11126595)

I just implemented their TypeKey service on my MT blog when it came out. I used to get comment spam nearly daily, but in the five months since I turned on TypeKey I haven't had a single instance of it. I don't know why more blogs aren't using it, since it is free, and it works quite well for me...

Re:comment spams made me switch (1)

jacobito (95519) | more than 9 years ago | (#11126779)

Blog spammers are starting by pursuing the low-hanging fruit. As more and more weblogs switch to central authentication systems like TypeKey, I expect that spammers will find it worthwhile to figure out how to spam using TypeKey accounts. If I'm wrong in thinking this, I still haven't heard a good reason from Six Apart or anyone else why that would be the case. I would be happy to be wrong about this, though.

Re:comment spams made me switch (2, Interesting)

jacobito (95519) | more than 9 years ago | (#11126664)

Perhaps this was added in version 3.x, but you certainly can delete more than one comment at a time in Movable Type, and there is no need to "dig through" each post to find the latest comments, whatever the number. I believe that the comments page displays 20 comments at a time by default. It's unfortunate, though, that Six Apart pissed everyone off by licensing 3.x as they did, or more people would be taking advantage of 3.x's small but worthwhile improvements.

I agree with other posters that renaming the comment CGI handler is ineffective. It's ineffective because enough people have tried that technique that it has become worthwhile for spammers to work around it. Other potential solutions will probably end up with similar results. Want to stop spammers by forcing comment previews? Then the spammers will preview their comments. Want to stop spammers by throttling x number of comments per hour? Then you'll end up with exactly x number of comments, fewer legitimate comments, and you'll still have spam. Want to stop spammers by forcing a login from a central authentication server? Spammers will register their own accounts on that central authentication server, too. Etc.

I'm sorry to say that spam cannot be prevented, only mitigated. The best you can hope for is not having to manually delete every single comment you receive, as automated solutions weed out some (hopefully) high percentage of them. Meanwhile, any solution short of refusing comments altogether will eventually be defeated to some extent by spammers, assuming that enough people use that solution to make it worth the spammers' time and effort to defeat. One consequence of this is that switching from one popular blogging platform to another popular blogging platform is not going to save you from spam in the long run.

Re:comment spams made me switch (1)

rscrawford (311046) | more than 9 years ago | (#11126799)

Renaming the comment cgi handler worked for a little while until the spambot authors figured out a way around it. I've now added a hidden text field to the comment form, and the comment cgi handler will not accept the comment unless it includes that hidden form element. It's a temporary solution until the spammers figure it out and bypass that too, but for now it seems to work okay. I haven't gotten hit since I implemented it a couple of weeks ago -- before that I was getting a dozen comments from online poker sites every few minutes (none of them got posted, because I have comment moderation turned on by default -- still, playing whack-a-mole with the comments was really annoying).

I also have wp-blacklist installed, and that works great, though it seems to have issues with some of the earlier versions of WP.
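The hidden-form-field check described in the comment above, as an added example that is not the poster's code. It goes beyond a fixed hidden field: the value is an HMAC-signed timestamp bound to one entry, so a bot cannot reuse a constant, move a token between entries, or post faster than a person could type. The field name, key and time limits are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import re
import time

# Assumptions for this example: a per-site secret that never leaves the
# server, a hypothetical hidden field name, and illustrative time limits.
SECRET_KEY = b"constructed-demo-key-replace-per-site"
FIELD_NAME = "form_token"
MIN_AGE = 3          # seconds; faster than this looks like a script
MAX_AGE = 6 * 3600   # seconds; older forms must be reloaded
TIMESTAMP_RE = re.compile(r"[0-9]{1,12}")


def _sign(entry_id: int, issued_at: int) -> str:
    """HMAC over the entry id and issue time, so tokens are not portable."""
    msg = f"{entry_id}:{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(entry_id: int, now=None) -> str:
    """Value for the hidden field, generated when the comment form is rendered."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}.{_sign(entry_id, issued_at)}"


def hidden_field_html(entry_id: int, now=None) -> str:
    """The hidden input to place inside the comment form for one entry."""
    token = issue_token(entry_id, now)
    return f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'


def check_submission(form: dict, entry_id: int, now=None) -> str:
    """Return "ok", or the reason the comment handler should refuse the post."""
    now = int(time.time() if now is None else now)
    token = form.get(FIELD_NAME, "")
    if not token:
        return "missing"        # bot posted straight to the handler
    issued_str, _, mac = token.partition(".")
    if not TIMESTAMP_RE.fullmatch(issued_str):
        return "malformed"
    issued_at = int(issued_str)
    expected = _sign(entry_id, issued_at)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "forged"         # guessed, edited, or lifted from another entry
    age = now - issued_at
    if age < MIN_AGE:
        return "too_fast"
    if age > MAX_AGE:
        return "expired"
    return "ok"


if __name__ == "__main__":
    # Constructed walk-through: render the form, then post 30 seconds later.
    t0 = 1_100_000_000
    print(hidden_field_html(42, now=t0))
    form = {FIELD_NAME: issue_token(42, now=t0), "text": "nice write-up"}
    print(check_submission(form, 42, now=t0 + 30))
    print(check_submission({"text": "texas holdem"}, 42, now=t0 + 30))
```

A bot that fetches the form and waits still passes, so this filters only direct posts to the handler and replayed or hurried submissions; moderation or a blacklist has to catch the rest.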

Uhh.. it's not that difficult. (0)

Anonymous Coward | more than 9 years ago | (#11126218)

Just disable URLs in comments, and in user information.

Disabling comments is just silly.

A simplistic solution (3, Interesting)

happyemoticon (543015) | more than 9 years ago | (#11126223)

If your case is like mine, where mt is stored in a directory just off of your public web site, do this: use a .htaccess to put a password on your whole MT directory. They can't access comments.cgi (assuming it's just a bot doing the spamming), they can't post comments. I don't really like the idea of people touching my CGIs anyway. Make sure your robots.txt excludes the MT directory as well.

That is, assuming you don't give a damn about people's comments.

Re:A simplistic solution (0)

Anonymous Coward | more than 9 years ago | (#11126352)

That is, assuming you don't give a damn about people's comments.

I'll make a naive comment but: If you don't give a damn about people's comment, why would potential readers care about what you write in your blog?

Re:A simplistic solution (1)

happyemoticon (543015) | more than 9 years ago | (#11126495)

For the most part, the only people who read it are a few close friends and my girlfriend. I mostly use it as a design testbed and a place to rant.

However, there's nothing preventing you from giving your password out to some of your friends, or even putting it on the webpage itself. In a gif, better yet. The scripts that run these things aren't that smart, and clearly the 1000 odd posts on my website weren't done by a human. I'm not important enough..

Re:A simplistic solution (1)

GeorgeH (5469) | more than 9 years ago | (#11126678)

That is, assuming you don't give a damn about people's comments.

Who posts comments on websites anyway? It's not like anyone reads them.

Now then... (1)

commieboyredux (829367) | more than 9 years ago | (#11126224)

How long until we have content/poster filtering for blogs like we have for e-mail? If someone got coding right now, they might make a pretty penny off of this...

Re:Now then... (2, Informative)

jacen_sunstrider (797955) | more than 9 years ago | (#11126343)

Already done! And they're for wordpress! My favorite is Blacklist, and it works pretty well, long as I update the definitions every once in a while.

Why your Moveable Type blog must die (2, Funny)

dead nancy (239321) | more than 9 years ago | (#11126243)

You are all pretentious twats

Every last one of you. You're all latte-sipping, iMac-using, suburban-living tertiary-industry-working WASPs who offer absolutely no new insights on anything whatsoever apart from maybe one specialist field if we're lucky.

Quite an enjoyable rant.

Dead Nancy

Re:Why your Moveable Type blog must die (0)

Anonymous Coward | more than 9 years ago | (#11126317)

Roger that. One of the highlights of kuroshin. Gotta love it.

Re:Why your Moveable Type blog must die (2, Funny)

happyemoticon (543015) | more than 9 years ago | (#11126333)

I live in the urbs, I drink cappuccinos, and I work for an academic research unit. My computer is not an iMac, but a PC with XP and Slackware. I'm a euromutt of catholic derivation, and I have pretty broad interests.

But that's pretty damn funny, I'll admit. They forgot, though, that they're all writing dark fantasy novels which will never be published.

There are far too many weblog addicts out there who are excessively vain, and are under some kind of bizarre pretense that they matter, and they seem to exist solely by jacking each other off. Hrmph. But you have to admit, MT users are a little less likely to be whiny baby-bats than, say, livejournal users.

Re: flamebait my ass (1)

jgaynor (205453) | more than 9 years ago | (#11126536)

The link above was funny as hell and explained the MT load issue in far more plain language than the original article! Somebody waste some points and get that back up out of the negatives . . .

Mod Parent Down: GNAA troll (-1, Troll)

sakusha (441986) | more than 9 years ago | (#11126895)

Goddam it, stop linking to the GNAA manifesto that distributes MT-killing tools.

Re:Mod Parent Down: GNAA troll (-1)

Anonymous Coward | more than 9 years ago | (#11126988)

(Posting anon as the Funny/Troll mods have tanked my karma, and I don't need an Offtopic...)

GNAA what? Maybe a kuro5hin troll, but I don't think so. And the only link I could find on the k5 article that might point to any anti-MT tools (the word 'scripts') wasn't functioning.

So: what the hell are you talking about?

Dead Nancy

Nucleus CMS (1)

einolu (841446) | more than 9 years ago | (#11126260)

Besides WP, Nucleus is also a good blogging tool, easy to use and it's secure. I use this and WP, both are nice. Also I was getting a lot of comment spam using WP, but I turned off letting other sites know when I update and the online casino spam stopped.

Re:Nucleus CMS (1)

jacobito (95519) | more than 9 years ago | (#11126753)

but I turned off letting other sites know when I update and the online casino spam stopped.

I've seen this observation mentioned once before, and I'd like to see this explored further. It seems that spammers are harvesting URLs from sites like [] and [] . I don't doubt that they're finding blogs via Google searches, though, so turning off update notifications is probably a temporary solution at best.

challenge the user (4, Informative)

lseltzer (311306) | more than 9 years ago | (#11126268)

We had a similar problem on our blogs (like my security blog) and we think we have solved it with one of those graphic field challenges to the user (enter the value in the nearby graphic).

Re:challenge the user (2, Insightful)

jacobito (95519) | more than 9 years ago | (#11126710)

Captchas are currently great for weeding out automated spammers; unfortunately, they're also great at weeding out people who cannot see. This unnecessarily renders your site inaccessible to a portion of your audience. From a geekier perspective, this sort of assumption-laden web design runs completely contrary to the accessible, device-independent spirit of the original WWW.

Of course, since the blog you linked doesn't even work at all as I write this, maybe you're not concerned with accessibility for anyone!

GET /seltzer HTTP/1.1

HTTP/1.x 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 18 Dec 2004 22:39:46 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Transfer-Encoding: chunked
Cache-Control: private
Content-Type: img/jpeg; charset=utf-8

Re:challenge the user (0)

Anonymous Coward | more than 9 years ago | (#11126756)

WFM, using linux right?

DCC for comments? (0)

Anonymous Coward | more than 9 years ago | (#11126275)

How about something like the Distributed Checksum Clearinghouses for comments? Comments shouldn't generally be exact duplicates, and DCC is good at catching email duplicates which are often spam. It uses some fuzziness factors so some alterations will still be caught.
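A sketch of the clearinghouse idea from the comment above, added here as an example and not taken from DCC or any blogging tool. The normalisation rules, the threshold and the class are assumptions for the illustration, not DCC's actual fuzzy checksum: URLs, digits, punctuation and case are discarded before hashing, so the same pitch with a different link still produces the same checksum, and a comment counts as bulk once enough distinct blogs have reported it.

```python
import hashlib
import re
from collections import defaultdict
from typing import Optional

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
NON_LETTER_RE = re.compile(r"[^a-z ]+")
MIN_WORDS = 4        # assumption: very short comments collide too easily to count
BULK_THRESHOLD = 3   # assumption: distinct blogs needed before a comment is bulk


def fuzzy_checksum(comment: str) -> Optional[str]:
    """Checksum that survives the edits bots make between posts."""
    text = URL_RE.sub(" url ", comment.lower())   # any link hashes the same
    text = NON_LETTER_RE.sub(" ", text)           # drop digits and punctuation
    words = text.split()
    if len(words) < MIN_WORDS:
        return None
    return hashlib.sha256(" ".join(words).encode()).hexdigest()


class Clearinghouse:
    """Shared counter: checksum -> set of blogs that received that comment."""

    def __init__(self, threshold: int = BULK_THRESHOLD):
        self.threshold = threshold
        self._seen = defaultdict(set)

    def report(self, blog_id: str, comment: str) -> int:
        """Record one sighting; return how many distinct blogs have seen it."""
        digest = fuzzy_checksum(comment)
        if digest is None:
            return 0
        self._seen[digest].add(blog_id)
        return len(self._seen[digest])

    def is_bulk(self, comment: str) -> bool:
        """True once the comment has been reported by enough distinct blogs."""
        digest = fuzzy_checksum(comment)
        if digest is None:
            return False
        return len(self._seen.get(digest, ())) >= self.threshold


if __name__ == "__main__":
    # Constructed sample comments, not taken from real blogs.
    spam_a = "Great site! Visit http://poker-1.example/ for texas holdem 24/7"
    spam_b = "great site  visit HTTP://poker-2.example/?id=99 for Texas Holdem 24/7!!!"
    house = Clearinghouse()
    for blog, body in [("blog-a", spam_a), ("blog-b", spam_b), ("blog-c", spam_a)]:
        print(blog, house.report(blog, body))
    print(house.is_bulk(spam_b))
```

Counting distinct blogs instead of raw reports keeps one busy site from pushing a comment over the threshold on its own.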

easy fix (1)

GirTheRobot (689378) | more than 9 years ago | (#11126278)

To submit a comment on a blog, you must type in a series of letters and numbers for a non-machine-readable image (like when you forget your password here on Slashdot). This will at least prevent automated blog spam. ...I don't know why this solution isn't deployed already.

Netcraft confirms... (0)

Anonymous Coward | more than 9 years ago | (#11126327)

Movable Type is DYING.

DotComments (1)

meehawl (73285) | more than 9 years ago | (#11126338)

Call me untrendy, but I still like dotcomments [] .

SixApart is partly to blame (1)

ShatteredDream (636520) | more than 9 years ago | (#11126354)

They hired Jay Allen, creator of MovableType blacklist, as project manager, but MT BL is not part of the standard distribution. It's not a standard feature, nor is there anything designed in house that provides the same functionality if God-forbid Jay Allen won't let them bundle it as a standard feature. The worst part is that it is having major problems working with MT 3.121, the latest release.

Personally I think MT needs to just scrap the entire comment system and start over again. They need to implement a MT BL like system comprehensively, they need to ban ips tied to spam bots and they need to collect the information about the spammers so that MT users can try legal challenges.

Spam bots should be not only a civil offense, but a crime to use. The way that they are used against blogs is basically on par with defacing a website and often the stuff they push is illegal for minors to view. This is why we need something like the Child Online Protection Act. With something like that we could get spammers on criminal offenses for using spam bots indiscriminately.

Re:SixApart is partly to blame (1)

gad_zuki! (70830) | more than 9 years ago | (#11126868)

>This is why we need something like the Child Online Protection Act.

This is exactly why we DON'T need "won't someone think of the children" legislation. You're going to put up with massive censorship because of some blog spam that can be easily fixed with typekey, blacklists, etc? For some useless blog comments we're going to censor the web? Wow. Amazing, how Americans can even suggest such a thing. So much for the land of the free, eh?

Like all mediums, parents should be making sure their children are using it in a way they approve of. Lazy parents and religious nuts (and now the spam ridden) should try to understand this simple concept. The job to keep whatever content you don't like from your children is YOURS, not the state's job.

You don't need to protect "children" (whatever that means nowadays, like a 17-year-old has no idea what sex is). What you need to do is start your own kid-safe internet or TLD or run some censorship software on YOUR machine, not on the global web. Think client side solutions and leave the rest of us alone. Thanks.

Re:SixApart is partly to blame (1)

sakusha (441986) | more than 9 years ago | (#11126919)

You're a little behind the curve. MT hired Jay Allen specifically so he could integrate his antispam tools into the standard MT distribution. He's only worked there a short time, do you seriously expect quality software to appear overnight?

GNAA (not a troll post!) (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11126381)

You all might be familiar with the group of script kiddies known as the "GNAA" [] (I will not repeat what it stands for since it is rather racist and bigoted towards homosexuals and blacks), they post lots of crapfloods here on Slashdot, obscene links disguised as real content, and flood blogs on a daily basis.

I have a Xanga blog that I update frequently for my friends and family, it's really cool and all but just last night I got like about 200 posts from someone in the "GNAA". The person responsible used this account on Xanga, if you're curious.

I'm just wondering.. what can we do about assholes like this? Are there any spam laws that we could nail them with or any sort of computer crime charges they could be hit with? I'm sitting in their IRC channel, #GNAA trying to collect names, IP addresses, and other information, but I'm not sure if it will do any good.

Re:GNAA (not a troll post!) (1)

GNAA Goat-See (775677) | more than 9 years ago | (#11126453)

Yeah, we're going to jail because someone posted a link on your blog.

Re:GNAA (not a troll post!) (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11126466)

goat-see []

I wouldn't act all high and mighty, Mr. GNAA Goat-See. I got your IP address right there and I am logging all the shit you're doing and there is not a thing you can do about it. I suggest anyone else hit by the GNAA to do the same and email the FBI [] computer crimes division. They WILL investigate if enough people complain.

Re:GNAA (not a troll post!) (-1)

Anonymous Coward | more than 9 years ago | (#11126517)

See the little @ sign? that's called operator. It means there IS a damn thing I can do about your logging my actions, which is called "kickban". You fail it. (it is logging my actions)

Moderators? WTF?? (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11126501)

Who modded this down? Anyone who knows anything about the GNAA's activities knows that they're big time spammers here on Slashdot and on blogs. I'm posting anonymously because I don't want them to retaliate against me for posting this, but I can assure you it's not a troll!

Re:GNAA (not a troll post!) (-1)

Anonymous Coward | more than 9 years ago | (#11126618)

As a note, GNAA is NOT generally considered racist or denigrating to homosexuals - because of the origin of the term. See Wikipedia's GNAA Entry.

Can someone fill me in? (1)

bigberk (547360) | more than 9 years ago | (#11126397)

I am entirely unfamiliar with the issue of spam as it pertains to blogs. Are spammers placing ads (as in, posting their URLs) to random people's blogs? Or is the problem that they are just polluting the comment list with random garbage?

If the issue is posting of URLs, then it should be a simple matter of the blog site checking any URLs against SURBL [] , a spam URL blocklist.

What am I missing here? When did this become such a huge issue?

Re:Can someone fill me in? (3, Informative)

crayz (1056) | more than 9 years ago | (#11126491)

A few problems, as a Wordpress user and as someone who's run into problems w/ other people's MT blogs:
- spam bots attack WP and MT through various means, one of the most common being to simply POST to the mt-comments.cgi or wp-comments-post.php URLs on people's sites
- the bots mainly post huge amounts of links to stupid websites, like viagra or poker strategy. the goal is to get a higher google ranking by having links from many different sites
- the biggest problem for WP users is that you get flooded with literally hundreds of comments per day. if you have good filtering you'll at worst just have to sit around and delete some manually
- the biggest problem for MT users (or that MT users cause) is that because of the poor design of MT, the comments script takes up a huge amount of CPU time. apparently it actually goes through the process of rebuilding the static post pages even when comments are moderated or auto-deleted. now imagine you have 500 posts and they all get hit at the same time - it's something close to a forkbomb on the server

The best solution to all of this is to find a way to prevent the stuff from ever getting posted. Once it's submitted you're going to have to analyze it in some way and decide if it's SPAM or it's good. There are some simple solutions like renaming the comment post scripts, and some more complicated ones like using a verification number or requiring users to register. In any case, it's a very major problem for almost anyone with a blog.

Re:Can someone fill me in? (2, Informative)

68kmac (471061) | more than 9 years ago | (#11126504)

Yes, they post comments which are basically just a list of URLs with lots of links to their sites. The theory being that this will increase their page rank. Luckily, MT already has a blacklist to filter those out but it has to be updated constantly.

The funny thing is that we (another weblog system, but suffering from the same problem) are seeing a lot of spam posts recently where they put the link text into the href attribute and the actual URL as the link text. Not sure what they're trying to accomplish with that - maybe it's just more proof that spammers are actually stupid ...

Re:Can someone fill me in? (0)

Anonymous Coward | more than 9 years ago | (#11126740)

Well, an efficient and simple solution in SURBL (see parent)... there is already a well maintained, automatically collected list of spammed URLs. I'm sure spammers send the same addresses via email as they post on web sites.

Obligatory OSS Advocacy (0, Troll)

RAMMS+EIN (578166) | more than 9 years ago | (#11126421)

Bla bla bla bugs yada yada proprietary yatta yatta use open source!

There, HAND.

yep (1)

crayz (1056) | more than 9 years ago | (#11126438)

I work for a web host and we've had this issue. 744 on mt-comments.cgi. Sorry guys.

NoIndex HTML Tag (3, Insightful)

beebware (149208) | more than 9 years ago | (#11126439)

At the start of this year (Jan 2004), I actually proposed a possible solution to avoid this sort of thing [] . Basically, Google et al starts recognising:
<!-- robots:noindex --> / <!-- /robots:noindex -->
And then bloggers can put the comments section of their sites inside the HTML "no index" markup and hence if they are hit by comment spam, Google and the other search engines ignore that content.

But isn't that the kind of area you would want? (1)

SuperKendall (25149) | more than 9 years ago | (#11126553)

It might help, but I would rather have Google be searching the comments as well as the main post! Even if comment spam is a problem, you don't want to lose all the other comments that might have value.

Perhaps Google could recognize a Movable Type site and just ignore comments from them.

Re:But isn't that the kind of area you would want? (0)

Anonymous Coward | more than 9 years ago | (#11126901)

Rather than noindex, nofollow might make more sense. Thus comments are indexed, but links aren't counted for PR.

Reusable Proofs of Work (4, Interesting)

yerdaddie (313155) | more than 9 years ago | (#11126483)

I myself run an MT blog and have been contemplating moving to wordpress to dodge the spam bullet, however temporarily.

It occurred to me, though, that what would really fix this is to push the load onto the spammers by building a Reusable Proofs of Work (RPOW) system.

For those who are unfamiliar, RPOW is a proposal to stop mail spam by asking the sender to do a little "work" that would make sending a lot of emails computationally too expensive.

As I'm in the last throes of my PhD I'll have to delay on this one, but maybe the lazy web can help out on this one, so the same thing doesn't happen to wordpress or whatever blogging monocultures exist.
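The proof-of-work idea in the comment above, as an added example that is not part of the original post and is not RPOW itself: a simplified, non-reusable hashcash-style challenge for a comment form, where the server checks one cheap hash before running the expensive comment handler. The function names, the secret, the numeric post id and the 16-bit difficulty are assumptions chosen for illustration.

```javascript
const crypto = require('crypto');

// Assumptions for this sketch: secret, difficulty and names are illustrative.
const SERVER_SECRET = 'constructed-demo-secret';
const DIFFICULTY_BITS = 16; // ~65,000 hashes per comment on average

const sign = (payload) =>
  crypto.createHmac('sha256', SERVER_SECRET).update(payload).digest('hex');
const work = (challenge, nonce) =>
  crypto.createHash('sha256').update(`${challenge}:${nonce}`).digest();

// Count leading zero bits of a hash; this is the cost the client must meet.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    return bits + Math.clz32(byte) - 24;
  }
  return bits;
}

// Server: challenge bound to one numeric post id and an expiry, HMAC-signed
// so that issuing a challenge needs no server-side storage.
function issueChallenge(postId, nowMs, ttlMs = 600000) {
  const payload = `${postId}:${nowMs + ttlMs}:${crypto.randomBytes(8).toString('hex')}`;
  return `${payload}:${sign(payload)}`;
}

// Client (the commenter's browser in a real deployment): brute-force a nonce.
function solve(challenge, bits = DIFFICULTY_BITS) {
  for (let nonce = 0; ; nonce++) {
    if (leadingZeroBits(work(challenge, nonce)) >= bits) return nonce;
  }
}

// Server: cheap checks first, so junk POSTs are rejected before any page rebuild.
function verify(challenge, nonce, postId, nowMs, seen, bits = DIFFICULTY_BITS) {
  const parts = String(challenge).split(':');
  if (parts.length !== 4) return false;
  const [id, expires, rand, mac] = parts;
  const got = Buffer.from(mac);
  const want = Buffer.from(sign(`${id}:${expires}:${rand}`));
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return false;
  if (id !== String(postId) || Number(expires) < nowMs) return false;
  if (seen.has(challenge)) return false; // each challenge buys one comment
  if (leadingZeroBits(work(challenge, nonce)) < bits) return false;
  seen.add(challenge);
  return true;
}
```

The `seen` set is what keeps a solved challenge from being replayed across many comments; entries can be dropped once their expiry time has passed.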

Re:Reusable Proofs of Work (2, Informative)

saxmatt (320581) | more than 9 years ago | (#11126559)

That's what the WordPress plugin Spam Stopgap Extreme [] does.

Re:Reusable Proofs of Work (1)

generic-man (33649) | more than 9 years ago | (#11126834)

Good idea. I've found that security by obscurity (by avoiding popular software like MovableType) is an excellent deterrent.

It's not a cure nor a viable long-term philosophy, but it's a deterrent. That's all you need to deter 99.999% of the robot scripts that troll MT comments.

In other news, I've heard that simply renaming mt-comments.cgi is an excellent solution. No sarcasm here: security by obscurity really works as a deterrent.

Hey I hear there's already some software for this (1)

Trepidity (597) | more than 9 years ago | (#11126641)

"Blog" software predates the existence of a separate category of "blog software", and most of the older stuff works better. SlashCode, I hear, has been known to run several high-traffic sites. There is also Scoop, which was developed for, and used at a few other places (like Both are also much more full-featured than your average "blog software", especially in that they include threaded comments.

Re:Hey I hear there's already some software for th (1)

DrSkwid (118965) | more than 9 years ago | (#11126928)

When I was a lad we had the crazy stuff called newsgroups.

You could post to them, they were threaded, they had an RFC protocol called NNTP and all sorts of programs understood them. Some of them were even moderated.

I wonder what happened to them?

It's tough on us serving from home (1)

Biggerveggies (517226) | more than 9 years ago | (#11126651)

I've used Wordpress ever since it branched off from b2. Unfortunately, its success has made it a good target for comment spam. The available plugins, such as Farook's WPBlacklist, work really well. However, the amount of incoming spam attempts is sort of like a DDOS attack on us little guys who have servers running on their home cable lines. It's just disappointing that we have to put up with this.

Authentication Images (1)

Joystickit (529613) | more than 9 years ago | (#11126699)

The solution is to implement authentication images, much like paypal or the like use when you register. It generates some odd-looking image with a few characters and digits in it, and you as the user have to type it in.

There is a system like this for wordpress called wp-authimage that works quite well. You do have to know a bit of php and it requires GD on your webserver, but neither of those things are super-difficult. I used it on a blog I run with some friends and it works quite well. Our comment spam went from 100+ per day with MT to 0 with wordpress and this system.

Netcraft? (1)

Chuck Bucket (142633) | more than 9 years ago | (#11126816)

Netcraft confirms it; Movable Type is dying!

Sorry, had to plug that one. I run Drupal for my CMS, and lately I've been getting some 'free poker' spams in my comments. I've installed the Spam module and am holding my breath. Do modules like that work in MT?

Time for me to go check my friends' MT sites...


Cheap and cheerful spam blocking for MT 2.6 (1)

ianmacd (46518) | more than 9 years ago | (#11126842)

Here's a patch [] to prevent comment spam for those of you left out in the cold when Movable Type abandoned MT 2.6.