For better blogging…

Yesterday, the amount of comment spam here and on MemeFirst quite simply got ridiculous. Barely 9 months after getting (and blogging) a first instance, and despite in the meantime removing every possible incentive to posting such spam, volume started growing exponentially as automated spam delivery mechanisms exploiting Movable Type’s standard commenting scripts got more sophisticated. Over the past month, the use of randomly generated emails and rotating IP addresses has allowed spammers to easily circumvent MT’s built-in defences at a rapid clip.

Myself, I was waiting for MT 3.0’s upgraded comment filtering technology. In the meantime, MT-Blacklist, a plug-in that filters URLs for proscribed content, has made it harder for spam to make it through, though not impossible, especially if the sites being promoted by spam use conventional words in their URLs. And, though spammers now have to continuously change the content of their spam, they can still usually get away with bombarding a large number of blogs before they all update their blacklist or the blacklist clearinghouse gets updated. In that sense, MT-Blacklist also chases after a moving target, much like banning IP addresses is ineffective against a spammer continuously changing her IP address.

But last night, as my list of recent comments swelled with the labor of the dregs of humanity, I was willing to settle for something quick and dirty to solve the specific problem of automated spamming engines afflicting my blog. This is what I came up with — and it only takes two minutes to install.

The idea was to personalize my blog’s comment submission process so that a spammer needs to either post spam in person or else manually tweak his comment submission engine so that it works specifically for my blog. Basically, it becomes as annoying for him to post spam as it is for me to remove it. With the burden shared in this way, I’m guessing the spammer won’t bother with my blog, as I care a hell of a lot more about it than he does. And if a spammer visits my site, examines my comment submission process and manually tweaks his engine, I simply alter my process. I feel their pain, and it feels good.

The hack involves requiring a human mind to complete a simple instruction, such as “type the letter ‘A’ in this textbox” or “Type the third letter of this sentence in the textbox,” before MT accepts the accompanying comment. Here’s how:

In your cgi-bin folder, navigate to and edit the file cgi-bin/lib/MT/App/Comments.pm. Do a search for the following piece of code:

if (!$q->param('text')) {
    return $app->handle_error($app->translate("Comment text is required."));
}

Replace this with:

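if (!$q->param('text')) {
    return $app->handle_error($app->translate("Comment text is required."));
}
## my addition
# Reject the comment unless the "spam" form field holds the expected answer.
# Testing defined() first avoids Perl's "Use of uninitialized value" warning
# when the field is missing from the submission.
my $spam = $q->param('spam');
unless (defined $spam && $spam eq 'A') {
    return $app->handle_error($app->translate("Type the anti-spam text exactly as shown."));
}
## my addition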

Save and close. Now go to the templates screen in your Movable Type user interface, and make sure that all templates that allow you to submit comments have the following HTML snippet added to the comment submission form (I placed mine just above the comment textbox):

<label for="spam">Today’s anti-spam measures are brought to you by the letter “A”. Please type it here:</label> <input id="spam" name="spam" />

In standard builds of MT the templates you want to alter are: Individual Entry Archive, Comment Listing Template, Comment Preview Template and Comment Error Template.

What happens now is that when a comment is submitted, MT checks that the accompanying question is answered correctly; if it is, the comment is accepted. The question is asked in the HTML, the answer is found in the Comments.pm code I added.

Advanced MT users: It’s actually a lot simpler to put that HTML snippet into a template module and to refer to the module wherever a template contains a comment submission form. This way, when it is time to change the question/answer pair, you only need to alter the HTML in one spot. More about MT modules here.
 
Update 2004-05-19: This hack is not compatible with MT-Blacklist. MT-Blacklist is not a proper plugin in that it completely bypasses Comments.pm with its own comment-handling files. Altering Comments.pm as described here has no effect as long as MT-Blacklist is installed.
 
Update 2004-09-10: It is compatible with MT-Blacklist, as the comments below attest to. (I don’t use it though. There really is no need now.)
 
Update 2004-10-29: Strang’s Blog has a post that explains how to get this to work for MT 3.11 templates.

Of course, a spammer can still visit my blog, determine the required answer for the anti-spam question, and then program his submission engine accordingly. But the catch is that he has to do this manually every time I change the question/answer pair. You can alter the question/answer pair whenever you want: in Comments.pm, just replace the ‘A’ in the above example with whatever letter, number or word you want, as long as it is inside single quotes; and also make sure the question in the HTML snippet leads unambiguously to that answer.

The reason this is not a plug-in is because I don’t know Perl. I guessed-and-pasted this out of desperation, but it works like a charm. If I knew Perl I would probably build a library of question/answer pairs that I can rotate at will. And, additionally, if you are willing to forgo having comment submissions on the static Individual Entry Archive template in favor of using only the pop-up comment templates, which render MT tags on the fly, you could build a system that automatically rotates the question/answer pairs every X hours or days, overlapping successive pairs so that commenters on the crux of a changeover are not abandoned.
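An added example, not the author's code and not part of Movable Type: the rotating library of question/answer pairs described above, written in Perl, with an overlap window so that a commenter who loaded the form just before a changeover is still accepted. The pairs, the rotation period, the overlap and the function names (slot_for, pair_for_slot, current_question, answer_ok) are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the original post): rotating anti-spam
# question/answer pairs with an overlap at each changeover.
use strict;
use warnings;

# Constructed sample pairs; each question must lead unambiguously to its answer.
my @PAIRS = (
    { question => 'Type the letter "A"',                      answer => 'A' },
    { question => 'Type the third letter of the word "spam"', answer => 'a' },
    { question => 'Type the digit that comes after 6',        answer => '7' },
);
my $PERIOD  = 24 * 3600;   # assumption: rotate once a day
my $OVERLAP =  2 * 3600;   # assumption: previous answer stays valid for 2 hours

# Index of the rotation period that contains the epoch time $now.
sub slot_for { my ($now) = @_; return int($now / $PERIOD); }

# Pair assigned to a slot; Perl's % is non-negative for a positive right operand.
sub pair_for_slot { my ($slot) = @_; return $PAIRS[ $slot % scalar(@PAIRS) ]; }

# Question to print in a dynamically rendered comment form.
sub current_question {
    my ($now) = @_;
    return pair_for_slot(slot_for($now))->{question};
}

# True if $submitted matches the current answer, or the previous answer
# while the changeover is less than $OVERLAP seconds old.
sub answer_ok {
    my ($submitted, $now) = @_;
    return 0 unless defined $submitted;    # missing form field: reject, no warning
    $submitted =~ s/^\s+|\s+$//g;          # tolerate stray whitespace
    my $slot     = slot_for($now);
    my @accepted = ( pair_for_slot($slot)->{answer} );
    push @accepted, pair_for_slot($slot - 1)->{answer}
        if $now - $slot * $PERIOD < $OVERLAP;
    return ( grep { $submitted eq $_ } @accepted ) ? 1 : 0;
}

# In Comments.pm the check would then read (hypothetical wiring):
#   unless (answer_ok(scalar $q->param('spam'), time)) { ... handle_error ... }

# Constructed timestamps around one changeover.
my $changeover = 19_000 * $PERIOD;
for my $offset (-60, 3600, 3 * 3600) {
    my $now = $changeover + $offset;
    printf "%+6ds  question: %-42s  'A' ok: %d  'a' ok: %d\n",
        $offset, current_question($now),
        answer_ok('A', $now), answer_ok('a', $now);
}
```

Because the question depends on the time of the request, the form that prints it has to be rendered on request, which is why the paragraph above limits this to the pop-up comment templates.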

The more that people personalize their comment submission forms, the less spammers can exploit the standard MT comment submission process.

55 thoughts on “For better blogging…”

  1. Interesting scripting to get around the spammers. Wish it would work on my regular inbox for email. hehe

  2. Hello! I am the Auditor in charge of international transaction in one of the biggest software companies here in Nigeria. During the course of our auditing, I discovered a very valuable top secret perl script against comment spam in an office computer. After going through some old files in the records I discovered that the programmer of the script since long had died without a [Heir/WILL], hence the script is finders/keepers, if I only could raise the money to get it out of the country. And that is why I contact you. If I do not remit this script out urgently it will be forfeited for nothing. And it could be sold for millions!
    You are the first and the only person that I
    am contacting for this business, so please reply urgently so that I will inform you the next step to take urgently.

  3. That way it’s more accessible for blind people. And it’s less work for my visitors to let the browser add an ‘A’ there automatically, since I’m only going to change it when someone attacks me. Up to now, it has worked perfectly. What’s more, it’s impossible for a machine to understand “Today’s anti-spam….” There is no method for knowing that you have to write ‘A’; you have to be human.

  4. It’s clear that this is a good solution. I just wonder, in that case, why most “non-human detector” scripts use the “generate a random .gif containing a number” approach.
    I imagine that with time we’ll see whether it works…

  5. Au contraire, it seems like French is the only language in which people DO agree with me. Not that you’d have the savoir faire to distinguish between opposing arguments in French.

  6. I really like this approach. I’ve been trying to get James Seng’s SCode plugin to work for about 4 hours now…it’s completely blocking any comment entries at all!
    I’m going to uninstall it and see if yours does the trick.

  7. I just installed your little anti-spam hack. Thought I should let you know that your hack IS compatible with MT-Blacklist, you just have to add it to the proper file.
    If you have MT-Blacklist installed, you should not add the addition source code to /lib/MT/App/Comments.pm
    Instead, add it to the appropriate section of /extlib/jayallen/MTBlPost.pm (you’ll need to read Jay Allen’s notes in the head of MTBlPost.pm to know which section of the code to modify…it’s different depending on which version of MT you are running).
    Thanks, Stefan, for the nice anti-spam measure.
    Oh, by the way, it also works for short phrases as well…you don’t have to limit yourself to a single letter.

  8. Anti-spam hack

    Even though this blog has only existed for a couple of weeks, spam is starting to find its way into the comments. I have just installed Stefan Geens’s hack to see whether it can solve the problem. It only takes ten minutes to install and yet…

  9. Comments and e-mail list

    Thanks for all the tips. I have now received instructions from hakank on how I can quickly remove hordes of the idiot comments with MT Blacklist. And from Pierre Andersson and Stefan Geens I have received instructions on how I can build in…

  10. Comment canned ham again

    Annica Tiger is having problems with comment spam. I myself have not (knock on wood) received a single spam since I installed Stefan Geens’s simple but ingenious solution. I really want to recommend it. Thanks Stefan!…

  11. Stefan Geens rocks

    Okay, so it may feel like a slightly ass-kissing headline for the diary, but I think it’s quite fitting at the moment. I have just installed Stefan’s little anti-spam hack (I probably missed it when it came out, and where I found…

  12. Thanks a lot. A few weeks ago I was bombarded by approximately 10000 SPAM-comments! Thanks to your smart little antidote I truly hope I will get rid of almost all spam from my site completely. Again, thank you so much.

  13. The fight against spam goes on, and some Bloglines figures

    This morning when I opened my gmail I saw the spam machine’s first attack just as it arrived. I had received a comment linking on to a site named something to do with headache medication (in English, of course)….

  14. Thank you! Thank you! Thank you!
    Even with MT-Blacklist I was getting a half-dozen comment spams a day. I followed your instructions, even the MT modules part (huge help), along with Kasey’s comments on the proper file for MT-Blacklist — it couldn’t be easier, even for a novice like me.
    You’re my hero!

  15. Spam measures modified

    Since I can’t seem to get MT-Blacklist to work. I implemented Stefan Geen’s anti-spam measure. I have added a small text field you have to fill in to be able to post a comment to the blog. Since Stefan’s “tweak” was for an earlier version o…

  16. Oh, thank you! We were so swamped with spam, even with blacklist it took us up to an hour daily to delete and delete and delete…
    This hack works like a charm and even computer-illiterate me could do this. Take that, spammers!
    Thank you. You did a great service to the blogosphere. You deserve a medal or something.
    Claudia – very grateful

  17. Take that, spammers!

    David from AFoE sent me this wonderful link. It’s this neat little code which will make life very miserable for all those spammers who’ve been making our life very miserable. Stefan, who wrote this, deserves a medal or something -…

  18. OK, I admit defeat. I did something wrong and hope that someone can help me.
    The code works like a charm, as long as you don’t mistype. Then you get the error message (still OK), but then it won’t let you post even with the correct word — unless you preview first, then it works. Odd, eh?
    This is the error message I get when I try to re-post after a failed first attempt:
    “MT::App::Comments=HASH(0x82829b0) Use of uninitialized value in string eq at lib/MT/App/Comments.pm line 80.”
    I thought I did everything right, I even turned Blacklist off because it seemed not to work even with Kasey’s trick.
    Where did I go wrong? Can someone help a willing but confused beginner?
    TIA,
    Claudia

  19. Well – it works great on my 3.12 install – but I did the same thing on MT 2.66 and it doesn’t work.
    unless ($q->param('spam') eq 'AGREE') {
        return $app->handle_error($app->translate("You must type the word AGREE in order to post."));
    }
    if (!$q->param('text')) {
        return $app->handle_error($app->translate("Comment text is required."));
    }
    my $comment = MT::Comment->new;
    $comment->ip($app->remote_ip);
    $comment->blog_id($entry->blog_id);
    $comment->entry_id($q->param('entry_id'));
    Interestingly enough – on the missing text message if I change it – it doesn’t change the message when I run it. I almost would think I’m running the wrong file or something – but if I create a syntax error that affects the output. I get the error. So – I’m rather stumped.
    If someone could email me with a clue I sure would appreciate it.

  20. Ignite

    Firefox 1.0 is due for release this Tuesday (9th November). If you don’t get it, and I’m guessing quite a lot of people won’t because:- You’re prevented from doing so because the download site will be b0rked as a result of the massive amounts of traffi…

  21. Ignite

    Firefox 1.0 is due for release this Tuesday (9th November). I’m guessing quite a lot of people won’t get it because:- You’re prevented from doing so because the download site will be b0rked as a result of the massive amounts of traffic it’ll get- Unabl…

  22. God is dead and I myself am coming down with a cold

    I don’t know if it’s an omen, but after the catastrophic election result I was hit by a tough cold that refuses to let go. It’s that tiresome kind where you’re just tired and weak all the time …

  23. Movable Type Comment Spam

    BLOG@STEFANGEENS.COM: For better blogging… has an interesting comment spam solution for MT Blogs. Be sure to read the comments, especially the most recent ones at the end regarding MT version compatibility and compatibility with MTBlacklist etc….

  24. Die Spam! Die!

    Another change in the commenting system for you. You can now post without previewing, however, you must now also include the mystery letter in the field at the bottom of the comment page. Right below the smilies, right above the…

  25. Another Movable Type Captcha

    There’s a simpler approach to a Movable Type Captcha here. It will probably be easier for spammers to crack since there’s no need for any character recognition to crack the security phrase, but it’s also a lot easier to install….

  26. Another Movable Type Captcha

    There’s a simpler approach to a Movable Type Captcha here. Installing this looks like a breeze compared to installing James Seng’s SCode, but this be easier for spammers to crack since there’s no need for any character recognition to crack…

  27. Spam headache

    I had big problems with spam and therefore installed Stefan Geens’s anti-spam plugin. At the beginning it was so effective that no comments got through at all! Not the genuine ones either, and of course that’s not how I wanted it. Hopefully I have…

  28. comment problem

    Stefan Geens’s anti-spam plugin is very effective. Right now no comments at all are getting through here! I get e-mails with people’s comments but nothing shows up on the blog. Troubleshooting in progress!…

  29. I’ve altered all the files as told, but since I’m also running MT-Blacklist, I’m wondering where exactly you need to add that additional code into /extlib/jayallen/MTBlPost.pm . I can’t see that written anywhere (not in jayallen’s files). Any ideas?
    thanks!

  30. I’ll send a comment, but I was kind of hoping the person who posted the message here about that, would know where as it works for him/her (Kasey)…

  31. Spammy trackbacks

    Since I installed that spam protection that Stefan Geens wrote about, spammy comments have been conspicuous by their absence. This morning another dreary thing turned up: a trackback that absolutely has to be defined as spam. In my activity log I see…

  32. Els,
    I saw your comment on my blog, and I responded to you. Please check your email for my message.
    Also, the contact form should be working OK now. I fixed it two days ago, so if you tried to reach me via the contact form before that time, then it makes sense that it was broken. I tested the contact form one more time this morning, and it worked for me. So if you tried using it on 12/8 or later, then it sounds like something weird is going on.
    Anyway, I’m always happy to help anyone implement this code. If you’re having problems with it and need help, please visit my blog (http://www.doggydiaries.pudgypuppy.com/) and use the “Contact Me” link to send me a message. I can’t guarantee that you’ll get an immediate response, but I will do my best to get back to you within 24-48 hours.

  33. Please Type a Capital Q

    If you’ve left a comment lately (and bless you if you have, I don’t know how you guys put up with me), you’ve had to type a simple Q to post. This, in the two days it’s been up, has…

  34. ELS – do a search for the same code
    if (!$q->param('text')) {
        return $app->handle_error($app->translate("Comment text is required."));
    }
    in MTBlPost.pm (in cgi-bin/extlib/jayallen/ I expect) and make the change as you would for the normal comments.pm described above.
    Cheers for this quick fix! I tried SCode today to no avail but this works a treat.

  35. comment problem

    Stefan Geens’s anti-spam plugin is very effective. Right now no comments at all are getting through here! I get e-mails with people’s comments but nothing shows up on the blog. Troubleshooting in progress!…

  36. Another Movable Type Captcha

    There’s a simpler approach to a Movable Type Captcha here. Installing this looks like a breeze compared to installing James Seng’s SCode, but this one will prove easier for spammers to eventually circumvent since there’s no need for any character…

  37. Comment more

    Stefan Geens’s excellent anti-spam fix also works with Movable Type 3.2. The only deviation from the instructions written by Patrick Strang is that this little snippet of text: Today’s anti-spam measures are brought to you by the letter “Q”. Please type it here…

  38. Stefan Geen’s turing test hack for MT 3

    Wanting to fix our anti-spam hack, I noticed Strang’s blog and with it the relevant post, has disappeared, so I reproduce this entry that I got from Google’s cache: October 24, 2004 Spam measures modified Since I can’t seem to…

  39. Stefan Geen’s simple Turing test hack for MT 3.x

    Stefan Geen’s simple Turing test hack is fantastically efficient. I’ve put together a tutorial for people who use MT 3.x If you have older version of MT you can read Stefan’s original post (don’t miss the updates). The hack involves…

  40. Open Thread

    Spammers have been a bane for this site for quite some time. Recently I found a new method to make it much harder for them to foul up our site by adding a question that is easy for humans to…
