OK, I was reading a blog entry on Jesse Warden's site yesterday (Link: Blogspam == DNS Attack) and thought I'd try and post a couple links and scripts that have helped me try and reduce spam on Flash-MX.com. I'm sure that our little site gets nowhere near the traffic of more successful blogs and we've never been bombed by spammers [yet] but maybe these will help somebody else out there using Movable Type.
Let's get started!
The first link I came across a couple months ago was this page on Learning Movable Type; Concerning Spam. It covers several useful techniques and methods for trying to foil filthy spammers. Now, not all techniques work for both MT 2.6 and the newer MT 3.1, but definitely worth checking out and applying a few techniques.
My favorite method for fighting spam is renaming the default blog comment posting script from mt-comments.cgi to, well, anything but that name. It is important to understand that this really is a temporary solution though. Once Google has indexed your pages, spammers will be able to get the name of your new comment posting page and hammer that. So ideally you'd need to rename this script monthly or so. Not only do you need to rename that CGI file, but you also need to modify a single line in your mt.cfg file and then rebuild your site (or usually just your individual entry pages). If you have a large site with lots of entries this can definitely be a pain in the ass and a bit time consuming, but definitely easier than dealing with dozens of spam messages a day. For detailed instructions on renaming the comment script check out the link above on the Learning Movable Type site.
Don't believe me on how easy it is to find a person's comment posting script? Try the following search in the world famous google: "inurl:cgi-bin site:flash-mx.com filetype:cgi". Yeah. One simple Google search tells you the exact name of this site's comment posting script with a minimal amount of effort.
Now, a second technique that has proven extremely successful is closing comments after a set number of days. For example, I've found that comments posted after about 14 days after a news entry has been posted tend to be spam. Obviously that isn't always true, but seems to be a fairly accurate rule of thumb. This pretty much boils down to the fact that once Google has indexed your sites and latest entries, you'll probably be spammed. That's just a fact of life. There are several ways to close comments after a set number of days. I've found a couple Movable Type plugins that actually do this, although I was only able to get one of the two to work. The script I got working was MT-Close by David Raynes (Link: Closing comments on old entries). The only real problem I found with this script is that there wasn't a dead simple way to automate it. I would have assumed that the script would have automatically closed comments after a set number of days, but it appears that you have to run the page manually and use the user interface. Sure, I'm sure that with 10 minutes worth of ColdFusion and a scheduled task (or 10 minutes PHP and a cron job) you could do this yourself, but that isn't the point), but the real drawback I saw to this method was that you still have to rebuild your individual entries after running this script. Being a generally lazy person, I instead spent about 5 seconds and wrote the following bit of CF which should close comments automatically after 30 days, and not require any interaction from me, or any sort of template rebuilding. And it only uses one single line of code which I placed in my Individual Entry Archive template.
<MTEntryIfCommentsOpen>
<CFIF DateDiff("d", ParseDateTime( "<$MTEntryDate$>" ), Now()) LTE 30>
<div class="comments-head">Post a comment</div>
This simple code runs every time the page is displayed and says "if the current entries posted date is less than or equal to 30 days, display the comment entry form". I didn't bother putting in a CFELSE tag, but you could easily add a friendly note saying that the thread has been closed. This has worked pretty well for me but you may want to tweak the dates based on how much spam you're receiving. If you tend to get a lot of spam after 10 or 15 days, try dropping the days from 30 down to 10 or whatever number you want.
That about does it. Obviously the first step I take in installing any Movable Type blog is to install MT-Blacklist by Jay Allen. Whether you're using MT 2.661 or MT 3.1, you should definitely be using MT-Blacklist to try and filter out unwanted keywords or domains. If you find that a lot of spam comes from the same IP, then you can start blocking IP addresses from Movable Type's Weblog Config > IP Banning interface. Or if you get a lot of spam from places advertising Poker, Gambling, Drugs or whatnot, start entering really vague keywords/domains into MT-Blacklist's regular expression engine. If you happen to be using MT 3, you can even enable comment moderation so that comments aren't visible on the site until you approve them. While this can make your site not display spam messages, they still may clog up your database and back end quite quickly, so moderation shouldn't be used as an only line of defense.
I'm sure there are dozens of other methods out there for fighting spam, everything from having to decypher an image and type it in (similar to how many domain registry places use when you try and do a whois search) or I've even seen some complex Bayesian filter for MT methods kicking around.
So this list isn't any sort of definitive guide by any means. I'm constantly tweaking my blacklist rules and downloading the latest entries from the spam clearinghouse site's master list. I'm also constantly monitoring the comments which get emailed to my gmail account so I am notified when a user posts. I'm also constantly trying new plugins and techniques trying to fine tune the whole process.
If I find any other resources I'll post them in the comments below.
Posted by peter on December 07, 2004 at 12:05 PMunfortunatley Blacklist doesnt seem to play too well with MT3.11, from my experience so far with it and others i have talked to about it. I've done the rename the comment script thing, and you're right, it works great, for a few days. There was at Burningbird that worked great for me using MT2.6 (http://weblog.burningbird.net/archives/2002/10/29/comment-spam-quick-fix) but it doenst seem to work with 3.11. Maybe someone knows how to tweak it to make it work.
Posted by: flashape at December 7, 2004 06:10 PMI use the "close old comments" method manually. Basically, as soon as I get a piece of blog spam, I close all comments more than a few days old. The simplicity to effectiveness ratio is pretty good.
Posted by: Keith Peters at December 8, 2004 04:32 AMI made a Flash front-end and all my blog spam stopped. It seems like everyone is complaining about blog spam when this is the obvious solution, especially for Flash developers (?!).
Posted by: mike at December 8, 2004 08:33 AMi figured that the spammers were hitting the comments script directly, and not even going through the web site itself.
Posted by: flashape at December 8, 2004 12:33 PMYeah, most of my blog spam seems to happen after Google has indexed my content. So my method for simply hiding the comments after X days probably does little, if anything at all, to fight spam. I think one of the better solutions would be to rename your comment submission page every 30 days and rebuild your site, but like I said, that can be pretty intensive if you have over a hundred entries that need to be rebuilt. I've taken to adding general entries such as "pills" the blacklist and that seemed to have a temporary effect. I think perhaps running a script to actually close comments may help. Or I really liked the idea of a Flash based comment form like Mike sort of suggested above. Not necessarily a whole Flash front-end, per se, but even a comment entry form may do the trick. Mind you, that would probably not work too well with MT 3 and their new TypeKey system.
Posted by: peter at December 8, 2004 12:40 PM