I have just been the target of a massive spam comment attack. On the night of
January 23rd, my weblog received about two hundred and fifty (250!) spam
comments. The sheer size of it is not the only thing that worries me:
it’s the way it was done.
Usually, MT-Blacklist makes it trivial to get rid of such spam and it also
allows you to despam your weblog retroactively (i.e. not just the comment that
was just posted and for which you just received an email notification). The
problem in this particular attack is that these 250 comments
- All came with a different email address.
- Were posted all across my weblog, not just on one entry (they commented
on about thirty posts).
- But worst of all, they advertised a wide range of web sites, not just
This last point is the reason why MT-Blacklist was a little less effective at
getting rid of that spam than it usually is, since MT-Blacklist despams based on
the URL of the poster or its IP address (most of the time useless). Ideally, I
would have liked MT-Blacklist to have an option "Add the websites contained in
the last 250 comments to my blacklist and despam my entire weblog", but since
this is not supported, I had to do some manual work.
Basically, I went through my Inbox and blacklisted the domains one by one.
Once I thought I had found most of them (going through 30-40 emails), I asked
MT-Blacklist to despam my entire weblog. Then I repeated this procedure
until the last comment posted on my welcome page was a legitimate comment again.
Total time, about a half hour. Not too bad.
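The "add the websites contained in the last 250 comments to my blacklist" feature that the post wishes MT-Blacklist had can be approximated from the notification mails themselves. The following is an added example, not the post's own code and not part of MT-Blacklist: it pulls every URL out of a batch of notification mails, reduces them to bare domains, skips the weblog's own domain and anything already blacklisted, and counts in how many mails each domain appears. The sample mails are constructed (the spam domains are made up, and the layout only loosely imitates an MT notification); MT-Blacklist's actual entry format is not assumed beyond "one domain per line".

```python
"""Added example: turn a batch of comment-notification mails into blacklist candidates."""
import re
from urllib.parse import urlparse

# Constructed sample notifications (made-up domains; not real mail from the post).
SAMPLE_MAILS = [
    "A new comment has been posted on your blog, on entry #101.\n"
    "Entry: http://myblog.example.org/archives/000101.html\n"
    "Name: buyer\nEmail: a1@spammer-one.example\nURL: http://www.cheap-pills.example/\n\n"
    "Comments:\nNice site! http://www.cheap-pills.example/order\n",
    "A new comment has been posted on your blog, on entry #102.\n"
    "Entry: http://myblog.example.org/archives/000102.html\n"
    "Name: buyer\nEmail: a2@spammer-two.example\nURL: http://casino-deals.example/\n\n"
    "Comments:\nvisit http://CASINO-DEALS.example/bonus and http://www.cheap-pills.example\n",
    "A new comment has been posted on your blog, on entry #103.\n"
    "Entry: http://myblog.example.org/archives/000103.html\n"
    "Name: a reader\nEmail: reader@example.net\nURL: http://reader.example.net/\n\n"
    "Comments:\nThanks, this helped. See http://myblog.example.org/archives/000099.html\n",
]

# Crude but adequate for mail bodies: stop at whitespace, quotes and brackets.
URL_RE = re.compile(r"https?://[^\s<>\"'()]+", re.IGNORECASE)


def domain_of(url):
    """Lower-cased host of a URL with a leading 'www.' stripped; '' if unparsable."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def extract_domains(mail_text):
    """Set of distinct domains linked anywhere in one notification mail."""
    return {domain_of(u) for u in URL_RE.findall(mail_text)} - {""}


def build_blacklist(mails, existing, own_domains, min_hits=2):
    """Sorted domains seen in at least min_hits mails, minus own and already-listed ones.

    Each mail counts once per domain, so a spammer repeating a link inside one
    comment does not inflate the count. Legitimate commenters' sites show up as
    one-off hits, which is why the default threshold is 2: treat the result as a
    candidate list to review, not as something to apply blindly.
    """
    hits = {}
    for mail in mails:
        for dom in extract_domains(mail):
            hits[dom] = hits.get(dom, 0) + 1
    skip = {d.lower() for d in existing} | {d.lower() for d in own_domains}
    return sorted(d for d, n in hits.items() if d not in skip and n >= min_hits)


if __name__ == "__main__":
    for dom in build_blacklist(SAMPLE_MAILS, existing=set(),
                               own_domains={"myblog.example.org"}):
        print(dom)  # one domain per line, ready to paste into a blacklist
```

With the sample above, the default threshold keeps only the domain pushed in two separate mails and drops the single legitimate commenter's URL; lowering `min_hits` to 1 is what you would do during an attack like the one described, at the cost of reviewing the one-off entries by hand.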
Now, all this made me think a little bit about the spam comment phenomenon.
Obviously, the blacklist method will not scale for much longer, so how could I
stop the problem at its source: preventing spammers from posting in the first
This is obviously impossible, so maybe I could push the reasoning one step
further and make sure they don’t find my weblog in the first place… The
question now is: how did they find my weblog?
If I were a spammer and I were looking for weblogs to comment, I would start
by determining what seems to be the de facto weblogging software. Movable Type
is an easy choice. Then I would take a look at the source and find how comments
are posted. I would quickly find out that the main entry point is called "mt-comments.cgi"
and I would google it.
I did this, and… holy smurf on a snowboard! My weblog appears in sixth position!!! Now
things are slowly falling into place. I think the first measure I will take is
to rename mt-comments.cgi to something different (how about vxtyzb.cgi?) and
I will patch my installation of Movable Type to use this new page. Hopefully, this
shouldn’t be too hard.
I have a few other ideas to make these bastards’ lives harder but it will be
for a next entry.
Update: I made the change. It’s a simple matter of modifying
mt.cfg, renaming the script and rebuilding the whole site. I am very happy
to report that if you click on the link shown by the google request above, it
will now 404. Yeah.
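The rename described in the update, as an added example that is not part of the post or of Movable Type: it generates an unguessable script name, rewrites the directive in mt.cfg and renames the CGI, refusing to overwrite an existing file. It assumes the mt.cfg directive is called `CommentScript` and ships commented out as `# CommentScript mt-comments.cgi`; check your own mt.cfg before relying on that. Rebuilding the site afterwards is left to Movable Type itself.

```python
"""Added example: point a Movable Type 2.x install at a renamed comment script."""
import os
import re
import secrets
import tempfile

# Assumption: mt.cfg names the comment script with a 'CommentScript' directive,
# present but commented out by default. Only spaces/tabs are allowed before it so
# the match never swallows blank lines above the directive.
_DIRECTIVE_RE = re.compile(r"^[ \t]*#?[ \t]*CommentScript\b[^\n]*$", re.MULTILINE)


def random_script_name(nbytes=6):
    """An unguessable, URL-safe .cgi name such as '8f1c0a9b3e2d.cgi'."""
    return secrets.token_hex(nbytes) + ".cgi"


def set_comment_script(cfg_text, new_name):
    """Return cfg_text with one active 'CommentScript <new_name>' line.

    Replaces the first existing (possibly commented-out) directive in place,
    or appends one if the file has none.
    """
    new_line = "CommentScript " + new_name
    if _DIRECTIVE_RE.search(cfg_text):
        return _DIRECTIVE_RE.sub(new_line, cfg_text, count=1)
    return cfg_text.rstrip("\n") + "\n" + new_line + "\n"


def rename_comment_script(mt_dir, new_name, old_name="mt-comments.cgi"):
    """Rename the CGI inside mt_dir and update mt.cfg; returns the new path."""
    old_path = os.path.join(mt_dir, old_name)
    new_path = os.path.join(mt_dir, new_name)
    cfg_path = os.path.join(mt_dir, "mt.cfg")
    if not os.path.isfile(old_path):
        raise FileNotFoundError(old_path)
    if os.path.exists(new_path):
        raise FileExistsError(new_path)  # never clobber an unrelated file
    with open(cfg_path) as f:
        cfg = f.read()
    with open(cfg_path, "w") as f:
        f.write(set_comment_script(cfg, new_name))
    os.rename(old_path, new_path)
    return new_path


def demo_in_tempdir(new_name="vxtyzb.cgi"):
    """Run the rename against a throwaway MT directory built on the fly.

    Returns (new mt.cfg text, old script still present?, new script present?).
    """
    with tempfile.TemporaryDirectory() as mt_dir:
        with open(os.path.join(mt_dir, "mt.cfg"), "w") as f:
            f.write("CGIPath http://myblog.example.org/mt/\n"
                    "# CommentScript mt-comments.cgi\n")
        with open(os.path.join(mt_dir, "mt-comments.cgi"), "w") as f:
            f.write("#!/usr/bin/perl\n")  # placeholder standing in for the real CGI
        rename_comment_script(mt_dir, new_name)
        with open(os.path.join(mt_dir, "mt.cfg")) as f:
            cfg = f.read()
        return (cfg,
                os.path.exists(os.path.join(mt_dir, "mt-comments.cgi")),
                os.path.exists(os.path.join(mt_dir, new_name)))


if __name__ == "__main__":
    cfg, old_left, new_there = demo_in_tempdir(random_script_name())
    print(cfg, old_left, new_there)
```

One caveat worth keeping in mind: after the rebuild every comment form on the site links to the new name, so it is only hidden from a crawler that has not yet re-indexed those pages. Keeping the script out of search results for good means also telling crawlers not to index it (a `robots.txt` Disallow on the CGI path, for instance), or the same Google query will eventually turn up the new name.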