January 26, 2004

Major spam attack

I have just been the target of a massive spam comment attack. In the night of January 23rd, my weblog received about two hundred and fifty (250!) spam comments. The sheer size of it is not the only thing that worries me: it's the way it was done. Usually, MT-Blacklist makes it trivial to get rid of such spam and it also allows you to despam your weblog retroactively (i.e. not just the comment that was just posted and for which you just received an email notification). The problem in this particular attack is that these 250 comments
This last point is the reason why MT-Blacklist was a little less effective at getting rid of that spam than it usually is, since MT-Blacklist despams based on the URL of the poster or its IP address (most of the time useless). Ideally, I would have liked MT-Blacklist to have an option "Add the websites contained in the last 250 comments to my blacklist and despam my entire weblog", but since this is not supported, I had to do some manual work. Basically, I went through my Inbox and blacklisted the domains one by one. Once I thought I had found most of them (going through 30-40 emails), I asked MT-Blacklist to despam my entire weblog. Then I repeated this procedure until the last comment posted on my welcome page was a legitimate comment again. Total time, about a half hour. Not too bad.

Now, all this made me think a little bit about the spam comment phenomenon. Obviously, the blacklist method will not scale for much longer, so how could I stop the problem at its source: preventing spammers from posting in the first place? This is obviously impossible, so maybe I could push the reasoning one step further and make sure they don't find my weblog in the first place...

The question now is: how did they find my weblog? If I were a spammer and I were looking for weblogs to comment, I would start by determining what seems to be the de facto weblogging software. Movable Type is an easy choice. Then I would take a look at the source and find how comments are posted. I would quickly find out that the main entry point is called "mt-comments.cgi" and I would google it. So I did this, and... holy smurf on a snowboard! My weblog appears in sixth position!!!

Now things are slowly falling into place. I think the first measure I will take is to rename mt-comments.cgi to something different (how about vxtyzb.cgi?) and I will patch my installation of Movable Type to use this new page. Hopefully, this shouldn't be too hard.
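The bulk option wished for above ("Add the websites contained in the last 250 comments to my blacklist and despam my entire weblog") could work as sketched here. This is an added example, not MT-Blacklist code or anything from the original post: the comment fields (id, url, body), the allowlist parameter and the sample data are assumptions, and hosts are collapsed to their last two labels without a public-suffix list.

```python
import re
from urllib.parse import urlsplit

# Stops at whitespace, quotes and the brackets used by [URL=...] markup.
URL_RE = re.compile(r"https?://[^\s\]\[<>\"']+", re.I)

def site_of(url):
    """Collapse a URL to its last two host labels (naive: no public-suffix list)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""

def sites_in(comment):
    """Every site a comment links to, from its body and its author URL field."""
    urls = URL_RE.findall(comment["body"])
    if comment.get("url"):
        urls.append(comment["url"])
    return {s for s in map(site_of, urls) if s}

def build_blacklist(comments, last_n, allowlist=()):
    """Sites linked from the newest last_n comments, minus sites never to block."""
    newest = sorted(comments, key=lambda c: c["id"])[-last_n:]
    found = set().union(*(sites_in(c) for c in newest))
    # The allowlist stops a spammer from getting a legitimate site blocked
    # simply by linking to it inside a spam comment.
    return found - set(allowlist)

def despam(comments, blacklist):
    """Split the whole comment table into (kept, removed) by linked site."""
    kept, removed = [], []
    for c in comments:
        (removed if sites_in(c) & blacklist else kept).append(c)
    return kept, removed

# Constructed sample data: ids 1-2 are older, ids 3-5 arrived during the flood.
COMMENTS = [
    {"id": 1, "url": "http://example.org/~alice", "body": "Nice write-up."},
    {"id": 2, "url": "", "body": "cheap pills http://a.spam-one.example/x.html"},
    {"id": 3, "url": "http://b.spam-one.example/", "body": "great site"},
    {"id": 4, "url": "", "body": "[URL= http://c.spam-two.example/i.html ]x[/URL] "
                                 "see also http://example.org/"},
    {"id": 5, "url": "", "body": "visit HTTP://WWW.SPAM-TWO.EXAMPLE/deal"},
]

def demo():
    bl = build_blacklist(COMMENTS, last_n=3, allowlist={"example.org"})
    kept, removed = despam(COMMENTS, bl)
    return sorted(bl), [c["id"] for c in kept], [c["id"] for c in removed]

if __name__ == "__main__":
    print(demo())
```

Comment 2 predates the flood but links to a site harvested from it, so the sweep removes it retroactively, while comment 1 survives because its only link is on the allowlist.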
I have a few other ideas to make these bastards' lives harder but it will be for a next entry.

Update: I made the change. It's a simple matter of modifying mt.cfg, renaming the script and rebuilding the whole site. I am very happy to report that if you click on the link shown by the google request above, it will now 404. Yeah.

Comments

Wouldn't it be nice if comments were simply moderated? My blog already emails me when someone comments. If I get time, I'm going to change the code for my blog (open source blog software) to where it emails me, but doesn't post the comment until I approve it. The email could come with three links:

No benefit to a spammer if his comment never ends up on my website.

Posted by: Dan Martin at January 26, 2004 01:45 PM

I think it is possible to stop this kind of comment spamming! What to do is to use the same method PayPal is using to stop bots from signing up. What they do is to present an image with a blurred and skewed number on it, and ask the user to type in that number. Only humans can do that, so it would stop bots.

Posted by: Mats Henricson at January 27, 2004 12:19 AM

"Only humans can do that"

This reminds me of the old definition of AI: AI is "What computers still can't do"

We're doomed :)

Posted by: Santiago Gala at January 27, 2004 02:58 AM

Mats, MT can already do that... the only problem is, there are wider usability implications which put a lot of people off employing the mechanism.

Posted by: Ben Poole at January 27, 2004 04:22 AM

Only humans can do that, so it would stop bots... and visually impaired people, people using text browsers (me, part of the time), people using mobile browsers on a tight bandwidth budget who disabled image downloads...

I like Dan's suggestion, but I think it just doesn't scale... Cedric would have received 250 e-mails which he would have to either select "Reject and Blacklist" or ignore. But still, that's 250 e-mails...

Posted by: Carlos Villela at January 27, 2004 04:57 AM

I wish I could feel sympathetic, but I've had many many days where my various email accounts get spammed with 250 messages per hour, even after spam filters are in place (to be fair, that includes some mailing lists I moderate that require manual attention to avoid false positives).

I would feel very relieved to have 250 messages/day have happened only once (but, hasn't happened, because at the moment I'm not a blogger :-).

Craig McClanahan

Posted by: Craig McClanahan at January 27, 2004 11:27 PM

Thanks so much for posting this -- I had the same problem, not with visible spam per se, but with literally hundreds of attempts to execute mt-comments.cgi in the space of just a few minutes ... and your idea of renaming the file was just what the doctor ordered. Your tips for how to do so were also extremely helpful!

Posted by: Brendan Loy at September 5, 2004 06:56 PM

I forgot to mention the part of my story that makes it a truly tragic tale, namely, that my webserver actually shut down my entire site for "abuse of server resources" because of the spam attacks! (Or whatever they were.) So it wasn't just an inconvenience, it was absolutely necessary in my case that I find a way to stop the attacks... so yeah. Thanks again!

Posted by: Brendan at September 5, 2004 06:59 PM

Yes! Nice blog for all.

Posted by: brickred.com . at June 23, 2005 11:50 PM

Hi, I have the same problem and I have to install mt-blacklist! It’s a great comment-spam-filter? I use it for weeks and am perfectly happy with it.

Posted by: giełda samochodowa at August 21, 2005 10:17 PM

aaaaaa

Posted by: nieruchomości at March 9, 2006 04:46 AM

I use MT Blacklist. I use the "All" criteria at the top of the Despam results page to list the last 50-200 posts (all selected for deletion by default) and then untick the comments which are legit. This is a great approach for the bulk spamodes as you can then import all the urls from all the posts at the same time.

Meanwhile, I'm renaming my mt-comments.cgi file...

Posted by: .carla at June 19, 2006 04:40 AM

Interesting information.

Posted by: avandia lawsuit at August 31, 2006 09:19 PM

Over worked and too little fun, need a vacation in the Caribbean, think I'll go to Charlisangels escort resorts in Dominican Republic.

Posted by: Erick at November 30, 2007 04:31 PM