Update – I’ve gotten 8 more of these non-blacklistable comment spams since I made this post. Apparently my little random letter doohickey didn’t do the trick. I think I need to go ahead and upgrade to MT 3.2. In the meantime, I’ll be deleting comments. Argh.
I’ve been having a lot of comment spam slipping past MTBlacklist lately and the bummer is that most of it is non-blacklistable. If you have a blog, you’ve probably seen a lot of it too. Comments like this:
Interesting site, and very organized too. Good work. About a year ago I started: http://matrixsynth.com/blog/index.php/2005/09/06/exclusively_analogue_sequencer_on_the_ba_1 , hours drive from where
It’s been a long time since I so enjoyed reading posts in the net. Two thumbs up! Naked truth: http://www.andrewsblog.net/?p=40 , Extensive methods for this
These comments usually have a generic sounding and random name like Christopher Freeman, Thomas Davis, or Jacob Chapman. The email address is always a random first name at msn, gmail, or yahoo. And the link is always to a real blog entry at a real blog, like Marco’s Mint Review. I’m not sure if this is some backwards way of linking to sites that link to sites of linkspammers to increase google rank, or if they’re just trying to piss off people like me who are using off-the-shelf spam prevention measures. Either way, I’m pissed off.
I wanted to come up with a custom, but easy to set up/change spam blocking solution that didn’t require my visitors to go through some drawn-out authorization or a separate comment preview. My original idea was to have visitors type a random word. I figured somebody had to have already done this, so I Googled around and found this post. Their solution was simple. Look for the code in (mt cgi folder)/lib/MT/App/Comments.pm that validates whether the text field is populated and add another if statement that checks to see if a new text box contains the secret letter. That filled most of my requirements, but I wanted to have a question whose answer wasn’t hard-coded into the Comments.pm file, and I wanted a question that wasn’t static. I added a little PHP to my individual archive pages to generate a random letter:
// Pick a random index into the alphabet (0 to 25).
$spoon = mt_rand(0, 25);
$alphabetSoup = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
// The letter the visitor is asked to type.
$randomLetter = $alphabetSoup[$spoon];
I then added two new inputs to my comment form. One was the textbox for the user to enter a letter, and one was a hidden field, both with a value populated with $randomLetter. I know, I know…this isn’t so secure, but if it stops all comment spam for a week, I’ll be happy. When (if?) I do get comment spam again, I’ll be ready to change it again. Now that I’ve got this authentication built in, I can think of all kinds of fun ways to change it to throw off the commentspam engines. Until then…it’s late, Amy just finished her homework (Yes, she was working on homework till midnight on Sunday.), and I think we’re off to bed.
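An added example (not the post's code, and not part of Movable Type) that contrasts the hidden-field check described above with a variant whose hidden fields carry only an expiry time and an HMAC over the letter. `SECRET`, `TTL`, the field names and the function names are assumptions made for illustration.

```php
<?php
// Added example, not the post's code. SECRET, TTL and all function names are hypothetical.
const SECRET = 'replace-with-long-random-server-side-key'; // placeholder; never sent to the browser
const TTL = 900; // assumed lifetime of a challenge, in seconds

// Weak form, as described in the post: the hidden field carries the answer itself,
// so a client that copies the hidden value into the textbox always passes.
function weak_check(array $post): bool {
    $typed = $post['letter'] ?? null;
    $hidden = $post['expected'] ?? null;
    return is_string($typed) && is_string($hidden) && strtoupper($typed) === $hidden;
}

// Hardened form: the hidden fields carry an expiry and an HMAC over "letter|expiry".
function issue_challenge(?int $now = null): array {
    $letter = chr(ord('A') + random_int(0, 25));
    $expires = (string) (($now ?? time()) + TTL);
    $tag = hash_hmac('sha256', $letter . '|' . $expires, SECRET);
    return ['letter' => $letter, 'expires' => $expires, 'tag' => $tag]; // letter is only displayed
}

function strong_check(array $post, ?int $now = null): bool {
    foreach (['letter', 'expires', 'tag'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false; // missing field or array-valued input
        }
    }
    if (!ctype_digit($post['expires']) || (int) $post['expires'] < ($now ?? time())) {
        return false; // malformed or expired challenge
    }
    $expected = hash_hmac('sha256', strtoupper($post['letter']) . '|' . $post['expires'], SECRET);
    return hash_equals($expected, $post['tag']); // constant-time comparison
}

// Constructed submissions, with a fixed clock so the run is repeatable.
$c = issue_challenge(1000);
$ok = ['letter' => strtolower($c['letter']), 'expires' => $c['expires'], 'tag' => $c['tag']];
$wrong = ['letter' => $c['letter'] === 'A' ? 'B' : 'A'] + $ok;
$forged = ['tag' => str_repeat('0', 64)] + $ok;
var_dump(weak_check(['letter' => 'K', 'expected' => 'K'])); // echoing the hidden field passes
var_dump(strong_check($ok, 1000));
var_dump(strong_check($wrong, 1000));
var_dump(strong_check($forged, 1000));
var_dump(strong_check($ok, 1000 + TTL + 1));
```

A signed challenge can still be replayed until it expires unless used tags are recorded server-side, and the displayed letter stays readable to a bot written for this one form. The change only removes the shortcut of copying the answer out of the hidden field.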
Dude, Thomas Davis is my dad.
When I upgraded my blog, I didn’t reinstall the plugin for the catch graphic. I’m thinking I need to put it back in as I’m now getting lots of spam.
You may want to set tab order for your comments so the cursor stops at the “Please type the letter “letter”:” text box.
Oops! Good call Brian. 🙂 I fixed that…along with correcting the time on my comment preview box. I was just using the php date function to get the time, but Dreamhost is in California, so I had to adjust the time accordingly.
Your dad’s a link spammer!?!?! All that time playing racquetball with somebody and you think you know them. You can tell him I’ve thwarted his evil efforts and that even though he may continue to wage his war of terror, my resolve is strong, and the American people will not accept his WMD…er, comment spam.
Seeing the matrixsynth site in these spam comments is really scary. It’s the first site on which I found spam with MY blog linked in it. It almost looks like some sort of virus. Blogs get spammed first and later on they get spamvertised…
Incidentally, your silly letter hack looks a bit like a simplified version of my WP SpamQuiz plugin 😉
Die spammers, die!!!
Did you think of using a captcha?
I thought about using MT-Scode. Call me insane, but I think captchas are ugly. I definitely think they have their place in bulletin boards and email signups, but I don’t think spamvertising (thanks for the new word Marco) is high priority enough for people to customize their bots per site. And if it is, I’ll change it up and waste their time as much as they’ve wasted mine.
One of my dreams is to find some time and convert SpamBayes into a web service, and then people could make some plugins to use it in whatever blog engine they run. Then we could have nice adaptive spam filters without captchas or anything.
It would rock to set up a centralized spam-filterer that applies every available anti-spam technique on the planet while being self-learning. It would then quite quickly learn the pattern of this spam too (it does use recurring patterns).
I’ve been thinking about setting up such a service, heck, I can do it, I’m sure. It will just take HUGE amounts of resources which I unfortunately don’t have. Anyone out there with an enormous pipe (bandwidth) and some spare servers who wants to set up a nice community service? 😉
That would be cool, but this new comment spam defies the laws of Spam. It’s seemingly real. I can’t believe I’m already getting spam again.