August 16, 2004

Less Comment Spam

The MT-Bayesian module has been doing a great job of stopping spam comments from getting onto my blog, but I still have to delete them. Although they aren't displayed, they're still counted in the four most recent comments on the main page and, until deleted, they oust real comments from the main page.

So, following this top tip from Mr. Sevitz, I've added a new question to the comments box, which must be answered (one way or the other...)

I'm assuming that the spammers aren't going to bother working out how to get round it for me, and will just move onto the next blog on their list - the good old security through obscurity ploy. We'll see how it goes.

Update: I've just tweaked the initial detection in mt-comments.cgi because some of the spammers use GET rather than POST, so my mt-comments.cgi has this at the start...


# $Id: mt-comments.cgi,v 1.34 2003/02/12 01:05:31 btrott Exp $
use strict;

#### AMc - Start of hack to reduce comment spam
use CGI qw(:standard);

# param() reads GET and POST alike, so spammers who switch to GET are caught too.
# Only a submitted comment carries the 'text' field, so only then do we check.
if ( defined(param('text')) ) {
    # The new yes/no question on the comments form must have been given a true
    # value, and a referrer URL must have been sent (a browser posting the form
    # always sends one; the spam seen so far hasn't).
    my $data = param('<insert new form parameter here>');
    die unless( ($data) && defined($ENV{'HTTP_REFERER'}) );
}
#### End of hack

my($MT_DIR);
BEGIN {

Update #2: I suspect 'bakecookie' isn't the best form field to use, as I've just got two more spam comments, but as both were POSTs I can't see exactly what parameters were passed in. Now updated to use the presence of 'text' form field as an indicator of a submitted comment (seeing as comment spam isn't much use without that field). We'll see.

Update #3: Another few spams got through today (although 30-odd didn't) as they're parsing the comments form. Most of them at least have the honesty to pick "Yes" on the "Are you a spammer" question, presumably because it's the first answer they find. I did think about disallowing comments from people who say they're a spammer, but decided that the lack of a referrer URL was a better solution. I've updated the script above to include the referrer check. I still haven't renamed mt-comments.cgi, but that's just 'cos it'll require checking everywhere it's referenced, so I've gone for the quicker fix. When the spammers start sending a referrer URL, I'll take the trouble to do it.

Update #4: Elise has an excellent introduction to comment spam including further counter-measures.
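The checks from the updates above (a comment is recognised by its 'text' field, the yes/no question must be answered the right way, a referrer must be present), gathered into one function that can be run offline, as an added example rather than the mt-comments.cgi hack from the post. The field name 'spammer', the hostname blog.example.org and the sample requests are assumptions constructed for the example, and checking the referrer's host goes one step beyond the post's presence check; it needs the CGI.pm module (core Perl at the time, CPAN today).

```perl
#!/usr/bin/perl
# Added example, not the hack from the post: the post's checks gathered into
# one function that can be exercised offline. Assumptions (not from the post):
# the question field is named 'spammer' and the blog's host is blog.example.org.
use strict;
use warnings;
use CGI;

my $SITE_HOST = 'blog.example.org';   # assumed own hostname
$CGI::LIST_CONTEXT_WARN = 0;          # CGI.pm >= 4.08 warns on list-context param()

# Returns undef if the request may go on to post a comment, or a short reason
# for rejecting it. $q is a CGI object; $env is a hash ref of the CGI
# environment, passed in so the function can be tested without a web server.
sub comment_spam_reason {
    my ($q, $env) = @_;
    # Only a real submission carries 'text' (Update #2); anything else is left alone.
    return undef unless defined $q->param('text');

    # param() reads GET and POST alike, so switching method buys nothing (Update #1).
    # List context returns every value, which catches "both yes and no" ticked.
    my @answers = $q->param('spammer');
    return 'question unanswered'       if @answers == 0;
    return 'question answered twice'   if @answers > 1;
    return 'admits to being a spammer' unless $answers[0] eq 'no';

    # A browser submitting the form sends its URL as referrer; the spam in the
    # post sent none (Update #3). Checking the host is an extension of that idea.
    my $ref = $env->{HTTP_REFERER};
    return 'no referrer' unless defined $ref && length $ref;
    my ($host) = $ref =~ m{^https?://([^/:?#]+)}i;
    return 'foreign referrer' unless defined $host && lc($host) eq $SITE_HOST;

    return undef;   # looks like a genuine comment
}

# Constructed sample requests (as query strings) and environments.
my %from_site = (HTTP_REFERER => "http://$SITE_HOST/2004/08/less_comment_spam.html");
my @cases = (
    ['text=Nice+post&spammer=no',             \%from_site],
    ['text=buy+pills&spammer=no',             {}],             # GET bot, no referrer
    ['text=buy+pills&spammer=yes',            \%from_site],    # picked the first answer
    ['text=buy+pills&spammer=yes&spammer=no', \%from_site],    # both boxes ticked
    ['text=buy+pills&spammer=no', {HTTP_REFERER => 'http://spam.example/'}],
);
for my $c (@cases) {
    my $reason = comment_spam_reason(CGI->new($c->[0]), $c->[1]);
    printf "%-40s -> %s\n", $c->[0], defined $reason ? "reject: $reason" : 'accept';
}
```

Only the first sample request is accepted; the other four are rejected with the reason the comment beside each one describes.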

Posted by Adrian at August 16, 2004 10:43 AM

Comments

Spammers must die.

Posted by: Adrian at August 16, 2004 10:47 AM

Glad you like my tip.

However you have a few bugs.

1. You can select both yes and no for your "are you a spammer" question.
2. If you say that you are a spammer, your error message reads

Your comment submission failed for the following reasons:

Your comment has been posted.

Which contradicts itself.

Posted by: Adrian at August 16, 2004 10:49 AM

And if you can see this, I've not broken anything :-)

Posted by: Adrian at August 16, 2004 10:50 AM

Glad you like my tip.

However you have a few bugs.

1. You can select both yes and no for your "are you a spammer" question.
2. If you say that you are a spammer, your error message reads

Your comment submission failed for the following reasons:

Your comment has been posted.

Which contradicts itself.

Posted by: Adrian at August 16, 2004 10:52 AM

Oh and you have another bug where if you say no to are you a spammer it fails. I think you have your boolean logic the wrong way round.

Posted by: Adrian at August 16, 2004 10:54 AM

Oh and can you delete that first comment, I was just testing your error message.

Posted by: Adrian at August 16, 2004 10:55 AM

Oh and you might want to change your comment script name from mt-comments.cgi to mt-anythingelse.cgi as it makes the spammers' life harder too.

Posted by: Adrian at August 16, 2004 10:56 AM

Only I did break it. Hopefully it's fixed now.

Posted by: Adrian at August 16, 2004 10:57 AM

Yep, it's fixed.

Posted by: Adrian at August 16, 2004 11:00 AM

No it's not, still broken.

Posted by: Adrian at August 16, 2004 11:02 AM

Actually I stand corrected. It's half fixed.

Your error message on "Are you a spammer - Yes" is still confusing.

Posted by: Adrian at August 16, 2004 11:02 AM

Ah, the perils of doing development on a live system :-) I decided not to confuse people with strange comments to old posts, and so wrote the explanation post first so I could test on that. Only I'd made a stupid error in the HTML form, so with my first comment I already knew that the non-spammer bit was broken, and that the I'm-a-spammer bit gave me a confusing error message. Most of it now fixed, although I need to understand a bit more about what I'm hacking to fix the I'm-a-spammer message...

And Adrian, MT-Bayesian had decided that half your comments were spam, which is why they've suddenly appeared.

Adrian.

p.s. I've not been talking to myself, Mr. Sevitz is just continuing his campaign to steal my name ;-)

Posted by: Adrian at August 16, 2004 11:13 AM

See this is why I don't use black lists. They just don't work accurately enough.

Posted by: Adrian Sevitz no Adrian McEwen at August 16, 2004 11:21 AM

And then, of course, MT-Bayesian thought my last comment was spam. This is to test whether the I'm-a-spammer error page isn't as confusing (although it's rather basic).

It also seems that the comment spammers aren't as clueless as I'd assumed, as one spam comment has come in since I added this feature...

Posted by: Adrian at August 16, 2004 11:36 AM

You'll still get spam, but I've gone from 3 a day with 300 on the odd days to 5 a week.

Posted by: Adrian Sevitz no Adrian McEwen at August 16, 2004 06:10 PM

Removing the default answer in the "Are you a spammer" bit seems to have helped - there were two spam comments which just copied the defaults over from the comments page and got through, but since I removed the default selection of "No" there've been 16 attempts but none successfully (although the 16 may include retries because things weren't successful).

I'll see how things go, and the next step will probably be script name as you suggested, and also checking for a referrer URL - the spammers I've noticed don't seem to provide one, although that would be pretty easy to get round.

Posted by: Adrian at August 16, 2004 06:43 PM

Just got my first spam since removing the default option for the "Are you a spammer". All my work circumvented because they used GET rather than POST...

Posted by: Adrian at August 17, 2004 09:21 AM

And now the first POST comments get straight past my new scheme, I'm guessing 'bakecookie' isn't the best form field to look for :-)

Posted by: Adrian at August 17, 2004 11:45 AM

Well, five or six spams through this morning. Time to extend things to the referrer URL too, methinks.

Posted by: Adrian at August 18, 2004 10:41 AM