August 16, 2004
Less Comment Spam
The MT-Bayesian module has been doing a great job of stopping spam comments from getting onto my blog, but I still have to delete them. Although they aren't displayed, they're still counted in the four most recent comments on the main page and, until deleted, they oust real comments from the main page.
So, following this top tip from Mr. Sevitz, I've added a new question to the comments box, which must be answered (one way or the other...)
I'm assuming that the spammers aren't going to bother working out how to get round it for me, and will just move on to the next blog on their list - the good old security through obscurity ploy. We'll see how it goes.
Update: I've just tweaked the initial detection in mt-comments.cgi because some of the spammers use GET rather than POST, so my mt-comments.cgi has this at the start...
# $Id: mt-comments.cgi,v 1.34 2003/02/12 01:05:31 btrott Exp $
use strict;
#### AMc - Start of hack to reduce comment spam
use CGI qw(:standard);
# A submitted comment always carries the 'text' field, whether it arrives by
# POST or GET, so that field (not the request method) marks a comment submission.
if ( defined(param('text')) ) {
    # The new question added to the comments form; which answer was given
    # doesn't matter, only that one was given.
    my $data = param('<insert new form parameter here>');
    # Refuse the comment unless the question was answered and the browser sent
    # a Referer header (the spammers seen so far don't send one).
    die unless( ($data) && defined($ENV{'HTTP_REFERER'}) );
}
#### End of hack
my($MT_DIR);
BEGIN {
# ... the rest of the stock mt-comments.cgi continues unchanged from here
Update #2: I suspect 'bakecookie' isn't the best form field to use, as I've just got two more spam comments, but as both were POSTs I can't see exactly what parameters were passed in. Now updated to use the presence of 'text' form field as an indicator of a submitted comment (seeing as comment spam isn't much use without that field). We'll see.
Update #3: Another few spams got through today (although 30-odd didn't) as they're parsing the comments form. Most of them at least have the honesty to pick "Yes" on the "Are you a spammer" question, presumably because it's the first answer they find. I did think about disallowing comments from people who say they're a spammer, but decided that the lack of a referrer URL was a better solution. I've updated the script above to include the referrer check. I still haven't renamed mt-comments.cgi, but that's just 'cos it'll require checking everywhere it's referenced, so I've gone for the quicker fix. When the spammers start sending a referrer URL, I'll take the trouble to do it.
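As an added example (not code from the post), here are the two versions of the gate re-implemented in Python so the bypasses reported in the comments can be replayed against each. The question field is named 'spammer' as a placeholder, since the post deliberately doesn't give its name, and the sample requests and URL are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

QUESTION_FIELD = "spammer"   # placeholder for the blog's unnamed new form question


def perl_true(value: Optional[str]) -> bool:
    """Mimic Perl truthiness for `die unless($data)`: undef, '' and '0' are false."""
    return value is not None and value not in ("", "0")


@dataclass
class Request:
    method: str                      # "GET" or "POST"
    params: Dict[str, str]           # form fields as CGI.pm's param() sees them
    referer: Optional[str] = None    # $ENV{'HTTP_REFERER'}, None when absent


def gate_v1(req: Request) -> bool:
    """First version: only POSTs carrying 'bakecookie' were inspected. True = accept."""
    if req.method != "POST" or "bakecookie" not in req.params:
        return True                  # anything else was never looked at
    return perl_true(req.params.get(QUESTION_FIELD))


def gate_final(req: Request) -> bool:
    """Updates #2/#3: any request carrying 'text' is a comment submission, whatever
    the method, and must answer the question and send a Referer. True = accept."""
    if "text" not in req.params:
        return True                  # not a comment; leave it to Movable Type
    return perl_true(req.params.get(QUESTION_FIELD)) and req.referer is not None


# Constructed sample requests modelled on the cases reported in the comments.
BLOG = "http://example.test/2004/08/less_comment_spam.html"   # constructed URL
REAL_COMMENT = Request("POST", {"text": "Nice post", "bakecookie": "1",
                                QUESTION_FIELD: "No"}, referer=BLOG)
GET_SPAM = Request("GET", {"text": "buy stuff"})                 # GET instead of POST
POST_NO_BAKECOOKIE = Request("POST", {"text": "buy stuff"}, referer=BLOG)
DEFAULTS_COPIED = Request("POST", {"text": "buy stuff", "bakecookie": "1",
                                   QUESTION_FIELD: "No"}, referer=BLOG)  # form default copied
NO_REFERER = Request("POST", {"text": "buy stuff", QUESTION_FIELD: "Yes"})

if __name__ == "__main__":
    for name, req in [("real", REAL_COMMENT), ("get", GET_SPAM), ("no bakecookie", POST_NO_BAKECOOKIE),
                      ("defaults copied", DEFAULTS_COPIED), ("no referer", NO_REFERER)]:
        print(f"{name:16s} v1={gate_v1(req)!s:5s} final={gate_final(req)}")
```

DEFAULTS_COPIED passes both gates: a pre-selected answer gets copied along with the rest of the form, which is why that hole was closed by removing the default in the HTML rather than by changing the script.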
Update #4: Elise has an excellent introduction to comment spam including further counter-measures.
Posted by Adrian at August 16, 2004 10:43 AM
Spammers must die.
Posted by: Adrian at August 16, 2004 10:47 AM

Glad you like my tip.
However you have a few bugs.
1. You can select both yes and no for your "are you a spammer" question.
2. If you say that you are a spammer your error message reads
Your comment submission failed for the following reasons:
Your comment has been posted.
Which contradicts itself.
Posted by: Adrian at August 16, 2004 10:49 AM

And if you can see this, I've not broken anything :-)

Posted by: Adrian at August 16, 2004 10:50 AM

Glad you like my tip.
However you have a few bugs.
1. You can select both yes and no for your "are you a spammer" question.
2. If you say that you are a spammer your error message reads
Your comment submission failed for the following reasons:
Your comment has been posted.
Which contradicts itself.
Posted by: Adrian at August 16, 2004 10:52 AM

Oh and you have another bug where if you say no to "are you a spammer" it fails. I think you have your boolean logic the wrong way round.

Posted by: Adrian at August 16, 2004 10:54 AM

Oh and can you delete that first comment, I was just testing your error message.

Posted by: Adrian at August 16, 2004 10:55 AM

Oh and you might want to change your comment script name from mt-comments.cgi to mt-anythingelse.cgi as it makes the spammers' life harder too.

Posted by: Adrian at August 16, 2004 10:56 AM

Only I did break it. Hopefully it's fixed now.

Posted by: Adrian at August 16, 2004 10:57 AM

Yep, it's fixed.

Posted by: Adrian at August 16, 2004 11:00 AM

No it's not, still broken.

Posted by: Adrian at August 16, 2004 11:02 AM

Actually I stand corrected. It's half fixed.
Your error message on "Are you a spammer - Yes" is still confusing.
Posted by: Adrian at August 16, 2004 11:02 AM

Ah, the perils of doing development on a live system :-) I decided not to confuse people with strange comments to old posts, and so wrote the explanation post first so I could test on that. Only I'd made a stupid error in the HTML form, so with my first comment I already knew that the non-spammer bit was broken, and that the I'm-a-spammer bit gave me a confusing error message. Most of it is now fixed, although I need to understand a bit more about what I'm hacking to fix the I'm-a-spammer message...
And Adrian, MT-Bayesian had decided that half your comments were spam, which is why they've suddenly appeared.
Adrian.
p.s. I've not been talking to myself, Mr. Sevitz is just continuing his campaign to steal my name ;-)
Posted by: Adrian at August 16, 2004 11:13 AM

See this is why I don't use black lists. They just don't work accurately enough.

Posted by: Adrian Sevitz no Adrian McEwen at August 16, 2004 11:21 AM

And then, of course, MT-Bayesian thought my last comment was spam. This is to test whether the I'm-a-spammer error page isn't as confusing (although it's rather basic).
It also seems that the comment spammers aren't as clueless as I'd assumed, as one spam comment has come in since I added this feature...
Posted by: Adrian at August 16, 2004 11:36 AM

You'll still get spam, but I've gone from 3 a day with 300 on the odd days to 5 a week.

Posted by: Adrian Sevitz no Adrian McEwen at August 16, 2004 06:10 PM

Removing the default answer in the "Are you a spammer" bit seems to have helped - there were two spam comments which just copied the defaults over from the comments page and got through, but since I removed the default selection of "No" there've been 16 attempts but none successful (although the 16 may include retries because things weren't successful).
I'll see how things go, and the next step will probably be script name as you suggested, and also checking for a referrer URL - the spammers I've noticed don't seem to provide one, although that would be pretty easy to get round.
Posted by: Adrian at August 16, 2004 06:43 PM

Just got my first spam since removing the default option for the "Are you a spammer". All my work circumvented because they used GET rather than POST...

Posted by: Adrian at August 17, 2004 09:21 AM

And now the first POST comments get straight past my new scheme, I'm guessing 'bakecookie' isn't the best form field to look for :-)

Posted by: Adrian at August 17, 2004 11:45 AM

Well, five or six spams through this morning. Time to extend things to the referrer URL too methinks.
Posted by: Adrian at August 18, 2004 10:41 AM