BURNINGBIRD
a node at the edge  


October 29, 2002
Technology

Comment Spam Quick Fix

Both Sam Ruby and Phil Ringnalda had good advice -- don't spend a lot of time developing a solution to the comment spam problem. Whatever I can do within the form, it's a relatively simple matter for a spammer to read any form value and duplicate it in his spam blast.

I appreciate both their help in gently pointing out that I was spinning my wheels (but I have to get practice for ice driving).

So, here's a quick fix -- it will keep out the lightweights at least. It's a start as other efforts are underway.

This approach requires modifying the following MT templates:

Individual data entry
Comment Listing Template
Comment Preview Template
Comment Error Page

You'll be adding the following field, on the line before the </form> tag:

    <input type="hidden" name="snoop" value="goaway" />

You can change both the name and the value field, as long as you're consistent with the name throughout the templates and the code.

Next, open your mt-comments.cgi (or mt-comments.pl) file and add the following code just after the "use strict;" line:

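    use CGI qw(:standard);

    # Only check form submissions; other request methods pass through untouched.
    if ($ENV{'REQUEST_METHOD'} eq "POST") {
        # Read the hidden field added to the comment templates.
        my $data = param('snoop');

        # Abort if the field is missing or empty.
        die unless ($data);
    }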

Most everyone should have the CGI.pm Perl module installed. Make sure to change 'snoop' to whatever your little secret field is (let's all use different fields, to make the spammer's job a little tiny bit harder).

That's it.

What happens is that when you post a comment, the code checks for a form field named "snoop". If the field is missing or empty, the script dies. The check looks only at whether the field is present, not at its value. Nothing fancy at all. This will show in your error log or web log file as a premature end to the script. It doesn't prevent others from using the application, and doesn't crash anything.
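The check described above, as an added example (not code from the original post or from Movable Type): it runs the posted presence test and a stricter value comparison over a few constructed submissions. The helper names `presence_ok` and `value_ok` and the sample submissions are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Field name and value from the templates above; change both to your own.
my ($FIELD, $VALUE) = ('snoop', 'goaway');

# The check as posted: any true value in the field is accepted.
sub presence_ok {
    my ($q) = @_;
    return scalar($q->param($FIELD)) ? 1 : 0;
}

# Stricter variant (an assumption of this example, not part of the post):
# the field must also carry the value the templates put in the form.
sub value_ok {
    my ($q) = @_;
    my $got = $q->param($FIELD);
    return (defined $got && $got eq $VALUE) ? 1 : 0;
}

# Constructed submissions, built in memory so nothing is read from the network.
my @cases = (
    [ 'field missing',          { text => 'hello' } ],
    [ 'field empty',            { text => 'hello', $FIELD => '' } ],
    [ 'wrong value',            { text => 'hello', $FIELD => 'x' } ],
    [ 'value copied from form', { text => 'hello', $FIELD => $VALUE } ],
);

printf "%-24s %-10s %s\n", 'submission', 'as posted', 'value check';
for my $case (@cases) {
    my ($label, $params) = @$case;
    my $q = CGI->new($params);    # query object from a hash, no CGI environment needed
    printf "%-24s %-10s %s\n", $label,
        presence_ok($q) ? 'accept' : 'reject',
        value_ok($q)    ? 'accept' : 'reject';
}
```

A wrong value passes the posted check but fails the value comparison, while a value copied from the form passes both, which is the limitation Sam and Phil pointed out.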

Again, this isn't fancy, but it's a start. Holler if you have questions. If you're uncomfortable modifying mt-comments, let me know and I'll help you. If you have a better solution, or see problems with mine, please let me know.

Again -- thanks to Phil and Sam for advice, help, suggestions.

Update:

Mark has put together a nice re-cap on the whole comment spamming thing. What I just created is a 'club'. I'm going in for an interview tomorrow and when they ask me what was the last application I worked on, I'll answer "A club".



Posted by Bb at October 29, 2002 03:01 PM



Comments

Maybe you could try connecting SpamAssassin (spamassassin.org) to MT, they're both in Perl. I haven't seen any of the comment spam yet, but it's quite likely they're very similar to email spam. Maybe the webloggers should just look at the solutions that have been tried for email spam, and pick the best (which is probably SpamAssassin at the moment).

Posted by: Johannes on October 30, 2002 02:12 AM

