
MT Comment Spam

January 12, 2004

So let’s say you run a reasonably popular weblog that’s open to comments from anyone and everyone. Let’s also say in the same breath that you don’t necessarily believe that turning off comments on older entries is a good way of squashing the comment spam problem, though it is terribly effective. For the sake of completeness, let’s also say that you’ve bought into the idea that blacklists are inherently flawed, a losing proposition, and so you haven’t bothered using them.

But let’s also say that you have received a proportionately infinitesimal volume of spam despite it all, given how attractive a target your weblog must be.

What gives?

Well, I was going to tell you about the two days of battling spam I had this weekend. I was going to tell you how, by keeping on top of it, you could have eliminated the need for things like Blacklists and such. I was going to cover how spammers use Google to find open targets, and by reducing your spam profile you could have used other people’s lack of security as a buffer to protect yourself.

But then I saw this (thanks Mark) and I realized that all bets are off. This is the same thing that happened to me this weekend. The free ride is over. Comments on older posts are getting turned off today, and comments on future posts will be scattered and available only for a short time. It was fun while it lasted.

I don’t like it, but that’s the sound of inevitability.

update: Six Apart released MT 2.66 on 01/14/04, which introduces new measures to combat comment spam.


Reader Comments

Jeff Walden says:
January 12, 01h

> MT’s default comment form doesn’t validate under XHTML Strict (‘name’ attributes not allowed in form tags).

Which XHTML? One site I administer validates with the name attribute in input tags (it’s XHTML 1.0 Strict). In fact, removing the name attribute breaks it because browsers don’t send the id attribute with the data, they send the name attribute.

Geof says:
January 12, 01h

My logware of choice now has comment moderation, but then the burden goes to the administrator in approving comments made.

I have advocated the platform-independent “register for a commenting handle” idea before, but I don’t know how that doesn’t scale without some serious bank behind it … and if Google did it, the tin-hats of the blogosphere would shit a brick.

I miss the bad old days when GreyMatter disabled comments after the entry slipped off the front page of your log. I really like the idea of disabling comments after N days–if folks really want to comment a year later, let ‘em send you an email.

travis says:
January 12, 01h

I maintain a very boring little personal blog that only a few of my friends and family bother to read, yet I’ve been the victim of plenty of comment spam. How I fought it was to introduce a robots.txt that denied requests from all. This may not be good for sites that want to be shown on Google, but I haven’t gotten a spam comment on any entries made since I implemented the robots.txt

This might be useful information to people trying to fight comments spam.

patricia says:
January 12, 02h

i went through a period where i was getting spam every day. i went the closing comments route. because i don’t get a ton of visitors and old entries don’t usually get comments anyway. i also changed the name of the comments form. that’s helped some. i’ve seen referrals from search engines looking for the mt-comments.cgi and all they get is my 404 page.

i still get some now and again, but i don’t think it’s from a spam bot.

Greg says:
January 12, 02h

Good idea, it won’t harm too much but will help a lot to keep posts clean.

Matt says:
January 12, 04h

I SWEAR I wrote this and posted it already, but here we go again.

All in all, this is a very sad development. It pains me to see comments or entire weblogs driven away by spammers. How I address this problem now is an optional moderation, which I toggle occasionally. The moderation allows me to approve comments before they are posted. I can also approve/delete through one click from the notification email or do a bunch at a time online. The next step is to allow most comments through but only hold comments for moderation that have spam keywords or some other trigger.

January 12, 05h

My tiny tiny blog that gets very few hits or comments - I’m something like 150:100 posts:comments - has been deluged lately as well… 15 spam posts in the last few days. It’s getting pretty ridiculous. Some of them aren’t even attempts to raise google ratings, they’re just idiotic, like one saying ‘nice photo’ in reply to an entry without a photo.

The best part of all is that my comments don’t display e-mail addresses or website URLs, so it’s even more pointless.

Dris says:
January 12, 05h

I’ve come up with a proposal that could help curb spam on blogs:
http://dris.dyndns.org:8080/permalink.html?id=437

I don’t know how well it would work, but it would have to be widely used to be effective.

Jon J says:
January 12, 08h

I merely skimmed the comments, so forgive me if I’m repeating someone else.

I recently posted about the same problem and someone was kind enough to point me to this plugin for MT:

http://mt-plugins.org/archives/entry/bayesian.php

Haven’t had time to try it out, but from what I read, it looks pretty promising…

Dris says:
January 12, 09h

I’ve put a little more thought into this whole thing, and here’s what came out.

Because the reason for this spam is PageRank for the spammers’ clients, Google really ought to come forward with a solution. They aren’t to blame for the spam, by no means, and I really like the company. But, as the world’s most popular search engine, and with such influence, they have the responsibility to make sure their technology doesn’t cause problems for the web it depends on.

Saying that, here’s what I would suggest if I were a Google insider.

Long ago, search engines used meta tags to index web pages. Unfortunately, these were abused, so most search engines don’t take them into account. However, the reason the tags could be abused was because they were a means of *boosting* their search rank by telling robots what to index. What we need is something that does the opposite, telling search engines what *not* to index. I proposed a possible way to do that in the link on my last comment.

The gist of it is that you would surround your comments with some sort of identifier, thus telling indexing robots that the information shouldn’t be indexed.

However, Dave pointed out (in the comments at that link) that telling search engines not to index your comments would mean they wouldn’t be part of legitimate search queries. I too can attest to the fact that blog comments often have very good information, and that wouldn’t be desirable.

We could have something telling robots to index the content but not the links. That way, spammers wouldn’t improve their PageRank, and searchers would still find comments among their search results. However, I can’t see how that would be a general standard, due to the fact that link indexing isn’t used by all search engines (at least, not the same way Google does it).

So, perhaps Google could come forward with a way to let its bot know that certain content shouldn’t be considered for PageRank linkage. Or, perhaps the bot could simply rate links in the section lower than the website’s actual PageRank, as opposed to not indexing them at all.

Whatever the case, if a solution is to be had, Google will certainly have to play a key role in it (and perhaps in coming up with it).

All that said, I think the best way to keep spam from gaining PageRank is the redirect script mentioned earlier. The only problem is, not everyone’s blog has means of using such a script (though since MovableType is dominant and is server-side, the majority of blogs should be able to employ one). Some of those who do may not have the knowledge to put one forth.

Perhaps someone should write a MovableType plugin that automatically turns comment links over to the redirect script. That would make it easy for non-technical MT users to use. If a good number of blogs use it, there will no longer be a profit in comment spam because there will be no more PageRank to gain from it.

Of course, by “a good number of blogs”, I mean almost every MT-powered blog out there. If the majority of a spammer’s hit list still has unprotected comments, those with the plugin will still get spam.

Perhaps Six Apart would consider putting the plugin into the default package…

Besides all that, whether the spam stops or not, it’s good to make sure that at least *your* site isn’t giving out spam PageRank.

Whew… Sorry, that was kind of long and meandering… I’ll continue to think about this, and hopefully come up with something feasible.

Jeff says:
January 12, 09h

Movable Type seems to be easy to spam… you’re not the only one with this particular problem…

AkaXakA says:
January 12, 09h

Oh my word. Automated blog spamming…but just for MT (for now).

I bet that’s another reason to move over to another cms…

But still, couldn’t someone write an anti-MTspam plugin? Doesn’t the auto-spam have some way to be identified, a certain watermark or anything?

Michael R. Havard says:
January 12, 09h

That’s the problem with popularity. Once your tool reaches a certain level of acceptance it becomes a target for others to use/abuse. Switching to another CMS might work for awhile until that CMS becomes popular or some jerk-off finds a way to make a more generic blog spammer that encompasses many CMS/blogger tools.

zlog says:
January 12, 10h

What ever happened to the ‘not displaying the posters url/not auto-linking urls’ method? It may not be ideal but it’s a far greater method than just turning comments off.

Josh says:
January 12, 10h

I think the best route would be to develop a MT plugin that asked a simple question (as opposed to using an obfuscated image). It doesn’t even have to be a facts database, per se (“What is three times five?”).

Hrm. Perhaps it’s time for me to learn Perl.

Dave S. says:
January 12, 10h

zlog – I wouldn’t leave it to spammers to be so discerning. It’s not worth the effort to spam a site that’s turned off comment poster’s URLs if you’re doing it by hand, but if you’re using automated software who cares? Obviously as the site owner I do, but it’s not like I have a say in this.

Jesper says:
January 12, 10h

Josh: wow. That’s a terrific idea. I am reminded of a quote by Zaphod Beeblebrox from The Hitchhiker’s Guide to the Galaxy:

“That is really amazing,” he said. “That really is truly amazing. That is so amazingly amazing I think I’d like to steal it.”

And I will, if you won’t mind. ;)

zlog says:
January 12, 10h

Dave: You have a point.

Wouldn’t spammers waste (ermm use?) resources in a more advantageous way? E.g. that site isn’t sending anyone our way, move on to the next site (there’s plenty to choose from). My method would be at least a deterrent.

(For the record: zlog has never received any comment spam. Not once. Honestly.)

Mike says:
January 12, 10h

Just a thought, I don’t know mt at all and this could be interpreted as a bit of a hack, but what about having a piece of text (no images, real text) that has to be either typed in or cut and pasted into a box located with the personal information?

Check the text vs. a textfile or database and if it’s there the comment goes up, if not they get three swings, third strike their ip is banned for x hours.

Have 20-30 strings of text that rotate, so it’s never the same. Or even generate a random string and check against the random string so it’s ‘never the same’.

This would be an accessible approach (I think), and relatively easy to set up. You’d be setting yourself apart from the masses again, thereby ‘reducing your spam profile’…

(apologies in advance if this idea is way out to lunch).

Josh says:
January 12, 10h

Sure, but it won’t stop real humans from spamming:

http://golem.ph.utexas.edu/~distler/blog/archives/000284.html

Of course, you’re talking about little potential profit from non-automated spamming, but perhaps a combination of the Extremely Simplified Turing Test and MT-Blacklist might prove fruitful.

Scrivs says:
January 12, 10h

Well I have been turning off comments on older posts since I started my site and it helps kill two things: spam and forgotten comments. Stopping spam is the greatest advantage, but the other is when someone posts a comment on an entry that is a couple of months old. Sort of like does a tree make a noise when falling if no one is around to hear it?

Matt says:
January 12, 10h

If you use MT with MySQL as the backend, check out this script to automatically disable comments after a week:

http://www.sifry.com/alerts/archives/000323.html

Might solve your problem until a new version of MT comes out that automates this.

ste says:
January 12, 10h

I haven’t yet had this problem (not since I restarted my weblog a few months ago at least), but I’m hoping that the comment registration that was announced for the next version of MT will help…

Zelnox says:
January 12, 11h

Does this sound feasible: a service for blogs commenting authentication.

Of course, there are users who will shy away from posting, because they do not want to divulge too much personal information just for a comment (as opposed to a forum). Still, this service must work for all interested blogs for it to be successful. A user will only have to register once; but authenticate for a new session. There should be some sandbox to make it difficult for spammers to join this.

Moreover, a blog administrator can lower every visitor’s security clearance to a minimum. By this, a user will have restricted access to the blog’s extra features (such as posting comments). One must be registered to earn the right to gain more features.

Hmm, how about this? If you have played an RPG (role-playing game) before, you will be aware of the experience points a player acquires by doing certain actions. Perhaps this can be useful in this blog service as well. Let’s say a subscriber to this blog service has been registered for over a year without posting something considered as spam, the subscriber will gain some experience points. After a determinate amount of points, this subscriber will “level up” and gain more privileges. At any time, posting spam will make the subscriber lose experience. If you want to be ruthless, you can use a three-strikes-you’re-out method. But, what happens if some veteran used an account up to level 50, and then some evil genius compromises that account and wipes it clean by spamming three times?

What do you think? I think it sounds complicated to implement, since not every blog owner uses MT. Anyone adventurous enough to try this? ^_^

Stephen says:
January 12, 11h

Okay people, time to get thick-skinned… Every man for themselves! Make your own CMS. j/k of course. :D

Boy does this suck. I rather like Josh’s idea and enjoyed the gratuitous Adams quote so I say try it and see how users respond! Maybe I’ll try it myself…

“Joey has 5 apples. Susie has 3…” Oh the fun.

January 12, 11h

I’m not worried about humans manually spamming my comments. That’s more-or-less a fair fight. It’s the robo-posters, like the one that hit Dave over the weekend, that are the real threat.

And, as I said in the above-mentioned post (the third in a series on Comment Spam, the first two being
http://golem.ph.utexas.edu/~distler/blog/archives/000236.html
and
http://golem.ph.utexas.edu/~distler/blog/archives/000250.html
) the robots can be beaten.

The only thing that surprises me about the attack that hit Dave’s blog over the weekend is that it took until now for it to happen. These spambots have been around for months.

And there are plenty of things Dave could do besides shutting down old comments, though that certainly is a start…

Dave S. says:
January 12, 11h

Really, all, there’s not much you can suggest that hasn’t been suggested long ago. Drop ‘movable type comment spam’ into Google and get 200k results. From image- and question-based challenging, to global/local authentication, to Goldbergian-type chain reactions of Javascript and Perl/PHP/whatever, it’s all been covered. This is the e-mail arms race all over again, and last time I checked I’m pretty sure the spammers are winning that one.

Turning off comments on old entries is easy and effective. If Six Apart releases MT3.0 with significant, and I mean significant security updates that make batch deleting spam easy, individual spam posting harder, and don’t piss off the commenters themselves, I’ll look into it. Until that point I won’t be applying patch upon patch to stay one step ahead, when I’ve got a clear way out. It’s not worth my time (or yours).

January 12, 11h

There are many solutions for fighting email spam which have become pretty effective. Why do you think the spammers are winning that race?

Keith says:
January 12, 11h

This is really sad to hear.

In my opinion comments are about 75% of what makes blogs (and related sites) valuable. I know it would be very hard for me to keep my site going if I didn’t have that sense of community and building a connection with my readers.

There was a day a few months back where I thought seriously about killing the whole site because of comment spam. I felt like turning off the comments would make the site no longer worth maintaining.

The Web is about people and making connections and it fucking kills me that there are folks out there who have no problems killing everything the Web is about with things like spam.

January 12, 12h

Email spam is a tough case. After all, you’re saddled with the SMTP protocol, which you can’t go about breaking.

Comment-spam is totally different. The only thing that makes robot-posting of comment spam feasible is software monoculture. There may not be a de jure Standard for spambot writers to code against, but there is a de facto one.

Break the mold, and the spambot writers are at a distinct disadvantage.

Or you could say, “I’ll just wait for Six-Apart to come up with a solution, which I probably won’t implement on my blog, anyway, because I don’t want to replace my existing templates …”

Jon Hicks says:
January 12, 12h

So what’s up with Blacklists Dave?

I can see a problem where users merge their blacklists with others, but not when used ‘solo’. I’ve been using Jay Allen’s Blacklist plug-in for months now, and it’s worked amazingly well. Only 2 comment spams have ‘got in’ in 3 months. When I check the activity logs, I can see all the refused comments, and feel that (for now at least) they’re being held back well.

Dave S. says:
January 12, 12h

Summing up a lot of my thinking on patchwork hacks:

http://diveintomark.org/archives/2002/10/29/club_vs_lojack_solutions

http://diveintomark.org/archives/2003/11/15/more-spam

If I were armed with a MySQL back-end and a ton of canned SQL statements I could adapt to clean up after attacks, maybe I’d feel differently. But a) I’m not / I don’t, and b) that would still require time and energy I really would rather spend elsewhere if you don’t mind.

Yes, I’m aware of all the things I can do now:

http://cheerleader.yoz.com/archives/000849.html

See point b) above. Don’t even dare dismiss it as laziness, because I’d genuinely do everything I could to keep on top of this if I felt it was an effective use of my time. I use Movable Type because I am not interested in building my tools, but using them.

January 12, 12h

Would it be possible to build an add-on for MT that would write out the name of “posted by” in javascript, similar to the output from hivelogic’s hiveware enkoder?

AJ says:
January 12, 12h

Your latest decision is the best one you can make for now. That’s what I’ve been doing for several months. I’ve only had one comment since then that looked like a setup test for automated spam, but nothing ever came of it. Nothing else since.

I’ve come to several realizations:

1. After a post is more than a week or two old, the number of new comments drops significantly, unless it’s something that’s evergreen and is getting linked to from all over. Those might merit staying open for comments a little longer.

2. The number of people interested in reading comments significantly dies down immediately after the number of new comments tapers off.

3. Anyone making a comment more than two/three weeks after the original post is – 95% of the time – not adding anything significant or worthwhile for the site’s author or any of the readership. At that point, comments would be best directed directly to the site’s author(s) via email or a contact form.

4. Closing off comments after a period eliminates getting those weird ones from people who found a particular post from a Google search, but are not familiar with a site, and have no idea as to the typical content, its audience, or its etiquette and tone.

5. MT’s default comment form doesn’t validate under XHTML Strict (‘name’ attributes not allowed in form tags). If you remove the name, use ID instead, and modify the .js file to account for the changes, making such simple changes inhibits those who’ve written auto-spam scripts to target MT installs. One-off scripts aren’t worth the trouble. Even more so when only 3-5 entries at most are still open for comments.

And finally: By avoiding writing anything about comment spam (and email spam in general) your site will show up in exactly 0 Google searches for any “spam” queries made by spammers looking for publishers who’ve written about the spam problem, are annoyed by it, or think they’re now immune to it because of some new trick they’ve implemented. Defense by silent anonymity.

January 12, 12h

I’m in the process of creating my own (highly simplified) CMS to avoid this problem. After being such a fan of hand-coding, it seemed awful to use a system such as Movable Type to do my dirty work for me.

For me, comments have become one of the coolest aspects of blogging. On sites such as this one, the discussions that accompany posts can often be insightful and interesting, so it would be awful to see the spammers get the upper hand.

Jeremy says:
January 13, 01h

It’s unfortunate that this has to happen, but you have to do what you can to stop it, I say. With a site with such large amounts of traffic, I would expect a lot of spam…

Maybe it’s just a problem with Movable Type now?

Ben Pirt says:
January 13, 02h

Hello all,
Here’s an interesting (and slightly disturbing) story for you all. I work with a design and new media group who use a company to provide ‘online publicity’ services for them and their (quite big name) clients. I was chatting with one of the directors the other day and we got onto this subject.

It turns out that the online publicity is actually a bunch of convicts (I kid you not) who are paid a very small amount of money by an enterprising individual to trawl the web and make posts in places which will increase traffic to the site they are being paid to promote. Now according to him, they only post in valid places - such as a hi-fi enthusiasts BB for an audio equipment manufacturers website. But he didn’t sound entirely convincing on this. And I can see them just littering the web with links pointing to the site in question.

All in all quite disturbing, and it doesn’t bode well for being 100% successful in blocking comment spam. I was going to make a remark about being pleased about not using MT for this reason, but when I saw Josh’s post ‘Sure, but it won’t stop real humans from spamming’ I realised it made no difference.

fwiw: I think the asking a question idea is excellent. It reminds me of the authorisation schemes I remember from a few old computer games. They would prompt: Enter the 5th word from the 2nd line of the 3rd paragraph of page 23 of the manual. Very difficult to get around that one :-)

January 13, 02h

I’m working on something like what a few here have suggested - a simple system that draws words from a user’s entry database and creates simple questions based on them. It’s entirely accessible (doesn’t use images) and should be very easy to use.

There are just a couple of issues to work out and then it’ll be ready to go!

If anybody’s interested in alpha testing, please drop me a line at david@swagu.com.

Dris says:
January 13, 04h

I thought about a similar thing as well. It will certainly stop the current bots, but I’m sure it will be changed soon.

The thing is, there can only be so many questions. Even if you were to generate the questions randomly, the bot could parse them. A couple steps you could take include user-definable questions and obfuscation of the question and the word.

January 13, 04h

Well, the way I’m going to do it is to select words from each person’s entries, so there won’t be a specific “bank” of words. I suppose a bot could learn to parse the questions, but one could phrase them in any number of ways; it’d be quite difficult to do.

MJH says:
January 13, 06h

I know I’m late to the show here, but I’ve skimmed most of the comments on this. I have to laugh at all the discussion on comment spam.

I liken comment spam to the problem of having your car stolen. Bear with me. When you buy a car, you’d like to protect it. So, you go out and get one with an alarm, or have one installed. Whatever. It’s the newest and best alarm system out there. Let’s call this great alarm system the “Blacklist Alarm”, if you follow… It’s the best and greatest alarm from the greatest company so EVERYONE gets one.

So, now the car thieves have a new enemy. But, to their advantage, they have a common enemy: The Blacklist Alarm. So all they have to do is crack it once, and they gain access to every car with it. In essence, the new advanced, and more expensive (money can equal time developing here), alarm system has been reduced to basically the equivalent of putting a normal keyhole on a door of your car. Basically useless.

What do you do to protect your car then? Do you solder up all the doors and trunk, board up the windows, and cut out the engine, so even if they can get in, they can’t get anywhere? No, cause that renders the car useless.

But, you can center on that fact that a car engine is the main reason they will be able to steal your car. They will drive your car away after they break in. So, what you have to do is find your own unique and secret way of cutting the engine. A kill-switch, in car terms.

And, while thieves of course will eventually find your method out, only a few will be willing to invest the time into your car when there are many other, dumb ones right down the block.

So, I’m trying to get at this. Stop ganging up on spammers with common methods like blacklists or whatever else…. AND THEN DISCUSSING YOUR METHOD OF STOPPING THEM. You’re handing the car thief the crowbar, screwdriver and hacksaw.

Bob says:
January 13, 07h

Whatever you’re doing, make sure to at least punish the spammers:

<meta name="robots" content="index,nofollow">

Matthijs says:
January 13, 10h

I don’t really have mind breaking solutions for such a thing.. i think you should see it as all teasing.. ignore it, and they’ll move on.

it would be such a shame, to see such a popular site, as mezzoblue die..

Ed says:
January 13, 11h

[Quote]Okay people, time to get thick-skinned… Every man for themselves! Make your own CMS. j/k of course. :D[/Quote]

No, seriously, do it. This is no joke. I made mine 3 years ago and I’d be foolish to use MoveableType now. It takes some time to do it but you’ll be rewarded in the end. Sure, it’s not the best thing since sliced bread but I don’t get any spam. Comments are essential to communication on the web and while disabling comments after a week will work today, the spammers know this and will make it possible for them to spam entries that are less than a week old. It’s easy to give up and say the spammers have won and “It was fun while it lasted”. The point many people have been making (if you still don’t want to make your own CMS) is that there are things you can do. Change your field names. Do something - just don’t give up.

Dris says:
January 13, 11h

I couldn’t help it:
http://dris.dyndns.org:8080/permalink.html?id=440

A long winded attempt at a solution. Like every other solution, it isn’t perfect, but I think it should give ‘em a run for the money.

January 14, 06h

In early November I submitted the following suggestion to beat comment-spam in TypePad. As far as I can imagine, the same must apply to MovableType.

I was reading some past news articles on Wired - and came across this one about blogs being spammed.

Spammers Clog Up the Blogs
http://www.wired.com/news/infostructure/0,1377,60912,00.html

Ben, had two solutions:
- bulk deletion of comments generated by a particular IP address
- the ability to delete comments directly from notification e-mails sent every time a user posts

Neither of which solves the problem - It only provides you with a way to react after the spam is posted. What we need to do is to stop the spam from ever arriving in the first place.

A possible solution. Use Referrer info.

I might be wrong, but if we look at the amount of blog-spam mentioned in the article - I would say that the spam comes from an external server - sending form data to e.g. “http://www.typepad.com/t/comments”. It is unlikely (but again I could be wrong) that the spammers submit spam manually. It is a very inefficient approach - with a very low ROI.

Solution:
What you have is a hidden field with an entry-ID. This field must be linked to a specific site in your databases. So you have the entry-id and what site it is on.

You can then block spam completely by validating (on the server - not client) if the referrer domain is the same as the domain where the entry-id is linked to. This way it will be impossible to post anything, unless you are standing on the specific domain.

To strengthen it even further, you can validate if the full referrer info is the same as the full blog page URL. This way not only do you have to be on the specific domain, you also have to be on the specific page.

This should prevent any external system from submitting data.

Just a suggestion - it might work?
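
Added example, not part of the comment above and not TypePad or Movable Type code: a server-side version of the two checks described, Referer domain against the site the entry-id belongs to, then (strict mode) the full Referer against the entry's page URL. `ENTRY_PAGES`, `blog.example` and the function names are constructed for the illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample data: entry-id -> URL of the page carrying its comment form.
ENTRY_PAGES = {
    "437": "http://blog.example/archives/000437.html",
    "440": "http://blog.example/archives/000440.html",
}


def normalize(url):
    """Return (host[:port], path, query) for an http(s) URL, or None if unusable."""
    if not url:
        return None
    try:
        parts = urlsplit(url.strip())
        port = parts.port                 # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    host = parts.hostname                 # urlsplit lower-cases it, drops userinfo
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        host = "%s:%d" % (host, port)
    # The fragment is dropped: "#comments" must not make the page look different.
    return host, parts.path or "/", parts.query


def check_comment_post(entry_id, referer, strict=False):
    """Decide whether a comment POST for entry_id may proceed.

    Returns (accepted, reason). The Referer header is supplied by the client,
    so this only filters clients that do not send a matching value; it also
    rejects real visitors whose browser or proxy strips the header.
    """
    page = ENTRY_PAGES.get(entry_id)
    if page is None:
        return False, "unknown entry-id"
    expected = normalize(page)
    got = normalize(referer)
    if got is None:
        return False, "missing or unusable Referer"
    # Exact host comparison, never a prefix or substring match.
    if got[0] != expected[0]:
        return False, "Referer domain does not match the entry's site"
    if strict and got != expected:
        return False, "Referer is not the entry page"
    return True, "ok"


if __name__ == "__main__":
    samples = [  # constructed requests
        ("437", "http://blog.example/archives/000437.html"),
        ("437", "http://blog.example/index.html"),
        ("437", "http://spam.example/post.html"),
        ("437", None),
    ]
    for entry_id, referer in samples:
        print(entry_id, referer, check_comment_post(entry_id, referer, strict=True))
```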

Dris says:
January 14, 07h

It would be a matter of a half hour to modify robots to hit the entry page first. So, it would thwart current bots, but you can never expect them to remain current. The link I posted above includes this as the necessary first defense against spam robots. Other steps must be taken to make it many times more difficult, but nothing is air tight.

Eric says:
January 14, 07h

I’m not 100% up to speed on the comment spam thing, what is the primary motivation for a spammer to do it? If its old comments I’m guessing that it is just to bump the google rating, right? Isn’t this benefit eliminated with a simple redirect script? So instead of the page linking to:

http://www.spammer.com

it links to

http://www.mezzoblue.com/redirect?http://www.spammer.com

Google wouldn’t see this as a link, and you lessen the incentive for spamming, then you just have to deal with the spammers who want people to actually read the message.
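
Added example, not part of the comment above and not mezzoblue's or Movable Type's code: a redirect script that forwards to whatever URL is in its query string can be used by anyone to bounce visitors from the blog's own domain to an arbitrary site, so this sketch signs each target with an HMAC when the comment is rendered and the redirector refuses anything unsigned. The `/redirect` path, the `u` and `sig` parameter names and the key are assumptions.

```python
import hashlib
import hmac
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"   # placeholder; a real deployment keeps this private
REDIRECT_PATH = "/redirect"        # hypothetical path of the redirect script
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sign(target):
    """HMAC-SHA256 over the target URL, hex encoded."""
    return hmac.new(SECRET, target.encode("utf-8"), hashlib.sha256).hexdigest()


def redirect_link(target):
    """Local link that the redirector will accept for this target only."""
    return "%s?%s" % (REDIRECT_PATH, urlencode({"u": target, "sig": sign(target)}))


def render_comment(text):
    """HTML-escape a comment and route every bare URL through the redirector."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:!?)")       # keep sentence punctuation out
        end = m.start() + len(url)
        out.append(html.escape(text[pos:m.start()]))
        out.append('<a href="%s">%s</a>'
                   % (html.escape(redirect_link(url)), html.escape(url)))
        pos = end
    out.append(html.escape(text[pos:]))
    return "".join(out)


def handle_redirect(query_string):
    """Return (status, location) for a request to the redirect script."""
    params = parse_qs(query_string)
    target = params.get("u", [""])[0]
    sig = params.get("sig", [""])[0]
    # Constant-time comparison; a link not produced by render_comment fails here.
    if not hmac.compare_digest(sig.encode("utf-8"), sign(target).encode("utf-8")):
        return 403, None
    try:
        scheme = urlsplit(target).scheme
    except ValueError:
        return 400, None
    if scheme not in ("http", "https"):
        return 400, None
    return 302, target


if __name__ == "__main__":
    comment = "nice photo, see http://www.spammer.com."   # constructed comment
    print(render_comment(comment))
    print(handle_redirect(redirect_link("http://www.spammer.com").split("?", 1)[1]))
    print(handle_redirect("u=http%3A%2F%2Fother.example%2F&sig=0000"))
```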

elorg says:
January 14, 10h

I’ve done a bit of reading about this problem since I’ve had my MT blog spammed… There are a lot of options, but there are ways around each of them.

For now I’ve been saving my email notifications of the offending comments (for the record), blocking the ip, and deleting the comments. I noticed that if I didn’t follow those steps and just removed the comments, they’d almost immediately be replaced with whatever was there before.. 0_o
I recently installed this:
http://james.seng.cc/archives/000145.html
Granted, it’s not fool-proof, but so far I haven’t received any more spam…

Also, I emailed Google about this situation. If it’s helping the spammers abuse the pagerank system, then they should be notified about it.

So far Google has been understanding. They’re actually pretty gracious and quick to reply. <3 Google.
Originally they told me to report any abuse via their form, but this situation doesn’t exactly apply to it. I explained it to them. They replied back saying that they’ve passed my message along to their QA team.

My hope is that maybe they’ll create another form for this situation where you can report blog spammers, and if enough people’s blogs are spammed even just once from the same spammer (for levitra.com, migrane-relief.com, etc.), Google will remove them entirely from their directory.
;)

50
frankie says:
January 15, 03h

I’ve seen your updated news from the MT 2.66 release on this one, postin’ this anyway, in case somebody didn’t notice it:

http://www.movabletype.org/news/2004_01.shtml#000882

I was thinking about building a weblog with MT, but this spam thing makes me think twice before I even download it. What’s your opinion, should I wait until 3.0 comes out?

51
Sergi says:
January 16, 03h

What about an image verification plugin for MT? I’ve seen a lot of pages with that technology, and it works pretty well. If someone wants to post a comment, they should write the alphanumerical string written inside an image (e.g. http://forum.gsmhosting.com/vbb/register.php). I think it is very difficult for an automated spamming process to bypass this.

Eaden says:
January 16, 05h

The upcoming release of bBlog ( www.bblog.com ) has a novel approach to comment spam;

Comments with links in them are put ‘on hold’ in the moderation queue. Other comments get through fine.
Also it can automatically disable comments on a post after a set period of time. This could be expanded to test for things apart from links, such as drug names as well.

Now, here’s why I don’t like the redirect method:

Is a redirected link to some drug site that much better than a straight link?

It will still say www. drug site .com on your blog, so really the only option is to not have the comment there. Either by deleting it, blocking it or automatically putting it in a moderation queue based on certain factors.
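The triage Eaden describes (hold comments that contain links, close entries after a set period, optionally hold on keywords), as an added example that is not bBlog's code. The 30-day cutoff, the word list and the function name are assumptions. The link pattern also matches addresses written with spaces, like the "www. drug site .com" form mentioned above.

```python
import re
from datetime import datetime, timedelta

CLOSE_AFTER = timedelta(days=30)    # assumption: the "set period" is configurable
HOLD_WORDS = {"levitra"}            # constructed list; extend per site
# http(s) URLs, anchor tags, and "www." / "www dot" with optional spaces.
LINK = re.compile(r"https?://|<a\s|\bwww\s*(?:\.|\bdot\b)", re.IGNORECASE)

def triage(text, entry_posted, now):
    """Return (decision, reason); decision is 'closed', 'hold' or 'publish'."""
    if now - entry_posted > CLOSE_AFTER:
        return ("closed", "entry older than cutoff")
    if LINK.search(text):
        return ("hold", "contains a link")
    words = set(re.findall(r"[a-z0-9]+", text.lower()))
    hits = sorted(words & HOLD_WORDS)
    if hits:
        return ("hold", "keyword: " + ", ".join(hits))
    return ("publish", None)

if __name__ == "__main__":
    posted = datetime(2004, 1, 12)              # constructed sample data
    now = datetime(2004, 1, 16)
    for sample in ("Great write-up, thanks.",
                   "See http://www.spammer.com for details",
                   "visit www. drug site .com",
                   "Cheap LEVITRA here"):
        print(triage(sample, posted, now), "<-", sample)
    print(triage("Late reply", posted, datetime(2004, 3, 1)))
```

Held comments still need a person to review the queue; the function only decides which comments skip it.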

January 16, 08h

These methods for preventing Google from following spam links (redirects, robots.txt) also prevent it from following legitimate links. There is a cost in PageRank and indexing for legitimate links in comments. The tradeoff may be worth it, but if possible I would prefer solutions that don’t reduce the number of non-spam links that Google can index.

Matt says:
January 19, 08h

What’s worse than spam? Random jerks posting just for the hell of it: http://golem.ph.utexas.edu/~distler/blog/archives/000291.html p

January 21, 02h

I recently put together a method for automatically closing older posts in Movable Type:
http://speed.insane.com/archives/2004/01/13/automatically_closing_old_mt_entries.php

While I haven’t had much of a problem with comment spam, I know it will happen to us all sooner or later.

57
Andrew says:
January 21, 07h

A little late perhaps - but worked this possible solution out. If you can use the Hiveware Enkoder to hide your email addresses why not your comment link? If you have your comments form pop up in a new window encode the address from <a href=… up to the point where you enter your <$MTEntryID$> (you can include the ? or not up to you). Place the rest of the URL after the </script> including the <$MTEntryID$> and all your javascript to make the pop-up comments form and as far as I can tell no spammers will be able to find your comment script, and if you have changed the name of your script (you really should) they never will find it using spam bots. At the end it should look something like this:

<script>… your encoded link text … </script><$MTEntryID$> onclick="…javascript…"> …Comment Text … </a>

The only downside is those without javascript turned on and text only browsers won’t be able to use the link.