Movable Type Blogs


64 replies to this topic

#1 TCH-Alan

    Immediate Family

  • Members
  • 234 posts

Posted 10 December 2004 - 05:55 AM

We have seen an increase in comment spamming on Movable Type blogs. This is now happening more often since spammers have discovered this as a new way of spamming.

TotalChoice Hosting would like to strongly suggest all Movable Type users to take some simple actions to prevent your blog from being spammed. There is a very useful article at:

http://www.elise.com...erning_spam.php

The very effective measure is to rename the mt-comments.cgi script; the article at the URL above explains how you can do this (scroll down to "How do you fight spam on your blog?"). When renaming your script, you should rename it to something completely different, such as joesay.cgi.

There are many other suggestions that the article suggests which we also recommend for Movable Type users to perform.

#2 arvind

    Immediate Family

  • Members
  • 481 posts

Posted 15 December 2004 - 09:19 PM

OK, I've been working with Elise Bauer and a few members on the ProNet digging up links and trying to understand why comment spam on MT blogs has suddenly increased. We are still not sure how exactly it is happening. The entry above has been updated with some new techniques; the important one is outlined here, and I suggest it is implemented.

Fighting Comment Spam Flood Attacks

One way that spammers can cause trouble is by repeatedly pinging your server, hundreds of times an hour, trying to leave their comment spam. This can cause server CPU overloads and crashes and can even have your web host shut down your account.

Movable Type has a built-in comment throttle which limits comments from a single IP address from coming in beneath a specified time threshold. The default throttle seconds is set to 20 and can be found in the mt.cfg file in your MT installation files. You can change the throttle to a higher number (I have mine now set to 40 sec).

MT's comment throttle is limited in that it only throttles comments from the same IP address. Most sophisticated spammers who are conducting the flood attacks are using dynamic IP addresses that change with almost every comment. Phil Ringnalda has a plugin solution - Real Comment Throttle Plugin 1.0 that throttles by total number of comments, regardless of their source IP address.

The spammers don't have an unlimited supply of IP addresses, so you may get multiple attempts from the same IP address. In this case, Mark Carey has posted a MT AutoIPBlock plugin that automatically blocks the IP address of someone trying to post a comment that matches your blacklist. It does this using the .htaccess file so repeated requests don't reach the MT scripts, thus reducing the load on your server.
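
The throttle limitation described in the post above, as an added example that is not part of the original post, of Movable Type, or of either plugin: a small simulation comparing a per-IP throttle with a throttle on total comments, run against constructed flood traffic. The class names, the limit of 8 comments per hour and the 198.51.100.x addresses are assumptions made for the illustration; the 20 and 40 second values come from the post.

```python
from collections import deque


class PerIPThrottle:
    """Refuse a comment when the same IP had one accepted < `seconds` ago."""

    def __init__(self, seconds):
        self.seconds = seconds
        self.last_accepted = {}  # ip -> time of its last accepted comment

    def allow(self, ip, now):
        last = self.last_accepted.get(ip)
        if last is not None and now - last < self.seconds:
            return False
        self.last_accepted[ip] = now
        return True


class GlobalThrottle:
    """Refuse comments once `limit` were accepted within the last `window`
    seconds, whatever their source IP (hypothetical thresholds)."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.accepted = deque()  # times of accepted comments, oldest first

    def allow(self, ip, now):
        # Forget accepted comments that have aged out of the window.
        while self.accepted and now - self.accepted[0] >= self.window:
            self.accepted.popleft()
        if len(self.accepted) >= self.limit:
            return False
        self.accepted.append(now)
        return True


def flood(attempts, interval, pool_size):
    """Constructed traffic: one attempt every `interval` seconds, rotating
    through `pool_size` documentation-range addresses."""
    return [(f"198.51.100.{i % pool_size + 1}", i * interval)
            for i in range(attempts)]


def accepted(throttle, traffic):
    """Number of attempts in `traffic` that the throttle lets through."""
    return sum(1 for ip, now in traffic if throttle.allow(ip, now))


def compare():
    """300 attempts in one hour (one every 12 s), from 1 IP and from 50."""
    single = flood(300, 12, 1)
    rotating = flood(300, 12, 50)
    return {
        "per_ip_20s_single_ip": accepted(PerIPThrottle(20), single),
        "per_ip_40s_single_ip": accepted(PerIPThrottle(40), single),
        "per_ip_40s_rotating": accepted(PerIPThrottle(40), rotating),
        "global_8_per_hour_rotating": accepted(GlobalThrottle(8, 3600), rotating),
    }


if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name}: {count} of 300 accepted")
```

With 50 rotating addresses each one reappears only every 600 seconds, so the per-IP throttle never fires, while the global limit holds regardless of source.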



#3 Funkalicious

    New To The Neighborhood

  • Members
  • 15 posts

Posted 15 December 2004 - 09:41 PM

> OK, I've been working with Elise Bauer and a few members on the ProNet digging up links and trying to understand why comment spam on MT blogs has suddenly increased. We are still not sure how exactly it is happening. The entry above has been updated with some new techniques; the important one is outlined here, and I suggest it is implemented.
>
> Fighting Comment Spam Flood Attacks
>
> One way that spammers can cause trouble is by repeatedly pinging your server, hundreds of times an hour, trying to leave their comment spam. This can cause server CPU overloads and crashes and can even have your web host shut down your account.
>
> Movable Type has a built-in comment throttle which limits comments from a single IP address from coming in beneath a specified time threshold. The default throttle seconds is set to 20 and can be found in the mt.cfg file in your MT installation files. You can change the throttle to a higher number (I have mine now set to 40 sec).
>
> MT's comment throttle is limited in that it only throttles comments from the same IP address. Most sophisticated spammers who are conducting the flood attacks are using dynamic IP addresses that change with almost every comment. Phil Ringnalda has a plugin solution - Real Comment Throttle Plugin 1.0 that throttles by total number of comments, regardless of their source IP address.
>
> The spammers don't have an unlimited supply of IP addresses, so you may get multiple attempts from the same IP address. In this case, Mark Carey has posted a MT AutoIPBlock plugin that automatically blocks the IP address of someone trying to post a comment that matches your blacklist. It does this using the .htaccess file so repeated requests don't reach the MT scripts, thus reducing the load on your server.



MT has always been vulnerable to spam attacks and the reason it has gotten worse lately is because the support for MT Blacklist has gone by the wayside. It's great there are plug-ins available, but it might be better to spend a few bucks and move up to Expression Engine, and never have to deal with this nonsense at all. I did just that a few months ago and I have not once had to deal with any spam.

To the first poster in this thread: Renaming the comment script doesn't work. I know numerous people who have tried this and it has always failed within a short period of time.

Not being argumentative, just adding my 2 cents, for whatever it's worth, LOL. :)

#4 arvind

    Immediate Family

  • Members
  • 481 posts

Posted 15 December 2004 - 09:52 PM

> To the first poster in this thread: Renaming the comment script doesn't work. I know numerous people who have tried this and it has always failed within a short period of time.


I've found it to be rather effective if implemented correctly. It isn't just a matter of re-naming the script because then spammers can scan the mt.cfg file and get the name again. You will need to re-name the script and then implement protection of mt.cfg

#5 Funkalicious

    New To The Neighborhood

  • Members
  • 15 posts

Posted 15 December 2004 - 09:55 PM

That's good, if it works for you. Personally, I found MT to be more trouble than it was worth, so that's why I ditched it, but to each their own. :)

#6 arvind

    Immediate Family

  • Members
  • 481 posts

Posted 16 December 2004 - 03:56 AM

Six Apart have released some posts and information about the problem. Read more here

#7 annie

    Immediate Family

  • Members
  • 490 posts

Posted 16 December 2004 - 06:50 AM

I'm just wondering if James Seng's Scode is working on TCH's servers? I had to give up (for now) on another host. Probably something stupid causing it to not work.

Also, do you know if his code still is impervious to automated attacks?

#8 arvind

    Immediate Family

  • Members
  • 481 posts

Posted 16 December 2004 - 06:56 AM

The SCode plugin is a good one, it does work on TCH servers because I used to use it until I learnt of the problems it created (accessibility wise only). The only time it is effective is against bots.

I'm not sure whether or not I would recommend its installation. It's up to you; the problems it creates are things to do with people not being able to see/enter the codes -- I've faced this a lot -- but it may offer some benefits against the spambots...

#9 annie

    Immediate Family

  • Members
  • 490 posts

Posted 16 December 2004 - 08:10 AM

I was fooling around with the stuff in the links. And then suddenly the blog was gone! Got a 404 error, and nothing I did worked.

So, I thought, hey, what if?

So I removed the contents of the htaccess file, and suddenly the blog was there again.

Turns out this was the problem:

Options -Indexes
<IfModule mod_rewrite.c>
<IfModule mod_dir.c>
DirectoryIndex index.php index.html index.htm default.htm default.html default.asp /mtview.php
</IfModule>
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /mtview.php [L,QSA]
</IfModule>
<IfModule !mod_rewrite.c>
ErrorDocument 404 /mtview.php
ErrorDocument 403 /mtview.php
</IfModule>

-----------

More specifically, mtview.php is missing...
I think I need to add a path to it somehow, because it's present within the directory my blog is residing in.

Solution: change the path to the relative path your mtview.php file is residing at.
Then make sure that file isn't world writeable (mine was). Then it should work.

#10 arvind

    Immediate Family

  • Members
  • 481 posts

Posted 16 December 2004 - 10:01 AM

Yeah, it needs to be relative paths. See the tutorial Elise and I wrote on it (on Elise's page, the code is formatted incorrectly).

#11 HCSuperStores

    Immediate Family

  • Banned
  • 359 posts

Posted 16 December 2004 - 11:29 AM

Hello Everyone and Allen!

I personally don't use MT ... but I do have a suggestion and a vested interest in TCH finding a solution to this problem.

My server was affected last night because a server-wide "bad words" filter was implemented. This caused some innocent words and posts to be flagged as "inappropriate" and therefore some of my scripts bombed with a server error.

So anyway, on to a solution ....

I don't believe a blind, server wide solution will work because it would be rather impossible to be sure that you are not affecting all the other software, commercial and custom, that exists.

So my solution is to enforce standards within the MT software that are effective at stopping this problem.

In examining the LINK at the beginning of this post, there seem to be a number of settings or configurations that, if implemented, would stop or severely reduce this issue.

Rename mt-comments.cgi. Spammers find MT sites by searching for mt-comments.cgi in Google. Rename the file and your site will be harder for them to find. To do this, copy the mt-comments.cgi script to a new name, ending with the .cgi suffix. Edit the mt.cfg file to reflect the new name.

Force "preview" before allowing comment submissions. Forcing site visitors to preview their comments before submitting them will not only give you more error-free comments, but will put yet another hurdle up against automatic comment spam bots.


Use a "Captcha". A captcha is a security code that a commenter must enter in order for her comment to load. The benefit is that it screens out automated comment spam bots. The downside is that it keeps visually disabled people from contributing a comment. James Seng has posted a captcha security plugin for Movable Type.


If TCH were to adopt a standard that says "Any account that uses MT MUST have these security measures in place to use this software" it would virtually eliminate the issues we are experiencing. But TCH could also write a script that may run once a night that would enforce these admin options, making these changes automatically.

The first time the script is run would be the largest expected load on any server. Afterwards, it would only affect new MT installations and the server load would be negligible if anything at all.

This solution would keep things at a software-specific level and not affect any other commercial or custom software running on the server.

Any thoughts???

#12 LisaJill

    Immediate Family

  • Members
  • 1,660 posts

Posted 16 December 2004 - 11:34 AM

I think that those are all good ideas. The problem is that, by and large, the people that use MT have enough trouble installing it, much less installing the captcha hack and modifying the comments template to have to be preview first, and then finding their way around renaming a .cgi file and changing mt.cfg.

Anyway, the renaming of the file is the easiest one to get around, they can just parse the page to find out the correct cgi script.

I switched away from MT many months ago for a variety of reasons that didn't include spam :oops: But I find it disheartening that the producer (SixApart) of one of the main software packages for blogging hasn't already issued major updates that cover these problems, and quickly. More and more hosts are being forced to ban MT. I think that's a real shame. :lol:

SixApart has treated this as a backburner issue for far too long, while other packages are quick on the uptake of adding anti-spam abilities inherent to the product. It's a shame that 6A didn't remain with just Mena and Ben, I think it did better then. :lol:

[Edit] as an afterthought - TCH doesn't run scripts to see what scripts are being on the servers, at least not that I'm aware of! For TCH to police this type of after-software enhancement would bring an incredibly large burden on the support staff. They would have to monitor WHO has MT installed and WHAT those people did to MT!

While I'm only a mod here and do NOT speak on behalf of TCH for this point, as well as not being a business strategist by any stretch of the imagination - I can't imagine such policing would provide a positive cost/profit scenario. Especially considering the incredibly low cost of the shared hosting plans, which are the ones taking the brunt of the abuse.

Edited by TCH-Lisa, 16 December 2004 - 11:39 AM.


#13 HCSuperStores

    Immediate Family

  • Banned
  • 359 posts

Posted 16 December 2004 - 11:39 AM

Hey Lisa --- agreed. It sounds like MT is difficult to install.

This is why I suggest that TCH write one script that would run every night on each of the shared servers to make the changes automatically.

TCH just has to figure out what it wants to enforce, and then have the script do this.

Because this has become a load issue for the servers, it seems the logical choice from my perspective.

#14 LisaJill

    Immediate Family

  • Members
  • 1,660 posts

Posted 16 December 2004 - 11:40 AM

HC, I edited my post fairly in depth and I think that those thoughts may respond, in part and of my own opinion, to your idea of a script to monitor things. =)

#15 LisaJill

    Immediate Family

  • Members
  • 1,660 posts

Posted 16 December 2004 - 11:42 AM

To add to that - as far as a script that automatically makes these modifications - that raises all sorts of ethical and moral issues that I don't feel TCH should be getting anywhere near. I sure don't want TCH doing anything that modifies what *I* run. I imagine that most people would agree. I'd rather take the chance of suspension, to be completely honest.

TCH is my host, not my parent. =)

#16 LisaJill

    Immediate Family

  • Members
  • 1,660 posts

Posted 16 December 2004 - 11:44 AM

Oh, and I'm not sure if you understand how MT works - but for a script like that to work it would have to make those modifications and then rebuild the site. Rebuilding is processor intensive (and part of why these comment spams take down servers, comments cause a rebuild) - and so the script itself would require a lot of processor for itself and for the processes it would spawn.

I think that this is no-man's land. The burden should not lie on TCH for this, but on SixApart for a comprehensive solution within their package.

(My post count is flying up, since I think in gaps!)

#17 HCSuperStores

    Immediate Family

  • Banned
  • 359 posts

Posted 16 December 2004 - 11:46 AM

I understand that running a script might seem a bit drastic, and parental like. But it might serve as an option instead of banning MT entirely.

As far as a parental or watching issue ... I'm sure TCH sets particular server-wide settings, to the best of their ability, that keep things balanced and protected. Not as an attempt to control minute details, but for the stability of all accounts on any server.

:oops:

#18 LisaJill

    Immediate Family

  • Members
  • 1,660 posts

Posted 16 December 2004 - 11:48 AM

Certainly they do, but those things affect server specific items, and do not make direct changes to people's installed scripts. Anyway, I added even more arguments against and as we can clearly see, I've convinced myself. I'm good at that, you see? *winks*

Edited by TCH-Lisa, 16 December 2004 - 11:50 AM.


#19 HCSuperStores

    Immediate Family

  • Banned
  • 359 posts

Posted 16 December 2004 - 11:51 AM

My post count is going up too ... but I've been in my hole a while anyway. I need to stretch the fingers a little! :lol:

Yes, you might have to be sure that you don't do this to 100 MT accounts at once as it would kill the server. But you could make the script intelligent enough to only do, say 5 a night. So eventually all would be updated.

Every one that you modify means that much more protection.

Once all the MT accounts are updated, the load would be minimal.

Yes, I would rather have the software vendor be the responsible party. But I suspect this is "free" software and thus is the price you pay.

And Lisa, I know nothing about MT but the little I have read. But it seemed from the little that I have read that a smart script could accomplish the job and if written correctly, could do so without any negative impact on the server.

The question is would TCH customers revolt over some or all of these changes? Or does TCH want to get at this level with MT clients? I don't know ...

:oops:

#20 TCH-Rob

    Help Desk Manager

  • Members
  • 7,797 posts

Posted 16 December 2004 - 11:58 AM

> Or does TCH want to get at this level with MT clients? I don't know ...

I am going to guess no, we don't. We can only police so much and it really is up to the end user to make sure the software they are running is secure. Otherwise we wouldn't have to suspend accounts, we could just write a script to fix it.

BTW, your post count is almost caught up to me now.

#21 LisaJill

    Immediate Family

  • Members
  • 1,660 posts

Posted 16 December 2004 - 11:59 AM

SixApart has a very basic free license, but the real version starts at $70. It's not open source, nor is it free.

Anyway, the GPL'd software items have addressed these issues, or are addressing them, and have at least recognized that they are issues. *winks*

I ran MT for a long time and did much support on their forums. This was prior to v3.0 (I switched during the beta, over massive disillusionment, another post eh?) but unfortunately, the issues have remained the same, and just as unaddressed as ever.

I personally think, that at the cost of hosting here at TCH, the cost-benefit analysis doesn't stack up favorably to doing this. Even just creating the script would be a pain in the y'know'what, and then keeping it up to date with MT releases? yikes. =)

And we get a LOT of new customers constantly (a good thing, for sure!), so this wouldn't be minimal issue after the first running, it's an ongoing general load increase. :lol:

I think it would be better to stick all those MT people on their own cluster of servers. An all out MT hosting package - but that almost sounds vengeful. :oops:

Edited by TCH-Lisa, 16 December 2004 - 12:00 PM.


#22 HCSuperStores

    Immediate Family

  • Banned
  • 359 posts

Posted 16 December 2004 - 12:01 PM

> BTW, your post count is almost caught up to me now.


:lol: :oops:

I could only hope to be at your level, or at Lisa's for that matter!!!

#23 TCH-Dick

    General Manager

  • Admins
  • 5,786 posts

Posted 16 December 2004 - 12:05 PM

I have already brought up using a script to make the changes listed above and it simply won't work. The main reason it won't work is because not everyone installs MT in the same folder. Sure, you can create a script to modify the mt-comment.cgi in the home/user/www/blog folder (for example), but what about the people that install it in home/user/www/mt or home/user/www/rant or home/user/www/whatever? You see where I'm going with this.

Then there's also the issue Lisa already mentioned about requiring a rebuild once this script has made all of the changes; that's just too CPU intensive.

Dick DeVance
General Manager
TotalChoice Hosting, Inc
dick@totalchoicehosting.com




#24 MikeJ

    Big Gorilla

  • Members
  • 2,369 posts

Posted 16 December 2004 - 12:13 PM

> My server was affected last night because a server-wide "bad words" filter was implemented. This caused some innocent words and posts to be flagged as "inappropriate" and therefore some of my scripts bombed with a server error.
>
> So anyway, on to a solution ....
>
> I don't believe a blind, server wide solution will work because it would be rather impossible to be sure that you are not affecting all the other software, commercial and custom, that exists.


The use of a server-based filter to block the heavy hitting comment spammers is a temporary solution to get things back under control (and we've already relaxed the block list a bit). We are still looking into many options to help MT users to regain control of their blogs, while not affecting non-blog users. We apologize if anyone is affected negatively by our interim efforts. If you find a script of yours is failing or being blocked, please submit a help desk ticket so we can review it.

If any MT users who are getting a lot of comment spam (or were and are successfully blocking it) and know your way around MT 3.0 well would like to volunteer to test out some ideas we have for blocking it and show me some samples of what you are still getting, feel free to contact me... mikej (at) totalchoicehosting.com, or IM at tchgurumikej (AIM or Yahoo).

Edited by TCH-MikeJ, 16 December 2004 - 12:14 PM.


#25 HCSuperStores

    Immediate Family

  • Banned
  • 359 posts

Posted 16 December 2004 - 12:24 PM

As a thought ...

Does it really matter WHERE they installed the MT script? Aren't you looking for a specifically named .cgi file? Could you not cue off of that?

If you find the file, then you know that it has to be attended to. If you don't find it, then you've already renamed it and you don't need to do anything to it.

As far as the CPU load being an issue, you are already suggesting (per the beginning of this thread) that people implement these changes. Wouldn't this cause the rebuild anyway? So either manually, or via an automated script, wouldn't you incur the load regardless?

The script would allow you to methodically go through and do the rebuild at low-CPU usage times. It would be in a more controlled fashion.

As always, just my opinion ... ;)

PS - On the blocked words, I've already noticed an improvement. Just as a note to this, I have software that uses anatomically correct words (medical) often. So any words that you attempt to block like this will cause a problem with my software. It's used daily and I'll communicate those issues to you if I run into them.

#26 arvind

    Immediate Family

  • Members
  • 481 posts

Posted 16 December 2004 - 12:25 PM

The folks at 6A are working very hard (believe me I have them on IM) on patches etc. while the folks on the Professional Network of 6A are busy thinking up ways to further beat the comment spammers.

MikeJ, the best ways are highlighted in Elise's post above. Beyond that I'm not sure what else can be done, I've spent the better part of today trying to find stuff out but hopefully if things from ProNet go into motion there'll be some interesting stuff

#27 arvind

    Immediate Family

  • Members
  • 481 posts

Posted 16 December 2004 - 12:30 PM

> As a thought ...
>
> Does it really matter WHERE they installed the MT script? Aren't you looking for a specifically named .cgi file? Could you not cue off of that?
>
> If you find the file, then you know that it has to be attended to. If you don't find it, then you've already renamed it and you don't need to do anything to it.
>
> As far as the CPU load being an issue, you are already suggesting (per the beginning of this thread) that people implement these changes. Wouldn't this cause the rebuild anyway? So either manually, or via an automated script, wouldn't you incur the load regardless?
>
> The script would allow you to methodically go through and do the rebuild at low-CPU usage times. It would be in a more controlled fashion.
>
> As always, just my opinion ... ;)
>
> PS - On the blocked words, I've already noticed an improvement. Just as a note to this, I have software that uses anatomically correct words (medical) often. So any words that you attempt to block like this will cause a problem with my software. It's used daily and I'll communicate those issues to you if I run into them.


I'm actually not sure about this thing about TCH going in and changing users' configs around. I did suggest it last night but on careful consideration I take it back. Like Lisa said, things for newbies are hard enough without this complicating stuff up. Also it's been found out that this re-naming isn't that useful anymore. Although Elise's entry above highlights the best ways comment spam can be combatted, a lot of them are becoming useless.

If anyone is a member of the ProNet, read the CommentThrottle thread, there are interesting ideas springing up and I'm working with some devs on the best way to battle comment spam. For those that have MT, install MT-Blacklist and perhaps set everything to block, nothing to moderate... Moderation is what is causing the problem, alternatively just delete or chmod mt-comments.cgi to 000 for today. 6A are working damn hard to get those patches out and hopefully once they're out the problem will be fixed and some plugins also released to up the armour.

Edited by arvind, 16 December 2004 - 12:32 PM.


#28 Head Guru

    Bill Kish Head Guru

  • Admins
  • 6,798 posts

Posted 16 December 2004 - 12:37 PM

Time for me to chime in on this.

The comment spam is getting out of control.

We have had 15+ server crashes caused by this issue.

Currently we are working very hard to get something in place to bring the servers affected by this back under control. As MikeJ has stated earlier in this post, we implemented a new server bad word list to attempt to protect our servers.

Suspending sites simply isn't working.

We are as of today now working with the 6A team to attempt to come to a conclusion on how to stop this problem.

Until we figure this out I encourage this discussion to move forward.

We will beat this thing ;)

Bill



#29 annie

    Immediate Family

  • Members
  • 490 posts

Posted 16 December 2004 - 12:51 PM

Just to be clear: I don't have MT on a TCH server. I however have it somewhere else. I did rename the comments script today. I've got version 3.11, and I found it was fairly simple to do it. Go to cpanel and file manager, then find the mt.cfg and make the change.

Rename the comments script into whatever you feel like, with a .cgi ending.

Then, depending on how your blog is configured, a rebuild of the individual archives MAY be all you need to do. I didn't have to do anything to the templates, works anyway.

I'm also setting the archives to dynamic now. Granted, that's more complicated than renaming the comments script.

But my comment spam load is manageable. I just got found by an old spammer, but don't get hit every day. I'm fully prepared to rename the script each time a spammer finds me. I also put comments on moderated to avoid the embarrassment.

#30 annie

    Immediate Family

  • Members
  • 490 posts

Posted 16 December 2004 - 12:57 PM

Oh, I just thought of something. I get a lot of 404 errors from people trying to post to my old B2 installation, and will now get lots of those trying to access the comments script that's been renamed.

Of course, 404s won't be that taxing to the server. I'm wondering how much of a nuisance they are, though.

Also, I'm wondering what you guys know about the spammer scripts. How long will it take them to figure out the script has been renamed, or a blog has changed software. It took the texasholding crew quite a while to figure out I'd switched software. But once I banned an IP number used by one spammer, I got a visit from that rolling IP number thingy next time. Looks to me like they're REALLY evolving fast now. I'm wondering if maybe they're keeping it simple for anyone who doesn't fight it, and using the rolling technique for those who put up a fight - and other techniques they implement whenever they find certain errors in their logs?

#31 HCSuperStores

    Immediate Family

  • Banned
  • 359 posts

Posted 16 December 2004 - 01:01 PM

Wow ... what a mess. People should spend time being a little more productive in life! ;)

But I tend to like puzzles. And this one is a doozy! :thumbup:

#32 LisaJill

    Immediate Family

  • Members
  • 1,660 posts

Posted 16 December 2004 - 01:08 PM

It takes their scripts about 15 seconds (depending on load time of your site) to find that a script has been renamed and what the new name is. =)

#33 HCSuperStores

    Immediate Family

  • Banned
  • 359 posts

Posted 16 December 2004 - 01:10 PM

> It takes their scripts about 15 seconds (depending on load time of your site) to find that a script has been renamed and what the new name is. =)


So, Lisa ... what you are saying is that even if the name WAS changed, that the spammers could easily write something more in their scripts to find the new name?

#34 arvind

    Immediate Family

  • Members
  • 481 posts

Posted 16 December 2004 - 01:13 PM

Yep ! Like I said before, the stuff Elise outlines is the best we can do at this point but none of it is really any use now.

#35 LisaJill

    Immediate Family

  • Members
  • 1,660 posts

Posted 16 December 2004 - 01:14 PM

I'm saying they already have. That method of combating spam has been around for at least a year, they've had plenty of time to work out how to get around it. Indeed, if I remember correctly, some malicious guys worked out a way around it to perform DDOS attacks about 11 months ago. =)

#36 annie

    Immediate Family

  • Members
  • 490 posts

Posted 16 December 2004 - 02:00 PM

I did a 404 sweep of this month's log on the host with the MT installation. I found LOADS of 404's for spam attempts to nonfunctioning comment and trackbacks for my old B2 installation.

So although some very advanced spammers have systems in place to detect changes, a lot of them are still blithely spamming away to dead installations!

#37 TCH-Dick

    General Manager

  • Admins
  • 5,786 posts

Posted 16 December 2004 - 02:13 PM

I just wanted to toss the fact on the table that this is not only affecting MT but all blogs. Those damn free poker comments seem to be the most prevalent lately. One of the issues that a lot of users are having is that as soon as they make a new post it has comment spam. I'm not sure about MT but with WP they are making comments to Post IDs that don't exist, so when you create a post with that ID it already has a comment. Hopefully everyone can come up with a workable solution.

Dick DeVance
General Manager
TotalChoice Hosting, Inc
dick@totalchoicehosting.com




#38 arvind

arvind

    Immediate Family

  • Members
  • PipPipPipPip
  • 481 posts

Posted 16 December 2004 - 02:21 PM

Yep with MT, spammers are directly hitting mt-comments.cgi and cycling through post ids in the exact same way. The only reason why MT is going down and causing problems is because of the bug in MT that is causing *everything* to be rebuilt every time a comment is posted!
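An added example, not part of the posts above: a sketch of the kind of log sweep annie describes, extended to flag POSTs to the comment script that arrive faster than MT's 20-second comment throttle. The log lines are constructed, and the watch list of script names and the thresholds are assumptions to adjust for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log line: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Assumed watch list: MT comment/trackback scripts plus old b2 script names.
# Add the name of your own renamed comment script here.
WATCHED = re.compile(
    r'/(mt-comments\.cgi|mt-tb\.cgi|b2comments\.post\.php|b2trackback\.php)')

# Constructed sample log (documentation-range IPs, made-up sizes).
SAMPLE_LOG = """\
192.0.2.10 - - [16/Dec/2004:14:00:01 +0000] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.0" 200 512 "-" "-"
192.0.2.10 - - [16/Dec/2004:14:00:04 +0000] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.0" 200 512 "-" "-"
192.0.2.10 - - [16/Dec/2004:14:00:09 +0000] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.0" 200 512 "-" "-"
198.51.100.7 - - [16/Dec/2004:14:01:00 +0000] "POST /b2/b2comments.post.php HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [16/Dec/2004:14:01:02 +0000] "POST /b2/b2trackback.php HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [16/Dec/2004:14:01:05 +0000] "POST /b2/b2comments.post.php HTTP/1.0" 404 210 "-" "-"
203.0.113.5 - - [16/Dec/2004:14:05:00 +0000] "GET /archives/000123.html HTTP/1.1" 200 9000 "-" "-"
203.0.113.5 - - [16/Dec/2004:14:05:40 +0000] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [16/Dec/2004:14:06:50 +0000] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.1" 200 512 "-" "-"
""".splitlines()

def parse(line):
    """Return (ip, time, method, path, status), or None if unparseable."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def sweep(lines, throttle_seconds=20, min_fast=2, min_dead=3):
    """Summarise hits on watched scripts per client IP."""
    posts = defaultdict(list)   # ip -> times of POSTs that reached a script
    dead = defaultdict(int)     # ip -> 404s on watched (dead) script names
    for line in lines:
        rec = parse(line)
        if rec is None or not WATCHED.search(rec[3]):
            continue
        ip, ts, method, _path, status = rec
        if status == 404:
            dead[ip] += 1
        elif method == "POST":
            posts[ip].append(ts)
    report = {}
    for ip in set(posts) | set(dead):
        times = sorted(posts.get(ip, []))
        # Consecutive POSTs closer together than the comment throttle.
        fast = sum(1 for a, b in zip(times, times[1:])
                   if (b - a).total_seconds() < throttle_seconds)
        dead_hits = dead.get(ip, 0)
        report[ip] = {"posts": len(times), "under_throttle": fast,
                      "dead_hits": dead_hits,
                      "flag": fast >= min_fast or dead_hits >= min_dead}
    return report

if __name__ == "__main__":
    for ip, row in sorted(sweep(SAMPLE_LOG).items()):
        print(ip, row)
```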

#39 charle97

charle97

    Family Friend

  • Members
  • PipPip
  • 95 posts

Posted 16 December 2004 - 03:43 PM

I just wanted to toss the fact on the table that this is not only affecting MT but all blogs. Those damn free poker comments seem to be the most prevalent lately. One of the issues that a lot of users are having is that as soon as they make a new post it has comment spam. I'm not sure about MT but with WP they are making comments to Post IDs that don't exist, so when you create a post with that ID it already has a comment. Hopefully everyone can come up with a workable solution.



use matt's spam stopgap plugin.

#40 annie

annie

    Immediate Family

  • Members
  • PipPipPipPip
  • 490 posts

Posted 16 December 2004 - 05:40 PM

I just had a bunch of curious accesses. Referer is http://www.google.com and the user agent is: MSIE 5.0.
IP number is: 82.103.65.225, which is somewhere in Bulgaria.

Going through all of my individual archive MT blog posts in haphazard sequence.

I guess I'm just wondering when I'll see comment spam to my newly renamed comments script...

#41 TCH-Alan

TCH-Alan

    Immediate Family

  • Members
  • PipPipPipPip
  • 234 posts

Posted 16 December 2004 - 06:45 PM

Since I started this thread I should really reply. I do apologize for the lack of a reply to all the suggestions and views that people have made about ways that users of MT or TCH can use to block these comment spammers. Obviously I was occupied with all the MT comment spamming that was happening during the past 48 hours. Right now I can see that it's going pretty strong, but the new filters that we've put in place are working and we'll continue to fine tune those filters as new spammers become known to us.

HCSuperStores, I do have to apologize to you and any other user who was affected by the initial filters that I set. I did eventually realize that the filters were too broad. As you've mentioned, this has now been corrected and things should look much better. But to all users that do see a 406 error and you know you haven't done anything wrong... please do send a ticket into us so that we can investigate it and again fine tune the filters.

The suggestion of a TCH script that changes the name of mt-comments.cgi and the other methods of combating the comment spamming is something that we simply can't do. The renaming of the files will get very confusing, if our script renamed all the mt-comments.cgi script, then it renames it again the next, it's possible that some users decide that they change it themselves for some reason. There's also many users that have already changed their script name from the standard mt-comments.cgi filename.

We also don't feel comfortable being "Big Brother" and changing files in users' accounts. Of course we will do the "Big Brother" thing in terms of securing the server and making sure everything is running and secure at all times. We want customers to be able to purchase hosting at TCH and use it normally as they wish (following our AUP of course), without too many restrictions.

We look after our customers and I can assure you that we are working on the MT comment spamming that is affecting other users that are on the same servers as MT users. We won't let our service degrade, that I can guarantee.

#42 arvind

arvind

    Immediate Family

  • Members
  • PipPipPipPip
  • 481 posts

Posted 17 December 2004 - 07:20 AM

There's an excellent plugin that will be released later today that will help combat spambots directly hitting mt-comments.cgi (the comment script), keep an eye on Planet Movable Type http://planet.movalog.com/

#43 HCSuperStores

HCSuperStores

    Immediate Family

  • Banned
  • PipPipPipPip
  • 359 posts

Posted 17 December 2004 - 07:43 AM

TCH has treated me very well and I really have no complaints about that momentary blip. I have a high appreciation for the staff at TCH and the job that you guys do. :notworthy:

I will say that, so far, the "fine tuning" has seemed to keep any issues at bay. No 406 errors. :)

Keep up the good work guys. It's a complicated problem for sure and I know you'll "get those guys"!

Go get'm! :)

#44 annie

annie

    Immediate Family

  • Members
  • PipPipPipPip
  • 490 posts

Posted 17 December 2004 - 09:54 AM

Is this javascript version it?

http://mt-hacks.com/

#45 arvind

arvind

    Immediate Family

  • Members
  • PipPipPipPip
  • 481 posts

Posted 17 December 2004 - 11:31 AM

Nope, Mark's plugins are not it. I've been talking with him about his plugins and hacks. They apparently do work, but like he says himself, if mass implemented they are useless because it's just a few simple tricks and a spider can easily parse through them....

The plugin I'm talking about is far more interesting and may make it near to impossible for a spambot to automatically hit commentscripts.

#46 arvind

arvind

    Immediate Family

  • Members
  • PipPipPipPip
  • 481 posts

Posted 17 December 2004 - 01:02 PM

OK we have the plugin. MT Approval as it's called. We have as yet just sparse installation instructions but I say this is an important install. I have installed it and have yet to be spammed today.

MT 3.1 is required!

Put this into your plugins directory. Once you do, you will have a
template tag available to you. That tag is <$MTApprovalHash$>. Put
this tag into your Comment Preview Templates - Comment Preview and
Comment Error.

For those of you with newer templates who use <$MTCommentFields$> integrate MT Approval via the interface provided

You will need to remove the post button from your Individual Entry Archives and/or your comment listing template.

This is very much an emergency release to help people cope with the comment spam so more updates to follow. Keep an eye on Planet MT as Chad will announce it soon perhaps with more information!

#47 annie

annie

    Immediate Family

  • Members
  • PipPipPipPip
  • 490 posts

Posted 18 December 2004 - 11:05 AM

That post ate itself after a trackback with an & in the name of site field. So maybe you'd better check this address instead for now:
http://jayseae.cxliv.org/
Also, he's in the process of fine tuning it. Some changes to what you wrote here.

EDIT: the post is fine with IE, but I was using Firefox...

#48 lilirose

lilirose

    Family Friend

  • Members
  • PipPip
  • 40 posts

Posted 18 December 2004 - 06:43 PM

I'm an MT user who was one of the first to be hit by the new wave of server-crashing spammers. I signed up with TCH in November after my old host told me I was no longer allowed to use MT because it was crashing their server.

We have taken several steps since moving to TCH to prevent further crashes. At this point I am running a total of five blogs. All are protected by the MT Blacklist plugin. Beyond that, two of my blogs have moderated comments only, two have comments closed on all entries (allowing no new comments at all), and one has open comments but is completely hidden from search engines by its meta tags. To date that blog has not been spammed.

Basically, I need to know if I am doing enough to protect my installation from causing a server crash. Since I've already left one host because of this issue, I am very concerned about preventing it from happening again.

Thanks in advance for any advice...

Lili

#49 AlanV

AlanV

    Distant Family

  • Members
  • PipPipPip
  • 156 posts

Posted 18 December 2004 - 07:02 PM

I'm still running MT 2.63, and I'm afraid to upgrade to 3.x...
Any suggestions? I don't want to be the one to take down a TCH server...

I have mt-blacklist installed, and no spam comments are getting through, as far as I can tell.... but could the server still be affected?

#50 AlanV

AlanV

    Distant Family

  • Members
  • PipPipPip
  • 156 posts

Posted 18 December 2004 - 07:07 PM

Another thing:
3.x requires a licence for multiple blog/author support, and I'm running 5 blogs with 8 authors off one installation... so would I need to pay for the upgrade?

#51 LisaJill

LisaJill

    Immediate Family

  • Members
  • PipPipPipPip
  • 1,660 posts

Posted 18 December 2004 - 07:21 PM

yes, you would need to pay if you upgraded. At that setup you'd need the 100$ setup. For that price you could get a much better system. *winks*

#52 TCH-Alan

TCH-Alan

    Immediate Family

  • Members
  • PipPipPipPip
  • 234 posts

Posted 19 December 2004 - 05:03 AM

Yep, that should be fine. We're still working on a long term solution to ensure the stability of our servers.

I'm an MT user who was one of the first to be hit by the new wave of server-crashing spammers. I signed up with TCH in November after my old host told me I was no longer allowed to use MT because it was crashing their server.

We have taken several steps since moving to TCH to prevent further crashes. At this point I am running a total of five blogs. All are protected by the MT Blacklist plugin. Beyond that, two of my blogs have moderated comments only, two have comments closed on all entries (allowing no new comments at all), and one has open comments but is completely hidden from search engines by its meta tags. To date that blog has not been spammed.

Basically, I need to know if I am doing enough to protect my installation from causing a server crash. Since I've already left one host because of this issue, I am very concerned about preventing it from happening again.

Thanks in advance for any advice...

Lili




#53 arvind

arvind

    Immediate Family

  • Members
  • PipPipPipPip
  • 481 posts

Posted 19 December 2004 - 05:06 AM

I'm still running MT 2.63, and I'm afraid to upgrade to 3.x...
Any suggestions? I don't want to be the one to take down a TCH server...

I have mt-blacklist installed, and no spam comments are getting through, as far as I can tell.... but could the server still be affected?



If you do not wish to purchase a license to run MT 3.x I would recommend you upgrade to MT 2.661.

#54 AlanV

AlanV

    Distant Family

  • Members
  • PipPipPip
  • 156 posts

Posted 19 December 2004 - 08:26 AM

I'm still running MT 2.63, and I'm afraid to upgrade to 3.x...
Any suggestions? I don't want to be the one to take down a TCH server...

I have mt-blacklist installed, and no spam comments are getting through, as far as I can tell.... but could the server still be affected?



If you do not wish to purchase a license to run MT 3.x I would recommend you upgrade to MT 2.661.


Where can I get that?
I don't see anything except the newest one on the official site...

#55 LisaJill

LisaJill

    Immediate Family

  • Members
  • PipPipPipPip
  • 1,660 posts

Posted 19 December 2004 - 02:09 PM

You have to register for typekey then login, and apparently (I've not done this) it'll show up as one of the listed pieces of software you can use.

Apparently that's not going to last (at least, from what I saw of one of shelley's posts on the MT forum) so make sure you keep a tar'd copy of that around in case you need it in the future.

Also, note - I haven't read it, nor downloaded it - but apparently the license in 2.661 also reflects the NEW licensing scheme, not the old; unlike the old copies of 2.661. So a newly downloaded copy would adhere to the new pricing format. Again, I haven't checked this but that seems to be the consensus on the MT forums.

If that is the case, you're in trouble. =)

#56 MikeJ

MikeJ

    Big Gorilla

  • Members
  • PipPipPipPip
  • 2,369 posts

Posted 20 December 2004 - 12:25 PM

Also, note - I haven't read it, nor downloaded it - but apparently the license in 2.661 also reflects the NEW licensing scheme, not the old; unlike the old copies of 2.661. So a newly downloaded copy would adhere to the new pricing format. Again, I haven't checked this but that seems to be the consensus on the MT forums.



In general, 2.661 is just a temporary solution anyway. Most of the plugins (like the one above) for MT these days I don't believe are supporting 2.661. You're better off evaluating your future direction, then based on that upgrade to 3.x, or switch to another system.

#57 arvind

arvind

    Immediate Family

  • Members
  • PipPipPipPip
  • 481 posts

Posted 20 December 2004 - 11:51 PM

Movable Type 3.14 Released. Upgrade strongly recommended.

#58 a__kc

a__kc

    Family Friend

  • Members
  • PipPip
  • 30 posts

Posted 28 January 2005 - 03:09 PM

HCSuperStores, I do have to apologize to you and any other user who was affected by the initial filters that I set. I did eventually realize that the filters were too broad. As you've mentioned, this has now been corrected and things should look much better. But to all users that do see a 406 error and you know you haven't done anything wrong... please do send a ticket into us so that we can investigate it and again fine tune the filters.


Today I saw 406 errors for the first time, quite surprising. The messages claim that one or another "resource" (name of script indicated) could not be found on the server. This seems to occur only when posting forms but only with some contents and not others.

I've been able to use a set of anti-spam tools quite effectively, including one I coded.

I also upgraded to MT 3.15 yesterday, though it sounds like it's a server-side thing. I might re-install but doubt that would help.

Edited: I've opened a ticket. Please regard this post as "experience-sharing". :shocking:

Edited by a__kc, 28 January 2005 - 03:33 PM.


#59 TCH-Bruce

TCH-Bruce

    Volunteer Moderator

  • Members
  • PipPipPipPip
  • 19,960 posts

Posted 28 January 2005 - 03:16 PM

If you think there is an issue with the server, please open a help desk ticket (link at top of page) and report it. The mods do not have access to the servers or your account.

Thanks

Bruce Richards
Forum Moderator
TotalChoice Hosting, Inc.
Webhosting by Total Choice Web Hosting - General Support Forum

I am a Forum Moderator. While I can assist in answering most of your hosting related questions, I am unable to answer questions about specifics relating to your account such as billing and server related issues. Should you need assistance in these areas, please contact our Help Desk or our many other options. Another good place to find answers is with our help pages, tutorials and movie tutorials.


#60 daregal13

daregal13

    New To The Neighborhood

  • Members
  • Pip
  • 7 posts

Posted 18 February 2005 - 03:33 AM

We have seen an increase in comment spamming on Movable Type blogs. This is now happening more often since spammers have discovered this as a new way of spamming.

TotalChoice Hosting would like to strongly suggest all Movable Type users to take some simple actions to prevent your blog from being spammed. There is a very useful article at:

http://www.elise.com...erning_spam.php


I was wondering what these blogs and MT's are when I got the e-mail from TCH. After reading all the posts here, I still don't have an idea :clapping: I guess that is good, that means I don't have that in my site then I don't have to worry about getting in trouble with TCH, right?? :)

#61 TCH-Bruce

TCH-Bruce

    Volunteer Moderator

  • Members
  • PipPipPipPip
  • 19,960 posts

Posted 18 February 2005 - 08:19 AM

I was wondering what these blogs and MT's are when I got the e-mail from TCH. After reading all the posts here, I still don't have an idea :thumbup1: I guess that is good, that means I don't have that in my site then I don't have to worry about getting in trouble with TCH, right?? :eek:

If you did not install Movable Type then yes, you are safe. Movable Type is a blogging software. In its simplest terms a blog is a web journal you create and can allow people to comment on what you write.

Bruce Richards
Forum Moderator
TotalChoice Hosting, Inc.
Webhosting by Total Choice Web Hosting - General Support Forum



#62 annie

annie

    Immediate Family

  • Members
  • PipPipPipPip
  • 490 posts

Posted 18 February 2005 - 08:32 AM

The advice about renaming the comment script doesn't help much. One of the most prolific comment spammers, the Bulgarians, adapt quickly. Last time I changed mine, they didn't even try the old one, just went straight for the new one.

What does help, is a few .htaccess tricks.

# This seems to stop the Bulgarians:
# (mod_rewrite has to be switched on before the rule is evaluated)
RewriteEngine On
RewriteCond %{HTTP:VIA} ^.+pinappleproxy
RewriteRule .* - [L,F]

This one seems to stop Alexander Morozov:

SetEnvIf User-Agent "compatible; MSIE 5.5; Windows 98; Win 9x 4.90" spammer

<Limit POST>
Order Allow,Deny
Allow from all
Deny from env=spammer
</Limit>

And this one seems to stop him from actually browsing:

SetEnvIfNoCase X-AAAAAAAAAAAA 1 spammer=yes

There are more tricks, of course.

I keep a running commentary on the tactics of these spammers on my blog (click the smiley):

:thumbup1:

#63 OrangeHairedBoy

OrangeHairedBoy

    New To The Neighborhood

  • Members
  • Pip
  • 13 posts

Posted 03 July 2005 - 11:17 PM

I installed MT-Keystrokes and eliminated 100% of my comment spam.

http://overstated.ne.../mt-keystrokes/
Read my blog: orange haired boy

#64 salguod

salguod

    Family Friend

  • Members
  • PipPip
  • 79 posts

Posted 24 June 2006 - 09:15 AM

I've heard good things about MT-Keystrokes as well.

I've had very good results with the Weblog Defense Grid from Solid Wall of Code. It's a combination of a SpamLookup extension with enhanced functionality, a comprehensive list of junk filters and a plugin that automatically bans IP addresses based on junked items.
salguod
salguod.net

#65 salguod

salguod

    Family Friend

  • Members
  • PipPip
  • 79 posts

Posted 11 January 2007 - 04:09 PM

A recent addition to my anti-spam arsenal is Ccode and Tcode and they are awesome. 100% effective in my experience, not a single spam has gotten through since I installed them. In fact, I have no junk comments in my database either since it blocks them prior to getting in the system.

I don't entirely understand their operation, but I understand they add a hidden form field generated from the content of the post itself that operates like the CAPTCHA that Blogger uses. Comments cannot be submitted by hitting the comment script directly, they have to go through the comment button on the actual page. The nice thing is that, unlike Blogger's maddening CAPTCHA image, the user doesn't need to do anything special.
salguod
salguod.net
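An added example, not the code of Ccode, Tcode or MT Approval: a sketch of the general idea described in this post and in the MT Approval post earlier in the thread, where the entry page carries a hidden field derived from the post and the comment script rejects submissions without it. The HMAC construction, the secret, the field names and the sample entries are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"   # placeholder; keep the real one server-side
MAX_AGE = 3600                        # assumed token lifetime in seconds

# Constructed stand-in for the blog's entry table: entry_id -> entry text.
ENTRIES = {101: "Fighting comment spam", 102: "Renaming the comment script"}

def _mac(entry_id, body, issued):
    """Bind the token to one entry, its content, and its issue time."""
    digest = hashlib.sha256(body.encode()).hexdigest()
    msg = f"{entry_id}|{digest}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(entry_id, now=None):
    """Value for the hidden form field when the entry page is rendered."""
    issued = int(time.time() if now is None else now)
    return f"{issued}:{_mac(entry_id, ENTRIES[entry_id], issued)}"

def accept_comment(form, now=None):
    """Decide whether a submitted comment form may proceed: (ok, reason)."""
    now = int(time.time() if now is None else now)
    try:
        entry_id = int(form.get("entry_id", ""))
    except ValueError:
        return False, "bad entry_id"
    body = ENTRIES.get(entry_id)
    if body is None:                      # comment aimed at a post that
        return False, "no such entry"     # does not exist (yet)
    issued_s, _, mac = form.get("token", "").partition(":")
    if not (issued_s.isascii() and issued_s.isdigit() and mac):
        return False, "missing token"     # script was hit directly
    issued = int(issued_s)
    if not 0 <= now - issued <= MAX_AGE:
        return False, "stale token"
    expected = _mac(entry_id, body, issued)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad token"         # token from another entry, or forged
    return True, "ok"

if __name__ == "__main__":
    tok = issue_token(101)
    print(accept_comment({"entry_id": "101", "token": tok}))
    print(accept_comment({"entry_id": "101"}))
```

A check like this only forces the client to load the entry page first; as noted earlier in the thread, a spider that parses the form can still pick the field up, so it complements throttling and filtering.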



