My Perl-Fu is Unbeatable!

I’ve made another tweak to the comment form. Previously, my defense against comment spammers relied upon the Perl operator !. Although this stopped most spammers cold, over the last few weeks the spam has crept up from nonexistent to several a day. This is unacceptable. So after some arduous research, I have added another weapon to my arsenal: the Perl operator ne. Take that, evil spammers!

In all seriousness, adding the “Yes/No” radio button seemed the simplest-stupidest possible change I could make, right after the previous tweak (empty text field, type anything you like). I’m not sure if the radio button will work, but we’ll see over the next few days how well it holds up. According to my logs, the empty text field trick was blocking just about 98% of the comment spam. By that I mean, 98% of the requests that were actually trying to post to my real, active comment form. The standard MT comment script, mt-comments.cgi, is just getting hammered. Or it would be if it existed on this site.

So here’s hoping the radio button trick does a little better than 98%. At the very least, I like the humor value of asking the user explicitly whether he or she (or most likely, it) is a spammer. But if this doesn’t work, I’ll continue to morph the profile of my comment form until it eventually includes a CAPTCHA, a text-message challenge/response, and biometric identification submitted via snail mail. Remember to please seal those plastic bags before sending, people. Thanks.

(Or I could just use Akismet. But that’s kind of a last resort.)
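The two form checks the post describes, written out as an added example (this is not the blog's own comment script). The field names `anything` and `spammer` and the sample submissions are assumptions constructed for illustration:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not the blog's own code. Field names and the sample
# submissions below are constructed for illustration.
sub reject_reason {
    my ($f) = @_;    # hashref of submitted form fields

    # Tweak 1, the "!" operator: a visible text field the human is told to
    # type anything into. Fast-and-dumb scripts post it empty (or omit it).
    # Caveat: a lone "0" is also false in Perl, so a human who types "0"
    # gets blocked as well.
    return 'challenge field empty' if !$f->{anything};

    # Tweak 2, the "ne" operator: the "Are you a spammer? Yes/No" radio.
    # Only an explicit "no" passes; a missing field or "yes" is rejected.
    return 'radio button not "no"' if ( $f->{spammer} // '' ) ne 'no';

    return;    # undef: both checks passed, hand off to the real handler
}

# Constructed sample submissions: one human, three bot-like scripts.
my @submissions = (
    [ human          => { comment => 'Nice post', anything => 'hi', spammer => 'no' } ],
    [ dumb_bot       => { comment => 'buy pills', anything => '',   spammer => 'no' } ],
    [ no_radio_bot   => { comment => 'buy pills', anything => 'x' } ],
    [ honest_spammer => { comment => 'buy pills', anything => 'x',  spammer => 'yes' } ],
);

for my $s (@submissions) {
    my ( $who, $fields ) = @$s;
    my $why = reject_reason($fields);
    # In the real CGI this would be a warn() so it lands in the server's
    # error log, which is where a block rate like the post's 98% is read from.
    printf "%-15s %s\n", $who, defined $why ? "blocked: $why" : 'accepted';
}
```

Only the first submission is accepted; the other three are blocked with the reason that would be logged.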

15 thoughts on “My Perl-Fu is Unbeatable!”

  1. I still think kittenauth is the Best. Spamblock. EVAR.

    Or would be if they’d get it back into working condition. It used to work! But now the test version on the site is broken. Very strange.

  2. Re: Akismet — there was, for a while, a spamblock service — I think it was called CloudNet? — that offered plugins/patches for some of the common mail readers (Netscape, Outlook Express, Eudora) which would basically pass all your email through an online tester… I think SpamAssassin and GMail (and the modern incarnations of other webmail services like Yahoo Mail, which presumably do similar spam filtering) put them out of business. SpamAssassin can run locally, rather than having everybody hammer remote servers, and if you’re online, you can use GMail, which can run its spam processing as the mail arrives (when you’re not necessarily logged in), rather than having you wait for processing when you’re trying to download your mail…

  3. Heh, I remember kittenauth.

    Regarding these centralized solutions for comment spam — I had tried MT-Blacklist, which filtered on URLs. Eventually it couldn’t keep up, because the spammers kept changing their URLs every week. The spammers basically figured out how to defeat MT-Blacklist.

    I have no idea how well Akismet works. But before trying it, I would rather try to attack the fundamental weakness of comment spam. Which is: to send an email spam, you just need to know someone’s email address, and then you can spam them forever until they change their address. To send a comment spam, you need to be able to do an HTTP POST to a form with several fields — fields which I can change at will. 🙂 And fortunately for me, with so many blogs presenting the same comment interface (LiveJournal / Blogger / MT / whatever), it seems it is in the interests of the comment spammers to write scripts that are fast and dumb. (If anyone wants hard evidence for that assertion, I’d be happy to send them a gzipped version of my error logs.)

    I guess my point is, security through obscurity is a good thing, if you’re obscure enough.

  4. Great kid… don’t get cocky. 🙂

    Security through obscurity works great until someone is specifically looking for you. Or wants to joe-job your domain out of existence. Or you want to snap-in some tools that need the defaults.

  5. Dru — all points well-taken. Hey, if someone specifically came after me of all people, I’d be kind of flattered.

    Anyway, speaking of, “[Got ‘im — I got ‘im!](http://www.imdb.com/title/tt0076759/quotes)” territory… I used to have two different spammers who were independently smart enough to see through the empty-field trick. The radio button trick *seems* to have knocked out one of those spammers. So we’re making a little progress. Hmmm.

  6. Oh, I see from the stuff below (that I always ignored before) that you have. Waaaaa! I don’t want to learn yet another stupid markup language. I like HTML fine. (OK, HTML sucks, but at least I already know it.)

  7. | Oh, I see from the stuff below (that I always
    | ignored before) that you have. Waaaaa! I don’t
    | want to learn yet another stupid markup language.
    | I like HTML fine. (OK, HTML sucks, but at least I
    | already know it.)

    I hear you. However, the old system allowed a tiny subset of HTML inline elements. The new system allows real lists, real blockquotes, etc, while still making it very hard for someone to completely fux0r the entire page by, say, forgetting to provide a close tag.

    The only really hard one to remember is inline links (square brackets, parentheses, what the heck?) But plain URLs like http://auros.livejournal.com automatically get linked.

  8. Since we’re on the subjects of security and filtering HTML, it seems appropriate to share a funny security story about LiveJournal. Once upon a time, LiveJournal profiles allowed you to enter a gender of:

    – Male
    – Female
    – *arbitrary javascript*

    And since LiveJournal URLs used to look like:

    http://livejournal.com/auros

    that JavaScript would be able to manipulate the DOM of *any* LJ user’s page, including changing that user’s gender from “Male” to “*arbitrary javascript*”. Eventually someone wrote a JavaScript worm that rapidly infected hundreds of thousands of LJ users. And that’s why LJ had to change all its URLs to the new scheme practically overnight.

    When I heard that story, I thought to myself, “Someone needs to set up a dating site for persons with the gender *arbitrary javascript*.” But I guess the humor value of that site would be somewhat limited…

  9. I believe it was actually “male, female, arbitrary unfiltered text”. That is, you could put script into the text because they failed to filter for that possibility, but it wasn’t intended for that…

  10. Pretty twisted, yes. Actually, it’s really terrifying what can happen to someone if they accidentally happen to visit an “evil” page, or visit a “good” page corrupted through XSS. It’s to the point where I’m starting to believe that nobody should use the Internet for anything, ever.

    Perhaps the only reason these problems aren’t worse is that the bad guys are spending too much time managing their hundreds-of-thousands strong Windows zombie farms to spend time crafting and polishing browser-based attacks.
