Resolving comment spam with MovableType
Over the last several months, I've had an increasingly challenging battle against comment spam. I've been getting all sorts of undesirable comments and trackbacks.
One of my main objectives was that I did not want to shut off the comments, because I like the idea of people being able to leave feedback about a certain topic when they read it. I also didn't want to expire comments after a set time, because again, I want people to be able to leave feedback for me and others, even if they read the post two years after it was authored.
MovableType (the blog engine that I use) has been around for quite some time and has matured quite nicely over the years. There have also been some wonderful plugins authored for it. One of the most notable is MT-BlackList by Jay Allen. Using MT-BlackList, I've been able to stop an incredible amount of undesirable content from reaching my readers. However, MT-BlackList only solves part of the problem (blocking known comment spam URLs).
I've recently discovered another, very effective, way of stopping comment spam for MovableType weblogs. This technique involves modifying the mt.cfg file and changing the name of the comments CGI script. The only drawback to MovableType being around as long as it has is that people have become very familiar with it. Knowing the name of the CGI script and the parameters to pass, they can set up bots to hit it with a list of data (i.e. blog 1, entry 1; blog 1, entry 2) in sort of a war-dialer fashion.
So, if you can remove the attack surface (by changing the name of the well-known MT comment script), you should be able to significantly reduce the amount of comment spam received. To do this, follow these steps:
- Locate the mt.cfg file (in your MT root)
- Search the file for the line that says # CommentScript mt-comments.cgi (in my file, it was line 333)
- Uncomment this line by removing the # character
- Change mt-comments.cgi to a different name (making note of what you changed it to)
- Using your FTP program, rename mt-comments.cgi (in your MT root) to the name used above
- Upload the modified mt.cfg file to your host
- Log in to the MT control panel and rebuild all your files
When this is completed, you should be able to view source on your pages and notice that your comment forms have a different action. The action should now be the name that you gave the CommentScript configuration item in the mt.cfg file.
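The steps above and the view-source check, scripted as an added example that is not part of the original post: the MT root, the new script name, the rebuilt page and the access-log lines are all constructed assumptions, and the last function goes one step further than the post by counting requests that still arrive for the old script name after the rename.

```shell
#!/bin/sh
# Added example (not code from the original post): scripts the mt.cfg change and
# rename described above, then checks the rebuilt pages and the access log.
# All paths, the new script name and the log lines are constructed assumptions.
set -eu

# Point CommentScript in mt.cfg at the new name, uncommenting or adding the line.
set_comment_script() {  # $1 = path to mt.cfg, $2 = new script name
    if grep -Eq '^#? *CommentScript ' "$1"; then
        sed -E "s|^#? *CommentScript .*|CommentScript $2|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf 'CommentScript %s\n' "$2" >> "$1"
    fi
}

# Read back the configured name so the rename uses exactly what mt.cfg says.
configured_script() { sed -En 's/^CommentScript +([^ ]+) *$/\1/p' "$1"; }

# The FTP step: rename the CGI in the MT root to match mt.cfg.
rename_comment_script() {  # $1 = MT root, $2 = new script name
    mv "$1/mt-comments.cgi" "$1/$2"
}

# After the rebuild, list pages whose form still posts to the old, well-known name.
pages_with_old_action() {  # $1 = directory of rebuilt .html files
    grep -l 'action="[^"]*mt-comments\.cgi"' "$1"/*.html 2>/dev/null || true
}

# Detection: count requests for the old name in a combined-format access log on
# stdin. After the rename these are 404s, so they show bots still trying the path.
old_script_hits() { grep -c 'mt-comments\.cgi' || true; }

# --- demo on a throwaway MT root ---
root=$(mktemp -d)
printf '# CommentScript mt-comments.cgi\n' > "$root/mt.cfg"
: > "$root/mt-comments.cgi"
mkdir "$root/html"
printf '<form action="/mt/mt-comments.cgi">\n' > "$root/html/entry1.html"  # not yet rebuilt

set_comment_script "$root/mt.cfg" "mt-feedback-7x2q.cgi"
rename_comment_script "$root" "$(configured_script "$root/mt.cfg")"
echo "configured script: $(configured_script "$root/mt.cfg")"
echo "pages still posting to the old name: $(pages_with_old_action "$root/html")"

LOG='203.0.113.5 - - [10/Oct/2004:03:12:01 +0000] "POST /mt/mt-comments.cgi HTTP/1.0" 404 312
203.0.113.5 - - [10/Oct/2004:03:12:02 +0000] "POST /mt/mt-comments.cgi HTTP/1.0" 404 312
198.51.100.7 - - [10/Oct/2004:09:40:11 +0000] "POST /mt/mt-feedback-7x2q.cgi HTTP/1.0" 200 1983'
echo "requests for the old script: $(printf '%s\n' "$LOG" | old_script_hits)"
```

A page listed by pages_with_old_action simply has not been rebuilt yet; the old-name request count is a cheap way to tell whether the bots have given up or are still knocking.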
Now, since you've reduced the attack surface against your blog, comment spammers will in all likelihood move on to an easier target. If, for some reason, you find the automated attacks are back, simply follow the above procedure again.
I've noticed a very steep decline in comment spam since making these changes. We're talking from 30 or 40 per day to 0 for the last 5 days. I really hope that this can help someone else as well, since comment spam is something we are all battling together.
I am using James Seng’s CAPTCHA plugin which is available at http://james.seng.cc/archives/000145.html
There was not much to getting this installed. I followed the directions in the README step by step and then just adjusted the presentation of the comments form slightly to make it fit in with the rest of the page.
This is cool, you have to try it. I guessed 44814, and this game guessed it! See it here - http://www.funbrain.com/guess/
Thanks for this Matt. I'm running Movable Type on my Windows 2003 server and have had no joy getting MT-Blacklist to work. I was wondering what plugin you are using for your security code box and if you have found this useful? I've tried modifying the mt-comment script but my perl just ain't up to it…