I was the victim of a significant blogspamming attack about a week ago, just after I upgraded the version of Movable Type this blog runs on to the latest version, 3.121 (see related stories at Slashdot, Movable Type, and Netcraft). A few days after the upgrade, my host had to chmod 000 my mt-comments.cgi after there were over 30 concurrent processes hitting the script and it was maxing out the co-hosted server I’m on. I’ve no idea whether I was the only victim of this attack, but given the nature of my host (Logjamming, who I recommend highly, BTW), I’d guess not.

Ever helpful, Josh at Logjamming emailed me to make sure I knew what had gone on and pointed me at some resources to help me out with increasing security on my blog.

So, now I’ve installed MT-Blacklist as a first measure. I’ve had no spam since, so it seems to be doing its job. I guess now it’s wait and see until the blogspammers write bots that can get around MT-Blacklist.

I’d like to implement some sort of captcha as well, but I haven’t found one which plays nice with MT-Blacklist yet.

Ideally, I’d switch the blog over to run on a CF-based blog such as Ray Camden’s Blog-CFC, but I don’t have access to a host charging a reasonable amount for the sort of CF-hosting I want. I wish I could remember who Sean Corfield was with so I could investigate them…

  1. I’d suggest an email authentication/login system. Let them post a comment (such as this), but don’t make it live immediately: store the comment with an active flag of false, then generate an email (the email address would be a required field during the post).

    The email would contain a link with a GUID that would only activate on the click of the link, from then on, you could provide a login since they’ve validated their email, perhaps store the guid in a cookie and check it on the next posting.

    Spammers thrive on the anonymous nature of their activity and are rather loath to provide some sort of trackback. Yes, they could probably create a spam email account rather easily, but it’s a chore for them to identify specific spams and authenticate the sending when they are sending out millions of emails at a shot.

    I’m with ya on the cost of hosting a blog. I ended up using Google’s AdSense, which for me provides just enough traffic to cover the monthly hosting price. It’s not a high volume site, so a site such as yours that’s featured on fullasagoog, you might actually end up with a little extra. The ads are text only and not very obtrusive.
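The activation flow the commenter sketches above, as an added example that is not part of the original post or of Movable Type: a small in-memory model in which a comment is stored with an active flag of false, a random single-use token is put in the emailed link, clicking it activates the comment and issues a cookie that lets the same address skip the round trip on its next posting. The 24-hour token lifetime, the expiry check and the in-memory store are assumptions, not part of the comment.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed lifetime for the emailed link; the comment above gives none.
TOKEN_TTL_SECONDS = 24 * 3600

@dataclass
class Comment:
    email: str
    body: str
    created: float
    active: bool = False  # stays False until the emailed link is clicked

class CommentQueue:
    """Holds submitted comments; only active ones are ever published."""

    def __init__(self):
        self._comments = []   # every submission, active or not
        self._by_token = {}   # activation token -> Comment, removed on use
        self._verified = {}   # cookie value -> email address it vouches for

    def submit(self, email, body, cookie=None, now=None):
        """Store the comment inactive; return (comment, token). token is None
        when a cookie from an earlier activation lets the poster skip email."""
        now = time.time() if now is None else now
        comment = Comment(email, body, created=now)
        self._comments.append(comment)
        if cookie is not None and self._verified.get(cookie) == email:
            comment.active = True
            return comment, None
        token = secrets.token_urlsafe(32)  # 256 random bits, never a counter
        self._by_token[token] = comment
        return comment, token

    def activate(self, token, now=None):
        """Emailed-link handler: single use, rejects expired tokens.
        Returns (comment, cookie) on success, None otherwise."""
        now = time.time() if now is None else now
        comment = self._by_token.pop(token, None)
        if comment is None or now - comment.created > TOKEN_TTL_SECONDS:
            return None
        comment.active = True
        cookie = secrets.token_urlsafe(32)
        self._verified[cookie] = comment.email
        return comment, cookie

    def live(self):
        return [c for c in self._comments if c.active]  # safe to render
```

A real deployment would persist the comments and tokens in the blog's database and send the token by mail; the logic of when a comment becomes visible is the same.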

  2. I wrote a very simple fake Captcha for MT that still worked with MT-Blacklist: I just used a fixed six-digit number but displayed the number using multiple fonts and colors (so each digit was separated from the others by HTML). I just edited the Perl files to implement it. Stopped all my spam.

    Then I moved to where I switched to Ray’s Blog CFC and imported all the MT data (I submitted the script to Ray and he includes it in Blog CFC now). is a mere $15/month if you pay a year in advance.

