October 12, 2003

More on comment spam

There's a thread over at Making Light about a specific comment spammer who has been posting ads for what is allegedly child pornography. This guy is really obnoxious - one blogger reports having it show up on 89 posts so far (I've only had to delete him 4 times - and I was getting frustrated with that!). Apparently, he has a large block of IP addresses that he uses (MT can block comments by IP address). Unfortunately, he was able to get through my setup of the "Kill Comment Spam Dead" hack even after I had added at least one of his URLs to the list, so I am going to be using IP banning as well to try and keep him off.

As a result, I am banning all IPs in the "209.210.176." range. It's known that he holds at least 63 of those IPs, but I'm going ahead and blocking the entire IP range. For anyone else using MT who wants to do likewise, just add the above string (including the final dot) to your "IP Banning" section under "Weblog Configuration". He also appears to be using 62.42.228.6 and 199.20.16.200.

In the comments section of the same thread, Charlie Stross offers another list of IP numbers to block, which have been sending out large numbers of spam messages:

38.144.36.13
65.214.36.118
203.54.241.113
4.63.166.229
12.148.209.198
66.196.90.39
62.42.228.6
82.41.201.108
12.148.209.198
68.194.33.229
81.131.176.87

Also, Jay Allen will be releasing a plug-in version of his "Kill Comment Spam Dead Blacklist" tomorrow - he gave his URL in comments to check for more information: http://www.jayallen.org/journey/2003/10/mtblacklist_monday_hell_or_high_water

Eric Olsen offers a couple of different ideas on dealing with the situation. First is to modify the .htaccess file (if your host allows you to). He gives the following instructions on doing so, if you want to go that route:

.htaccess is the way to go, simply because you can use netmasks or CIDR to limit what you cut, and you don't have to type in a few dozen IPs.

It's dependent on htaccess configuration being turned on. Contact your sysadmin if this doesn't work. Otherwise, create the following file in the root of your webserver, named ".htaccess". The leading dot is important.


# Deny rules are evaluated first, then Allow; anything not denied gets in.
Order Deny,Allow
deny from 209.210.176.0/26

Or, if you prefer netmasks to CIDR:
deny from 209.210.176.0/255.255.255.192

Kip's spammer is a 16 bit netblock (an old Class B) issued to Telecom Malaysia. If they are using DHCP, and this spammer's dialing up, the only way is to kill the whole Class B -- over 16,000 addresses. You can do that in one line:

deny from 219.95.0.0/16
or
deny from 219.95.0.0/255.255.0.0

How much extra damage this will do, I don't know. You may want to try just the one IP first; if you keep getting hit from the 219.95.14.0 block, expand it to the /24, and if that doesn't work, go for the whole /16.

And, just so you know, one way to give up is:

deny from 0.0.0.0/0

Though, technically, the trailing /0 is redundant.
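The deny rules above come in three notations (MT's trailing-dot prefix string, CIDR, and a dotted netmask), and it is easy to misjudge how much each one covers. As an added example (my own, not from the post or from Eric Olsen), here is a Python script that normalises all three forms with the standard ipaddress module, reports how many addresses each rule spans, checks which rules a given address would hit, and rejects a malformed mask instead of silently accepting it. The rule list and the sample addresses are constructed for the example.

```python
import ipaddress

# Constructed rule list in the forms that appear in the post:
# an MT-style prefix string, a CIDR block, a dotted netmask, a single host.
DENY_RULES = [
    "209.210.176.",               # MT prefix string: whole /24
    "209.210.176.0/26",           # CIDR: 209.210.176.0 - 209.210.176.63
    "219.95.0.0/255.255.0.0",     # dotted netmask: the whole old Class B
    "62.42.228.6",                # one host
]


def rule_to_network(rule: str) -> ipaddress.IPv4Network:
    """Turn one deny rule into an IPv4Network.

    Raises ValueError (including ipaddress.NetmaskValueError) when the
    rule cannot be a valid block, e.g. a non-contiguous netmask.
    """
    rule = rule.strip()
    if rule.endswith("."):
        # "209.210.176." -> 209.210.176.0/24, "219.95." -> 219.95.0.0/16
        octets = rule.rstrip(".").split(".")
        if not 1 <= len(octets) <= 3:
            raise ValueError(f"bad prefix string: {rule!r}")
        base = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.IPv4Network(f"{base}/{8 * len(octets)}")
    # ipaddress accepts "a.b.c.d/26" and "a.b.c.d/255.255.255.192" alike;
    # a bare host becomes a /32. strict=False tolerates host bits in the base.
    return ipaddress.IPv4Network(rule, strict=False)


def validate_rule(rule: str) -> bool:
    """True if the rule parses; False for a malformed mask or prefix."""
    try:
        rule_to_network(rule)
        return True
    except ValueError:
        return False


def rule_scope(rule: str) -> int:
    """Number of addresses a rule denies (the collateral-damage figure)."""
    return rule_to_network(rule).num_addresses


def matching_rules(ip: str, rules=DENY_RULES) -> list:
    """All rules that would deny the given address."""
    addr = ipaddress.IPv4Address(ip)
    return [r for r in rules if addr in rule_to_network(r)]


if __name__ == "__main__":
    for rule in DENY_RULES:
        net = rule_to_network(rule)
        print(f"{rule:28} -> {str(net):20} mask {net.netmask} "
              f"covers {net.num_addresses} addresses")
    # Constructed sample addresses: inside the /24 but outside the /26,
    # inside the /26, inside the /16, and an unrelated one.
    for ip in ("209.210.176.100", "209.210.176.40", "219.95.14.7", "198.51.100.4"):
        print(f"{ip:16} denied by {matching_rules(ip) or 'nothing'}")
    print("255.255.255.178 is a valid mask:",
          validate_rule("209.210.176.0/255.255.255.178"))
```

Running it shows the point Eric makes about collateral damage in numbers: the prefix string denies 256 addresses, the /26 only 64, and the Class B rule 65,536. An address such as 209.210.176.100 is caught by the MT prefix string but not by the /26, so the two forms are not interchangeable. A mask that is not a contiguous run of ones is refused by ipaddress, which is the check worth running before pasting a rule into a live .htaccess, since Apache will not comment on a typo there.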

I'm not sure if I'm up to messing around with .htaccess yet, but I thought I'd at least post it here for anyone else who's interested :)

Another of his suggestions (apparently inspired by Charlie Stross's attempts at solving the comment spam) is to try and defeat the bots that do all of the postings. Apparently there is a spider bot that is out searching for "mt-comments.cgi" across the web and using that to post the spams, so a potential dodge is to rename "mt-comments.cgi". This is a bit riskier, though, because you also have to modify your templates to make sure they know where to look. Here are the instructions for this particular method:

One defense is to rename mt-comments.cgi, call only it, and install a trap cgi that automatically blocks anyone calling mt-comments.cgi.

Problem: Anybody who follows an old link to your comments will get blocked.

Renaming the mt-comments.cgi alone may be enough to stop this spammer's bot -- but it may not last long.

To rename it, you'll need to rename the mt-comments.cgi file, then you'll need to edit your template to change the call. Look for the OpenComments javascript, in it, there will be a "window.open" call that should have, as a first parameter, a URL ending in mt-comments.cgi. Change that to match what you've renamed the comments cgi.

Easiest way to not lose.

1) Copy mt-comments.cgi to something else. Make up a name. I'm deliberately *not* giving a name here, I want all of you to have different ones. (If the spider is looking for names, and you all change to the same name, he'll change the spider.) Make certain it ends in .cgi, though.

2) Edit your template, change the "window.open" call to the new name. On this blog, the function is right at the top, I don't know if that's universally true. Save it off.

Reload the page. Make sure comments still work. Now.

3) Rename mt-comments.cgi to mt-comments.off.

Reload page, make sure comments still work. If they do, then you're done. If they don't, rename mt-comments.off back to mt-comments.cgi, and check your templates to make sure you've changed the OpenComments function.

I wish I could test this, but I don't run MT or have a blog, I'm just a sysadmin. As Knuth famously wrote, "Beware of bugs in the above code; I have only proved it correct, not tried it."

The truly paranoid would back everything up first. The properly paranoid would make sure that the restore worked, as well.
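Eric mentions a "trap cgi" left at the old mt-comments.cgi name, and the problem that anyone following a stale link gets blocked along with the bots. As an added example (mine, not Eric's and not part of MT), here is a small Python CGI that plays that role: a POST to the retired name is treated as a comment-posting bot and the client address is appended to a ban file, while a plain GET (what a browser does when someone follows an old link) gets a 410 Gone without being banned. The file name, the GET/POST distinction and the response texts are choices made for this example; feeding the ban file into MT's "IP Banning" list or an .htaccess is left to the site.

```python
import os
import sys
import time

# Assumed file name for this example. The real blog's ban list lives in MT's
# "IP Banning" configuration or in .htaccess; this script only records
# addresses, it does not edit either of those.
BAN_FILE = "trap-banned-ips.txt"


def classify_request(environ, banned):
    """Decide what the decoy does with one request.

    environ: the CGI environment (REMOTE_ADDR, REQUEST_METHOD, ...)
    banned:  mutable set of already-trapped addresses; new ones are added.
    Returns (http_status, reason).
    """
    ip = environ.get("REMOTE_ADDR", "").strip()
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if not ip:
        return 400, "no client address"
    if ip in banned:
        return 403, "already banned"
    if method == "POST":
        # Only a comment *submission* to the retired name is treated as bot
        # traffic; a human following an old link would only GET it.
        banned.add(ip)
        return 403, "trapped"
    return 410, "this comment script has moved; old links no longer work"


def load_banned(path):
    """One address per line; a missing file means nobody is banned yet."""
    try:
        with open(path) as f:
            return {line.strip() for line in f if line.strip()}
    except FileNotFoundError:
        return set()


def save_banned(path, banned):
    with open(path, "w") as f:
        for ip in sorted(banned):
            f.write(ip + "\n")


def cgi_response(status, reason):
    """Minimal CGI reply: a Status header, a content type, a plain body."""
    text = {400: "Bad Request", 403: "Forbidden", 410: "Gone"}[status]
    return (f"Status: {status} {text}\r\n"
            f"Content-Type: text/plain\r\n\r\n{reason}\n")


def main():
    banned = load_banned(BAN_FILE)
    status, reason = classify_request(os.environ, banned)
    save_banned(BAN_FILE, banned)
    sys.stdout.write(cgi_response(status, reason))
    # Goes to the web server's error log, which is where a sysadmin looks.
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S")
    sys.stderr.write(f"{stamp} trap {status} "
                     f"{os.environ.get('REMOTE_ADDR', '-')} {reason}\n")


if __name__ == "__main__":
    main()
```

Installed under the old name (with the real, renamed script nowhere linked from it), this turns the spider's own search string into the thing that gets it listed, and it keeps the ban decision in one small function that can be unit-tested with a constructed environment dict rather than against a live server. The trade-off Eric describes still applies to anyone who posts through a saved copy of the old form, which is why the example bans on POST only.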

Again, I'm not sure I'm confident enough of my own skills to try doing this, but there it is if you want to try it :)

I'll try to update this thread as I learn more - and be sure to check the comments at the original post over at Making Light, as that's where the actual discussion is happening.

UPDATE: Oh, yeah! I meant to mention - if, in my efforts to block comment spam, I've gotten a bit over-zealous and knocked out a few legit IPs - and if you have comments you want to post, but can't because yours is one I killed, just e-mail me with your comment and let me know what happened.

2nd UPDATE: Yoz Grahame offers 7 tips on defeating comment spam, including changing your comment script, not linking to your comment script from your front page, including several decoy forms in the Individual Entry template, requiring a hidden variable for the comment script, separating "Preview" and "Post" into two separate scripts, or including a "Delete this post" link in notification mail. He gives good instructions for each option and explains the reasoning behind each of the tips he's offering.

Kelsey Consulting is also looking into the problem and has a few threads on the issue, as well as links to others who are working on it as well.

Simon Willison has put together a spammer blacklist that you can copy into the "Kill Comment Spam Dead" system (or other URL based system if you're using one), and also has other threads, linked from page referenced above, on the subject.

And last (at least for this update), but certainly not least, is the Movable Type support forum's thread on the subject.

Posted by thorswitch at October 12, 2003 08:38 PM


Comments

What's a pretty blog!!!

Posted by: Barom at November 17, 2003 09:08 AM

yeah!!! Good Idea!!!

Posted by: Pok at November 17, 2003 09:24 AM

What's a pretty blog!!!

Posted by: Barom at November 17, 2003 09:38 AM

What's a pretty blog!!!

Posted by: Barom at November 17, 2003 09:44 AM

What's a pretty blog!!!

Posted by: Barom at November 17, 2003 09:45 AM

What's a pretty blog!!!

Posted by: Barom at November 17, 2003 09:47 AM

What's a pretty blog!!!

Posted by: Barom at November 17, 2003 09:48 AM

What's a pretty blog!!!

Posted by: Barom at November 17, 2003 09:49 AM

Cool blog!

Posted by: Mister X at December 19, 2003 08:55 AM

Happy Christmas!!!

Posted by: Aby at January 6, 2004 02:14 PM

Yeeeahd, it's csool

Posted by: Numit at February 21, 2004 06:29 AM