Unbound Spiral: MT Comment Spam Solution

October 12, 2003 03:08 PM

James Seng creates a brilliant MT hack that I hope STOPS COMMENT SPAM dead! I've just installed it and it works. Take a test drive with a comment to this post. I particularly want a few fellow sufferers to know: Cal, John Cole, Teresa, Sassy Lawyer, Liz Lawley, Ton Zijlstra, Joseph, Abe, Glen, Dean, and Jay Allen. Can someone please compare what Jay is doing vs James Seng's solution?

James Seng's blog: Solution for comments spams

"Apparently, there are some automated bots which have been spamming comments on movabletype blogs. While it is easy to ban the IP and remove the posts, it takes a lot of time and effort to play the cat and mouse game.

To cut the story short, I wrote a plugin to MT that will verify if it is a human before it allows comments to be posted. The idea is pretty simple: Display an image with a Security Code and demand the user to enter a Security Code manually before allowing posting to go through.

To see how it works, try posting some comments on this site.

If you like it, you can download it here. (It is pretty rough since I skipped my sleep to do this. But it should work. I hope I have covered most of the edge cases...)"

Go now and get the code and instructions from James here. Then let him know with a trackback of thanks.

I'd note these additions to James' ReadMe instructions. You must CHMOD the cgi file and the new temp security directory to 755. If you need a text editor to open your MT/App/Comments.pm then go and get Boxer. Otherwise it is a fairly simple install. If you installed MT you can do this. I'd also note it works with the Simple Comments plug-in working.

Gee now I can think about Skype and other things again! Not the preferred way to spend a Sunday I'd add! Good luck with your installs!



Comments (17)

You must insert the code manually for the post to be accepted. The Proof is here!

Posted by: Stuart at October 12, 2003 4:07 PM

I said all I need to say here. Bravo for James for his effort and ingenuity, but he just did the universal accessibility effort a huge disservice for making it so easy.

You are essentially saying that people who have sight problems (blind, color blind or any other number of ailments), or those who use non-graphical browsers (e.g. Lynx, JAWS) or those who simply surf with images off (e.g. people on a slow connection) can no longer participate on your site.

Of course, it's your site. You can do what you like with it. I simply feel that it should just be noted that you are excluding a group of people of unknown size who are NOT peddling kiddie porn and sex-enhancing drugs.

Posted by: Jay Allen at October 12, 2003 4:18 PM

Jay, Thanks for your comment. I didn't put your comment on James's site together with your efforts to find a better solution. It's certainly not my policy to work on exclusion and you make a very valid point.

However this last week I've felt like my house has been painted nightly graphically and obscenely. I'd call the police if it was the "physical" world. I'm not one for fencing out those that have a different point of view. I've also not put ramps in and lighting may be bad at night.

I hope I've not excluded those that have legitimate reasons for visiting here. I have no idea how large or small the problem is.

So friends, if you have a problem, can't see it, etc. please contact me directly. I'll have to find something else. Similarly, if you prefer Jay's solution or another please share. Thanks.

Posted by: Stuart at October 12, 2003 4:45 PM

There is no 100% solution for a human problem. It is always an 80/20 rule.

I have fought email spams for many years; any reactive solutions always suffer from this 80/20, be it blacklisting, whitelisting, bayesian, spamassassin, etc.

While you believe in blacklist (I know you are working on your MT-blacklist and I believe many will also appreciate your effort), I, for one, do not believe in blacklist. I know how many machines spammers have under their control.

Blacklist in email solution is at best a political tool...the false positive is too high. It works as a political tool because when some large ISP blocks you, you better clean up your act.

This is dependent on the fact the other ISP is larger of course...Now would an ISP care because one of their users is unable to *post* comments on some guy's blog? I don't know...

Posted by: James Seng at October 12, 2003 5:02 PM

Incidentally, I don't mean blacklist is useless. In fact, I think blacklist as a political tool is extremely powerful. This is what made the Korean government buck up and start their anti-spam activities.

So, for those who want to make a stand, I say go for it and install MT-blacklist :-)

Posted by: James Seng at October 12, 2003 5:12 PM

I just turned off the url field on my site and disabled any hyperlinks in the comments, not ideal, but I just can't get excited about methods like this, feels too awkward. I'd rather have a low post threshold and no links.

Posted by: Abe at October 12, 2003 6:10 PM

in a comment i made on james seng's site, i offered a solution to the accessibility problems image recognition poses: offer an alternative for sending in comments. email is probably the easiest. a commenter can just email his comment, specifying the entry he's commenting on, to the blogger. then the blogger can enter the comment into mt himself on behalf of the commenter.

Posted by: charles at October 12, 2003 6:52 PM

>Blacklist in email solution is at best a political tool...
>the false positive is too high. It works as a political
>tool because when some large ISP blocks you, you
>better clean up your act.
>
>This is dependent on the fact the other ISP is larger
>of course...Now would an ISP care because one of
>their users is unable to *post* comments on some
>guy's blog? I don't know...

James, you are aware that we are not talking about an IP address blacklist a la ORBS, right? It is a content-based blacklist. A simple word censor, if you prefer, in its simplest form and a very powerful regular expressions matching engine deeper down.

I too was active for many years fighting spam back in the CAUCE days. Email spam is very different from website spam. This is infinitely more controllable, especially considering the connectivity of the victims and their control over the canvas.

Please understand, I am not against Turing tests, but a true Turing test discriminates between a computer and a human. Image recognition tests provide many false positives (as I outline above) and furthermore they are false positives which discriminate against a group of people who already have a hard enough time outside in the real world. There is a human element that really should be considered here.

If you are dying for a Turing test, here's one. Sit down and come up with 500 questions. They can be as easy as "What color is an orange?" or "What is the opposite of low?" Provide a field in the comment form for the answer. Even the blind can deal with those....

Posted by: Jay Allen at October 12, 2003 8:11 PM

Sheesh... all the tech talk is scaring the shit out of me. Not all bloggers are programmers or can understand programming. I don't. I'm only too happy that I can install scripts (like MT) by myself. But controlling a spam bot in MT comment boxes is beyond me--the only real solution I have is to turn comments off.

So I try to find solutions I can implement. I just really need to get something working. True, I don't want to exclude some unknown number of people, but right now I'm thinking of least damage overall. I never thought this thing would become a political/semantic discussion.

Anyways, thank you James and Jay for trying to find a solution.

Posted by: Perfectly Sassy at October 12, 2003 9:51 PM

Thanks for pointing it out, Stuart. I stumbled across it earlier today, too.

Both solutions work, but as has been mentioned, there are drawbacks to both. Each will work better for various people. On my blog, James's solution would work because no blind people access it. On the other hand, I don't want to discourage the few friends who stop by my site from posting by making it one step more difficult for them.

James and Jay, keep up the good work. I appreciate your efforts and both solutions will solve the problem for a lot of people.

Posted by: Cal at October 12, 2003 10:23 PM

Hmmm....

This approach will work very well for some people. Very nicely done! However, I think I'd rather have one where a moderator previews all comments before they're accepted. That'll let me filter out jackasses and trolls, too.

Anyone know of a solution like I describe?

Posted by: Dean Esmay at October 13, 2003 12:24 AM

Dean - Scriptygoddess has a MT hack that puts all comments in a queue with pending status. It's at http://www.scriptygoddess.com/archives/003944.php - hope this helps.

Posted by: Cal at October 13, 2003 11:34 AM

Dean - Scriptygoddess has a MT hack that puts all comments in a queue with pending status. It's at http://www.scriptygoddess.com/archives/003944.php - hope this helps.

Posted by: Cal at October 13, 2003 11:36 AM

Ross Mayfield and I started a company a few years back on this:

http://www.corante.com/brainwaves/archives/000308.html

The ONLY SPAM solution: MONEY

Only money can eradicate spam. The Internet is a globally distributed ecosystem complete with evolving organism/organizations that continuously adapt to change. The current spam epidemic is proof. Moreover, no legislative or technical solution (i.e. filters) will be able to stop it. Why? Because spam is fundamentally an economic problem.

Ross Mayfield and I attempted to get an anti-spam company off the ground two years ago based on this fact. Yet the noise of emerging technical solutions and lack of insight by "leading" venture capitalists reminded us that it takes more than being right to build a company. The current spam explosion is proof that technical solutions are only making the problem worse.

So here I go, I'm giving the world the answer. It's simple in theory, but incredibly complex to pull off in reality.

Put a price on your inbox. No email gets into your email inbox unless it has a dime attached. I pay you a dime the first time I want to communicate with you, and from there until infinity you and I can share that same dime back and forth. No money, no entry. This fundamentally shifts the economic cost of sending email back to original senders. Think a spammer would spend $100,000 to reach 1 million people now?

So there it is. Go build it, so we can all get on with our lives...oh and by the way, you need to be able to scale globally and have multi-currency functionality in 90 days or the system won't get adopted. Want more? The business plan is done. Just need $5m. Any takers?

Posted by: Zack Lynch at October 13, 2003 11:38 AM

Hmm, I forgot about this thread here until Jay points me back here. Thanks =)

A blacklist is a blacklist. A regexp blacklist is only slightly better than an IP blacklist of cos.

Posted by: James Seng at October 18, 2003 10:56 AM

Wow,
I like your "magic-number"-solution... how do you do this?
I use MT-Blacklist and am very satisfied, but the magic-number thing rocks as well!

regards, christoph

Posted by: Christoph C. Cemper at December 25, 2003 5:02 PM

thought it was just me, but the embedded image hack isn't working here either. i just leave the field blank, and the comment still goes through.

Posted by: jasonheyd at February 17, 2004 7:22 PM
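
The security-code idea in the post and the failure reported in the last comment (blank field, comment still accepted) both depend on how the server verifies the code. The following is an added example, not James Seng's plugin code and not part of Movable Type: a server-side verifier that rejects a missing, blank, expired or reused code. `ChallengeStore`, `accept_comment`, the form field names and the ten-minute lifetime are assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600      # assumed lifetime of an issued code
CODE_ALPHABET = "23456789"  # assumed: digits that are hard to confuse in an image


class ChallengeStore:
    """Server-side record of issued codes (hypothetical helper, not MT's API)."""

    def __init__(self, now=time.time):
        self._pending = {}  # challenge_id -> (expected_code, expiry_time)
        self._now = now

    def issue(self):
        """Return (challenge_id, code). The code is drawn into the image;
        only the challenge_id is placed in the comment form."""
        challenge_id = secrets.token_urlsafe(16)
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(6))
        self._pending[challenge_id] = (code, self._now() + CODE_TTL_SECONDS)
        return challenge_id, code

    def verify(self, challenge_id, submitted):
        """True only for a known, unexpired, unused challenge and a matching code."""
        # Single use: drop the record before comparing, so one image cannot
        # be replayed or guessed against repeatedly.
        record = self._pending.pop(challenge_id or "", None)
        if record is None:
            return False  # no or unknown challenge id: fail closed
        expected, expiry = record
        if self._now() > expiry:
            return False
        submitted = (submitted or "").strip()
        if not submitted:
            return False  # blank field is a failed check, never a skipped one
        return hmac.compare_digest(submitted.encode(), expected.encode())


def accept_comment(store, form):
    """Gate called by the comment handler before saving anything.
    `form` is a dict of submitted fields (field names are constructed)."""
    return store.verify(form.get("challenge_id"), form.get("security_code"))
```

The same verify step carries over to the text-question variant Jay Allen suggests in the thread: store the expected answer instead of an image code.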