Applying the MovableType 3.14 upgrade made a huge difference in server CPU usage when undergoing comment spam blitzkriegs, which now amount to barely a blip on the resource usage radar. Peace at last. Until…
A few days later we face a new anomaly: Someone out there has created a script that submits fake comments containing randomly generated URLs (all non-active and non-registered), randomly generated fake IPs, and randomly generated fake email addresses — they’re coming in locust clouds of one or two hundred at a time.
Because there are no recurring strings in these comment spams, blackisting them is pointless, and would only fill a blacklist database with garbage. Because the domains advertised are non-existent, I can’t correctly classify them as spam – they don’t advertise anything. Their purpose is purely vandalistic; to annoy blog owners and admins.
Even though Blacklist doesn’t catch them, they’re still held for moderation (so resource usage is nill), but you do have to take the time to batch-delete the suckers.
Posted a query to see if anyone had advice on battling this form of nihilism, but nothing useful so far. I’m quickly coming closer to the last resort: Forced registration for untrusted commenters.
I’m seeing the same thing on my MT blog. I don’t have a lot of commenters, so I’ve turned off unregistered commenting (for the second time since moving to MT 3.x).
I’m a paying MT user, so I will probably put in a feature request for the Comment Filter bar – select where “Status” equals “Pending”. That’ll make it easier to batch-delete this junk. I’ve never seen the MT3/Blacklist combo make a legit comment pending (I’ve always had MT automatically approve new commenters).
you can easily stop most comment spam and flooding with captchas. search google for MT and captcha’s. you’ll find some plugins.
mintaboo, do you think captchas are a better solution than commenter registration? I go both ways on this one. The biggest problem is that they’re not usable by the disabled. And once users registered, they can be permanently approved, which is a big bonus for regular readers.
The biggest problem is that they’re not usable by the disabled.
Plus, as has been speculated, comment spammers will pass them to porn sites and let those visitors do the Turing test, then just pass those results back to the target site.
As a lurker for some months on n.a.n-a.e., I favor the block-on-IP-address idea; probably computationally-expensive though.
What’s the deal with susceptibility to external scripts? Why wouldn’t requiring a commenter to receive one-and-only-one form page, then submit a comment manually through that same form page, as suggested here at #71, in conjunction with throttling, be a good idea?
It ought to be possible to distinguish better between automated comments from scripts and manual comments, somehow.
Mark, I like that suggestion – very simple/elegant. Although probably about equally as effective as requiring that users Preview before submitting, which is another very simple technique I’d like to try before requiring registration.
Al-Muhjabah also suggests changing the name of your comments script.
Matthias – That’s a very effective technique, but only for a few weeks. They find you again, seemingly advertise the new script location amongst themselves, and it starts all over. That method is really just a quick band-aid.