Jeremy Smith's blog


Fighting Blog Spam

There's been some brouhaha over comment spam, especially related to Movable Type, which is the publishing platform Blog@Case is based upon. The first person to really bring it to light was PhotoDude in "MT Plus Comment Spam Equals Dead Site". From there, it went crazy, getting a Netcraft post, a Slashdot post, and comments from Six Apart, the makers of MT. And, of course, someone around here made the connection.

A lot of people have been harping on Movable Type, but what seems to go unnoticed is that the flavor of blogging system used is orthogonal to combating comment spam. Comment spam affects all blog users and all blog systems. Switching blog software because you are afraid of blog spam would be like switching email servers because you are afraid of email spam. Basically, it means you do not understand the problem.

So, what does Blog@Case do to combat comment/trackback spam?

First, the comment script has been renamed. This prevents the more stupid bots from being able to just stumble across a blog, assume the location of the "post comment" CGI is mt-comments.cgi, and execute an arbitrary POST of their icky payload.

The second countermeasure is Jay Allen's excellent MT-Blacklist plugin. MT-Blacklist has a lot of features, including content-based comment/trackback spam blocking, blacklist URLs, blacklist regexes, forced moderation of comments on older entries, automatic blacklist updates from the master blacklist, etc. And my favorite is that the plugin learns from the entire system, so if user A gets spammed, users B, C, D, E... will not.
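The checks listed above (blacklisted URLs, blacklisted regexes, forced moderation on older entries, and one list learned across all blogs) can be modelled as follows. This is an added Python example, not MT-Blacklist's own code; the class and method names, the 14-day cutoff and any domains or patterns passed in are assumptions made for illustration.

```python
import re
from datetime import timedelta
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
MODERATE_AFTER = timedelta(days=14)  # assumed cutoff for "older entries"

class SharedBlacklist:
    """One blacklist shared by every blog on the installation (hypothetical)."""

    def __init__(self, domains=(), patterns=()):
        self.domains = {d.lower() for d in domains}
        self.patterns = [re.compile(p, re.I) for p in patterns]

    @staticmethod
    def hosts(*fields):
        """Lower-cased hostnames of every URL found in the given fields."""
        found = set()
        for field in fields:
            for url in URL_RE.findall(field or ""):
                try:
                    host = urlparse(url).hostname
                except ValueError:  # malformed bracketed host, nothing to match
                    continue
                if host:
                    found.add(host.lower().rstrip("."))
        return found

    def _listed(self, host):
        # Match the host or any parent domain, so a.b.spam.example is caught.
        parts = host.split(".")
        return any(".".join(parts[i:]) in self.domains
                   for i in range(max(1, len(parts) - 1)))

    def screen(self, author_url, body, entry_posted, now):
        """Return 'reject', 'moderate' or 'publish' for a comment or trackback."""
        if any(self._listed(h) for h in self.hosts(author_url, body)):
            return "reject"
        if any(p.search(body) for p in self.patterns):
            return "reject"
        if now - entry_posted > MODERATE_AFTER:
            return "moderate"
        return "publish"

    def report_spam(self, author_url, body):
        """A blog owner flags a comment; its link hosts now block on every blog."""
        self.domains |= self.hosts(author_url, body)
```

Because `report_spam` trusts the reporter, a flagged comment that also links a legitimate site would block that site on every blog, so learned entries are worth reviewing before they take effect.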

Additionally, there are countermeasures I have specifically not taken, like using captchas, the little graphics that appear and require you to type the letters you see. These can be used to verify the commenter is, indeed, human. They also make your site inaccessible. And they're a pain. Commenting on another person's blog should be easy, with a minimum of hoops to jump through. There are some hacks that let you obfuscate the comment posting URL, but at the cost of breaking browsers. There's even a hack that uses JavaScript to disguise the comment URL, but I wince at the idea that JavaScript should be required on any web page.

Yoda says: Ugly hacks that reduce accessibility and create cross-browser compliance problems, an effective way to combat spam is not.


  1. I like what Yoda has to say. If I can't access the blog via command line web browsers, it's no good :)

    That plugin sounds like it will do the trick.