Published January 29th, 2005 by Jim O'Halloran

The ongoing fight against comment spam

By and large my blog is pretty resistant to comment spam. I ran MT 2.51 and MT-Blacklist 1.62. I get a few comment spams slipping through the blacklist each day, but the vast majority gets stopped by the blacklist.

Recently though, a new breed of spam started appearing that used a form of HTML character encoding to hide the URL (e.g. &#111; instead of an o in the URL). This went clean through MT-Blacklist. Blacklisting the encoded version of the URL wouldn’t help because our friendly neighborhood spammers would just encode a different character in the same URL, and we’re back to square one.

This, I thought, shouldn’t be a difficult problem to fix, so I figured I’d grab the latest MT-Blacklist 1.65 and start hacking. Lo and behold, 1.65 already addresses the problem!
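The bypass described above and the general fix (decode HTML character references before matching the blacklist), as an added example. It is not MT-Blacklist's code; the blacklist entries, function names and sample comments are constructed for illustration.

```python
import html
import re

# Constructed blacklist entries (hypothetical domains, not from the post).
BLACKLIST = [r"cheap-pills\.example", r"casino-bonus\.example"]
PATTERNS = [re.compile(p, re.IGNORECASE) for p in BLACKLIST]

MAX_DECODE_PASSES = 5  # bounded, so nested encoding cannot stall the filter


def canonicalize(text):
    """Decode HTML character references until the text stops changing.

    html.unescape follows HTML5 rules, so decimal (&#111;), hex (&#x6f;),
    named (&amp;) and semicolon-less (&#111) references are all decoded.
    Repeating the pass is deliberately conservative: it also catches
    references that were themselves encoded (&amp;#111;).
    """
    for _ in range(MAX_DECODE_PASSES):
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    return text


def naive_match(comment):
    """Match the raw comment only: the check the encoded URLs slipped past."""
    return [p.pattern for p in PATTERNS if p.search(comment)]


def blacklist_match(comment):
    """Match the raw text and its canonical form, so encoding cannot hide a URL."""
    canon = canonicalize(comment)
    return [p.pattern for p in PATTERNS if p.search(comment) or p.search(canon)]


if __name__ == "__main__":
    # Constructed sample comments.
    samples = [
        '<a href="http://cheap-pills.example/">buy</a>',
        '<a href="http://cheap-pills.ex&#97;mple/">buy</a>',
        '<a href="http://casin&#x6f;-bonus.example/">win</a>',
        "Nice post, thanks!",
    ]
    for s in samples:
        print(f"naive={naive_match(s)!r:28} canonical={blacklist_match(s)!r}")
```

Because the match runs on the decoded text, it no longer matters which character of the URL gets encoded, and the blacklist needs only the one plain entry per domain.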

At this point I figured I had a bit of time to spare, so what else can I do to protect my site from spammers? It turns out that Six Apart have released a plugin that neatly implements the rel=”nofollow” attribute recently announced by Google, Yahoo and MSN.

Now, I don’t believe nofollow will do an awful lot to reduce comment spam. It’s a great idea in principle: by reducing the incentive for spammers to use comments (i.e. no boost to pagerank), hopefully we’ll see a reduction in comment spam. However, the problem is that it requires the majority of bloggers to implement it on their own sites, and many just won’t bother. Having said that, at least it’s something, and the Movable Type ‘nofollow’ plugin made it so easy it was a no-brainer.

Six Apart also suggested that nofollow plugin users upgrade to 2.661, which I did at the same time. It’s not easy to find a download link on 6A’s site anymore for 2.661, but this post from Jay Allen gave me the hint I was looking for. One day I’ll upgrade to MT 3, but that day isn’t just yet.

So now I have a nice, fresh, up to date MT install which has been hardened a little more against comment spam. Of course, there’s still more I could do. The MT-Blacklist Updater would probably be a good idea. But I suspect that the most effective solution would be a captcha test. I know there are accessibility issues with captchas, but they do at least stop automated posting of comments, which is the main goal here. James Seng has written an MT plugin that generates captcha codes. I’d want to do a code review before installation though to ensure that the relationship between the image generated (with a 6 digit code) and the hidden field (also a 6 digit code) is cryptographically secure.

