Comment Spam-o-rama

This will probably get me spammed, but I’ve been reading a lot the past few days (here, here and here, and the MT Pro list) about the horrors of comment spam, and how evil comment spam spiders are crawling sites for the path to mt-comments.cgi and then spamming the crap out of it. Me? I don’t really have a problem with comment spam. How I’ve been able to avoid it up to this point, I’m not really sure. I have several blogs, and none of them have been hit by more than one or two comment spams in their long lives (three years now for Ultranormal, two for Geekout and almost two for the photo gallery).
But, I’m getting serious with the preventative medicine. I haven’t implemented all of these things, but I have done some of them:

  • Don’t install Movable Type in the cgi-bin if your host allows it.
  • Rename mt-comments.cgi (and update the CommentScript line in mt.cfg, removing the # in front of it).
  • Use javascript to write out the form action on your comments form. That way, they can’t spider for the location of your comments script (well, make sure the function to do this is in a linked javascript). All of these javascript options screw people who have javascript turned off, but there are sacrifices we have to make.
  • Use javascript to write out your comments. This way, they won’t be indexed by search engines, and you’re removing the benefit of spamming you.
  • Use javascript to open your comment popup window. The one I use uses the entry id, and has the comment script in the linked script – so, again, it’s not easily spiderable.
  • Use the Moderate plugin to close comments on old entries. This gives the spammers fewer available targets.

I wrote a tutorial for doing a few of those. I’ll update it to add the form action bit and probably post it to Geekout in the near future.

To me, the real problem here is that Movable Type’s default templates are vulnerable out of the box. Maybe if the default template set was a little more protected, comment spam wouldn’t be such a problem. I know the train has kind of left the station on this, since there’s already a huge installed base of people probably using slightly modified versions of the default templates. But, for future versions, a lot of these changes could be included in the default, protecting the vulnerable “newbie” from themselves.
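As an added illustration (not code from this post or from Movable Type itself), here is what the “write out the form action from a linked script” and “popup by entry id” items look like in one external script. The renamed script path `/cgi/talkback.cgi`, the form id `comments-form` and the `entry_id` query parameter are assumptions for the example.

```javascript
// comments.js: loaded via <script src=...>, never inline, so a spider that only
// reads the page HTML never sees the path to the renamed comment script.
// Assumed placeholders: script renamed to /cgi/talkback.cgi, form id "comments-form".
const COMMENT_SCRIPT_PARTS = ["/cgi/", "talk", "back", ".cgi"];

// Assemble the path at runtime so the full string is not a literal in the markup.
function commentScriptPath() {
  return COMMENT_SCRIPT_PARTS.join("");
}

// Popup URL for a given entry; entry_id is the assumed query parameter name.
// Validate the id so a stray value from a template cannot produce a junk URL.
function commentPopupUrl(entryId) {
  const id = Number(entryId);
  if (!Number.isInteger(id) || id <= 0) {
    throw new Error("entry id must be a positive integer");
  }
  return `${commentScriptPath()}?entry_id=${id}`;
}

// Point the form at the real script once the DOM exists. The static HTML keeps
// a harmless placeholder action, so the real path is never in the page source.
// Returns true when a form was found and rewired, false otherwise.
function wireCommentForm(doc) {
  const form = doc.getElementById("comments-form");
  if (!form) return false;
  form.action = commentScriptPath();
  return true;
}

// Open the comment popup for an entry; the template only passes the entry id.
function openCommentPopup(win, entryId) {
  win.open(commentPopupUrl(entryId), "comments",
           "width=480,height=480,scrollbars=yes,resizable=yes");
}

// Browser-only hookup; skipped when run outside a page (e.g. under Node).
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => wireCommentForm(document));
}
```

The template then calls `openCommentPopup(window, 123)` from the entry link instead of linking to the script path directly.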
Categorized as computing

By Kevin Lawver

Web developer, Software Engineer @ Gusto, Co-founder @ TechSAV, husband, father, aspiring social capitalist and troublemaker.


  1. Simon Cox says:

    Oh drat! I am immediately demoted to being a noob! – I was under the impression that installing MT in the cgi-bin was the safest thing to do… Can you explain the pros and cons please.

  2. Kevin says:

    Nope, no noobdom for you. There shouldn’t be any security problems with installing it outside the cgi-bin, and it makes it a teensy bit harder for the spammers to find your comment script.

  3. Sounds like sound advice…if only any of it made sense to me. Thank goodness I have you as my tech support!

  4. Steve says:

    OK… reloading fixed what I was talking about. Guess I’m the n00b.
    (is ur pen1s 2 sm.a.1l?)

  5. Scott Bilik says:

    The writeup you mention is very similar to a tack I’ve been sketching out as a preemptive measure. I was going to add a simple little decrypt (encoded entities or rot13) on the key URLs so that even if you source the external javascript, it’s not obvious to the viewer who could simply copy/paste.
    Did you ever do a writeup on the Javascript side of your efforts? I’ve done #1 and #2 for a while and it’s helped, but I want to move into the Javascript side. I probably won’t use Moderate because I close old entries.

Comments are closed.