This will probably get me spammed, but I’ve been reading a lot the past few days (here, here and here, and the MT Pro list) about the horrors of comment spam, and how evil comment spam spiders are crawling sites for the path to mt-comments.cgi and then spamming the crap out of it. Me? I don’t really have a problem with comment spam. How I’ve been able to avoid it up to this point, I’m not really sure. I have several blogs, and none of them have been hit by more than one or two comment spams in their long lives (three years now for Ultranormal, two for Geekout and almost two for the photo gallery).
But, I’m getting serious with the preventative medicine. I haven’t implemented all of these things, but I have done some of them:
- Don’t install Movable Type in the cgi-bin if your host allows it.
- Rename mt-comments.cgi (and update the CommentScript line in mt.cfg, removing the # in front of it).
- Use the Moderate plugin to close comments on old entries. This gives the spammers fewer available targets.
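
The rename step from the list above, as an added shell example (not part of the original post and not Movable Type's own tooling): it renames mt-comments.cgi and uncomments and sets the CommentScript line in mt.cfg, keeping a backup of the config. The function name, the new script name you pass in and the exact layout of the mt.cfg line are assumptions.

```shell
#!/bin/sh
# Added example: rename Movable Type's comment script and point mt.cfg at it.
# Usage: rename_comment_script /path/to/mt new-script-name.cgi
rename_comment_script() {
    mt_dir=$1
    new_name=$2
    cfg="$mt_dir/mt.cfg"
    old="$mt_dir/mt-comments.cgi"
    # A CommentScript line, commented out or not, whose value is one token.
    pat='^[[:space:]]*#?[[:space:]]*CommentScript[[:space:]]+[^[:space:]]+[[:space:]]*$'

    # Accept plain file names only: no slashes, spaces or shell/sed metacharacters.
    case $new_name in
        ''|*[!A-Za-z0-9._-]*) echo "invalid script name" >&2; return 2 ;;
    esac
    [ -f "$old" ] || { echo "missing $old" >&2; return 1; }
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    [ ! -e "$mt_dir/$new_name" ] || { echo "$new_name already exists" >&2; return 1; }

    # Keep a copy of the config so the change can be rolled back by hand.
    cp -p "$cfg" "$cfg.bak" || return 1
    mv "$old" "$mt_dir/$new_name" || return 1

    if grep -Eq "$pat" "$cfg.bak"; then
        # Drop the leading '#' (if any) and set the new script name.
        sed -E "s|$pat|CommentScript $new_name|" "$cfg.bak" > "$cfg" || return 1
    else
        # No CommentScript line at all: append one.
        printf 'CommentScript %s\n' "$new_name" >> "$cfg" || return 1
    fi

    # Succeed only if the active (uncommented) setting is now in place.
    grep -Fqx "CommentScript $new_name" "$cfg"
}
```

Rebuild the site afterwards so comment forms are regenerated, and check that a request for the old mt-comments.cgi path now returns 404.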
I wrote a tutorial for doing a few of those. I’ll update it to add the form action bit and probably post it to Geekout in the near future.
To me, the real problem here is that Movable Type’s default templates are vulnerable out of the box. Maybe if the default template set were a little more protected, comment spam wouldn’t be such a problem. I know the train has kind of left the station on this, since there’s already a huge installed base of people probably using slightly modified versions of the default templates. But, for future versions, a lot of these changes could be included in the default, protecting the vulnerable “newbie” from themselves.