April 18, 2004
Comment spam hack

Comment spam is annoying. An assortment of italian and russian spam has been hitting classy every weekend recently. The long term plan for me is to make an MT plugin that does comment auditing, so I get to preapprove all comments before they're accepted to the site but pending that I just made a little hack to make spamdeletion acceptable with my current spam volume. What I did was add a comment deletion URL to the notification email I get when comments are posted. Simply clicking the URL deletes the comment.
Here's how:
Modify MT/App/Comments.pm to include a line in the notification email. You can look for the text 'has been posted' to find the email generationstep and then you can add
$body .= "\nTo delete this comment, visit the following URL\n" .
"YOURURLLOCATIONHERE/mt-comment-delete.cgi?blog_id=YOURBLOGID&_type=comment&__mode=delete&id=" . $comment->id;

the URLLOCATION and BLOGID are actually obtainable from the MT App context but I didn't bother to locate that. I only host one blog.
The mt-comment-delete.cgi is a simple script that integrates inte MT's comment deletion. You can download a copy here. Modify perl location to taste.
Adding this script to your mt script directory and making sure it is executable completes the job.

Loading the URLreturned in the email will lead to deletion of the comment and will load the entry edit page for the commented entry. You can then save the entry to rebuild without the spamcomment.

The hack highlights one of the annoyances of MT, namely that the CMS is not an MT application. It is not straightforward to modify the notification email nor is it straightforward to access author authentication or modify entry edit pages with extra functionality.

[UPDATE] Ironically, I had to close down comments on this post, because if consistent spamming against it....

Posted by Claus at April 18, 2004 07:06 PM | TrackBack (1)
Comments (post your own)

I like this idea a lot :-)
But when I tried to run it, the url didn't get displayed correctly, because it didn't fit on one line.
This may be specific to the mail client I'm using (Outlook), and its parsing of urls... but unfortunately makes this really un-usable for me :-(

Did you see similar problems? Are you using html formatted emails?
I'll try to tweak it a bit more, to work-around this...

Posted by: Julien Couvreur (Dumky) on April 19, 2004 9:15 PM

I don't have this problem no.

URL breakage is obviously a problem, you might try to make sure that your mail client is not set up to insert "hard" line breaks, i.e. actually adding newliens to the message, instead of just wrapping the message.
I seem to recall that you can set this in Outlook.
In Tools|Options|Email Options there's a property "Remove extra line breaks in plain text messages" that you can check - maybe that helps.

Posted by: dee on April 20, 2004 12:15 AM

Experimentation shows that you actually need to switch this option OFF to avoid the breaking of the URL.
I should have known. MS Office application defaultsd are NEVER the sane choice (autocompletion, partial menus, msn as home page - there are so many examples)

Posted by: dee on April 20, 2004 12:24 AM

Thanks for your answer.
I tried tweaking the options in Outlook, with no success :-(
The link gets cut at 76 chars for me, when I use something like:
$body .= "http:/blog.monstuff.com/testtestetsetsetestestset/testestset/estse/tsetsetsetsetsetset/setsetsetsetesetset/ \n";

I'm not sure at what point in the transmition the link is truncated, maybe it's not Outlook's fault?

I double checked my Comments.pm script and also tried having it output an html link tag...
I'll try to switch the whole email to be html...

Posted by: Julien Couvreur (Dumky) on April 22, 2004 2:32 AM

Here's another suggestion: Use http://tinyurl.com/ to refer to your script.
The YOURURLLOCATIONHERE/mt-comment-delete.cgi part can be significantly shortened.
You can also modify the CGI script to use shorter versions of the parameter names and that should cut the URL length even more.
If you find this difficult drop a comment - and then I'll make a version with shortened parameters over the weekend

Posted by: dee on April 22, 2004 3:43 PM

You can always install the existing MT-Blacklist plugin to handle the spam. (http://www.jayallen.org/projects/mt-blacklist/) With that and a regular, automatic updating tool to keep the blacklist up to date, it makes for a nice solution. (Upgrading to MT 2.661 adds in some more anti-spam tools, and just renaming your comment script also helps)

Posted by: Dan on April 23, 2004 11:49 PM

As a general observation I dislike blacklists, in email filtering as well as in comments. It very easily ends up looking like some kind of censorship. Or if you do very specific blacklists, you have a lot of maintenance to do. (http://www.classy.dk/log/archive/000675.html)

I am going to institute a "non standard commenting signature" so that I only get manually produced spam. A renamed comment script + a "turing test" element - a checkbox you need to check to post or something.

Posted by: Dee on April 24, 2004 12:10 PM
Help the campaign to stomp out Warnock's Dilemma. Post a comment.
Name:


Email Address:


URL:


(note to spammers: Comments are audited as well. Your spam will never make it onto my weblog, no need to automate against this form)

Comments:


Remember info?