I thought I was safe. I had done most of the smart things to avoid comment-spam: renamed the link to comments, renamed the comment script, and installed the excellent MT-Blacklist
Then today, I was barraged with about 100 comments in a short period of time (I didn’t check how long it took). This was clearly being run by a script. The suppurating sore of a wretch who attacked my site (in violation of terms clearly posted in the comments pages) lives at IP number 62.213.67.122; this traces back to a machine behind the rusonyx.ru domain.
Hmmm.
Time to roll out some new countermeasures?
Some good forensics on this attack might be helpful.
P.S.: a small niggle, but it’s a bit unfriendly to make the comment-entry box wider than the popup window and then make the window non-resizable.
Never mind. No forensics necessary. Your (“new”) comment form is indexed by google.
It was only a matter of time…
Jacques–
I suppose I could exclude the comments cgi through robots.txt, although I’m actually a bit surprised that Google follows that link–i thought it ignored CGIs.
Also, fwiw, the window pops up as big enough in both Safari and Mozilla. It’s resizable in Safari but not Mozilla. I should fix that. What I should really do is turn on individual archiving and put my comments there. I’ve been meaning to do a redesign and make this code valid xhtml, but I haven’t gotten around to it.
As I tried to enphasize in my blog posts on the subject, the whole problem started because Google does index these pages, giving spammers millions of targets, in response to an astutely-chosen search string.
MovableType should have (and I placed) a
in the comment entry template.
I’m using Mozilla, and no it doesn’t. I suspect the difference has to do with the default font size you have set in your preferences being smaller than the “standard” 16 point.
Like maybe by putting a resizable=yes in the javascript?
Cursed UTF-8 encoding!
MovableType’s comment-preview function swallows (decodes, but does not re-encode) HTML entities. So the above comment had a piece of sample HTML code, with entities properly-encoded. I previewed it, and now you have gibberish.
For the record, it’s here:
Jacques–
Thanks for keeping me on my toes.
I’ve been trying to figure out why you get that window-size problem, but I haven’t been able to. I do, in fact, use 16 pt as my default size, and at any rate, I didn’t see anything in my stylesheet that would push the text wider than the window.
Perhaps you would prefer Shift-JIS?
Yuan-Chung Cheng figured out how make UTF-8 work with the Comment-Preview function in MovableType. It wasn’t pretty …
(In that post, he talks about serving XHTML with the proper MIME type, but the problem and his solution really have nothing to do with the MIME type; it’s all about how MT handles encoding and decoding of HTML entities.)