Overnight, I was hit with 108 comment spams for Xenical from Very irritating, especially since MT doesn't have a good way to delete bulk spam. This spammer was kind of interesting--it looks like he was actually following the HTML from my archive pages, rather than blindly attacking /mt/mt-comments.cgi. That means that simply renaming the comment CGI probably wouldn't have stopped this attack.

Here's a chunk of the access log for those who are interested:

    - - [23/Jan/2004:03:42:54 -0800] "GET /scott/archives/000001.html HTTP/1.0" 200 5368 "-" "http://@nonymouse.com/ (Unix)" 0 scottstuff.net
    - - [23/Jan/2004:03:43:02 -0800] "POST /mt/mt-comments.cgi HTTP/1.0" 200 59 "-" "http://@nonymouse.com/ (Unix)" 3 scottstuff.net
    - - [23/Jan/2004:03:43:05 -0800] "GET /scott/archives/000002.html HTTP/1.0" 404 220 "-" "http://@nonymouse.com/ (Unix)" 0 scottstuff.net
    - - [23/Jan/2004:03:43:13 -0800] "GET /scott/archives/000003.html HTTP/1.0" 200 8678 "-" "http://@nonymouse.com/ (Unix)" 0 scottstuff.net
    - - [23/Jan/2004:03:43:17 -0800] "POST /mt/mt-comments.cgi HTTP/1.0" 200 59 "-" "http://@nonymouse.com/ (Unix)" 0 scottstuff.net

Google suggests that '@nonymouse.com' is an anonymizer, so the spammer was actually abusing two services, not just mine. Which also means that the IP address given isn't very useful.
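The pattern in the excerpt above (a burst of POSTs to /mt/mt-comments.cgi from one client, each with an empty referer) can be flagged straight from the access log; the Python below is an added example, not code from the original post. The client addresses, the MSIE user agent, the lines beyond the post's excerpt and the 60-second/3-POST thresholds are assumptions, and because user agent and referer are client-supplied the result is a heuristic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field layout of the log lines quoted in the post. The client address is
# missing there, so the samples use constructed placeholder addresses.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
COMMENT_CGI = "/mt/mt-comments.cgi"  # comment endpoint named in the post
UA = "http://@nonymouse.com/ (Unix)"  # user agent seen in the post's excerpt
MSIE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  # constructed reader

# Constructed sample: the first four lines are modelled on the post's excerpt.
SAMPLE_LOG = f'''\
192.0.2.10 - - [23/Jan/2004:03:42:54 -0800] "GET /scott/archives/000001.html HTTP/1.0" 200 5368 "-" "{UA}" 0 scottstuff.net
192.0.2.10 - - [23/Jan/2004:03:43:02 -0800] "POST /mt/mt-comments.cgi HTTP/1.0" 200 59 "-" "{UA}" 3 scottstuff.net
192.0.2.10 - - [23/Jan/2004:03:43:13 -0800] "GET /scott/archives/000003.html HTTP/1.0" 200 8678 "-" "{UA}" 0 scottstuff.net
192.0.2.10 - - [23/Jan/2004:03:43:17 -0800] "POST /mt/mt-comments.cgi HTTP/1.0" 200 59 "-" "{UA}" 0 scottstuff.net
192.0.2.10 - - [23/Jan/2004:03:43:31 -0800] "POST /mt/mt-comments.cgi HTTP/1.0" 200 59 "-" "{UA}" 0 scottstuff.net
198.51.100.7 - - [23/Jan/2004:09:17:40 -0800] "POST /mt/mt-comments.cgi HTTP/1.0" 200 59 "http://scottstuff.net/scott/archives/000003.html" "{MSIE}" 1 scottstuff.net
'''

def parse(line):
    m = LINE.match(line)
    if m is None:
        return None  # not in the expected layout; skip it
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flag_comment_floods(lines, window=timedelta(seconds=60), threshold=3):
    """Map (ip, agent) to burst size and referer-less POST count for clients
    that sent `threshold` or more comment POSTs inside any `window`."""
    posts = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["method"] == "POST" and rec["path"].split("?")[0] == COMMENT_CGI:
            posts[rec["ip"], rec["agent"]].append((rec["ts"], rec["referer"]))
    flagged = {}
    for client, hits in posts.items():
        times = sorted(ts for ts, _ in hits)
        start = burst = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            blank = sum(ref in ("", "-") for _, ref in hits)
            flagged[client] = {"burst": burst, "no_referer": blank}
    return flagged
```

Grouping on the address and user agent together still works when the address belongs to an anonymizer, since every request relayed through it shares that pair.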

I'm not sure how best to handle this sort of thing in the future--I'll try renaming mt-comments.cgi to something less obvious, and probably JavaScript-ify the comment link on my pages. That's rude to the poor users without JavaScript enabled in their browser, but I don't want to spend hours deleting spam again.

Longer-term, it'd be nice if MT added moderated comments, and a way to automatically change the open/moderated/closed status of entries after a set period of time. That way, new posts could have open comments, and then be auto-moderated after a week or two. That seems like a decent compromise to me, and it's orthogonal to most of the other anti-blog-spam suggestions that I've seen.


Comments closed: bizarrely enough, this post gets more comment spam than any other page on my blog (and nearly more than all other pages), so I've closed comments.