Overnight, I was hit with 108 comment spams for Xenical from 18.104.22.168. Very irritating, especially since MT doesn't have a good way to delete bulk spam. This spammer was kind of interesting--it looks like he was actually following the HTML from my archive pages, rather than blindly attacking /mt/mt-comments.cgi. That means that simply renaming the comment CGI probably wouldn't have stopped this attack.
Here's a chunk of the access log for those who are interested:
22.214.171.124 - - [23/Jan/2004:03:42:54 -0800] "GET /scott/archives/000001.html HTTP/1.0" 200 5368 "-" "http://@nonymouse.com/ (Unix)" 0 scottstuff.net
126.96.36.199 - - [23/Jan/2004:03:43:02 -0800] "POST /mt/mt-comments.cgi HTTP/1.0" 200 59 "-" "http://@nonymouse.com/ (Unix)" 3 scottstuff.net
188.8.131.52 - - [23/Jan/2004:03:43:05 -0800] "GET /scott/archives/000002.html HTTP/1.0" 404 220 "-" "http://@nonymouse.com/ (Unix)" 0 scottstuff.net
184.108.40.206 - - [23/Jan/2004:03:43:13 -0800] "GET /scott/archives/000003.html HTTP/1.0" 200 8678 "-" "http://@nonymouse.com/ (Unix)" 0 scottstuff.net
220.127.116.11 - - [23/Jan/2004:03:43:17 -0800] "POST /mt/mt-comments.cgi HTTP/1.0" 200 59 "-" "http://@nonymouse.com/ (Unix)" 0 scottstuff.net
Google suggests that '@nonymouse.com' is an anonymizer, so the spammer was actually abusing two services, not just mine. Which also means that the IP address given isn't very useful.
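Because the source IP belongs to the anonymizer, the pattern in this log is easier to spot by grouping on the User-Agent. The following is an added example, not part of the original post: it summarizes comment POSTs per agent and counts how many came right after an archive-page fetch. The function names, the 30-second gap, the threshold and the last two sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined format; the trailing fields (timing, vhost) are ignored.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# The first five lines are the ones quoted in the post; the last two are constructed.
SAMPLE = '''\
22.214.171.124 - - [23/Jan/2004:03:42:54 -0800] "GET /scott/archives/000001.html HTTP/1.0" 200 5368 "-" "http://@nonymouse.com/ (Unix)" 0 scottstuff.net
126.96.36.199 - - [23/Jan/2004:03:43:02 -0800] "POST /mt/mt-comments.cgi HTTP/1.0" 200 59 "-" "http://@nonymouse.com/ (Unix)" 3 scottstuff.net
188.8.131.52 - - [23/Jan/2004:03:43:05 -0800] "GET /scott/archives/000002.html HTTP/1.0" 404 220 "-" "http://@nonymouse.com/ (Unix)" 0 scottstuff.net
184.108.40.206 - - [23/Jan/2004:03:43:13 -0800] "GET /scott/archives/000003.html HTTP/1.0" 200 8678 "-" "http://@nonymouse.com/ (Unix)" 0 scottstuff.net
220.127.116.11 - - [23/Jan/2004:03:43:17 -0800] "POST /mt/mt-comments.cgi HTTP/1.0" 200 59 "-" "http://@nonymouse.com/ (Unix)" 0 scottstuff.net
192.0.2.10 - - [23/Jan/2004:04:10:00 -0800] "GET /scott/archives/000003.html HTTP/1.1" 200 8678 "-" "Mozilla/4.0 (constructed sample)" 0 scottstuff.net
192.0.2.10 - - [23/Jan/2004:04:12:30 -0800] "POST /mt/mt-comments.cgi HTTP/1.1" 200 59 "http://scottstuff.net/scott/archives/000003.html" "Mozilla/4.0 (constructed sample)" 0 scottstuff.net
'''.splitlines()

def summarize(lines, cgi="/mt/mt-comments.cgi", max_gap=30):
    """Per User-Agent: comment POSTs, source IPs seen, POSTs that follow a crawl."""
    stats = defaultdict(lambda: {"posts": 0, "ips": set(), "crawl_then_post": 0})
    last = {}  # agent -> (method, path, time) of that agent's previous request
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        agent = m["agent"]
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["method"] == "POST" and m["path"].split("?")[0] == cgi:
            s = stats[agent]
            s["posts"] += 1
            s["ips"].add(m["ip"])
            prev = last.get(agent)
            # A POST seconds after an archive GET: the form was read from the HTML.
            if (prev and prev[0] == "GET" and "/archives/" in prev[1]
                    and (when - prev[2]).total_seconds() <= max_gap):
                s["crawl_then_post"] += 1
        last[agent] = (m["method"], m["path"], when)
    return dict(stats)

def flag(stats, min_posts=2):
    """Agents with at least min_posts comment submissions in the window."""
    return sorted(a for a, s in stats.items() if s["posts"] >= min_posts)

if __name__ == "__main__":
    for agent in flag(summarize(SAMPLE)):
        print(agent, summarize(SAMPLE)[agent])
```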
Longer-term, it'd be nice if MT added moderated comments, and a way to automatically change the open/moderated/closed status of entries after a set period of time. That way, new posts could have open comments, and then be auto-moderated after a week or two. That seems like a decent compromise to me, and it's orthogonal to most of the other anti-blog-spam suggestions that I've seen.
Comments closed: bizarrely enough, this post gets more comment spam than any other page on my blog (and nearly more than all other pages), so I've closed comments.