A quick note: of Yoz Grahame's seven tips against comment spam, two can be combined, though it's partly out of laziness. Tip 4 is "Require a hidden variable for the comment script," as described by Shelley Powers. Meanwhile #5 is "Separate 'Preview' and 'Post' into two separate scripts," which includes a change to MT code that sounds like a maintenance pain.
However, you can get something like #5 by implementing #4, but not putting the hidden value in the initial commenting form. (Remember to remove the "Post" button, still.) If the hidden value is only in the Comment Preview Template, posting robots that immediately find the form target and post a comment won't find the hidden variable. That does indicate it's only another Club solution, easily evaded by programmatically previewing first, but most of these are, and they're still invisible to the visitor. (Well, to my visitors: I had already required at least one "Preview" to post.)
Also, I prefer the change below, made in MT/App/Comments.pm (in post, after the existing require MT::IPBanList;), to Burningbird's change to mt-comments.cgi. With references to MT::IPBanList right there, I couldn't help but make it ban you instead of simply not posting. You can modify the condition so that any test you choose triggers an automatic ban.
If you want to combine #4 and #5 as above, you have to modify Comments.pm instead of the comments CGI. Shelley's code runs before the script determines whether you're previewing or posting, so users wouldn't be able to preview without the hidden variable either, which is bad.
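    # Ban the poster's IP if the hidden field is missing or wrong,
    # or if the request arrived through the old comments script.
    if (
        ($q->param('fecund_folding_malaysian') ne 'silky_avernus_haddock') ||
        $q->param('old_comments_script') # see below
    ) {
        # Add this address to the blog's IP ban list.
        my $ban = MT::IPBanList->new;
        $ban->blog_id($entry->blog_id);
        $ban->ip($app->remote_ip);
        $ban->save() or return $app->error($ban->errstr);
    }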
The old_comments_script parameter comes in because, instead of removing or 410ing mt-comments.cgi, I have left it installed with this additional line:
    $app->{query}->param('old_comments_script', 'yes');
before the $app->run;. Using mt-comments.cgi even though no form points there also trips the ban. If I had implemented (or do implement) tip #3, decoy forms, I'd probably set them up to post to mt-comments.cgi so they trip the trap. The poster gets banned before trying to post to the real, safe CGI.
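The combined flow described above (token only on the preview page, ban on a token-less post or on any use of the old script) as a stand-alone Perl simulation. This is an added example, not code from this post or from Movable Type: handle_request, %banned and the sample requests are hypothetical, and the final ban check is assumed to mirror the one that follows in MT's post.

```perl
use strict;
use warnings;

# Field name and token value come from the post's snippet. handle_request(),
# %banned and the request hashes are hypothetical stand-ins for
# MT::App::Comments, MT::IPBanList and CGI parameters.
my ($FIELD, $TOKEN) = ('fecund_folding_malaysian', 'silky_avernus_haddock');
my %banned;    # ip => reason, standing in for saved MT::IPBanList rows

sub handle_request {
    my ($ip, $p) = @_;

    # Preview is dispatched before any token check; the preview page is
    # where the visitor first receives the hidden field.
    return 'preview shown' if $p->{preview};

    # Post path: a missing or wrong token, or arrival via the old script,
    # records a ban for this address.
    my $token = defined $p->{$FIELD} ? $p->{$FIELD} : '';
    if ($token ne $TOKEN || $p->{old_comments_script}) {
        $banned{$ip} ||= $p->{old_comments_script} ? 'old script' : 'no token';
    }

    # Assumed to mirror the ban-list check that follows in post(): the ban
    # just recorded is what rejects this request, and later ones too.
    return "rejected ($banned{$ip})" if $banned{$ip};
    return 'posted';
}

# Constructed requests: [label, ip, params]. IPs are documentation addresses.
my @requests = (
    ['robot posts straight to form target', '192.0.2.10',   { text => 'spam' }],
    ['same robot retries with the token',   '192.0.2.10',   { $FIELD => $TOKEN }],
    ['visitor previews',                    '198.51.100.7', { preview => 1 }],
    ['visitor posts from preview page',     '198.51.100.7', { $FIELD => $TOKEN }],
    ['robot posts via old mt-comments.cgi', '203.0.113.5',
        { $FIELD => $TOKEN, old_comments_script => 'yes' }],
);

for my $r (@requests) {
    my ($label, $ip, $params) = @$r;
    printf "%-38s %-13s %s\n", $label, $ip, handle_request($ip, $params);
}
```

The second request shows the effect of banning rather than just refusing: once an address has tripped the check, supplying the correct token afterwards no longer helps it.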
As I said, these are still evadable tricks. They aren't solutions. The best thing I can think of doing is still allowing visitors you know and trust to post whatever they like, while unknown visitors are allowed some functionality: they can post comments, but not links, say.
Comments
comment
GR8 SITE D00D
comment
Hi,
have you ever heard of mt-blacklist? It’s a great comment-spam-filter? I use it for weeks and am perfectly happy with it. Just found a new update - check my post at my own blog
merry xmas, christoph
comment
Hi, I had also SPAM problem and I installed mt-blacklist! It’s a great comment-spam-filter! I use it for weeks and am perfectly happy with it.