This is how I tested the hidden token code. This is also a good example of how easy it is to post comment spam. You'd still have to finding comments pages to post at, though that wouldn't be too hard...
Python 2.3.2 (#2, Oct 6 2003, 08:02:06)
[GCC 3.3.2 20030908 (Debian prerelease)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import httplib
>>> h = httplib.HTTPConnection('markpasc.org')
>>> import urllib
>>> f = urllib.urlencode({'static':'1', 'entry_id':'5064', 'author':'spamtest', 'email':'', 'url':'http://neologasm.org/spam/spam/spam/', 'text':'GR8 SITE D00D', 'post':'Post'})
>>> h.request('POST', '/mtx/calmmints.cgi', f, {'Content-type':'application/x-www-form-urlencoded'})
>>> resp = h.getresponse()
>>> text = resp.read()
>>> print text
...
You are not allowed to post comments.
...
>>>
This is where you check the IP you used was added to the list. Note you should run this from a shell or something, probably; if you're using your real IP, well, let's say I'm not sure you'll be able to check. Getting the "You are not allowed" message requires being actually banned, so I'm not sure how to cripple it temporarily for testing.
To post with the correct token but to the wrong CGI, use instead:
>>> f = urllib.urlencode({'shave_maurine_dependently':'cecil_balls_empiricists', 'static':'1', 'entry_id':'5064', 'author':'spamtest', 'email':'', 'url':'http://neologasm.org/spam/spam/spam/', 'text':'GR8 SITE D00D', 'post':'Post'})
>>> h.request('POST', '/mtx/mt-comments.cgi', f, {'Content-type':'application/x-www-form-urlencoded'})
And then do one with the hidden value and right URL to make sure it works when it should.
