
No more comments from mail.com


Today, over the course of about 7 hours, my journal received over 500 pieces of comment spam that got through my spam filters. All of them had the same form: posted to an apparently randomly chosen entry, with a name consisting of two strings of random letters, and a comment body consisting of half a dozen nonsense "words" (strings of random letters). There was no pattern to the IP addresses, and all of the usernames were random strings of letters. They all pointed to URLs that also consisted of random strings of letters.

The only string that obviously repeated was the domain name of the email address: they all claimed to be from [random string of letters]@mail.com.

None of these spam comments actually appeared in my journal, because (a) they were all on old entries where comments are screened (unless you sign in), and (b) I've been screening all comments from @mail.com addresses for a long time now.

But still, I received over 500 pieces of comment-notification email, and then I had to go in and mass-delete all the comments using the Movable Type interface. It wasn't awful, but it was sufficiently annoying that I finally made a decision:

From now on, I'm going to consider all comments from @mail.com email addresses to be spam, automatically junked without notifying me.

This is unfortunate; it's the first time that I've installed a spam rule that has a reasonable chance of automatically junking a legitimate comment. On the other hand, in the years that I've allowed comments in this journal, I haven't yet received a legitimate comment from a mail.com address, and I've received thousands of spam comments from such addresses.

This is obviously not a scalable solution to the comment-spam problem. If the spammers do the same thing tomorrow using addresses at a domain that I do receive legitimate comments from, I'm not sure what I'll do. I might have to disable comments on all old entries, which would be a shame, or I might have to start requiring sign-in for all comments, which would also be a shame (and I know a couple of you would just stop commenting). But I'll cross that bridge when I come to it; for now, disallowing comments from @mail.com addresses solves the immediate problem, probably without losing me too many legitimate comments.

5 Comments

I can well imagine the frustration and hassle of those 500 spam notifications to clean up! If you're looking for solutions, I'd seriously recommend checking out the CommentChallenge plugin written by Jay Allen (the guy who originally wrote MT-Blacklist). This plugin catches spam based on behaviour, rather than strictly content, and can be configured to junk comments, or stop them from even hitting the comment script, which can be a real server-saver in a flood.

As for your server error during comment posting, if this is a relatively recent experience, you need to know about a recent problem with one of the blacklists that the built-in SpamLookup plugin uses - if it's still enabled, it'll cause the comment submission to bork as the blacklist lookup times out. Full details about the issue at Light & Dark.

Good luck!

Paul


Thanks, Paul! I've considered approaches like Comment Challenge in the past, but always decided against them because they present a (minor) barrier to legitimate commenters; I worried that people would easily miss the fact that they had to type something extra, and too many legitimate comments would get junked. But the fact that Comment Challenge was written by the MT-Blacklist guy, and appears to be nicely written and nicely integrated with MT (unlike my own comment-system hacks, which I'm going to have to redo by hand when I upgrade MT), makes me more interested in giving it a try. So I'll think about it.

I had no idea about opm.blitzed.org being taken down; thanks very much for letting me know! I've now removed it from my SpamLookup plugin settings, so comment-posting should now be faster.

Sadly, the server-error-during-comment-posting is something that's been a problem since I first switched to MT, so it's unrelated to the opm.blitzed.org issue. But come to think of it, I haven't heard about anyone running into the server-error issue in months; maybe it's time I removed that warning, to see if the problem's gone away on its own.


Jed, the great thing about CommentChallenge is that it can be run with just an auto-generated beacon - you do not have to use the "Captcha" feature to get the needed protection. It's an extra feature that I don't use at all (I'm death on captchas - hate 'em, hate 'em hate 'em, like you.)

I run the 'basic' config on a number of client sites and find the protection to be excellent - essentially no automated spam. As a backup, I added some SpamLookup customisations that make the plugin work the way it's supposed to. It is a hack that has to be re-added after each upgrade, but it provides the granularity of word/regex blocking that makes the plugin really work as it should.

As for the opm.blitzed.org problem, SixApart totally screwed up in their (lack of) notification of the problem. They didn't create the issue, but they've done a terrible job getting the word out about it, unfortunately - hence the reason for me putting up the post.

Paul


I've been getting the same! I ended the need to delete them by having all comments that utilized the .b i z domain filtered. It's weird, they keep trying. I'm annoyed that Akismet can't tell that it's spam.


Paul: Thanks for the further info! I implemented a primitive sort of auto-generated beacon in my home-grown journaling system (still in use by Mary Anne, Vardibidian, and Dan P); I think it helped cut down on spam some, but not as much as turning off comments on old entries did. (There are spambots that are smart enough to use the fields and defaults given in the comment-entry form.) I hadn't gotten around to implementing something similar in MT, but it seems like a good idea. So, yeah, I'll give Comment Challenge a try soon as I get a chance. Thanks again!

Re your SpamLookup customizations: I'm a little confused--can't SpamLookup already do a lot of that? For example, if you want to auto-junk everything where the body starts with "Hello, Admin", you can do this:

/text:Hello, Admin/

Your version of that is:

/^Hello, Admin!/ (text)

It looks like your system's a bit more powerful and flexible in some ways, though; for example, it looks like you make it easier than SpamLookup does to junk on a string contained anywhere within a given field. I end up having to do things like:

/email:[a-z]+@mail\.com/

where it looks like you could say

@mail.com (email)

So I can certainly see value in your version.

Tempest: I'm surprised you get .biz URLs--I don't think I ever see those. Though maybe they get filtered out by SpamLookup's IP-filtering system before they get to the keyword-filtering system. Re "It's weird, they keep trying": I assume these systems are completely automated, and the people who wrote the spambots didn't bother including checks to see whether the spam comments actually get posted. Re Akismet: Other than that, how do you like Akismet? I'm deeply dubious about having a third party handle my spam, but that's basically a gut feeling and because I'm a control freak, not for any actual logical reason. I suspect that over time as I hear more good things about such systems I'll relax about them. (And it's funny, 'cause I already do entrust a fair bit of my spam handling to systems that are beyond my control.)
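
The @mail.com rule from the post and the thread above, as an added example that is not part of the original post or comments and is not SpamLookup code: it runs the regex portion of the quoted rule with Python's `re.search` next to an exact comparison of the address's domain, to show where the two verdicts differ. The unanchored matching, the function names and the sample addresses are assumptions made for this illustration.

```python
import re

# Regex portion of the rule quoted in the thread, applied here with Python's
# re.search (assumption: unanchored, substring-style matching on the email field).
THREAD_RULE = re.compile(r"[a-z]+@mail\.com")

BLOCKED_DOMAINS = {"mail.com"}  # the domain the post decides to junk


def junk_by_regex(email: str) -> bool:
    """Unanchored match: fires wherever the pattern occurs in the address."""
    return THREAD_RULE.search(email) is not None


def junk_by_domain(email: str) -> bool:
    """Exact comparison of the normalized domain after the last '@'."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local:
        return False  # not an address; leave it to other filters
    return domain.lower().rstrip(".") in BLOCKED_DOMAINS


# Constructed sample addresses (hypothetical, not taken from the page).
SAMPLES = [
    "qwxzrt@mail.com",             # shape of the spam described in the post
    "QWXZRT@MAIL.COM",             # same address, upper-cased
    "jane@mail.com.au",            # different domain that starts with mail.com
    "sam@mail.community.example",  # different domain, same leading characters
    "lee@gmail.com",               # unrelated domain
    "j.smith99@mail.com",          # mail.com, but local part ends in digits
]


def compare(samples):
    """Return (address, regex_verdict, domain_verdict) for each sample."""
    return [(s, junk_by_regex(s), junk_by_domain(s)) for s in samples]


if __name__ == "__main__":
    for addr, by_regex, by_domain in compare(SAMPLES):
        flag = "" if by_regex == by_domain else "  <-- verdicts differ"
        print(f"{addr:30} regex={by_regex!s:5} domain={by_domain!s:5}{flag}")
```

The exact-domain check junks only addresses whose domain is mail.com, which keeps the false-positive risk the post worries about confined to that one domain.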