How open?

This really shouldn’t be news to anyone, since Shelley‘s been saying it for as long as I can remember (well, I don’t really remember much before October of 2002), but one thing that handicaps us in dealing with comment spammers and crapflooders is our openness. Especially for the MT developers, who have to ship their source code, but also for all the rest of us hackers, who figure out something that seems like a cool idea, so we post it in our blogs, with a nice long explanation, and a link to the source. Surprise, surprise, some of those people who are downloading it aren’t planning on putting in their blog, they’re planning on putting countermeasures in their crapflood script.

But, openness is a double-edged sword. If you’re so proud of your crapflooder, and so eager to have other people use it, well, you’re likely to give them a starter list of anonymous proxy servers. You know that page in the MT interface for banning IP addresses? The one that stopped doing you any good, once you realized that your spam comments were coming from IP addresses all over the map? Well, it won’t solve your every problem (there’s a billion anonymous proxy servers out there), but it seems foolish to me not to block (through MT or .htaccess, whichever way suits you and your conscience about blocking anonymous access to your blog):

(moved to the extended entry, since they’re actually working off a list of 9800, so only the truly lame will use the builtin list)

Hi, GNAA! Those weren’t your best proxies, were they? Plenty more where those came from, anyway. And I still say you need to spend less time on your crapflooder code, and more on some imaginative shock pages. goatse, Tubgirl or her cousin, “I’m looking at gay porn”, they just don’t do it anymore.

But, while I’m telling you to just blindly add stuff to a ban list that you’ll never look at again, could you please at least think about it, and maybe think about taking it back out at some time in the future? What with everyone passing around their MT-Blacklist lists, I’m seeing over and over poison pills (an address that shouldn’t be banned, intentionally slipped into your ban list – like that that you were going to take right back out in a couple of days, remember that? it’s still there) and things that you might have decided to ban, but that shouldn’t be blindly passed around, like some poor guy who didn’t have the same conception of Trackback as some of the people he pinged, once or twice. A carefully maintained blacklist, thoughtfully added to, can be a useful way to give you more time to worry about other things, but please, don’t just indiscriminately keep adding hundreds of entries without even looking at them. Even if you don’t end up blocking me, at some point it’s going to take so long to check them all that people will start getting browser timeouts just trying to post a comment.

No real point in it, other than blocking really dumb me-too crapflooders, but, here’s the default list of proxies as of today:


Comment by Phil Ringnalda #
2004-01-17 22:45:57

Silly of me, linking to the 1.0 branch when I know that all the action’s on the trunk.

Comment by Dv #
2004-01-17 23:13:26

Hi, I’d just like to point out I only host it and maintain the Perl version, I don’t flood blogs, so don’t bother sending angry flames to my ISPs abuse address.


Comment by Phil Ringnalda #
2004-01-17 23:20:56

Heh. While I love to rush straight to Godwin’s Law whenever possible, and there really aren’t very many good defenses for Hitler’s bankers, I’m a little distracted right now, wondering whether I’m quick enough to block all of the mtproxies list, or if I’m better off thinking in other directions than IPs. Don’t suppose someone’s going to run 1.1.5, clean up the proxy list, and then reupload it? No sense in my blocking the dead ones, is there?

Comment by Phil Ringnalda #
2004-01-17 23:35:37

Eh. Massive dups, really dirty list, but 9800? Don’t think I’ll be bothering to block, after all. Onward!

Comment by Mark #
2004-01-22 07:19:08

”Guns don’t kill people, it’s these little hard things.”

Comment by ROFL #
2004-01-19 07:50:35

Do you know how many millions of anonymous proxies there are out there?


Comment by Phil Ringnalda #
2004-01-19 09:58:50

Yep, or at least I’m starting to realize. Something I never actually needed to know before. But, still, suppose you say to yourself ”oh, there’s millions out there, no sense blocking those 35” and the next day you wake up to several thousand comments all from the ones that ship with FloodMT. A couple of minutes work for a little bit of protection from feeling really stupid? I’ll take that deal.

Comment by Anonymous #
2004-01-21 18:19:49

Eventually, we’re probably going to need to do some kind of web-of-trust thing. Any chance anyone could write a plug-in that integrates with GNUPG and signs the comment?

Comment by Phil Ringnalda #
2004-01-21 18:28:31

That’s sort of along the lines of what I’ve been thinking this afternoon: signed and known, your comment is immediately visible, and triggers a rebuild in MT, unsigned or unknown, you go into the moderation queue and are only visible through a fried cgi version of the comments (for those people who read /. at -1 ;)) until you get approved or dumped. Beats hell out of the awful idea of registration, anyway.

Comment by Eric Heupel #
2004-01-22 21:46:52

Hopefully this will generally blow over and we will be back to the more mundane commercial comment spam when (if?) the return on their work becomes minimal as better protections such as Six-Apart’s 2.661 update and Jacques Distler’s patches among others become more widely used. Script kiddies and /. trolls are generally thick headed, slow and generally they are incredibly lazy — minimal brain and finger ouptut to maximize the attention (good or bad) they feel their parents or society has not dutifully paid them.

I think the web of trust is basically a good idea, but I really hope it doesn’t come to that. I have had great ”conversations” on websites I infrequently — or have never before — visited, not always with the web site author either. The potential lag time on some sites for approval could be a serious impediment to those dialogues and on rather busy or popular sites a serious headache for the site author/maintainer. It is considerably better than the alternative of registration though, and could be used for other purposes as well.

Comment by Phil Ringnalda #
2004-01-22 22:25:09

Lazy, certainly. It would take me two or three hours to overcome everything I’ve thought of to date other than an inaccessible CAPTCHA or moderation for anyone not whitelisted in one way or another, but then I don’t really know Python.

But they have no need to bother. There must be tens of thousands of people running versions of MT from before 2.6 (I saw someone quite technically adept updating from 2.2 the other week). Even if 3.0 does something useful, which doesn’t strike me as very likely right now, given how naive the 2.66 throttle and the idea of registration (”stop people who crapflood /. with a simple registration scheme! they’ll never think to register 20 accounts!”) are, there will still be plenty of people to terrorize for months or years to come. Good for me, if they can’t be bothered to do the work to flood me as much as my throttle allows, bad for everyone else.

WOT and slow moderation, yeah, it’ll mean some changes. I’ve both had and hosted those conversations on a third party’s site, and although I enjoy it, I’m not sure that it’s an integral part of weblogging that every post have a real-time chat attached to it, in full view of every passing spider. Given the choice between waking up every morning and needing to moderate two or three comments from new acquaintences, or waking up every morning not knowing if I’ll need to delete two or three spams, or two or three hundred, as I’ve been doing for several weeks now until my recent site hardening, I’ll take a slightly slower pace to the comments. Maybe it’s just the circles I travel in, but most of the threads I’ve seen and been involved in that would require quick moderation to keep the flow going are just new instances of the same semi-permanent floating arguments that we’ve been having on mailing lists and various comment threads for years, and I wouldn’t miss them in the least. Odds are, elsewhere there are other people talking quickly about new and interesting things, and I just don’t see them.

Dunno. Usually if I leave a comment somewhere, it’s a day at least before I can get back to look for a reply, and if I get a comment, unless I’m asleep or at work, I try to reply (and thus would moderate) pretty quickly. It feels to me like something that would work for me, and for my impression about lots of other people. Right or wrong, I don’t know, and I don’t know any way to find out short of trying.

It’s just… I’ve been thinking seriously about weblog comment spam since October of 2002, when I got my first comment crapflood, and in that time the only really workable thing I’ve either thought of or heard of is moderation, made clear and strong enough that it’s obvious to both spammers and crapflooders that nothing they do will ever see the light of day, coupled with enough anti-bot features to keep most of them from posting. If you believe, as it sounds like Ben does, that installing a simple program, then clicking a button and typing a password, will be too high a barrier, then signing’s out, and all you have left is registration, and I sure hope he’s at least building in moderation, so that non-registered comments can still be left, and put in the queue.

Comment by Eric Heupel #
2004-01-22 23:44:30

No arguments with anything you’re saying. For most sites (almost all), the comments are not fast enough to suffer from using the moderation. I see where culling the comment spam and crapflooding is worse than the time spent to moderate and establish trust relationships.

I have had some quick turn conversations mostly on 2 specific highly focused sites running MT for a very tightly focused but largish talkative community, in those 2 cases moderation would be pain, but registration would be even more of one in many ways. As you point out general open registration just doesn’t work case in point = /. Used to have a significantly higher signal to noise ratio — even now half of the ”signal” is nothing more than noise that’s been moderated up by trolls, uninformed or what-have-you. Of course registration does work if it’s conditioned on some form of trust-web anyways.

I’m not thinking and do not believe that it’s going to be any one click button solutions, nor do I believe that registration is the solution. Although I can see situations where registration can be used effectively. I know of 3 sites (one a church site and two used for family information) where the registration itself would be based on existing trust relationships. As with the idea for GNUPG type system, comments from those registered (with a closed registration system) would be instant all others would enter a moderation queue. For these sites and (I’m guessing) many others like them, few (none?) of the audience/users/commenters run their own web sites and virtually none have heard of GNUPG or PGP any other privacy/signature system.

Personally looking at it and thinking about it, give me both systems. With the option to use either, neither or both – with and without moderation queue’s. As it is now, we have only one choice — neither with no queue. So assuming Ben is going with a registration only option then I would like to see a general patch/plugin using GNUPG, maybe tying into FOAF etc, but that also allowed the site author/maintainer to pre-register/register trust for certain email addresses for instant posting.

Not being a coder, how hard would it be for him to make a secure, plugable authentication system?

Comment by Mark #
2004-01-21 21:54:39

They’re branching out. Version 1.1.6 can flood LiveJournal too. These bastards are going to have a universal comment posting API before you know it.

Comment by Phil Ringnalda #
2004-01-21 22:06:17

I think Jacques said all that can be said about flooding an LJ:

Yep, crapping on her LiveJournal is surely the way to attract the attention of that girl you’ve been itching to talk to…


Trackback by Neil's World #
2004-01-21 03:52:12

Filtering out proxies to stop comment spam

Phil Ringnalda, who has finally returned to the blogosphere, has posted a list of open proxy servers which are often used by comment spammers.

Trackback by Burningbird #
2004-01-29 03:01:54

Stepping Stones to a Safer Blog

edited In the last few weeks, I’ve been hit not only by comment spammers but a new player who doesn’t seem to like our party: the crapflooders, people who use automated applications (you may have heard of the program called ”MTFlood” or some variation)…

Trackback by Electric Venom #
2004-01-30 14:52:08

A Long Blog Journey Into Goodbye

Between the tweaks of the past two weeks, the implementation of a couple new skins, two MoveableType upgrades and now my server being flooded with what appears to be a DDoS aimed at my site, I’m starting to feel like all I do – when I’m not doing the a…

Name (required)
E-mail (required - never shown publicly)
Your Comment (smaller size | larger size)
You may use <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <del datetime="" cite=""> <dd> <dl> <dt> <em> <i> <ins datetime="" cite=""> <kbd> <li> <ol> <p> <pre> <q cite=""> <samp> <strong> <sub> <sup> <ul> in your comment.