Throttling down

You’ve probably heard that MT 2.661 is out now, and that it includes a spam throttle. I think that’s a very good thing, though only in my own twisted way.

What the stock spam throttle does is look for a comment in the last ThrottleSeconds (either set in your mt.cfg file, or the default 20 seconds) coming from the same IP address and, if there was one, return your comment error template with the message that they need to slow down. If the “they” isn’t actually a human looking at what comes back, then 8 attempts in ten times ThrottleSeconds earns them a place in your Banned IP list.

That may actually be effective, once. I presume that somewhere in the world, there is someone who wants to spam comments (more likely a troll than a real spammer), who actually hasn’t ever heard of anonymous proxies, or doesn’t know how to use them. Note that “someone” is singular. Lord knows I haven’t had much luck with banned IPs lately.

Still, I think it’s a good thing, since I do my best (okay, my only) Perl coding when I’m just altering what someone else did, rather than having to start from scratch. The code for the stock throttle saved me who knows how long trying to figure out how to put in a real throttle. A little copy, a little paste, a few minor changes, and now I only accept one comment every six times ThrottleSeconds, no matter what the IP address. I doubt that there’s anyone likely to be leaving a legitimate comment here who won’t understand when they get a message saying “Hang on for a few, and try again, I’m throttling right now.”

Of course, there’s a downside to that sort of throttle: anyone who wants to DoS my comments can: a crapflood is likely to be the one that gets in, once every six times ThrottleSeconds, so everyone else will be shut out until it stops. As Shelley said, that’s part of the new reality. We no longer live in that pretty world where we could always expect every part of everyone’s site to be working and available every second. Worst comes to worst, you can always put what you want to say on your site, and just count on Trackback, referers, and an eventual comment, to make it over to my site. Or, leave the window/tab open, and keep trying to post when you think of it: who knows, you might slip it in, and cost the crapflooder one opening :)

This isn’t as exact as most of my hack instructions, since things are a bit in flux, and I’m a bit out of practice. You want this wherever your working throttle code is, either in {mt}/lib/MT/App/Comments.pm or in {mt}/extlib/jayallen/MTBlPost.pm if that’s where you’ve copied it out to have them work together. The magic number 6, which may not be the right number, should be pretty easy to spot, and change. Note that this code bit needs to come after the first, “throttle them but don’t ban them yet” by IP bit, since it expects the variables to have already been declared. You’ll probably want to change “Put your funny wait a bit message here” to an actual message, too.


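    # @ts and $from are reused from the stock per-IP throttle block above.
    # Look back six throttle windows (plus one second), adjusted for the blog's time offset.
    @ts = MT::Util::offset_time_list(time - $app->{cfg}->ThrottleSeconds*6-1,
                                     $entry->blog_id);
    # Format as a YYYYMMDDHHMMSS timestamp.
    $from = sprintf("%04d%02d%02d%02d%02d%02d",
                    $ts[5]+1900, $ts[4]+1, @ts[3,2,1,0]);
    # No IP term here: any comment at all since $from trips the throttle.
    if (MT::Comment->count({ created_on => [$from] },
                           { range => {created_on => 1}}))
    {
        $app->log("Throttled comment, had one in the last ". 6 * $app->{cfg}->ThrottleSeconds ." seconds.");
        return $app->handle_error($app->translate("Put your funny wait a bit message here"), "403 Throttled");
    }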

Simple as that. If nothing else, you either cut down the number of posts you get before you notice what’s happening and take direct action to stop them, or possibly cut the number that make it through from a crapflood while you sleep.
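To put numbers on the trade-off described above, here is an added simulation (not part of the original post and not Movable Type code) that replays the same constructed traffic through a per-IP throttle and through a global one. The traffic, the documentation-range addresses and the helper names are all assumptions made for the illustration; only the 20-second default and the multiplier 6 come from the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $THROTTLE_SECONDS = 20;   # default ThrottleSeconds, per the post
my $MULTIPLIER       = 6;    # the post's magic number

# Stock-style check: reject if this IP had a comment accepted within the window.
sub per_ip_throttle {
    my ($window) = @_;
    my %last;                # ip => time of its last accepted comment
    return sub {
        my ($t, $ip) = @_;
        return 0 if exists $last{$ip} && $t - $last{$ip} <= $window;
        $last{$ip} = $t;
        return 1;
    };
}

# The post's check: reject if anyone at all had a comment accepted within the window.
sub global_throttle {
    my ($window) = @_;
    my $last;                # time of the last accepted comment, any IP
    return sub {
        my ($t, $ip) = @_;
        return 0 if defined $last && $t - $last <= $window;
        $last = $t;
        return 1;
    };
}

# Constructed traffic: ten minutes of one automated attempt per second, each
# arriving from a different address, plus one human who tries three times.
sub traffic {
    my @events = map { [$_, sprintf("198.51.100.%d", $_ % 250 + 1), 'flood'] } 0 .. 599;
    push @events, [$_, '203.0.113.7', 'human'] for (90, 150, 300);
    return sort { $a->[0] <=> $b->[0] } @events;
}

sub run {
    my ($name, $check) = @_;
    my %accepted = (flood => 0, human => 0);
    for my $e (traffic()) {
        my ($t, $ip, $who) = @$e;
        $accepted{$who}++ if $check->($t, $ip);
    }
    printf "%-7s flood accepted: %3d  human accepted: %d\n", $name, @accepted{qw(flood human)};
}

run('per-IP', per_ip_throttle($THROTTLE_SECONDS));
run('global', global_throttle($MULTIPLIER * $THROTTLE_SECONDS));
```

The per-IP run lets the whole flood through because no address repeats inside the window, while the global run caps what gets stored but leaves the human shut out for as long as the flood keeps winning the open slot.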

22 Comments

Comment by Shelley #
2004-01-17 19:17:58

I’m using this Phil — I was deliberately attacked tonight, and it wasn’t spammers. Manual and auto attacked.

P.S. Do you have a nonce to use with MT to go with the forced preview? If so, can you email me it?

Comment by Phil Ringnalda #
2004-01-17 19:28:30

Should already be there: I actually mailed it before I put it in here. Which is why you’ve got three emails, as I realized oops this oops that.

It’s not actually very good, since I haven’t quite figured out how to use MT::PluginData yet, but at least it ought to slow things down a tiny bit.

Comment by Shelley #
2004-01-17 19:37:09

Phil, I didn’t get the emails, but my email system got pretty hammered with the hits I got. Could you send them to my yahoo.com account, included in this comment.

Bless you Code Man!

I’ll name my first child after you…no wait a sec…I don’t want kids…well, I’ll name my next kitten after you.

Comment by Phil Ringnalda #
2004-01-17 19:56:20

Could also be the address: I sent it to what you posted, which I see lacks the initial that you usually use. Does “a too familiar first name only” get routed elsewhere or filtered along the way?

Anyway, it’s on the way to Yahoo. Now why did I admit having to take three shots to get it sort-of right before?

Chin up. You’re the one who told me we can’t expect everything everywhere all the time. Whether they get bored, or we make it too much trouble for the amount of fun trolling you provides, it’ll all be the same in a hundred years.

 
 
 
 
Comment by Shelley #
2004-01-17 21:08:04

Did you get hit by our friend? How’d we do?

Comment by Phil Ringnalda #
2004-01-17 21:22:02

Had to look in my logs to see. Someone seems to have been sending a few hundred comments to my blog, minutes before the last email I sent you. Damnedest thing, not a single one of them showed up, though. Dunno what happened, since several other comments made it through, in the same period of time. Puzzling, but the way I hack around at stuff, well, things break, or don’t work the way someone might expect, all the time ;)

 
 
Comment by Jacques Distler #
2004-01-18 21:33:32

I assume you’ve fixed things so that comments posted by lame-ass robotic scripts are summarily rejected (hence not triggering your throttle).

At least that’s what I’d do … :-)

 
Comment by Phil Ringnalda #
2004-01-18 21:49:07

Comments posted by lame-ass robotic scripts? Oh, around here we call those Previews that never get Posted.

I’m actually a little worried about the next step. What I’ve got now can be defeated, and I’d like to have James Seng’s MT-Bayesian trained up and ready to tell wheat from chaff, so I could have a two-layer throttle, but if nothing actually makes it through, it’s hard to train. In the last couple of days, I’ve had exactly two hand-entered spams. Hard to build up a good corpus that way. It does its best, and calls them 50%, but then it quite often says that about anyone it hasn’t met yet.

Comment by Phil Ringnalda #
2004-01-18 21:54:40

Sheesh. One of these days I’ll remember what’s patched how, and can’t be overwritten. Threading, por favor.

 
Comment by Jacques Distler #
2004-01-18 22:08:58

Comments posted by lame-ass robotic scripts? Oh, around here we call those Previews that never get Posted.

Funny, I’ve been getting a lot of those too.

I’m actually a little worried about the next step. What I’ve got now can be defeated, and I’d like to have James Seng’s MT-Bayesian trained up and ready

Phil, Phil. You give up too easily. Why just tonight it occurred to me that every comment-entry form could be a honeypot too. (What’s adding another method to lib/MT/App/Comments.pm between friends?).

And then there’s the fun one can have with cookies and DOM-scripting …

Why we’ve barely scratched the surface of the games we can play with spambots.

Comment by Phil Ringnalda #
2004-01-18 22:21:48

I’ve been idly thinking along those lines, too. It can be hard to tell for sure sometimes, but whether it’s FloodMT calling, or a better-written spambot, when you’re sure… :)

 
Comment by Phil Ringnalda #
2004-01-18 22:29:30

I wonder if Microsoft objects to having people directly link to downloads through a redirect? I’d like to offer the suggestion that some of my “visitors” download the .NET SDK. Sure, it’s 108757 KB, and especially if you start downloading it in twenty or a hundred different threads, it’ll be a big pull, but I’m sure it would be something they would enjoy having.

 
 
 
Comment by Geek #
2004-01-21 19:45:36

The 2.661 version simply does not work. The script kings have modified their code and somehow were able to get nearly 1000 comments added to my site yesterday in under 10 minutes. I am at my wits’ end and will likely have to remove comments permanently until MT gets something to us that really works.

Comment by Jacques Distler #
2004-01-21 20:45:08

They never had to modify their code, because Ben’s throttle in 2.661 is on a per-IP basis, and their program marshals a legion of anonymous proxy servers.

See Phil’s post or mine for how to do something more effective.

 
 
Trackback by EmptyBottle.org #
2004-01-17 19:20:17

This Means War… or at least a good noogy-ing!

Shelley outs some script kiddies, and gets herself deliberately targeted and spammented, and has had to turn off commenting for the moment on her MT system. If I know Shelley, she’s gonna come out swinging. This should be fun. This attack is from the …

 
Trackback by Musings #
2004-01-18 20:17:09

Comment Throttle

So it turns out that the latest fad among the script kiddies is crap-flooding MovableType blogs with thousands of randomly-generated…

 
Trackback by Eclectic Echoes #
2004-01-23 00:33:17

FloodMT Crapflooding, Trackback-flooding and Whining crapflooders

It’s almost funny, in a weird twisted sort of way… Recently the comment spam problem for MovableType users escalated when some script kiddies released an automated comment spammer. The site hails it as: the first integrated solution for tes…

 
Trackback by Eclectic Echoes #
2004-01-27 00:53:34

Crapflooded…

It’s almost funny, in a weird twisted sort of way… Recently the comment spam problem for MovableType users escalated when some script kiddies released an automated comment spammer. The site hails it as: the first integrated solution for tes…

 
Trackback by Burningbird #
2004-01-29 03:11:29

Stepping Stones to a Safer Blog

edited In the last few weeks, I’ve been hit not only by comment spammers but a new player who doesn’t seem to like our party: the crapflooders, people who use automated applications (you may have heard of the program called “MTFlood” or some variation)…

 
2004-02-08 01:26:05

MTFlood Attack

Somebody started massively flooding my blog with comments, obviously automated pretty efficiently. I’ve reattached the comments to this entry. Update: A quick Google search shows that the script to do this is freely available, which sucks, but there’s …

 
Trackback by fling93 loves fishies #
2004-12-02 20:35:38

Comments Disabled

The comment spam problem has gotten drastically worse over the past few weeks (yes, I already have MT-Blacklist installed). Comments will be disabled for now until further notice. Update Okay, they’re back on again. One of these days I’ll p…

 
Trackback by Don't Back Down #
2004-12-20 16:02:54

And History Repeats

It’s really rather interesting that all the recent flutter about comment spam has already happened (two years ago, when comment spam first appeared on the scene). At the time, more than one (1, 2, 3) person talked about the very same issues that we’re …

 