Don't Back Down

Posted by Chad Everett on December 20, 2004


It's really rather interesting that all the recent flutter about comment spam has already happened (two years ago, when comment spam appeared on the scene en force). At the time, more than one (1, 2, 3) person talked about the very same issues that we're rehashing now.

MT-Approval is, in fact, simply an implementation of one of the ideas floated during those discussions - putting a field into the comment form that must be there in order for the comment to be posted.

I did see where Shelley implemented a quick fix for dealing with comment spam, and that fix was in fact the same thing done by MT-Approval (the hash in MT-Approval may make it marginally harder to compromise). Her work was done nearly 26 months ago. Phil did something similar only a short time later. Nice that we're actually paying attention to things that happened so long ago.

Perhaps the problem is that the solution, while not exceptionally difficult, wasn't as easy as installing a plugin and mucking with a template or two (as is now the case with MT-Approval). It will be interesting to see how things develop. I'm very hopeful that it will work out well - but I'm also a cynic, and would not be surprised at all if it didn't, and new measures will be required again in the very near future. Thoughts?
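To make the idea concrete, here is an added model of the "required hidden field" check that MT-Approval and the earlier fixes implement (example code written for this post, not MT-Approval's own code). It assumes a server-side secret, a hidden field named `approval`, and an `entry_id` field; the token is an HMAC over the entry id and an issue time, so a POST that never fetched the form, reuses another entry's token, or arrives after the token expires is rejected.

```python
import hashlib
import hmac
import time

# Hypothetical server-side secret; a real deployment loads it from config.
SECRET = b"example-secret-do-not-reuse"
TOKEN_TTL = 3600  # seconds a token stays valid after the form is served


def make_token(entry_id, issued_at=None):
    """Value to place in the hidden form field when the comment form is rendered.

    Format: "<issued_at>:<hex HMAC-SHA256>", where the MAC covers entry_id
    and issued_at, so the token is bound to one entry and one time window.
    """
    issued_at = int(time.time()) if issued_at is None else int(issued_at)
    msg = f"{entry_id}:{issued_at}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}:{mac}"


def check_token(entry_id, token, now=None):
    """True only if the submitted token is present, unexpired and authentic
    for this entry. Missing, malformed, stale or tampered tokens all fail."""
    now = int(time.time()) if now is None else int(now)
    if not token or ":" not in token:
        return False
    issued_str, mac = token.split(":", 1)
    if not issued_str.isdigit():
        return False
    issued_at = int(issued_str)
    if issued_at > now or now - issued_at > TOKEN_TTL:
        return False
    expected = hmac.new(SECRET, f"{entry_id}:{issued_at}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    return hmac.compare_digest(expected, mac)


def accept_comment(form, now=None):
    """Apply the gate to a submitted form (dict of field name -> value).

    This is the whole check: no valid 'approval' field, no comment.
    """
    return check_token(form.get("entry_id", ""), form.get("approval", ""), now=now)
```

As the comments below point out, this only raises the cost of spamming: a bot that fetches the form first and parses out the hidden field gets a valid token like anyone else.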


Comments (4)

My main thought is "what do I do now?" Having a nonce to force preview has been my Club for so long, I've pretty much stopped thinking about what's next.

It's very much a Club; it only works when you have the only one on the block: three different people (at least, I assume they are different people) have written scripts to demonstrate to me that it can be trivially coded around, as if I didn't know from the start, but since only a few of us did it, I've gotten at most one or two hand-entered spams a week, through all the storms of people getting hundreds.

At first, I expected that Wal-Mart would be selling my Club fairly quickly, though I didn't talk it up too much because I was busy waving a red flag in the face of the crapflooders. Then, I just got used to not getting comment spam. Now? I might be able to eke out a bit more time with JavaScript, though I know too much about using Mozilla as a spider to have great hopes for that either.

Well, I don't think we need to worry too much about "what's next" until the spambots can defeat what we've already got. And I don't see they've made any progress in that direction in the intervening time.

I realize full-well that it's pretty trivial to do so. But with an exponentially-rising number of easy targets, there's not exactly a lot of pressure on the spambot authors to do better.

But, if you want to see one vision of what could be next, try the comment system at my blog (pretend you're a spambot and disable javascript and cookies).

Maybe my assumptions are invalidated if you can turn Mozilla into a spambot...

I think we all agree that it's trivial to defeat. The question is really how long before enough systems sport some similar form of hash/nonce defense that makes that triviality worth exploiting?

The rising number of targets that are easily exploited is encouraging in one sense (that is, that I don't have to worry about it) but discouraging in another (that they provide the encouragement for spammers to continue).

Consider, too, that we're raising the cost of developing a spambot.

Usta be (and to a large extent, still is) that you could search for "mt-comments.cgi" on Google and obtain a long list of URLs that you could feed to a 'bot that did nothing more than an HTTP POST with your desired payload to each of those URLs in turn.

Then people got smart and changed the name of the CGI script, and you had to search for the labels of the comment-entry form. Your 'bot then had to GET the page, search for a form with an <input type="submit" name="post" value="&nbsp;POST&nbsp;" /> and grab the action="..." of the <form>.

(I should point out that the spambot which is causing the current brouhaha gets totally confused if you simply remove the POST button from your comment-entry form. It can't figure out that it's found the form it's looking for, without the POST button present. There were 'bots a year ago which were smarter than that...)

Then people got smarter and moved the form off of the individual archive pages and onto a page that is *not* indexed by Google. (I see *you* haven't done that yet.) Suddenly, your spambot had to be capable of crawling the victim's site to find the comment-entry form, and then apply the procedure above.

And then people got yet-smarter, and started adding various random hidden form-fields to their comment-entry form. Now your spambot has to be able to parse the (X)HTML (regexp's just won't cut it anymore) in order to figure out what to POST to the URI it found by crawling the victim's site.

And then other people start jumping in, saying "Hey! So your spambot can crawl, and can parse (X)HTML? How about a DOM-aware Javascript interpreter and cookie-handling abilities?"

We've come a long way from "do an HTTP POST to a list of URLs". The payoff to the spammer isn't any greater, but the programming challenge certainly is.

With all the low-hanging fruit available, I can see why most spammers aren't motivated to rise to that challenge.
