How to Block 99.9% of All Movable Type Comment Spam

December 13th, 2010 Permalink

Amongst the sites I run is a modestly trafficked Movable Type blog that, unfortunately for me, occasionally touches on topics with comparatively high value in the ecosystem of keywords, page rank, and paid clicks. These are areas in which the search engines are flooded with worthless commercial junk, automated spam, and other unsavory line items, to the point at which it becomes hard to find useful discussions created by real human beings with actual domain expertise. Thanks to the fact that I am a real human being with actual domain expertise, and have been writing on the topic for the better part of a decade, I have a high page rank for some apparently valuable terms, something that just happened, with no effort on my part to make it so. As a consequence I might see 20-30 spam comments submitted to my blog per hour on an average day. That's ~600 per day, ~4,200 per week, ~220,000 per year: a constant, unending stream of junk.

In the midst of this river of garbage, there are comments from actual readers that I would like to see appear on the blog. Perhaps one or two per post on average. I can usually pick them out from amidst the automated spam, but wading through 600 comments every day to find the one or two that were submitted by real people is not the way I want to live my life.

There are various tools in the toolkit that comes with Movable Type that are intended to deal with the spam flood. Precisely because they come with MT, however, they are all varying shades of unhelpful, or on the way to becoming useless. Anything that gains wide adoption or is turned on by default in a new installation of MT will soon be defeated by the spammers, be it registration, captchas, or other techniques. Once one group of spammers surmounts a challenge, the technique used will spread through the spam-generating toolkit ecosystem until, in time, even the most unsophisticated script-users have access to it.

That said, I made a modest change to my spam-plagued blog a few years ago that cut out 99.9% of all incoming spam comments, and it continues to do so to this day. It works because (a) my blog isn't a major web site with name recognition and a massive user base, and (b) the technique isn't widely used. Because of that latter point, I'm not going to give you a cut-and-paste description of how to set it up, but rather tell you how to create a similar version that should still get the job done. Even if a thousand blogs use very similar versions, the differences between them will still ensure that there is no monoculture for spammers to target.

The basic outline is as follows:

  • Set comment posting to require an additional parameter passed with the form submission
  • Amend the comment form templates to add JavaScript code that sets this parameter dynamically

1) An additional parameter for comment submission

In your Movable Type install, find the file lib/MT/App/Comments.pm. For Movable Type 4.*, you are looking for the following lines of code; the code is very similar in the 3.* and 5.* versions as well:

sub post {
    my $app = shift;
    my $q   = $app->param;

    return $app->error( $app->translate("Invalid request") )
        if $app->request_method() ne 'POST';

Change this by adding two lines, so that the parameter check runs before anything else in the handler:

sub post {
    my $app = shift;
    my $q   = $app->param;

    # Reject the submission unless the extra parameter carries the expected
    # value; this runs before any other validation of the request.
    return $app->error( $app->translate("Rejected as spam.") )
        if $q->param('begonefoulspam') ne 'forthwithinhaste';

    return $app->error( $app->translate("Invalid request") )
        if $app->request_method() ne 'POST';

Now a comment form submission lacking the parameter "begonefoulspam" set to the value "forthwithinhaste" will be rejected; note that comment previews still work, however.

2) Amend the comment form templates

Unless you have heavily edited and rearranged your templates, you should only have to amend the "Comment Preview" System Template and the "Comments" Template Module. Both contain a comment submission form, and both must be changed, since any form that submits without the parameter is now rejected.

As a first step, simply adding the additional parameter to the template HTML as a hidden field might eliminate some spam:

<input type="hidden" name="begonefoulspam" value="forthwithinhaste" />

But it is easy enough for a comment spam script to parse the form HTML and submit any additional parameters it finds there. I imagine that many spam toolkits do that already, in order to defeat trivial customizations such as changing field names or adding an extra field. So to defeat the spammers you must instead set the parameter using JavaScript, either on page load or when the form is submitted, so that it is absent from the served HTML. There are so many different ways to do this that only a general JavaScript engine coupled with inspection of the DOM would allow a spam toolkit to successfully submit the form without having been customized to your site, and so far that seems to be well beyond the state of the art for the average spammer.

This holds only as long as you are not running a large site, however. If you are big enough to be a target worth effort all by yourself, you'll need more sophisticated methods, since the spammers will spend time trying to defeat whatever techniques you adopt.

In any case, this use of JavaScript to add an <input> element to the form DOM is the part of the process that I'm asking you to create yourself. No cut and paste here. Be inventive, be different, and in doing so you help to make it harder for spammers to create tools that can circumvent this simple method. One caveat follows directly from the design: a reader whose browser does not run JavaScript will submit the form without the parameter and be rejected exactly as a bot is.
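To make the difference between the two approaches concrete, here is an added JavaScript example that is not part of the original post and not the author's own template code. It runs under Node and simulates both sides: a spam script that parses the served HTML and replays every <input> it finds, and a browser that additionally runs the page's script. The form markup, the /mt/mt-comments.cgi action, the comments-form id and the bot's parser are all constructed for the demonstration; serverAccepts() mirrors the Perl check from step 1, and armCommentForm() is the browser-side piece that would go into the template. Treat the names and the way the value is assembled as one possible shape only; the whole point of the post is that yours should differ.

```javascript
// Added example (not from the original post): why a static hidden field is
// scraped by spam scripts while a script-set one is not. The form markup,
// field names and the bot's parser below are all constructed for the demo.

const GUARD_NAME = 'begonefoulspam';     // parameter name checked in Comments.pm
const GUARD_VALUE = 'forthwithinhaste';  // value the Perl check expects

// What a spam script without a JavaScript engine does: pull every
// <input name="..." value="..."> out of the served HTML and replay them.
// (Deliberately simple parser; real toolkits handle more markup, not scripts.)
function scrapeFormFields(html) {
  const fields = {};
  const inputRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const attrs = m[1];
    const name = /\bname\s*=\s*["']([^"']*)["']/i.exec(attrs);
    const value = /\bvalue\s*=\s*["']([^"']*)["']/i.exec(attrs);
    if (name) fields[name[1]] = value ? value[1] : '';
  }
  return fields;
}

// Mirror of the two-line check added to lib/MT/App/Comments.pm.
function serverAccepts(params) {
  return params[GUARD_NAME] === GUARD_VALUE;
}

// Browser side. The value is assembled at submit time from fragments, so
// neither the <input> element nor the literal value appears in the served HTML.
function guardField() {
  return { name: GUARD_NAME, value: ['forthwith', 'in', 'haste'].join('') };
}

// Attach to the real form in the template (browser only; not called under Node).
function armCommentForm(form) {
  form.addEventListener('submit', function () {
    const f = guardField();
    const input = form.ownerDocument.createElement('input');
    input.type = 'hidden';
    input.name = f.name;
    input.value = f.value;
    form.appendChild(input);
  });
}

// Constructed templates. The action path and the form id are assumptions.
const STATIC_HIDDEN_TEMPLATE = `
<form method="post" action="/mt/mt-comments.cgi">
  <input type="hidden" name="entry_id" value="1234" />
  <input type="hidden" name="begonefoulspam" value="forthwithinhaste" />
  <textarea name="text"></textarea>
  <input type="submit" name="post" value="Submit" />
</form>`;

const SCRIPT_SET_TEMPLATE = `
<form id="comments-form" method="post" action="/mt/mt-comments.cgi">
  <input type="hidden" name="entry_id" value="1234" />
  <textarea name="text"></textarea>
  <input type="submit" name="post" value="Submit" />
</form>
<script>armCommentForm(document.getElementById('comments-form'));</script>`;

// Simulate a submission: a bot replays scraped fields as-is; a browser also
// runs the page's script, which guardField() stands in for here.
function simulateSubmission(templateHtml, runsScripts) {
  const params = scrapeFormFields(templateHtml);
  params.text = 'buy cheap widgets http://example.com/';  // constructed spam body
  if (runsScripts) {
    const f = guardField();
    params[f.name] = f.value;
  }
  return serverAccepts(params);
}

// Static hidden field: the bot scrapes it and gets through.
console.log('static field, bot:    ', simulateSubmission(STATIC_HIDDEN_TEMPLATE, false)); // true
// Script-set field: the bot never sees it and is rejected; a browser passes.
console.log('script field, bot:    ', simulateSubmission(SCRIPT_SET_TEMPLATE, false));   // false
console.log('script field, browser:', simulateSubmission(SCRIPT_SET_TEMPLATE, true));    // true
```

The only line of this that belongs in a template is the script tag calling armCommentForm(); the rest exists to show that the same scraper which defeats the static hidden input returns nothing usable once the field is created by script. Splitting the value into fragments is a small extra step so that a toolkit grepping the page for the expected string also comes up empty.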

3) This technique works elsewhere as well

Hand-crafted JavaScript alteration of the DOM can make it expensive for spammers to overcome a wide range of conceptually similar but materially different obstacles created by owners of small web sites. If you can raise the cost of spamming your small web site with software above the cost of spamming it with poorly paid menial workers, then you are far ahead of the game.

This same approach works in a wide range of situations: registration forms, forums, and in fact pretty much anything involving form submission on a small web site. As for the results on my Movable Type blog: the only comment spam I've seen for years now is the trickle created by a combination of self-promoting fools and poorly paid menial workers at the periphery of the spam industry. If I see one or two of these submissions a day, it's an unusually busy day. So this methodology works for me, and if your situation is similar to mine it will probably work for you as well.