scriptygoddess

1 | dave

October 29th, 2002 at 3:20 pm

i did not get hit by this particular vulture, but recently i did have someone post some basic PHP code into my comments in an effort to try to get my .passwd file. since it was enclosed in PHP brackets, the code wasn't visible except in the email notification sent to me.

so, along the lines of your post topic, is this an additional vulnerability these spammers (or script kiddies) might be able to use against MT users in our comments?

2 | Jennifer

October 29th, 2002 at 4:03 pm

Dave – we had similar problems like that (someone trying to write php code in the comments) a few weeks ago… since then, someone came out with a plugin for MT – that will let you filter out certain stuff… like javascript and php (you specify WHICH tags are allowed – everything else gets ignored.. Kristine posted about it (download the plugin here)… it's called the "sanitize plugin". That will help, at least, on that problem…

Promo – still don't know what to do about your problem… How annoying… I wonder if Ben and Mena could shed some light… Have you posted on the MT forums?

3 | j. brotherlove

October 29th, 2002 at 4:19 pm

I am really stabbing in the dark (since I know very little compared to the goddesses – and gods – in this community). But, I read somewhere (probably in the MT Forums) that you didn't have to settle for consecutive numbering of entries. If, for example, you used entry titles instead of numbers, would that alleviate this ability to write a script/tool to mass send spam?

4 | Phil Ringnalda

October 29th, 2002 at 4:31 pm

Mena said in my comments that they'll be thinking of ways to thwart the moron spammers, but it's a tough thing to block without doing things like requiring registration (and approval of registration) or not publishing comments until they've been approved, both of which would be annoying and would discourage comments. I think the solution has to involve comparing a new comment to the last few comments, looking for things that are too similar for comfort, but even with that everything I've come up with so far would take me less time to script around than it would take to implement in the first place.

Using titles rather than numbers would make things slightly more difficult for the spammers (at the expense of breaking every existing link to your entries), but not too difficult: once a spammer has your first entry, you very nicely provide him with "next entry" links to navigate through every entry, and getting a thousand entries and parsing out the next link and the data from the form shouldn't take more than a few minutes (my unthreaded, took a few minutes to write script took around a second to get five entries and parse out the form data).

5 | DidionSprague

October 29th, 2002 at 5:29 pm

The model you might want to check out is Slashdot. It's been a while since I've looked at the code, but they have implented stuff like comment queuing (only one comment per 20 seconds), comment scanning for spam (a tweakable filter that looks at the submitted comments and sees if it has certain keyword — like 'first post' — or contains a lot of carriage returns or has one sentence per line, etc. etc.) It's not perfect, but I'd bet something like this would at least slow the potential down.

I'm planning to look into the idea of a 'comment pause' and a configurable spam filter.

6 | Scott Meinzer

October 29th, 2002 at 8:02 pm

This is just my idea on how to keep this from happening you know, the comments subscription script how it has a go-between file? you could have it also output the name, ip, or msg or something to a file with a time stamp, then when someone posts another comment it could say "Alrrady Posted Please Wait 60 Seconds" or something, then take it out of the file. just an idea and dont know if it would work.

/Scott

7 | Jennifer

October 30th, 2002 at 8:18 am

(posted this same comment on Phil's site…)

I think Pepino (a commenter on Phil's site) is on the right track… if it is a script, then they probably aren't even going to each page (?) to send the comment… it could be either a checksum or some value that can only be given on an ENTRY page… and without that value, the comment does not go through… kind of like a "session id" or something… the server gives it to the page new each time, each page refresh, or load… then when the comment is posted, it checks to make sure that session id is there, and it's the one that *IT* generated…

unfortunately, while I could probably figure something like that out in PHP, I'm clueless when it comes to Perl… Does this sound doable to anyone?

—
one additional note… when the server generates these "session id"s… if it's coming from the same IP in too short a timeframe when a comment from that same IP is generated, it could decide NOT to generate the id… or alternatively it can be cookie based… if the comments are coming from the same cookie within to tight a timeframe… etc. (Again, this would all have to be done directly into the MT code, as any "front" you put up with PHP, could eventually be gotten around…)

8 | kd

October 30th, 2002 at 4:56 pm

ok, i'm not as geeky as i'd like to be, so this may be a dumb question: since this script is automatically filling out a form, it's probably set to look for certain fieldnames right?

wouldn't it put the script off its game if everyone made their own custom fieldnames, something that would be hard to guess at?

9 | surreally news and updates

October 30th, 2002 at 3:15 am

comment spam
a new type of spam rears its ugly head — spambots spamming comments. this is very much a new issue,

10 | kd: a blog

October 30th, 2002 at 6:52 pm

there's evil afoot
geeky evildoers of evil