« alogblog MT Interface for ver. 3.2 | Main | QuickImagePost, a blogging tool for an entry with representative image »

CCode and TCode for blocking comment/trackback spam for MT 3.2

Go to Korean page

MT 4.0 users should go to this entry

MT 3.3 users should go to this entry

Current Version(for MT 3.2 users) : 3.2.03

This plugin is for blocking feedback[ct(=comment) and tb(=trackback)] spams by adding an additional CCode(hidden ct input field) or adding TCode to original tb ID in tb URL, and then obfuscating that Code for the purpose of not easily guessing it.

MT 3.2's enforced anti-spam system is performed mainly after getting feedbacks. So if many spams are arrived, then it also uses system/MT user resourses when filtering, junking, unpublishing, and deleting spams although it becomes comparatively easy than pre 3.2.

CCode and TCode works in before saving spam feedbacks to MT system. CCode/TCode make it very difficult for spam-bots to guess tb URL and required ct input fields. Target ct/tb URLs to send spams are calcuated from unrevealed entry/trackback data and obfuscated by Javascript.

PHP plugins are also provided.

Requirement

MT 3.2
RDB like mySQL if you are using Dynamic Publishing. (This plugin provides PHP version)

Installation

Download this plugin and untar it under mt home.

ex) $ cd mt_home; $ tar xvfz CTCode-3.2.03.tar.gz

Then all files will be located in proper sub-folders as below.


  • (mt home)/default_templates/obfuscator.js

  • (mt home)/php/plugins/alogblogObfuscator.php

  • (mt home)/php/plugins/init.alogblog-CCode.php

  • (mt home)/php/plugins/init.alogblog-TCode.php

  • (mt home)/plugins/BigPAPI.pl

  • (mt home)/plugins/alogblog/CCode.pl

  • (mt home)/plugins/alogblog/TCode.pl

  • (mt home)/plugins/alogblog/lib/alogblogObfuscator.pm


You have to add the content of default_templates/obfuscator.js file into blog's Site JavaScript(mt-site.js) template. There are two methods.

In your blog's Index Template menu page, open "Site JavaScript" template, and then add the content of obfuscator.js into the bottom of that template. And Save and Rebuild it. That's all.
This method is easy but If you created a new blog, then you would have to do this process again.

Second method is more recommanded. Open (mt_home)/default_templates/site_javascript.tmpl and add the content of obfuscator.js into the bottom of it. Then in Index Template menu page, check Site JavaScript template and do "Refresh Template(s)" action. Then the content of obfuscator.js will be automatically added. With this method, you don't have to add it manually to each newly created blogs, because we modified default template of Site JavaScript.

Tag Usages

1. CCode

Insert <$MTEntryCCode$> tag within the comment <form> tag of Individual Entry Archive template and Comment Preview template. Proper inserting position may be as below.

<input type="hidden" name="entry_id" value="<$MTEntryID$>" /> <$MTEntryCCode$>

And then rebuild individual entry archives. ( You can see above tag's results by openning this page's source. )

* Also, these tags can be added to the default templates for Individual Archive (individual_entry_archive.tmpl) and Comment Preview (comment_preview_template.tmpl) much like the second method described under Installation of site_javascript.tmpl. This provides the same advantage of using refresh instead of manually updating each blog's template set. ( Updated with help of Jeb )

2. TCode

MT's default template tags, <MTEntryTrackbackID>, <MTEntryTrackbackLink>, <MTEntryTrackbackData>, are used. So you don't have to edit templates. Just rebuild individual entry archive if you are not using Dynamic Publishing. ( You can also see this entry's tb URL example and RDF tb data in its source. )


* Added attributes of MTEntryTrackbackID / MTEntryTrackbackLink in 3.2.02

  • <MTEntryTrackbackLink nocode="1"$> : If you want to embed trackback link to some XML feeds, then you need to use this attribute. ex) ".../mt-tb.cgi/24.your ping is to be moderated, so please dont't send repeatedly"
  • <MTEntryTrackbackLink nocode="2"$> : ex) ".../mt-tb.cgi/24"
  • <MTEntryTrackbackLink hidden="1"$> :The "hidden" makes ID/Link invisible, and then those values are assigned to __MTTBID__, __MTTBLINK__ javascript variables. You can use trackback ID/Link in Javascript. For example, if you want to implement copy-to-clipboard feature, then you need to use that variable like copytoclipboard(__MTTBLINK__);

Description

1. CCode

CCode adds an additional input field to the defalut comment form. This value(=CCode) is calculated from entry's own data, and that value is obfuscated by Javascript routines. I used the obfuscator probided by http://www.jottings.com/obfuscator/

So as to send comment spams, spam-bot must parse a page and calculate it reversely. This reverse solution is not impossible theoritically. But although spammer finds a solution routine for CCode, the problem is still there. They have to visit a page, parse it, solve it, and finally send spam to only "that" page. If they want to send spams to 100 different entries, they have to always loop above full process for each 100 entries.

CCode is similiar to SCode in that it adds one more input field. But CCode doesn't require commenter's interaction. And it doesn't store any additional CCode-related data to DB or file.

2. TCode

Trackback spambots visit meta blog sites and download recent updated entries, and then collect trackback URLs using RDF tb data which was embeded into page for blogger's easy use of Bookmarklet or QuickPost or Auto Trackback Discovery featues or so. I think the main customer of embeded RDF tb data is ironically trackback-spambot. (If I were tb spam-bot programmer, I would thank the inventor of RDF tb data)

Spambots need just one sampling tb URL for each blog. If they know one tb URL, then they will make other entry's tb URL by simply iterating as like example below.

loop ( i = from 500 to 1 ) {

   result = send_ping(tb base URL + i );   # i is tb ID

   if(result is OK) {

     bombing to that URL with many pings

   }

}

They don't care tb ID is really existent. If sampled tb ID is 500, then it mean at least 1 ~ 500 tb URL may exist.

TCode comes out from the idea that longer tb ID(by adding TCode into origianl tb ID) is, more difficult or time-consuming for guessing tb ID. Moreover, obfuscating it will frustrate spambots for re-calculating it.


Additonal notes for TCode:

1. RDF's trackback::ping
TCode treats entry's RDF trackback URL differently from the original one. In this entry's source, you can find RDF tb data. See trackback:ping field.(If you installed QuickPost, you can see tb URL in QuickPost window)That tb URL is as like "http://www.example.com/mt-tb.cgi/777.your ping is to be moderated, so please dont't send repeatedly" Yes, it is also this entry's tb URL. This URL is for automatic trackback sending tools like QuickPost, Bookmarklet or TB Auto-Discovery and MAINLY for spambots.

It is because an obfuscated TCode by javascript can't be applied in RDF tb data. In MT 3.17, I removed MTEntryTrackbackData. But in 3.2, all pings sent to above URL(ie. by automatic tool) will always(even if you turn off comment moderation) have PENDING state.

2. Category incoming trackback
Category Trackback URL also works as like an entry. If you turn on incoming category trackback, tb URL applied with TCode will be used.(Of course, passphrase can be used with no problem.)

Credits

Thanks, Tim Williams and Andrew Moulden for obfuscator. It initiated me in making CCode/TCCode plugins.

Thanks, Kevin Shay. With his BigPAPI, TCode of category trackback could be dramatically easily programmed.

License

Relased under the Creative Commons License.

Version History

  • 3.2.03 : Missing <$MTCategoryTrackbackLink$> tag added. Thanks id.tiiop for notifying me
  • 3.2.02 : nocode="1", "2" attributes are added in ID/Link. Thanks dusl for this option.
  • 3.2.01 : for MT 3.2, PHP plugin added.
  • 1.0 : for MT3.17

Posted by Lee, Joon on September 6, 2005 05:27 PM |  | 

webSSearchy

Search::Movable Type anit spam Search::Movable Type anit spam

TrackBack

TrackBack URL: http://alogblog.com/movabletype/plugins/TCode.name/3.

※ If you send a trackback by using an automatic blogging tool like QuickPost or so, then your ping will not be shown until the site owner approve it. This is for blocking spam-trackbacks. So please don't try to send pings repeatedly.

 

Listed below are links to weblogs that reference CCode and TCode for blocking comment/trackback spam for MT 3.2:

» CCode from Twisted Technology
Well earlier today my blog got hit by a big comment spam attack. Not sure what if anything it did to the server. Compared to some it was actually pretty small. I got hit with around 120 in about four minutes. Since I upgraded to MT 3.2 I hadn't had any... [Read More]

Tracked on September 9, 2005 03:27 PM

» blocking spam from /blog
i just cannot seem to stop it! my blog is sometimes so majorly hit by spam comments, that chris sent me an email saying that i strain the server too much (technospeak: "ca. load 20"). even renaming the relevant... [Read More]

Tracked on July 13, 2006 07:11 AM

» getting rid of comment spam from /blog
just a quick note to all the MT-users under my readers: since i've implemented this anti-spam measure a month ago, i've gotten TWO single comment spams. i didn't even bother analyzing them carefully, wether they've been submitted by a... [Read More]

Tracked on August 9, 2006 06:04 AM

Post a comment

☞ Your blog URL:

(A comment by authenticated (using TypeKey or OpenID) user will be shown immediately. Other comments need to be approved by the site owner. Until then, it won't appear on the entry. Thanks for waiting.)