October 28, 2004

Full Spam Ahead

I've learned that my understanding of how comment spam works is flawed. I had assumed that most spammers were just posting to the mt-comments.cgi file directly and bypassing the input form altogether. If that were the case, adding a hidden field that's not part of the standard MT comment form and requiring that field have a particular value would prevent most automated attacks. However, that seems to have had no effect.

I decided to take a look at the logs to see what might be going on. It looks as though "they" are actually going directly to one of my individual archive pages before they submit the form. I have to imagine that they are scraping the form before reposting. Sometimes it even looks as though it's hitting the comment preview page. Two days ago the referrer for the first request of each spamming session came from "12.163.72.13." Today they seem to be coming from spam-y URLs themselves (perhaps trying to skew referrer logs as well?). The only other thing they have in common is the lack of a session cookie which all other valid records have.

I still can't imagine it would actually be a person stopping by the site and entering in bogus comment and contact information. It must be some sort of script. I just need a new trick to slow it down. Some bloggers have suggested using a captcha which would require the user to type in a word in an image that has been distorted in such a way as to make it unreadable to computers. I'm currently playing with the idea of adding an easy multiple choice question to my comment form which a person should be able to easily answer but a script should choke on. I've installed MovableType on my Mac to see if I can get a plugin working that would help me out.

Posted by Matthew at October 28, 2004 10:28 PM
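
The log pattern described in the post (a page fetch followed by a comment POST, with no session cookie anywhere in the session) can be turned into a simple log check. This is an added example, not code from the original post; the log format (Apache combined with the Cookie header appended), the cookie name `session_id`, the host `blog.example` and the sample lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumption: Apache "combined" format with "%{Cookie}i" appended as a last field.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*" "(?P<cookie>[^"]*)"')
COMMENT_SCRIPT = "mt-comments.cgi"
SESSION_COOKIE = "session_id"  # hypothetical cookie name
OWN_HOST = "blog.example"      # placeholder for the site's own hostname

def has_session(cookie_header):
    """True if the Cookie header carries a non-empty session cookie."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE and value:
            return True
    return False

def suspicious_clients(lines):
    """Map client IP -> reasons, for clients that post comments with no session."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            by_ip[m["ip"]].append(m)
    flagged = {}
    for ip, reqs in by_ip.items():
        posted = any(r["method"] == "POST" and COMMENT_SCRIPT in r["path"] for r in reqs)
        # A real browser's first hit has no cookie yet, so judge the whole session.
        if not posted or any(has_session(r["cookie"]) for r in reqs):
            continue
        reasons = ["comment POST without session cookie"]
        first_ref = reqs[0]["referer"]
        if first_ref not in ("", "-") and OWN_HOST not in first_ref:
            reasons.append("off-site referrer on first request: " + first_ref)
        flagged[ip] = reasons
    return flagged

TS = "[28/Oct/2004:21:01:02 -0500]"
PAGE, CGI = "GET /archives/000123.html HTTP/1.1", "POST /cgi-bin/mt-comments.cgi HTTP/1.1"
OWN = "http://blog.example/archives/000123.html"
SAMPLE = [  # constructed log lines using documentation-range addresses
    f'192.0.2.10 - - {TS} "{PAGE}" 200 8123 "http://spam.example/pills" "Mozilla/4.0" "-"',
    f'192.0.2.10 - - {TS} "{CGI}" 200 512 "{OWN}" "Mozilla/4.0" "-"',
    f'198.51.100.7 - - {TS} "{PAGE}" 200 8123 "http://search.example/?q=mt" "Mozilla/5.0" "-"',
    f'198.51.100.7 - - {TS} "{CGI}" 302 0 "{OWN}" "Mozilla/5.0" "session_id=abc123"',
    f'203.0.113.5 - - {TS} "{PAGE}" 200 8123 "-" "ExampleBot/1.0" "-"',
]
```

Grouping by IP address is a simplification: clients behind a shared proxy are merged into one session, so a flagged address is a lead for review and not proof of automation.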