January 2004 Archives

Tags Omitted From MT Manual

While I was compiling a list of all MT template tags, I ran across some tags that are not documented in the MT manual. Here is a list of those tags with an approximate explanation of what I believe they do:

MTBlogCCLicenseImage
Returns a URL for the Creative Commons License image/logo.

MTCGIRelativeURL
The relative URL (path) extracted from the CGIPath setting in mt.cfg.

MTCommentName
Alias for MTCommentAuthor.

MTSearchScript
The setting for SearchScript in your mt.cfg file; the default value is mt-search.cgi.

MTXMLRPCScript
The setting for XMLRPCScript in your mt.cfg file; the default value is mt-xmlrpc.cgi.

These tags are not anything earth-shattering, but I thought they were interesting. Why was I compiling a list of template tags (and attributes)? So I can take full advantage of UltraEdit's syntax highlighting when editing my MT templates.

Technorati v2

A new beta version of Technorati is up. David Sifry, founder and CEO of Technorati, explains the new redesign:

"We focused 100% of our time on completely refurbishing our underlying event engine - essentially taking a Volkswagen engine out and putting a Ferrari engine in."

Check it out! (Hat tip: Jeff Jarvis)

MT-Blacklist - Day 13

1. Three days ago, MT-Blacklist logged its first comment rejection for matching the "online casino" regex.

2. Yesterday, MT-Blacklist logged its second comment rejection for matching one of the domains in the blacklist.

3. Today, MT-Blacklist logged another comment rejection for matching the "Mike's Apartment" regex.

4. Also today, a spammer commented on 2 of my posts from back in August. (I guess some of these spammers think they'll escape notice by commenting on old posts.) Anyway, this spammer posted links to 32 web sites, all of which were sub-domains of a single domain. I entered the single main domain in MT-Blacklist and let it do the rest. The spammer can create all the sub-domains he wants - they are *all* blocked now. Just for good measure, I also reported the spam to the MT-Blacklist clearinghouse.

Downgrade to MT 2.65

It's been two days since MT 2.661 was released and I haven't heard any word on whether another upgrade will be released to address issues and complaints from MT users. Looking at changes in 2.66 and 2.661, I decided to downgrade my MT installation back to 2.65 for the following reasons:

1. Unwilling to give up MT-Blacklist in order to be able to use the ThrottleSeconds parameter in mt.cfg

MT-Blacklist 1.62 prevents the ThrottleSeconds parameter from working at all. If I have to choose one over the other, I'd rather have MT-Blacklist. I have yet to be hammered with dozens or hundreds of comments, which ThrottleSeconds is supposed to help protect against. MT-Blacklist provides protection from and easy removal of comment spam, no matter how many or few there are.

2. MTCommentAuthorLink redirection

I don't see anything to like about this. MT 2.6 appended the destination URL to the end of the redirect link, but this opened a security hole where malicious users could use MT as a relay to visit any URL. MT 2.661 fixed this by appending the comment ID instead, and letting MT look up the URL in the comment database. The new code in 2.661 now causes an error to be thrown on the comment preview page, because comments don't have a comment ID before they are posted.

A side-effect of the 2.661 redirect links is that you can no longer tell what the destination URL is (by hovering the mouse over such a link) without clicking on the link (and hoping for the best) or looking up the link in the comments database. This alone was enough for me to be against the whole idea of redirects (not that I was ever comfortable with them in the first place).

3. Improved e-mail address validation of mt-send-entry.cgi.

I don't use mt-send-entry.cgi, so I don't see any of the benefits from improving its code.

Since I can't use the ThrottleSeconds parameter, do not want redirected MTCommentAuthorLink URLs, and do not use mt-send-entry.cgi, not only do I receive zero benefit from upgrading to 2.6 or 2.661, but I also get a couple of problems that I didn't have before and do not want. Downgrading back to MT 2.65 seemed to be the only logical choice.

Upgrade - MT 2.661

As I thought they would, Six Apart released a minor upgrade to yesterday's 2.66 release:

Update: We've released 2.661, an update to 2.66, to fix a problem with invalid XHTML in the comment redirect script, along with using comment IDs instead of URLs to fix an open redirect problem.

The update does incorporate the change to Context.pm I noted in my previous post, so the comment author links are now valid XHTML.

Update: It seems that there are problems with this version as well.

1. When a comment is previewed, a HASH error is displayed at the bottom of the window:

Use of uninitialized value in sprintf at lib/MT/Template/Context.pm line 1187.

MT 2.661 changed comment author redirect URLs to use the comment ID instead of the actual author URL in the redirect link. The HASH error is occurring when comments are previewed because the comment has not been stored in the MT database yet and it does not yet have an ID number (it is "undefined" by definition).

2. It appears that the author URL saved by MT in a local cookie is somehow mangled when MT 2.661 is first installed. I have always used http://tweezersedge.com/ as the URL to my weblog, and this is where the comment author redirect URL should take me to. I posted a couple of test comments today and found out my comment author URL preference had changed to http://tweezersedge.com/mt/.

Once I realized this was occurring, I edited the URL on the comment form and posted another comment. This appears to have fixed the problem - my comment author URL is remaining correct. I had posted a couple of test comments with the bad URL, and I had to edit the data in the MT comments database to correct the stored URL.

I am seriously considering downgrading to MT 2.65, or writing up some template code that emulates the <$MTCommentAuthorLink$> tag without using redirected URLs.

Upgraded to MT 2.66

Movable Type came out with a new release today. Changes in this version:

1. New mt.cfg parameter: ThrottleSeconds

From the changelog:

Comments are throttled based on IP. The new config parameter ThrottleSeconds gives the number of seconds which must pass between comments before the same IP can post again.

From the documentation:

Movable Type uses IP-based comment throttling to provide some protection against comment flooding. ThrottleSeconds sets the number of seconds after which a visitor has posted a comment that he/she will not be allowed to post another comment. For example, if Alice posts a comment at 30 seconds after the minute, she will not be allowed to post another comment from the same IP address for the number of seconds set in this setting. You can increase this setting if you don't get too many people commenting often on your weblog.

This setting is also used to determine the amount of time after which an IP address will be automatically banned from commenting on your weblog. Default value: 20

Example:
ThrottleSeconds 60

I was just thinking the other day that MT could really use some sort of throttle so comment spambots would not be able to post hundreds of spam comments per hour to a weblog.

Users who are upgrading will have to manually add this parameter to their mt.cfg file.

Update: MT-Blacklist version 1.62 is reported to not be compatible with this parameter (the parameter has no effect if MT-Blacklist is installed). Ben Trott says this is because MT-Blacklist overrides the comment posting process, which I take to mean that the MT code where this parameter was added is bypassed by MT-Blacklist.

2. Change in the behavior of <$MTCommentAuthorLink$>

From the changelog:

Author links are now served by meta redirect, so that commenters' links don't appear directly on the comment page.

From the release announcement:

Also in 2.66, we've changed the behavior of <$MTCommentAuthorLink$> to use redirects when linking to URLs given in comments. The goal of this is to defeat the PageRank boost given to spammers by posting in the comments on a weblog.

I'm not sure if I like this one or not.

Update: Okay, now I like it less. The new comment author URLs do not validate because the & characters used in the redirected URLs are not encoded.

Update 2: This probably won't be needed for very long, but here's the fix to make the comment author URLs valid XHTML...

The fix needs to be made in lib/MT/Template/Context.pm, line 1189 -

Original code:

return sprintf(qq(<a target="_blank" href="%s%s?__mode=red&u=%s">%s</a>),

Change "&" (encode it) to "&amp;":

return sprintf(qq(<a target="_blank" href="%s%s?__mode=red&amp;u=%s">%s</a>),

3. Improved email address validation in mt-send-entry.cgi.

Good for those who use this script; I do not and disabled it back in November (set file permissions to 400) when it became known that spammers were abusing it.
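The comment author redirect discussed under item 2 above, as an added Python sketch (not MT's Perl code): the 2.6-style link that carries the destination URL in the query string and so lets the redirect script relay to any URL, beside the 2.661-style link that carries only a comment id, with the redirect side looking the URL up, the id-less preview case handled, and the href entity-encoded so it validates as XHTML. The comment table, the script location and the "id" parameter name are assumptions, not taken from MT.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for MT's comment table (comment id -> author URL).
COMMENTS = {
    17: "http://tweezersedge.com/",
    18: "http://example.org/?a=1&b=2",
}
# Assumed location of the redirect script; not taken from the page.
CGI = "http://tweezersedge.com/mt/mt-comments.cgi"


def author_link_by_url(author_url, author_name):
    """2.6/2.66 style: the destination rides in ?u=.  Two defects: the '&'
    is not entity-encoded (invalid XHTML), and the redirect script will
    relay to whatever URL a visitor puts in u= (open redirect)."""
    return (f'<a target="_blank" href="{CGI}?__mode=red&u={author_url}">'
            f'{author_name}</a>')


def resolve_by_url(query):
    """Redirect side of the 2.6 scheme: trusts the query string as-is."""
    return parse_qs(query).get("u", [None])[0]


def author_link_by_id(comment_id, author_name):
    """2.661 style: only the comment id leaves the page.  A previewed
    comment has no id yet, so instead of the 'uninitialized value in
    sprintf' error the name is emitted without a link."""
    if comment_id is None:
        return escape(author_name)
    href = f"{CGI}?__mode=red&id={int(comment_id)}"   # 'id' is an assumed name
    # escape() turns '&' into '&amp;' (the Context.pm fix) and quotes '"'.
    return f'<a target="_blank" href="{escape(href)}">{escape(author_name)}</a>'


def resolve_by_id(query, comments=COMMENTS):
    """Redirect side of the 2.661 scheme: the URL comes from the database,
    never from the visitor.  None means 'answer 404, do not redirect'."""
    raw = parse_qs(query).get("id", [""])[0]
    if not raw.isdigit():
        return None
    url = comments.get(int(raw))
    if url is None or urlsplit(url).scheme not in ("http", "https"):
        return None
    return url


if __name__ == "__main__":
    print(author_link_by_url("http://elsewhere.example/", "visitor"))
    print(author_link_by_id(None, "visitor"), author_link_by_id(18, "A & B"))
    print(resolve_by_id("__mode=red&id=18"), resolve_by_id("__mode=red&u=http://elsewhere.example/"))
```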

MT-Blacklist - Day 3

I received another comment spam. This assclown picked an entry from last August (hoping I wouldn't notice), posted "great site, well done" then listed 35 URLs as "Other Resources". This one got the full treatment - I reported the spam to the MT-Blacklist Clearinghouse, added all 35 URLs to my blacklist, and then deleted the comment by letting MT-Blacklist de-spam my comments.

(SFGate) A woman admitted through tears Thursday that she lied about losing the winning ticket for a $162 million lottery prize. Elecia Battle, 40, is dropping her lawsuit to block payment of the 11-state Mega Millions jackpot to the certified winner, her lawyer Sheldon Starke said.

"I wanted to win," Battle said. "The numbers were so overwhelming. I did buy a ticket and I lost it. I wanted to steal the money from the rightful winner win so bad for my kids and my family. I apologize."

"I'm not a bad person, I'm really not," she said. "Everyone has a past."

I guess this woman is supposed to be a good person because she tried to defraud the lottery and the rightful lottery winner out of $162 million, lied to the police and filed a lawsuit to prevent payment of winnings to the winner. And not everyone has her past of criminal convictions:

  • 1999 - Misuse of a credit card
  • 2000 - Assault
  • 2002 - Criminal trespass

Police Lt. Kevin Nietert said Thursday he expected Battle to be charged with filing a false police report, a misdemeanor punishable by 30 days to six months in jail.

Sounds like a Bonehead of the Day award winner to me.

MT-Blacklist - Day 2

Okay, I've gotten my first spam (or at least what I consider spam) since installing MT-Blacklist. This spam is a bit odd, because the name ("addy"), e-mail ("add" at "mail.com"), and URL (domain "uuo.com") are all bogus. The comment ("Hello<> friends") is pretty typical of the comment spam I've been receiving.

I've deleted the comment, but should I do anything further, like add the (bogus) domain to MT-Blacklist's blacklist file, or report it to the MT-Blacklist Clearinghouse? I'm really not sure at this point. I read somewhere on the Blacklist Clearinghouse comments where someone thought a spammer was testing their blog (perhaps to see what it would accept?) - I wonder if that's what's going on here.

I installed Jay Allen's MT-Blacklist plugin today. Lately, I've been getting a few comment spams a week and it seemed like now was as good a time as any to install MT-Blacklist before it got any worse. I did not have any trouble with the installation, but I won't know if it's really working until I get another comment spam.

Some other useful MT-Blacklist links:
Latest blacklist changes RSS Feed
MT-Blacklist/Comment Spam Clearinghouse
MT-Blacklist Clearinghouse RSS Feed

The current blacklist now contains over 600 spam strings for immediate protection on install. Comment spammers, beware! I've added an "MT-Blacklist" icon to my logos to give credit to Jay, and to discourage any spammers who might be paying attention.

The local NBC affiliate here in San Francisco ran a story about new state laws that took effect on January 1. One of those new laws was targeted at smokers:

The New Year -- and a new law -- will force California smokers to move 20 feet from main entrances, exits and operable windows of certain public buildings in the state when they light up.

The Statewide Smoke-Free Entryway Law, AB 846, that goes into effect Thursday, prohibits smoking within 20 feet of public building entryways and exits, including those of California State University, University of California and community college buildings. The law excludes prison yards.

This law is just more hassle for smokers, but I didn't cite this story to talk about the law. In the story, Ned Roscoe, a former California gubernatorial candidate who ran in the recall election, conceded that second-hand smoke is indeed a problem:

"I think that secondhand smoke is definitely a threat to the mental health of non-smokers. It drives them crazy."

I totally agree.