Upgraded to MT 2.66


Movable Type came out with a new release today. Changes in this version:

1. New mt.cfg parameter: ThrottleSeconds

From the changelog):

Comments are throttled based on IP. The new config parameter ThrottleSeconds gives the number of seconds which must pass between comments before the same IP can post again.

From the documentation:

Movable Type uses IP-based comment throttling to provide some protection against comment flooding. ThrottleSeconds sets the number of seconds after which a visitor has posted a comment that he/she will not be allowed to post another comment. For example, if Alice posts a comment at 30 seconds after the minute, she will not be allowed to post another comment from the same IP address for the number of seconds set in this setting. You can increase this setting if you don't get too many people commenting often on your weblog.

This setting is also used to determine the amount of time after which an IP address will be automatically banned from commenting on your weblog. Default value: 20

ThrottleSeconds 60

I was just thinking the other day that MT could really use some sort of throttle so comment spambots would not be able to post hundreds of spam comments per hour to a weblog.

User who are upgrading will have to manually add this parameter to their mt.cfg file.

Update: MT-Blacklist version 1.62 is reported to not be compatible with this parameter (the parameter has no effect if MT-Blacklist is installed). Ben Trott says this is because MT-Blacklist overrides the comment posting process, which I take to mean that the MT code where this parameter was added is bypassed by MT-Blacklist.

2. Change in the behavior of <$MTCommentAuthorLink$>

From the changelog):

Author links are now served by meta redirect, so that commenters' links don't appear directly on the comment page.

From the release announcement:

Also in 2.66, we've changed the behavior of <$MTCommentAuthorLink$> to use redirects when linking to URLs given in comments. The goal of this is to defeat the PageRank boost given to spammers by posting in the comments on a weblog.

I'm not sure if I like this one or not.

Update: Okay, now I like it less. The new comment author URLs do not validate because the & characters used in the redirected URLs are not encoded.

Update 2: This probably won't be needed for very long, but here's the fix to make the comment author URLs valid XHTML...

The fix needs to be made in lib/MT/Template/Context.pm, line 1189 -

Original code:

return sprintf(qq(<a target="_blank" href="%s%s?__mode=red&amp;u=%s">%s</a>),

Change "&" (encode it) to "&amp;":

return sprintf(qq(<a target="_blank" href="%s%s?__mode=red&amp;amp;u=%s">%s</a>),

3. Improved email address validation in mt-send-entry.cgi.

Good for those who use this script; I do not and disabled it back in November (set file permissions to 400) when it became known that spammers were abusing it.


Aha, and I thought it was EZSubscribe. Shucks, and Jay's on vacation too or something... =/

Thanks for posting the fix for the ampersands on the forums, TM. =)

You're welcome, Lisa. At first, it seemed like such a trivial fix and I figured Six Apart would have a patch out sometime tomorrow. When Maddy linked to the forum thread with the patch that fixed something else, I felt it was time to step up to the plate.

My first MT patch!! :) Woo-Hoo!!