Day: March 24, 2006

Security

Comment Spam

While not usually on the top of the list of dangerous attacks, blog comment spam is a serious annoyance if nothing else. I just watched half a dozen spam comments pop up in the span of 30 seconds. Nice work by the bot, but a total pain in my rear.

So, I removed the spam comments and added the “magic word” pyBlosxom plugin available here. This is not perfect, but it should at least deter automated bots from generating comments.

A more serious type of comment spam was mentioned by Ted Leung: a spammer uses the comment field to insert an entire email message, headers included, which most comment mailers will simply pass through the open SMTP connection, where the mail server will blithely parse the message and send it out according to the headers it contains. Ted’s workaround involves wrapping any To:, From:, and Subject: in the comment body in HTML tags, so the text still displays but is no longer legal as SMTP header syntax.
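As an added example (not pyBlosxom code, nor Ted Leung's plugin), here is one way in Python to detect header-shaped lines in a comment and apply both fixes: Ted's HTML-wrapping workaround, and building the notification with the standard email package so the comment can only ever land in the message body. The addresses, the sample comment, and the function names are constructed for the example.

```python
import re
from email.message import EmailMessage

# A line that would be read as a mail header if the comment were spliced raw
# into the SMTP DATA stream before the first blank line.
HEADER_LINE = re.compile(r"^(To|From|Cc|Bcc|Subject):", re.IGNORECASE | re.MULTILINE)

def looks_like_header_injection(comment: str) -> bool:
    """Detection: flag comment bodies that carry header-shaped lines."""
    return HEADER_LINE.search(comment) is not None

def neutralize_headers(comment: str) -> str:
    """Ted Leung's workaround: wrap the header name in an HTML tag so the text
    still displays but the line no longer begins with valid header syntax."""
    return HEADER_LINE.sub(lambda m: f"<span>{m.group(1)}</span>:", comment)

def build_notification(comment: str, to_addr: str, from_addr: str) -> EmailMessage:
    """Stronger fix: let the email package build the message. Headers are set
    explicitly; the comment goes in via set_content and cannot add headers."""
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["From"] = from_addr
    msg["Subject"] = "New blog comment"
    msg.set_content(comment)
    return msg

def header_block(msg: EmailMessage) -> str:
    """The serialized header section: everything before the first blank line."""
    return msg.as_string().split("\n\n", 1)[0]

# Constructed sample of the comment shape described above (not a real address).
SPAM_COMMENT = "Nice post!\nTo: victim@example.invalid\nSubject: cheap pills\nBuy now."

if __name__ == "__main__":
    print(looks_like_header_injection(SPAM_COMMENT))  # True
    print(neutralize_headers(SPAM_COMMENT))
    note = build_notification(SPAM_COMMENT, "owner@example.invalid", "blog@example.invalid")
    print(header_block(note))  # no "victim" line: the injected To: stayed in the body
```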

Once again, the arms race continues, but by taking the simplest methods of correction, we leave ourselves in a better position to later add more and different kinds of protection against attacks that (maybe) haven’t been invented yet.