December 17, 2004

Preventing Comment Bot Spam with MT-Approval

Chad Everett has released a plugin called MT-Approval that offers an effective way to combat comment spam from spam bots, which account for 99% of the comment spam most Movable Type users experience.

MT-Approval requires MT version 3.1 or higher.

MT-Approval works by requiring that a comment contain an "approval hash", a list of data generated in the comment form by a new template tag called <$MTApprovalHash$> on the comment preview template. Spam bots don't use the form on the preview template, so the hash is missing when they post a comment directly to comment.cgi, and their comments never post.

MT-Approval requires that you force a preview before someone on your site can post a comment.
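The preview-then-post check described above, sketched as an added example (not MT-Approval's own code). It assumes the hash is an HMAC over the previewed fields plus an issue time; the secret, lifetime, field names and function names are all hypothetical, and the page does not document the plugin's real hash format.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumed per-install secret (hypothetical)
MAX_AGE = 3600                       # assumed lifetime of a preview, in seconds
FIELDS = ("entry_id", "author", "email", "url", "text")


def _mac(fields, issued):
    # Length-prefix each value so data cannot slide between fields.
    msg = str(issued).encode()
    for name in FIELDS:
        value = fields.get(name, "").encode()
        msg += b"|%d:" % len(value) + value
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_hash(fields, now=None):
    """Preview step: value for a hidden input in the preview form."""
    issued = int(time.time() if now is None else now)
    return "%d-%s" % (issued, _mac(fields, issued))


def check_post(fields, token, now=None):
    """Post step: return (accepted, reason) for a submitted comment."""
    now = int(time.time() if now is None else now)
    if not token:
        return False, "missing hash: posted without previewing"
    issued_s, _, mac = token.partition("-")
    try:
        issued = int(issued_s)
    except ValueError:
        return False, "malformed hash"
    if not hmac.compare_digest(mac.encode(), _mac(fields, issued).encode()):
        return False, "hash does not match the submitted fields"
    if not 0 <= now - issued <= MAX_AGE:
        return False, "hash expired: preview again"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample comment.
    c = {"entry_id": "42", "author": "Ann", "email": "ann@example.com",
         "url": "", "text": "Nice post"}
    h = issue_hash(c, now=1000)
    print(check_post(c, h, now=1060))                     # previewed, unchanged
    print(check_post(c, "", now=1060))                    # direct post, no hash
    print(check_post(dict(c, text="spam"), h, now=1060))  # edited after preview
```

A check of this kind only filters submissions that skip the preview form; a client that requests the preview first receives a valid hash.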

Installing MT-Approval

There are two paths for installing this plugin, depending on whether the Comment Preview Template you are using makes use of the <MTCommentFields> tag. First check your Comment Preview Template for this tag.

Install instructions for those using the <MTCommentFields> tag

  1. Unpack the zip file for the plugin found at Chad's site. Using FTP, upload the four unpacked files to your server in the following locations (where MT_DIR is the directory in which your MT cgi files are stored):

    MT_DIR/extlib/jayseae/approval.pm
    MT_DIR/plugins/Approval.pl
    MT_DIR/tmpl/cms/approval.tmpl
    MT_DIR/mt-approval.cgi

    Set permissions of these files to 755.


  2. Run mt-approval.cgi. To do this, open your main MT menu, scroll down to the bottom where the plugins are located and click on the MT-Approval plugin link.
  3. You will see the status of the program on your system. The first time you run this script it will say that it is not installed. Click on the "install" link to install it. A message will come up that tells you if it was a successful install or not. The status should then switch to "installed" with an option to remove.
  4. At this point you are done. Unlike users who do not have MTCommentFields, you only have to do this once for the entire installation, not for every blog.

If you have MTCommentFields in some blogs but not in others, you will need to implement both methods.

Note that MTCommentFields users cannot do the JavaScript step outlined in the instructions below for those not using the tag. Chad is planning to add that to the install process.


Install instructions for those NOT using the <MTCommentFields> tag

  1. Unpack the zip file for the plugin found at Chad's site. Using FTP, upload the Approval.pl file to your MT plugins folder. Set the file's permissions to 755.
  2. Add the following tag
    <$MTApprovalHash$>

    to the Comment Preview template and the Comment Error template of your weblog. Put the tag right above the closing form tag </form> of your comment forms in those templates.


  3. Remove the post button from the Comment form on your Individual Entry Archive (assuming you have inline comments), or from your Comment popup template if you are using popups. The post button code that you need to remove looks like this:

    <input style="font-weight: bold;" type="submit" name="post" tabindex="6" value="&nbsp;Post&nbsp;" />


  4. Add the following JavaScript to each of the input fields (not the preview or post buttons) of the comment form on your Comment Preview and Comment Error templates. It disables the post button whenever a field's value changes:

    document.getElementById('post').disabled = true;

    For example, change the default Email Address input code from:

    <p><label for="email">Email Address:</label><br /> <input id="email" name="email" value="<$MTCommentPreviewEmail encode_html="1"$>" /></p>

    To:

    <p><label for="email">Email Address:</label><br /> <input id="email" name="email" value="<$MTCommentPreviewEmail encode_html="1"$>" onchange="document.getElementById('post').disabled = true;" /></p>

    Repeat for URL and Name input fields.


  5. Add

    id="post"

    to the post button on the Comment Preview and Comment Error template comment forms. Change the default post button code from:

    <input style="font-weight: bold;" type="submit" name="post" tabindex="6" value="&nbsp;Post&nbsp;" />

    To:

    <input style="font-weight: bold;" type="submit" name="post" tabindex="6" value="&nbsp;Post&nbsp;" id="post" />
  6. If you have more than one weblog on your MT installation that uses comments, repeat the steps for each weblog.

Inquiries regarding MT-Approval installation should be directed to Chad Everett at Don't Back Down.

If you install this plugin and it saves you time and headache from spam, please consider giving Chad a donation for his efforts!

Links:
MT-Approval



Posted by Elise Bauer on December 17, 2004 to Comments and Trackbacks, Security


Trackback


» I think have the comments working...again.... from Queenkv's Brainpickings
My domain host disabled my comments script - too much spam. I hate spammers. So, I did some futzing with the script and some other settings....I also installed MT-Approval - to ensure a more human response on my comments. Yeah!......

Tracked: April 27, 2005 03:34 PM

Comments

"Spam bots don't use the form on the preview template"

How long do you figure we have until they start?

Hi Richard,
GREAT question! Chad will be releasing some updates soon that will make it very difficult for the bots. I think this current release is more of a stop gap for the CPU crushing spam we've all been getting lately.
I am clearly no expert when it comes to anything on the server side, but from what I've been reading, there seems to be some agreement that this hash method is a good solution. At least for the next few months.
Apparently the hash contains data that will be difficult for the spam bot to come by, especially when that data is user specified. There's been some good discussion on the ProNet list about all of this as well as on other websites.

I'm liking the "approve-once" process for some weblogs as a fairly long-term solution, though. Effectively makes your email address your password to comment.

I suppose I should be using TypeKey to post this comment, huh? :)

Hi Richard,
TypeKey has been working great for me. I don't mind putting up a small hurdle. People who really want to comment can comment. The little extra effort cuts down on flippancy. I don't know if I would like making TypeKey registration a requirement, however. On LMT it wouldn't be that big of a deal. But on my recipe site it would. 99% of my visitors there are not bloggers. In fact, they are mostly middle-aged women like myself. If TypeKey evolved to be more of a localized registration process, in which the visitor never left my site to register, then I wouldn't mind requiring it for all comments.

Do I still have to remove the preview button if I am using ?

Here is my problem:
# 2
Put the tag right above the closing form tag of your comment forms in those templates
None of my default templates you mentioned has the tag in them.
Just what template would this be added?
He has no instructions included and for the life of me I can not figure it out using your instructions.
I have used many of your tips before but this one has me stumped.

Jerry,
Are you using MT 3.1 or higher? The templates you need are the Comment Preview template and the Comment Error template. These templates each have a comment form. You need to add the hash right before the closing form tag of the comment form.

If you are not using MT 3.1 or higher, MT Approval will not work for you.

