Recently in Security Category

Concerning Spam

14 Comments

Updated February 9, 2007. Originally posted in 2004 and updated several times since.

Spammers have discovered bloggers, and sooner or later, if you allow comments or trackback pings on your weblog, you will get spammed.

Types of Blog Spam

Blog spam appears in many flavors:

  1. Basic comment spam. The spammer leaves a short, uneventful message in a comment field on one of your entries. The actual spam is the URL placed in the comment's URL field; these URLs link back to every conceivable scam.
  2. Comment spam flooding. The spammer uses an automated computer bot to flood your blog with comment spam messages, up to hundreds in an hour. The spammer doesn't necessarily leave a URL, but can leave garbage messages, almost like a graffiti artist. The comment spam can put a severe load on the server hosting your blog software to the point that it crashes.
  3. Trackback Spam. Spammers have discovered how to take advantage of Trackback. TrackBack spam is very similar to comment spam. The spammer sends TrackBack pings to your site that direct viewers to a totally unrelated URL.
  4. Referral spam. The spammer links to your site from their site, and then pings your site through their link, thus creating a reference and link to their site in the referral log of your website's statistics. When you are reviewing your stats and see the reference to an odd site (e.g. Paris Hilton), clicking on the link takes you to their site. Many people list "referrals" on their site publicly, so by spamming referral logs, not only does the spammer get a link in your referral log (which is picked up by Google) but may even get a link on your main page.

How can you fight spam on your blog?

Trackback Spam

3 Comments

Trackback spammers have recently been flooding blogs with spam, often with hundreds per day. Although MT's Spam Lookup plugin junks most of the spam, the flood of trackbacks can put a strain on server resources. To take a look at the amount of trackback spam you may be getting, click on "Trackbacks" from your main blog menu, then select "Junk Trackbacks".

Listed here are some defensive measures you can take.

Comment Spam Alert

7 Comments

Have you noticed the recent uptick in the comment spam levels aimed at Movable Type blogs?

We have.

Jay Allen notes the problem and has some suggestions for how to tackle it on his blog.

For those of you using Movable Type, you may have noticed quite an uptick in the last week of spam. This spammer (and yes, the signature points to just one) is wily enough to evade most of SpamLookup's default tests. He is not, however, invincible.

First, assuming you're using Movable Type 3.2 and SpamLookup, you can make your life a whole lot better if you go to Weblog » Settings » Plugins » SpamLookup » Keyword Filters and put the following into your Keywords to Junk:

acroduke
Probaly you should read this
dx1.us
/online-?(casino|poker)/i
/(pacific|empire).?poker/i
/texas\S*hold\S*em/i

Our spam problem stopped the second we implemented these. More info and a good comment thread on Jay's blog.

Making the Most of SpamLookup

1 Comment

This tutorial is written by LMT contributor Neil Turner and is cross-posted on Neil's World.

Since upgrading to Movable Type 3.2 I’ve dumped Jay Allen’s MT-Blacklist and instead made SpamLookup handle comment/trackback spam on its own. The plugin is included by default on MT 3.2, and while it can do a good job as it is, you might like to try some tune-ups to make it more effective.

Moderation and Junking

In Movable Type 2.x, comments just had one status - published. Any spam blocking system could only accept or deny comments and trackbacks. In MT 3.0x and 3.1x, comments gained an additional status - ‘moderated’. This was where comments could be held for human approval before being published, and tools like SpamLookup and MT-Blacklist could hold comments here if they thought they might be spam but couldn’t be sure.

With 3.2x, trackbacks can also be moderated, and a new third status has been added for both: junk. Now, rather than deleting spam outright, you'll find plugins send it here instead. That way, if you have a false positive - a comment that is seen as spam but isn't - you can retrieve it.

The junk status also has a rating system, and plugins can adjust the rating for an individual comment or trackback. The rating is between 10 and -10 - comments with a negative score are junked, otherwise they are moderated or published. You'll find that SpamLookup can reduce the rating of comments that it thinks are spam, but also add points if, say, the comment has no links or has been posted with a URL that has already been accepted before.
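As an added illustration (not SpamLookup's own code, and not from Neil's or Jay's posts), the following Python models the two mechanisms described on this page together: Jay Allen's Keywords to Junk list from the Comment Spam Alert entry above, and the -10..10 rating in which a negative score means junk. The per-test weights, the reading of plain keywords as case-insensitive substrings and of /.../i entries as regexes, and the sample comments are all assumptions.

```python
import re
from urllib.parse import urlparse

# Jay Allen's "Keywords to Junk" list as quoted on this page. Plain entries are
# treated as case-insensitive substrings, /pattern/flags entries as regexes
# (an assumption about how SpamLookup interprets the list).
KEYWORDS_TO_JUNK = [
    "acroduke",
    "Probaly you should read this",
    "dx1.us",
    "/online-?(casino|poker)/i",
    "/(pacific|empire).?poker/i",
    r"/texas\S*hold\S*em/i",
]

# Assumed weights: each keyword hit, the "no links in the body" bonus and the
# "author URL was approved before" bonus that the tutorial describes.
KEYWORD_HIT, NO_LINKS_BONUS, APPROVED_URL_BONUS = -5, 1, 1
LINK_RE = re.compile(r"https?://|<a\s|\[url", re.IGNORECASE)


def compile_keyword(keyword):
    """Turn one Keywords-to-Junk entry into a compiled regex."""
    m = re.fullmatch(r"/(.+)/([a-z]*)", keyword)
    if m:
        flags = re.IGNORECASE if "i" in m.group(2) else 0
        return re.compile(m.group(1), flags)
    return re.compile(re.escape(keyword), re.IGNORECASE)


FILTERS = [compile_keyword(k) for k in KEYWORDS_TO_JUNK]


def rate_comment(body, author_url, approved_hosts=frozenset()):
    """Return (rating, status). The rating is clamped to -10..10; anything
    below zero is junked, everything else passes on to moderation/publishing."""
    haystack = f"{body}\n{author_url}"          # keywords apply to text and URL
    hits = [f.pattern for f in FILTERS if f.search(haystack)]
    rating = KEYWORD_HIT * len(hits)
    if not LINK_RE.search(body):
        rating += NO_LINKS_BONUS
    if author_url and urlparse(author_url).hostname in approved_hosts:
        rating += APPROVED_URL_BONUS
    rating = max(-10, min(10, rating))
    return rating, ("junk" if rating < 0 else "pass")


if __name__ == "__main__":
    # Constructed sample comments, not captured spam.
    print(rate_comment("Probaly you should read this", "http://www.dx1.us/online-casino/"))
    print(rate_comment("Great tutorial, thanks!", "http://www.example.com/", {"www.example.com"}))
```

Note that a single keyword hit (-5) outweighs both bonuses (+2), so a previously approved commenter still lands in junk if they trip a filter; tune the weights if that is not what you want.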

CGIWrap and suEXEC

3 Comments

Co-authored by Elise Bauer and Arvind Satyanarayan.
Tutorial cross posted on Movalog and Learning Movable Type

The installation instructions in the Movable Type Install Guide contain a section in the Configuration area called Enable Security Features. These instructions tell you to uncomment the Umask lines in your mt.cfg if your server is running CGIWrap or suEXEC. If you don't know what CGIWrap or suEXEC are, you may be tempted to skip this step. Don't. This step gives your MT installation extra security, which we will explain. (Note that this tutorial is only appropriate for MT installations on Linux/Apache web servers.)

What is CGIWrap or suEXEC?

CGIWrap and suEXEC are features installed by your web host that give extra security to your files in a shared server, or "virtual host", environment. Most Movable Type weblogs are hosted at commercial web hosts who are able to give their customers affordable server space by hosting the files of several customers on a shared server. In a shared server environment, CGIWrap and suEXEC allow your CGI files to be executed with you as the account "owner", rather than as the web server's shared user. The CGI scripts can then create files with more restrictive permissions (644) that keep others from editing your files, yet still allow you to edit them. Without CGIWrap or suEXEC, the HTML files your CGI scripts create are owned by the web server user, so they need more relaxed permissions (666) for the account owner to be able to manage them.

One way to set up a private, password-protected weblog is by adding a .htaccess file to the directory in which the weblog resides. .htaccess files can give you extra control over your server, allowing you to password protect directories, enable server side includes, generate custom error messages, and block users by IP address, among other things. I've already described the fundamentals of .htaccess in another tutorial; see What is .htaccess? If you are setting up .htaccess for the first time, be sure to read that tutorial thoroughly.

1. Create .htpasswd

The first thing you need to do, before creating your .htaccess file, is to create a file called .htpasswd, which will hold the user names and passwords of those to whom you are giving access to your private weblog. You will need to encrypt the passwords. It has been recommended by a commenter here that you not use a web-based password generator site for security reasons. The same commenter notes that if you have root access to your server, SSH to it, change to the directory you wish to create the .htpasswd in and type "htpasswd -bc .htpasswd username password" (without the quotes; replacing username with your username and password with your desired password). The "c" means "create a new file" (so leave it off when adding a second user to an existing .htpasswd, or the file will be overwritten) and the "b" means "use the password given on the command line (rather than prompting for it)". If you do not have access to your server, it is suggested that you have your server admin do this for you.

For example, the name "bartlett" and password "westwing" would look like this, encrypted and ready to be placed on your .htpasswd file: bartlett:09ArhAKMeRSE6

Create the strings of user names and passwords for those to whom you will give access to your private blog.

Copy and paste these into a text editor, one line for each name:password. Save the file to your desktop; note that you probably will not be able to save it with the (.) in front of htaccess. That's okay, make the change when you upload the file to your server with FTP.

Backing Up Your Blog

9 Comments

This tutorial needs to be updated for MT4, which has a back-up utility built-in. ~Elise

Occasionally databases get corrupted, servers fail or web hosts go out of business. So it's a good idea to back up your Movable Type blogs. There are many methods for doing so, a few of which I will cover here. The back-up process is much easier if you are using MySQL as your database.

Backing up your MT blogs with MySQL

If you have chosen MySQL as your database for your MT install, you can easily back up the entire blog - entries, comments, authors, templates, etc. - with a simple MySQL "dump" command. The dump command creates a large "dump" file containing all of the data from your database, which can be used to easily restore all of your weblogs. To do this you need either command line access to your database or phpMyAdmin installed on your server. The instructions for the dump command and phpMyAdmin can be found in the MT 3.2 User Manual. You can also find instructions for the dump command at MySQL's website. All that said, phpMyAdmin is not installed on my server and I could not get the dump instructions to work. So I ended up needing some handholding from tech support from my web host. Tech support also set up a "cron job" for the server to automatically create a dump file, backing up all of my blogs every night. Every few days I FTP into my server and download the dump file to my desktop, so I have a local copy of the database.

About this Archive

This page is an archive of recent entries in the Security category.
