Category: numlock.ch

I’ve just upgraded to Movable Type 3.11 which once again comes with amazingly many new features, among others dynamic PHP publishing, post scheduling and sub-categories (full feature list).

I had to uninstall MT-Blacklist however (soon there will be a MT-3.11 plugin package that includes MTB). So far, my experiences with MTB have been pretty okay, though not overwhelmingly good. It deleted about 250 spam comment postings and forced moderation of about 35 comments (which were spam, mostly). The disadvantage of MTB’s approach is that fighting spam still consumes a considerable amount of time as it can’t fully prevent spam from being posted, just from being displayed. So I still had to watch out for new spam commments and manually delete them. I’d probably prefer approaches like those “real human” comment filters such as SCode or HumanVerify. I haven’t tested their effectiveness and efficiency yet however. And as a major drawback, these solutions aren’t very friendly in regard to web accessibility (visually handicapped people). The latter issue could eventually be solved by adding a dynamically generated sound sample of the displayed numbers.

The sound/radio stream links listed at the bottom of this page are now detachable (i.e. can be opened in a separate pop-up window). Just click on

(OPEN IN POPUP WINDOW)

below the title of the section and see what happens ;) Feel free to use it as your switch desk for your daily dose of sweet tunes ;)

Replaced the rather buggy firewall with a better one, updated its firmware and enabled Quality of Service (QoS) control. Web server access should now be faster and finally, remote JBoss and remote SMTP authentication using SASL work :)

In other news, last night was pretty short as I tried to fix my network printer[1] which ceased working (and still doesn’t work). I don’t expect this night to be much longer. Once I read that people who sleep less live longer (contrary to intuition). Good prospects, I suppose ;)

[BTW indicated times on this blog seem to be wrong (it’s 02:13 local time ATM). Need to check it ASAP.]

[1] Update 20040830: It’s alive again :)

Thanks a lot for your comments! I am always eager to know about your opinions, hints and tips :)

As I’ve recently installed MT-Blacklist (a nice anti-comment-spam filter) however, it might happen that your comment doesn’t appear right after posting it. If this happens, it’s likely that MT-Blacklist has forced moderation of it due to matching anti-spam rules. First: Don’t panic! :) You don’t need to post your comment again and you don’t need to send me any e-mail message as I get notified by e-mail automatically. I will then approve your comment as soon as possible. On very rare occasions, MTB might wrongly qualify your comment as being spam and delete it right away without even notifying me. Hence, if your comment doesn’t appear within about 2 days, please send me an e-mail message.

I’m sorry for any inconveniences caused by this spam filter, but modern times (i.e. massive comment spamming) take their toll. In any case I strongly favor a spam-filter/moderation based approach over forcing people to register or disabling anonymous comments or comments at all etc. I hope you agree.

For your information, here are the most important rules of MT-Blacklist for this blog:

* both comments and trackbacks are scanned
* a master-blacklist is used
* comments by TypeKey authenticated users aren’t scanned
* duplicate submissions are blocked
* if your comment contains more than 5 URLs, your comment is force-moderated (i.e. needs to be approved by /me to appear on this site)
* if you are commenting on an entry that is older than 14 days, forced moderation applies (i.e. approval is required)
* MT-Blacklist omits an old entry from forced moderation if its last approved comment is within 2 days

I hope, these rules aren’t too disturbing for you (if so, please tell me). Happy commenting! :)

My site got massively spammed once again (*yawn*). MT Blacklist worked fine and put the comments under moderation, but SimpleComments 1.11, the plugin I used to display recent comments and trackbacks on the front page, showed all the spam-comments regardless of MTB. Fortunately, there’s SimpleComments 1.2 out since July 27 which fixes this and only displays approved comments.

I’ve just installed MT-Blacklist v2.0e by Jay Allen. An excellent MTB_README file is included in the MTBv2.0e.tar.gz archive which makes installation pretty straightforward. Configuration is intuitive, further Neil Turner provides a pictorial tour about how to configure MTB. I’m looking forward to seeing MTB in action :)

Discovered a strange behavior (some might call it a bug ;) of MT’s notification feature. MT doesn’t seem to ensure that 8-bit mail headers are properly encoded (“7-bit clean”), as the following extract of an amavisd-new error message shows:

INVALID CHARACTERS IN HEADER

If you don’t know how to fix or avoid the problem, please report it
to _your_ postmaster or system manager.

Such messages hence aren’t standard-compliant and might get rejected by some picky mail hosts (which is the correct behavior). This particularly limits the use of MT in non-US countries (where 8-bit characters are much more common)

Other things I found out (mostly trivial things, but eventually nice to know as they’re not always intuitive):

* Gentoo doesn’t seem to ship with the Mail::Sendmail Perl module. If you use Gentoo, don’t set “MailTransfer smtp” in mt.cfg as it probably won’t work. Instead either set “MailTransfer sendmail” or simply comment it out (as “sendmail” is the default). You don’t need to change or enable “SendMailPath /usr/sbin/sendmail” as this is the default setting which is fine for Gentoo.

* You only need to add your e-mail address to MT’s “Notification List” if you’d like to receive a notification when new entries are posted. Usually, this feature only makes sense for readers who don’t use an aggregator already.

* If you just like to receive notifications when new comments are posted, you only need to

1) tell MT to send e-mail messages through sendmail (see above)
2) Enable “Email New Comments” in your weblog’s “Preferences” screen (at the bottom of the page under “Comment Configuration”)
3) enter your e-mail address in your user profile (click on your username to get there)
4) Eventually make sure you only use 7-bit characters for the subjects of your entries and the name of your blog (as long as this issue isn’t fixed)

Finally, e-mail notification works for me :) IOW: I’m ready to receive all the comment spam twice ;) Probably time to install MT-Blacklist soon. [1]

[Addendum: useful links (Movable Type User Manual: TROUBLESHOOTING):
I never receive email notifications for comments
My webserver doesn’t have sendmail]

[1] Update: I’ve just received my first comment spam as an e-mail message too, but guess what, spamassassin has correctly qualified it as being spam :) Soon, MT-Blacklist will be added to this blog.

As I didn’t have time to redesign the whole site for use with WordPress, I simply upgraded this blog to MovableType 3.01D. It went smoothly although there is still much space for improvements regarding the deployment and the upgrading path of MT (it still largely relies on manual file handling etc. -> if I were SixApart, I’d sponsor people to better streamline MT’s deployment with current operating system distributions – the lower the entry barrier, the steeper the adaptation curve – dead simple. Once you’re in, migrating to another blog soft usually requires considerable efforts and costs – see above. Well, yeah, there’s the TypePad business, but I tend to favor offensive strategies..). As a (positive) side-effect of manually upgrading MT, I could clean up the directory structure a bit.

Surprisingly, MT 3.01 (MT 3.1 allegedly even more) brings quite some improvements. The most obvious being the brushed-up admin interface which offers better usability and among others – finally – HTML shortcut buttons for Mozilla Firefox users too :) Spam protection seems to be better now: Anonymous comments can be moderated, there’s optional TypePad authentication and comments can be deleted effortlessly through the admin UI.

As a conclusion, there’s still the major drawback of a not-so-clever architecture (rebuilding static entries instead of generating them dynamically). Nevertheless I like the improvements MT 3.01D brings as much that I’m thinking about keeping it (instead of migrating to WP). Well, for now, I keep it – experience doesn’t hurt.

this was the most massive blogspam attack i ever experienced: within the last two days, this site was hit by 87 blogspam comments! which equals 87 * 3 + (87 \ 5) * 2 = 312 clicks just to get rid of them again through moveabletype’s admin interface[1]. sheesh.

for spammers, blogspamming is even easier than e-mail spamming as so far, none of the currently available blog apps offers a convincing way to deal with this problem (and it’s more effective too – people trust google’s page ranking more than a filthy e-mail spam message).

* ip based blocking doesn’t work as ips are spoofed anyway (yes, i verified it)
* content-based blocking only works in few cases – the comments i had two delete were full of intentional misspellings to circumvent any blacklist-based filtering approach.
* disabling direct links: might work in the longterm, but at the moment, spammers obviously don’t care (my site doesn’t allow direct links and yet it was spammed. they don’t even seem to have checked the site prior to spamming). reason: so far, too few blogs use such a feature – and those few don’t count when mass-hammering thousands (or millions) of blogs.
* renaming comment-scripts. this site is proof enough that this approach is not effective either.
* requiring posters to decipher distorted signs/numbers/words. might work but can be circumvented as machine character recognition improves. use questions/phrases instead? mostly annoying for real humans, not computers.
* disabling anonymous comments or requiring users to register at a central registry. might work as long as there aren’t any spammer scripts to create fake accounts prior to spamming. a matter of time only. and a blog is supposed to encourage a spontaneous public discussion, right? a classical trade-off between free access and control (analogous to e-mail spamming).
* moderate all posts or those with more than # links. doesn’t really fit the idea of a low-barrier communication media (i smell censorship). takes too much time in general and particularly for things like filtering spam you don’t want to spend much time for. basically just a human spam-filter, not a wise approach. prevents any spontaneous discussion.
* distributed (almost) real-time blacklisting based on comment fingerprints/hashes. one measure that might work (unless they use randomly generated characters). it’s what works best against e-mail spam (based on my experiences as a user of spamassassin). note the word “distributed”. distributed problems tend to require distributed solutions as else one usually runs into scalability troubles pretty soon.

nevertheless i’m optimistic that sooner or later {e-mail|blog}spamming will be a thing of the past. it’s on everybody’s radar now :>

eventually i should give mt 3.01d or 3.1 a try. or migrate to wordpress which doesn’t seem to be a high-profile target atm..

anyway.. happy “1st of august” (swiss national holiday ;)

[1] instead, using sql queries through phpmyadmin or the mysql console is suggested. not feasible for joe average bloggers however.