This solution works like a Captcha test in that the Perl for your comments is looking for a specific variable equaling a specific phrase. Unlike Captcha, the user doesn’t have to enter anything; Flash merely holds the variable and its value, and when the user submits their comment, it sends it off with the rest. When Perl sees that variable, just like Captcha, it’ll allow the comment to go through. Spammers cannot look at your website and “see” the variable in an attempt to modify their code; it’s hidden in the SWF.
This solution is extremely effective against spam bots that hit your mt-comments.cgi file directly.
1. Download MTgotoAndComment – English | French
2. Open the FLA in the Source folder in Flash MX or Flash MX 2004. Open the Library. Open the “StefClasses” folder. Edit the first symbol, “MTgotoAndComment”. Click the “:: AS ::” layer, and go to line 28 in your actions window. Add a new line by pressing Return. You’ll know you’re in the right spot if you see this line of code:
this.blogURL = _root.blogURL;
Add this line of code:
this.secretvar = "makeupweirdwordsand1111";
You’ll want to make up, and remember, your own word with #’s in it. This is the word of power that the blogspammers will never see ’cause it’s buried deep in this SWF.
3. Now, go to line 101 and add this line of code on a new line:
this.fields.push({name:"secretvar", type:"hidden", req:true});
4. Compile the FLA; a new form.swf will be placed in the Source folder. Upload that form.swf to your site in place of the one they give you.
5. Now, the Perl. Navigate to the “Comments.pm” file in your Movable Type installation. It’s something along the lines of:
moveabletype/lib/MT/App/Comments.pm
Make a backup of the file.
6. Open the file in any text editor. In MT 3.121, go to line 247. You want to add the code I give you AFTER this block of code:
if (!$q->param('text')) {
return $app->handle_error($app->translate("Comment text is required."));
}
Go to a free line after that code, hit return twice to give yourself some room, and add the bot-blocker-code-of-wonder +3:
# JXL hack start
#
# The value compared here must be exactly the one compiled into the SWF
# (the this.secretvar line above); if they differ, every comment is refused.
unless($q->param('secretvar') eq 'makeupweirdwordsand1111') {
return $app->handle_error($app->translate(
"Sorry, please try again."));
}
#
# JXL hack ends
Basically, if the POST to your comments does not contain the secret variable with the correct value, they’ll be sent to your MT Error template and shown that text in bold. While it’s tempting to write obscenities, I wouldn’t, just in case someone friendly accidentally goes there.
Save the changes to the Comments.pm, and upload back to your site (make sure you have a backup!).
You done, sucka!
Hi! That’s a really good idea!
With the cgi renamed, I never had any spam, but heard of some person who did. Your solution seems the perfect add-on that makes it really spam-proof.
I’ll try to add this in MTgotoAndComment and release a new version (I should do an English translation too!) soon.
Thanks!
Nice work smartypants! I’m not as inundated as you with this crap, but I’m gonna give this a shot.
Brent
arrrrrrr
asfasdfs
What prevents me from listening in or using Firefox’s TamperData plugin to determine what your flash file is sending?
The answer is: not much.
Your secret key is ‘else89ford04’.
This could be automated very easily by searching the html source for your swf file, then altering the parameters so that it sends the data to my own server. At which point, I could then craft the URL to post directly to your blog.
1) You could simply automate the posting by snagging the entry ID from this page’s html source, and using it with this
2) You could craft a url on-the-fly, like this one, that would post a comment.
The fact of the matter remains that this method will never be secure if it is ultimately accessing a URL that is not guarded from such an attack. It will only be useful on blogs that are not currently targets of spam. And, if I were a spammer, all blogs that had this flash file would now be a target.
Nice one, Nick! After 20 months, someone finally figured it out.
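To make both halves of this thread concrete, here is an added example in Perl. It is not the post’s own Comments.pm hack, not Movable Type code, and not part of Stef’s MTgotoAndComment. It reduces the gate from step 6 to a function, shows on a constructed POST why Nick’s point holds (the check accepts any request carrying the constant, with nothing tying it to a page render), and then shows the usual alternative: a per-page token the server signs with a key that never leaves the server. The names `$SERVER_KEY`, `token`, `entry_id`, `issue_token` and `token_gate` are assumptions made for this example; the secret value is the one from the post. It needs Perl 5.10 or later for `//` and the core `Digest::SHA` module.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# The constant the post compiles into the SWF (same value as step 2).
my $STATIC_SECRET = 'makeupweirdwordsand1111';

# The step-6 gate as a function: takes the POST parameters as a hash
# reference, returns the error text, or undef when the comment may proceed.
sub static_gate {
    my ($params) = @_;
    return "Comment text is required." unless $params->{text};
    my $got = $params->{secretvar} // '';
    return "Sorry, please try again." unless $got eq $STATIC_SECRET;
    return undef;
}

# Hypothetical server-side key (assumption for this example). Unlike the
# constant above it is never embedded in the SWF or the page.
my $SERVER_KEY = 'hypothetical-server-side-key-change-me';

# Issue a token when the entry page is rendered; the SWF would receive it
# as a parameter the way it already receives blogURL, instead of carrying
# a value that is identical on every request.
sub issue_token {
    my ($entry_id, $expires) = @_;
    my $mac = hmac_sha256_hex("$entry_id:$expires", $SERVER_KEY);
    return "$entry_id:$expires:$mac";
}

# Verify the token against the entry being commented on and the clock.
# $now is passed in so the expiry behaviour can be shown deterministically.
sub token_gate {
    my ($params, $now) = @_;
    return "Comment text is required." unless $params->{text};
    my ($entry_id, $expires, $mac) = split /:/, ($params->{token} // ''), 3;
    return "Sorry, please try again."
        unless defined $mac
            && defined $params->{entry_id}
            && $entry_id eq $params->{entry_id}
            && $expires =~ /^\d+$/
            && $now <= $expires
            && $mac eq hmac_sha256_hex("$entry_id:$expires", $SERVER_KEY);
    return undef;
}

# --- demonstration on constructed POST parameters ---
my $swf_post  = { text => 'Nice post', secretvar => $STATIC_SECRET };
my $bare_post = { text => 'buy stuff' };
printf "static gate, SWF post:    %s\n", static_gate($swf_post)  // 'accepted';
printf "static gate, bare post:   %s\n", static_gate($bare_post) // 'accepted';
# Whatever carried $STATIC_SECRET is accepted; the gate has no way to tell a
# form.swf submission from any other client that knows the constant.

my $now   = time;
my $tok   = issue_token(42, $now + 600);          # valid for ten minutes
my $fresh = { text => 'Nice post', entry_id => 42, token => $tok };
my $other = { text => 'Nice post', entry_id => 7,  token => $tok };
printf "token gate, fresh:        %s\n", token_gate($fresh, $now)        // 'accepted';
printf "token gate, expired:      %s\n", token_gate($fresh, $now + 3600) // 'accepted';
printf "token gate, wrong entry:  %s\n", token_gate($other, $now)        // 'accepted';
```

Run it with `perl gate_demo.pl`. The first two lines show the post’s gate doing exactly what it is written to do, and nothing more: it is a password check with one password shared by every visitor. The token version binds each submission to a specific entry and a time window, so a value lifted from one page is useless for another entry or after expiry, and it can be rotated by changing `$SERVER_KEY` without recompiling the SWF. It does not claim to stop a bot that loads the entry page first and posts within the window; that still comes down to what Nick says, whether the comment URL itself is guarded. In a real handler, compare the MAC with a constant-time routine rather than `eq`.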