Software, Fitness, and Gaming – Jesse Warden

Blog

  • Prevent Blogspam in MoveableType using Flash

    This solution works like a Captcha test in that the Perl for your comments is looking for a specific variable equaling a specific phrase. Unlike Captcha, the user doesn’t have to enter in anything; Flash merely holds the variable and it’s value, and when the user submits their comment, it sends if off with the rest. When Perl sees that variable, just like Captcha, it’ll allow the comment to go through. Spammers cannot look at your website and “see” the variable in an attempt to modify their code; it’s hidden in the SWF.

    This solution is extremely effective at spam bots who hit your mt-comments.cgi file directly.

    1. Download MTgotoAndComment – English | French

    2. Open the FLA in the Source folder in Flash MX or Flash MX 2004. Open the Library. Open the “StefClasses” folder. The first component, “MTgotoAndComment”; edit the symbol. Click the “:: AS ::” layer, and go to line 28 in your actions window. Add a new line via hitting the Return key. You’ll know your in the right spot if you see this line of code:

    this.blogURL = _root.blogURL;

    Add this line of code:

    this.secretvar = "makeupweirdwordsand1111";

    You’ll want to make up, and remember, your own word with #’s in it. This is the word of power that the blogspammers will never see ’cause it’s buried deep in this SWF.

    3. Now, go to line 101 and add this line of code on a newline:

    this.fields.push({name:"secretvar", type:"hidden", req:true});

    4. Complile the FLA; a new form.swf will be placed in the Source folder. Upload that form.swf to your site in place of the one they give you.

    5. Now, the Perl. Navigate to the “Comments.pm” file in your MoveableType installation. It’s something along the lines of:

    moveabletype/lib/MT/App/Comments.pm

    Make a backup of the file.

    6. Open the file in any text editor. In MT 3.121, go to line 247. You want to add the code I give you AFTER this block of code:

    if (!$q->param('text')) {
    return $app->handle_error($app->translate("Comment text is required."));
    }

    Go to a free line after that code, hit return twice to give yourself some room, and add the bot-blocker-code-of-wonder +3:

    # JXL hack start
    #
    unless($q->param('secretvar') eq 'makeupweirdwords11111') {
    return $app->handle_error($app->translate(
    "Sorry, please try again."));
    }
    #
    # JXL hack ends

    Basically, if the POST to your comments does not contain the secret variable with the correct variable, they’ll be sent to your MT Error template and show that text in bold. While it’s tempting to write obsenities, I wouldn’t just in case someone friendly accidentally goes there.

    Save the changes to the Comments.pm, and upload back to your site (make sure you have a backup!).

    You done, sucka!

  • Anti-blogspam: MTGotoAndComment Deployment Methods?

    It’s too early to declare victory over blogspam utilzing a SWF form to pass a hidden variable to Perl via MTGotoAndComment’s Flash form. However, it’s been just about 24 hours since my initial deployment, and I’ve received no blogspam in the hundreds like usually happens in a 24 hour period.

    I’m risking underestimating my enemy by assuming they will not be able to solve the SWF form riddle by Sunday evening, so without another gerund use, I’m curious what forms of deployment people think is best, specifically, how the SWF is written and loaded.

    1. Create a AS2, Flash Player 7.0.53.0 version of MTGotoAndComment’s Flash form, and hand off with the necessarey Perl code (3 lines) to be added to lib/App/Comments.pm.
    2. Same as above, except create an AS1, Flash Player 6.0.0.0 version.
    3. Same as above, except create an AS1, Flash Player 6.0.79.0 version.
    4. Create an AS2, Flash Player 7.0.53.0, FP 6.0.79.0 version, a 6.0.0.0 version, and a loader movie to detect version, and load as necessarey.

    The reason I like #1 is I don’t get paid for this jazz, and it’s pure benevolence for my fellow man that I even spend time fighting off this evil. It’s quick, it works on all platforms & browsers (win, mac, linux, solaris, ie, safari, mozilla), and takes advantage of Flash Player 7’s speed of runtime, and speed to create content. If there is a bug found, it’s pretty quick for me to fix and re-deploy a new version.

    The reason I like #2 is so I can target the most amount of users, and I don’t have to code any Flash; I just rig the cab file in the HTML to point to that version #, and utilize St

  • Viva La Resi-staunch: French Canadians (?) Help Fight Blogspam

    Andy Makely sends me a translated link to gotoandplay.ca‘s Flash Form, created to replace MoveableType blogs commenting form in an effort to prevent blog spam. The only thing it does is prevent form auto-fill scripts from spamming your blog, and the instructions mention to rename your mt-comments.cgi file which the SWF reads from an XML config file.

    “Dude, this is worthless… the spammers can find the CGI file via google, and they hit the cgi directly, NOT my web page…”.

    To accentuate my point, 7 minutes after re-activating my mt-comments.cgi after installation of the Flash comments, I got a new blogspam.

    Then I got an idea. Some dude had written me in an email, talking about his solution. He basically added an extra form field for the user to type in a value, and have perl check to see if that value exists when the form data hits it.

    The flaw in that theory is that the blog spammer can read your comment page, see the new variable Perl is expecting, and modify his/her script as need be.

    …you can’t do that with Flash. You can decompile the script, but I don’t think most blog spammers know how to do that. Hidden form fields on HTML pages are easily spotted via View Source, but doing that in Flash requires a SWF decompiler… and I’ll have to test to see if they can spot the variable name when I get home to check via ActionScript Viewer.

    SO, I added the variable with a whack value:

    specialVar = “some whack string”;

    To the “MTgotoAndComment.fla” file, and recompile to the form.swf, and replace the one they give you.

    In Perl, I check for the value, and if it’s not there, I throw an exception… at least, that’s what the code looks like its doing, I don’t know Perl.

    After some tests, it appears to be working. IF this solution does work after this weekend, I’ll delve into further detail of how I got it to work, and then I’ll rewrite this form for AS2.

    …and to the blogspammers, I say…

  • Call a Woman a Dude

    This goes out to the Canuck last week, the cool mom in QA at BellSouth, and the cool mom in QA at Surgical Information Systems.

    SEE!? I was being politically correct!

    “Men report that they use dude with women with whom they are close friends, but not with women with whom they are intimate,” according to the study.

    CNN Article

    Via her majesty… who isn’t a dude.