Neil Turner's Blog

Blogging about technology and randomness since 2002

My anti-spam arsenal

Elise is collecting together tips about how to combat comment and trackback spam for Movable Type users. To continue the theme, I’m going to use this entry to list the ways in which I prevent spam from getting through.

  1. MT-Blacklist. Pretty much mandatory if you have a Movable Type weblog and have comments or trackbacks enabled. It doesn’t require much effort on the user’s part but is very effective.
  2. Renaming my mt-comments.cgi and mt-tb.cgi scripts. This was one of the first methods I tried back in October 2003 and is detailed here. This works reasonably well as it makes it harder for automated bots to guess the URLs of your scripts.
  3. Closing old comments. This does require a bit of effort every day, although Kasia offered a Perl script that can be run as a Cron job to automate the process. At the moment I’m using this script from David Raynes to close comments and trackbacks on entries more than 60 days old but I believe there may be a better script out there. MT-Close2 for example looks interesting.
  4. Real Comment Throttle. This allows me to set a maximum number of comments to receive per hour or per day, to limit possible damage caused by a flood of comment spam.
  5. MT-DBSL, which forcibly moderates any comment coming from a known open proxy. Alas it doesn’t filter much but it does help.

This seems to keep the problem pretty much under control for me, though just because it works for me doesn’t mean it will work for you. Elise suggests a few other methods that you can try, however, including a hash generator that can further prevent automated submissions.
Some bloggers have implemented ‘captchas’, which show a number in an image that you then have to type in to be able to enter the comment. I think you can probably guess that I’m not keen on the idea due to accessibility reasons.
By the way, you may have noticed that I’m no longer forcibly moderating non-TypeKey comments. I will re-apply moderation if I’m going to be away for a few days or if the problem gets worse, but for now I’m letting any comment that doesn’t fail the automated checks through.


  1. Thanks for the list! I’d imagine it’s the best we can do short of physically hunting down the spammers, beating them with a cattle prod, then lighting their equipment on fire (not that I’m advocating violence or anything).

  2. If you’re tired of the effort of #3, you may want to check into my MT-Moderate script. It doesn’t close old comments, it simply moderates them. If a comment comes in on an entry over 7 days old, it checks to see if there is another, recently approved, comment on that entry. If there is such a comment in the last day, then it lets it through. Otherwise it moderates it.
    I’ve found this effort remarkably effective for much comment spam, as they seem to come in on old entries. And comments don’t generally pick up again once an entry is older than a few days (on my blog, anyway)!

  3. I don’t know a lot about MT, but Chu Yeow’s Redemption in a Blog uses WordPress and has a rather nifty anti-spam measure. You simply have to type a specified letter of the alphabet into a text box. This would address accessibility issues as it’s an actual character and not an image.

  4. Dave2: I’m the last person to advocate violence, but yeah, I’d love to do something nasty to them too 🙂
    jayseae: MT-Blacklist seems to do everything that MT-Moderate does already 🙂
    John: Jeremy Zawodny does a similar thing – to post a comment, you have to type in his name. It would require hacking the MT code to implement though, which I hate to do.
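
The age-based rule described in comment 2 above (hold a comment on an entry over 7 days old unless another comment on that entry was approved in the last day), written out as an added Python example. It is not MT-Moderate's code and not part of any comment here; the names `decide`, `replay` and `at`, the sample dates, and the treatment of a published comment as approved are assumptions of this sketch.

```python
from datetime import datetime, timedelta

OLD_ENTRY_AGE = timedelta(days=7)   # rule applies to entries older than this
RECENT_WINDOW = timedelta(days=1)   # "recently approved" means within this


def decide(entry_published, approved_times, now):
    """Return "publish" or "moderate" for a comment arriving at `now`."""
    if now - entry_published <= OLD_ENTRY_AGE:
        return "publish"  # young entry: the rule does not apply
    cutoff = now - RECENT_WINDOW
    # Only approved comments count, so held comments never reopen a thread.
    if any(cutoff <= t <= now for t in approved_times):
        return "publish"
    return "moderate"


def replay(entry_published, arrivals, approved_times=()):
    """Run decide() over arrival times in order and return the decisions.

    Assumption: a comment the rule publishes counts as approved from then on;
    a held comment stays unapproved (manual approval is not modelled).
    """
    approved = list(approved_times)
    decisions = []
    for now in sorted(arrivals):
        verdict = decide(entry_published, approved, now)
        if verdict == "publish":
            approved.append(now)
        decisions.append(verdict)
    return decisions


# Constructed sample data: one entry and three scenarios.
ENTRY = datetime(2004, 1, 1, 12, 0)


def at(days, hour=12):
    return ENTRY + timedelta(days=days, hours=hour - 12)


# Fresh entry: comments in the first week go straight through.
fresh = replay(ENTRY, [at(1), at(6)])
# Dormant entry: every comment of a burst 40 days later is held.
burst = replay(ENTRY, [at(40, 3), at(40, 4), at(40, 5)])
# Old entry with a comment approved 2 hours earlier: the next one is published.
revived = replay(ENTRY, [at(40, 14)], approved_times=[at(40, 12)])

if __name__ == "__main__":
    print(fresh, burst, revived)
```

Because held comments do not count as approved, one held comment on a dormant entry keeps every later comment held until a person approves something there.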