Quick Google Check for Weblog Spam

Think of it as checking for lumps: search Google for “phentermine,” “viagra” — or some other common spam word/phrase — along with site:domain.com (replacing “domain.com” with your own website, of course), and you should get a quick slice of possible spam on your weblog which may have slipped through your filters. Kottke.org, for example, has a mild infestation in older entries. More examples.

More Sure than a Voice from Heaven

Today was Transfiguration Sunday in the Revised Common Lectionary, and the gospel at worship service was read by yours truly. I memorized the ESV text of the reading last night, and was able to deliver it this morning in hammed-up, Shatner-esque mode. Despite one slip-up where I almost repeated a verse before I caught myself, I think I managed to pull it off.

But enough about me. More importantly, I want to draw attention to a section of today’s epistle reading from Second Peter, and the ESV text is especially striking:

For when he received honor and glory from God the Father, and the voice was borne to him by the Majestic Glory, “This is my beloved Son, with whom I am well pleased,” we ourselves heard this very voice borne from heaven, for we were with him on the holy mountain. And we have something more sure, the prophetic word, to which you will do well to pay attention as to a lamp shining in a dark place, until the day dawns and the morning star rises in your hearts….
– Excerpt from 2 Peter 1 (emphasis mine)

Are you getting what Peter is stating here? For Peter, the prophetic word is something we have as more sure than his own eyewitness of the voice from heaven. Let that sink in for a bit: the Scripture itself is more certain than the voice from heaven. By the time of this writing, the Epistles of Paul were already known in the churches, and portions of the Gospels, though fragmented, were almost certainly in circulation, and were already regarded as Scripture, of divine origin. It’s this same Scripture that we read in our bibles, and Peter is telling us that this same Scripture holds as much, if not more, assurance for us of Christ’s Sonship than even the Loud, Booming Voice From a Glowing Heavenly Cloud.

I find that as mind-bogglingly amazing as the Epiphany itself.

Trackback Spam Attack

Yes, the spammers have figured out trackback, and are now pinging our trackback URLs repeatedly with multiple GET requests, littering our old, pingable weblog entries with links to sleazy sites for personal injury lawyers and Texas Holdem Poker. Seeing as how I want to avoid the drudgery of installing additional filtering, throttling, moderation, and other hackage, and since it’s only once in a blue moon that I get an actual trackback ping, I’ve opted to go the path of least resistance and turn off trackback — utterly. No more pingable entries, no more “trackback ping URL” links, no more trackback metadata in my markup, no more mt-tb.cgi. Just comments. Good old-fashioned comments.

Here’s how to utterly remove trackback from MovableType 3.15:

  1. In MT, go to Weblog Config > Preferences > Publicity / Remote Interfaces / Trackback and uncheck “Allow TrackBack Pings On by Default.”
  2. Go to Templates and remove all occurrences of trackback tags and containers in all templates: <$MTEntryTrackbackData$>, <$MTEntryTrackbackLink$>, <$MTIfAllowPings$>, etc. (Leave a comment to tell me if I’m forgetting anything.) You want any mention of trackback — visible, linked, or hidden — gone from your weblog.
  3. Open up your MT db in phpMyAdmin (or whatever you use for MySQL) and use this query to make all entries non-pingable:
    update mt_entry set entry_allow_pings=0;
  4. FTP into your MovableType directory and rename mt-tb.cgi to something without a .cgi extension, .txt or .bak or something. (We do want to keep it around, of course, in case trackback suddenly becomes a feasible idea again in the future. Right?)
  5. If you haven’t yet done so, disallow all search bots with robots.txt. To be really thorough, see Ann Elisabeth’s guide to blocking search engine spiders in .htaccess.
  6. If you’re feeling especially mean and vindictive, you could add a series of ErrorDocument directives to .htaccess, or RewriteRules corresponding to your trackback URL — using the spammer’s own site as the error document or rewrite target. Then, every single ping he continues to send to your now non-existent trackback script will redirect to his URL. But he wants that traffic anyway, so why not indulge him?
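As an added example (not part of the original post, and not MovableType's own tooling), here is a small POSIX shell script covering steps 2, 4 and 6 above: it audits the template directory for any trackback markup that survived the manual cleanup, sets mt-tb.cgi aside without deleting it, and prints a mod_rewrite rule that answers the old trackback URL with a plain 410 Gone rather than redirecting anyone anywhere. The template and MT directory paths, and the tag-name heuristic, are assumptions; the tag names it matches are the ones named above plus anything else MT emits with "Trackback" or "Ping" in the name.

```shell
#!/bin/sh
# Added example, not part of the original post or of MovableType itself.
# Helpers for steps 2, 4 and 6: audit the template directory for leftover
# trackback markup, set the trackback script aside without deleting it, and
# emit a mod_rewrite rule that answers the dead trackback URL with 410 Gone
# (a non-redirecting alternative to the ErrorDocument trick).
# The paths passed in are assumptions; adjust them to your install.

# Any MT tag whose name contains "Trackback" or "Ping(s)", plus the script
# name itself. A heuristic, so review the hits rather than deleting blindly.
TRACKBACK_RE='MT[A-Za-z]*(Trackback|Pings?)|mt-tb\.cgi'

# Print file:line for every remaining trackback reference under $1.
# Returns 0 when the templates are clean, 1 when something is left.
audit_templates() {
    hits=$(grep -rnE "$TRACKBACK_RE" "$1" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Rename mt-tb.cgi to mt-tb.cgi.bak inside MT directory $1 so the web server
# no longer executes it (step 4). Returns 0 if renamed or already absent.
disable_tb_cgi() {
    if [ -f "$1/mt-tb.cgi" ]; then
        mv "$1/mt-tb.cgi" "$1/mt-tb.cgi.bak"
    fi
    [ ! -f "$1/mt-tb.cgi" ]
}

# Print an .htaccess fragment for the MT cgi directory: requests for the old
# trackback URL get 410 Gone ([G] flag), which well-behaved clients treat as
# permanent and which sends no traffic anywhere.
gone_rule() {
    printf '%s\n' \
        'RewriteEngine On' \
        'RewriteRule ^mt-tb\.cgi$ - [G]'
}

# Usage: sh tb_audit.sh /path/to/mt/templates /path/to/mt
if [ "$#" -eq 2 ]; then
    audit_templates "$1" || echo "trackback markup remains in $1"
    disable_tb_cgi "$2" && echo "mt-tb.cgi disabled in $2"
    gone_rule
fi
```

Run it once after step 2 and again after rebuilding the site; a clean audit plus a renamed script means step 3's SQL update is the only thing left for the database side.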

In 2002, the world of weblogs, comments and trackbacks was built on a culture of trust and openness. How naive we were. And now, the spammers have set DIY weblogging back by at least two to three years.

More material elsewhere:

(If you link to this entry, leave a comment with the URL of your weblog post. See? It’s just like pinging!)

Enterprise: Belated Respect for Tradition

I just watched the “United” episode of Star Trek: Enterprise: the sequel to “Babel One,” making for a memorable two-part story arc. It’s my thought that if more episodes of the first two seasons had been like this one — with as much respect for the history of the Trek storyline as Archer’s respect for Andorian tradition — the series would not have been cancelled just yet.

That said, I’m eagerly looking forward to the rest of this last season of Enterprise: there’s a clear focus on restoring Trek continuity with multiple references to events and personalities in other series, and for the upcoming “Mirror Universe” episode, even a complete rebuild of the USS Defiant, the TOS-era Constitution Class vessel from “The Tholian Web.” Too. Cool.

Beset on All Sides

Nothing beats coming home from work and finding out that some vigilante has posted a comment to your weblog with the personal information and contact numbers of a number of people at SMS.ac (deleted), then finding a message on the answering machine from SMS.ac’s legal office requesting information on that commenter (answered), then opening up MovableType and finding about forty new trackback spams posted to various old entries (deleted and trackback turned off). This is why we can’t have nice things.

Update on SMS.ac Spam

(Continued from this entry: Spam from SMS.ac.)

Update: Joi Ito received an empty legal threat from Kevin Jones at SMS.ac. Kevin Jones also left a message on my answering machine asking for information on vigilantes who had been posting SMS.ac executives’ personal info in my comments. I’ve noticed GMail and Yahoo Mail are now automatically marking all SMS.ac invitations as “spam,” and shunting them directly to the Junk Mail folder. Heh.

Responding to complaints, “Sean” from SMS.ac (that’s where his IP resolves) comments (here and elsewhere) that there’s a PDF guide on the registration page explaining the spammer script Address Book Synchronizer. I’m trying out the signup now, and finding several usability-related problems with the whole process:

  1. Documentation is a PDF, and not a very good one. Not everyone has Adobe Acrobat Reader, and of those who do, even fewer will slog through the whole PDF than will bother to read the fine print on a web form, even one that asks for a password.
  2. Take a look at this form:
    Step 2 of SMS.ac registration
    The instructions say: “Enter your Hotmail login to see who’s connected and automatically bring your friends into your SMS.ac address book.” It isn’t open-ended; it makes the registration process look as though you have to enter your Hotmail/Yahoo password. Of course, you can click NEXT while leaving the password blank, but the flow of the process doesn’t make this option evident: users will most likely fill out the form simply because they see it there. Here’s what they see next:
    Step 2 confirmation
    “Per your request?” This is definitely deceptive phrasing; at no point has it made a request to import all contacts. Note also how the explanation puts ‘Next’ in quotes with a capital letter, while ‘manual selection’ is left lowercase and unquoted, with the corresponding button set unobtrusively to the lower left. Maybe I’m just being paranoid; perhaps it’s just a case of poorly written copy and badly designed flow. Or do they really not want users selecting the option which sends less than the maximum possible amount of spam?
  3. In truth, I see nothing wrong with offering invitations for a service; I’d even venture to say there’s little wrong with an invitation whose From: address is the same as the user’s. Gmail does this. The problem is with subtly leading the user into a crawl of his address book and contact list, then repeatedly hammering the found targets with invitations while the user has no idea that his name is being stamped onto multiple messages, multiple times, to multiple people.
  4. Sean of SMS.ac, though annoying in his smugness, is right: this is the internet (or more appropriately, the hinternet) — people who aren’t careful end up with adware, spyware, trojans, spam, and popups. Responsible companies try to protect their users from their own naivete. SMS.ac, however, appears to exploit it, and should therefore be avoided.

In the feedback thread, “Sean” then goes on to insult other commenters — an object lesson straight from SMS.ac on how not to endear the company to past and potential clientele when you’re out astroturfing on weblogs.

More from Russell Beattie.