Fight spam with (June 04, 2004)

The only thing I really don’t like about MT-Blacklist is that I have to fiddle around and cut and paste URLs and click a lot when I want to mark a comment as spam. This is mostly my own fault for using an old CRT-based mail reader, but still. So I wrote a little script that takes a MovableType comment email as input and runs MT-Blacklist on the comment. Now, whenever I get comment spam, I pipe the email alert to this script and the comment spam goes away.

This works for me. It may not work for you. No warranty, etc. Test before using. Requires the CPAN modules WWW::Mechanize and HTML::TokeParser.


#!/usr/bin/perl -w
use strict;

use WWW::Mechanize;
use HTML::TokeParser;
use HTTP::Cookies; 

my $agent = WWW::Mechanize->new();

### Configuration

my $username = "YOUR USERNAME HERE";
my $password = "YOUR PASSWORD HERE";
my $mtURLprefix = "EXAMPLE: http://popone.innocence.com/mt/";

my ($blacklistURL, $form, $spamURL, $URLs);

### Get the despam URL from an mt-comment email -- always the 8th line from
### the bottom

chomp($blacklistURL = (reverse <>)[6]);
$blacklistURL =~ s/([[:cntrl:]])/sprintf('[%02X]',unpack('C',$1))/ge;
die "Malformed blacklist URL: $blacklistURL" unless $blacklistURL =~ /^\Q$mtURLprefix\E/;

### Log in

$agent->get($blacklistURL);

$agent->form_number(1);
$agent->field("password", $password);
$agent->field("username", $username);
$agent->click;

### Then despam

$agent->get($blacklistURL);

$agent->form_number(1);
$form = $agent->current_form();
$URLs = $form->value("foundURLs");
$agent->click;

### Show what happened

print "Despammed:\n";
foreach $spamURL (split(/\n/, $URLs)) {
        $spamURL =~ s/([[:cntrl:]])/sprintf('[%02X]',unpack('C',$1))/ge;
        print "\t", $spamURL, "\n";
}

Comments

Ok, this is probably just me being paranoid, but how hard would it be to fake an MT-Blacklist message to you that pointed at, say:

http://popone.inmocence.com/mt/

Especially if this fake email were sent to you in the midst of a comment-spam flood, would you necessarily notice the difference? Another possibility, I suppose, is to send a sufficiently long comment spam so that the eighth line from the bottom is obscured in most terminal sizes. Unless you scroll down, you won't realize that you're sending your MT username and password off to $RANDOM_HOSTILE_SITE.

The patch to fix this is pretty obvious - in the configuration section, include a url prefix that blacklistURL must match, say:

my $mtURLprefix = "http://popone.innocence.com/mt/";

(It's important to use something that includes the slash after the domain name). Then, after you get blacklistURL, do:
die "Malformed blacklist URL: $blacklistURL"
unless $blacklistURL =~ /^\Q$mtURLprefix\E/;

(The \Q and \E are necessary so that someone doesn't get you with http://popone-innocence.com/mt/)

Removing harmful control characters from $spamURL before they are sent blithely to a user's terminal is probably also a good idea - though perhaps the url-catching regexp in mt-blacklist is already sufficiently paranoid to avoid them.

$spamURL =~ s/([[:cntrl:]])/sprintf('[%02X]',unpack('C',$1))/ge;

Posted by: Daniel Martin at June 4, 2004 10:43 AM

Hm, good point. I was trying to simplify configuration but I think you're right about the dangers.

The url-catching regexp is paranoid but it never hurts to double filter. I'll make both changes in this post.

Thank you!

Posted by: Bryant at June 4, 2004 11:05 AM

Note that the de-fanging of control characters should also be applied to the $blacklistURL before the die message.

Posted by: Daniel Martin at June 4, 2004 11:49 AM
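
The effect of the \Q...\E quoting and the trailing slash discussed in the comments above, shown side by side as an added example that is not part of the original post or its comments. The sample URLs are constructed, `example.cgi` is a placeholder script name, and `example.net` stands in for an unrelated host.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Prefix from the post's configuration section, plus the same prefix cut
# off right after the host name (no trailing slash).
my $prefix   = "http://popone.innocence.com/mt/";
my $no_slash = "http://popone.innocence.com";

# Candidate checks, weakest first; the last is the one from the comments.
my @checks = (
    [ 'unquoted'       => sub { $_[0] =~ /^$prefix/ } ],
    [ 'quoted-noslash' => sub { $_[0] =~ /^\Q$no_slash\E/ } ],
    [ 'quoted+slash'   => sub { $_[0] =~ /^\Q$prefix\E/ } ],
);

# Replace control characters with a visible [XX] hex tag before printing,
# so nothing in the URL is interpreted by the terminal.
sub defang {
    my ($s) = @_;
    $s =~ s/([[:cntrl:]])/sprintf('[%02X]', ord($1))/ge;
    return $s;
}

# Constructed sample URLs.
my @urls = (
    "http://popone.innocence.com/mt/example.cgi?id=1",         # genuine
    "http://popone.inmocence.com/mt/example.cgi?id=1",         # look-alike from the comment
    "http://popone-innocence.com/mt/example.cgi?id=1",         # '.' treated as a wildcard
    "http://popone.innocence.com.example.net/mt/example.cgi",  # host continues past the prefix
    "http://popone.inmocence.com/mt/\e[2Jexample.cgi",         # embedded terminal escape
);

# One row per URL: the verdict of each check, then the defanged URL.
my @names = map { $_->[0] } @checks;
printf "%-9s %-15s %-13s %s\n", @names, 'url';
for my $url (@urls) {
    my @verdicts = map { $_->[1]->($url) ? 'accept' : 'reject' } @checks;
    printf "%-9s %-15s %-13s %s\n", @verdicts, defang($url);
}
```

Save it to a file and run it with `perl`; it needs only core Perl. The columns differ on the third and fourth URLs, which are the two cases the quoting and the trailing slash exist to reject.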
