Press "Enter" to skip to content

Fight spam with

The only thing I really don’t like about MT-Blacklist is that I have to fiddle around and cut and paste URLs and click a lot when I want to mark a comment as spam. This is mostly my own fault for using an old CRT-based mail reader, but still. So I wrote a little script that takes an MovableType comment email as input and runs MT-Blacklist on the comment. Now, whenever I get comment spam, I pipe the email alert to this script and the comment spam goes away.

This works for me. It may not work for you. No warrantee, etc. Test before using. Requires the CPAN modules WWW::Mechanize and HTML::TokeParser.

#!/usr/bin/perl -w
use strict;
use WWW::Mechanize;
use HTML::TokeParser;
use HTTP::Cookies;
my $agent = WWW::Mechanize->new();
### Configuration
my $username = "YOUR USERNAME HERE";
my $password = "YOUR PASSWORD HERE";
my $mtURLprefix = "EXAMPLE:";
my ($blacklistURL, $form, $spamURL, $URLs);
### Get the despam URL from an mt-comment email -- always the 8th line from
### the bottom
chomp($blacklistURL = (reverse <>)[6]);
$blacklistURL =~ s/([[:cntrl]])/sprintf('[%02X]',unpack('C',$1))/ge;
die "Malformed blacklist URL: $blacklistURL" unless $blacklistURL =~ /^\Q$mtURLprefix\E/;
### Log in
$agent->field("password", $password);
$agent->field("username", $username);
### Then despam
$form = $agent->current_form();
$URLs = $form->value("foundURLs");
### Show what happened
print "Despammed:\n";
foreach $spamURL (split(/\n/, $URLs)) {
$spamURL =~ s/([[:cntrl]])/sprintf('[%02X]',unpack('C',$1))/ge;
print "\t", $spamURL, "\n";


  1. Ok, this is probably just me being paranoid, but how hard would it be to fake an MT-Blacklist message to you that pointed at, say:

    Especially if this fake email were sent to you in the midst of a comment-spam flood, would you necessarily notice the difference? Another possibility, I suppose, is to send a sufficiently long comment spam so that the eighth line from the bottom is obscured in most terminal sizes. Unless you scroll down, you won’t realize that you’re sending your MT username and password off to $RANDOM_HOSTILE_SITE.

    The patch to fix this is pretty obvious – in the configuration section, include a url prefix that blacklistURL must match, say:

    my $mtURLprefix = "";

    (It’s important to use something that includes the slash after the domain name). Then, after you get blacklistURL, do:

    die "Malformed blacklist URL: $blacklistURL"
    unless $blacklistURL =~ /^\Q$mtURLprefix\E/;

    (The \Q and \E are necessary so that someone doesn’t get you with

    Removing harmful control characters from $spamURL before they are sent blithely to a user’s terminal is probably also a good idea – though perhaps the url-catching regexp in mt-blacklist is already sufficiently paranoid to avoid them.

    $spamURL =~ s/([[:cntrl]])/sprintf('[%02X]',unpack('C',$1))/ge;

  2. Hm, good point. I was trying to simplify configuration but I think you’re right about the dangers.

    The url-catching regexp is paranoid but it never hurts to double filter. I’ll make both changes in this post.

    Thank you!

  3. Note that the de-fanging of control characters should also be apllied to the $blacklistURL before the die message.

Leave a Reply

Your email address will not be published. Required fields are marked *