Security Hole Turns Movable Type into Spam Zombie
NOTE: See the bottom of this entry for instructions and downloads to patch this flaw.
In a perverse new twist in the ongoing battle against comment spam, the spammers have found a way to use Movable Type’s comment-handling script as a powerful spam engine. Instead of comment spam coming in, now we have to worry about it going out as well.
According to discussions on the MT-Blacklist forums and the TextDrive forums, a flaw in the mt-comments.cgi script allows an attacker to easily use functionality provided by MT to send out tons of e-mail spam from the servers of your web host.
I’m hosted on TextDrive, and as you can read in the above-linked forum thread they’ve been hit hard by traffic from spammers attempting to exploit this bug. To keep the servers from melting, they’ve turned off comments on all Movable Type weblogs system-wide until Six Apart makes a patch available. Anyone attempting to leave a comment on my MT-powered photoblog until that time will get the following error message:
Sorry
But MovableType comments had to be temporarily turned off due to a massive influx of comment spam attempts
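One way a host or blog owner can spot the flood of exploit attempts described above in their own web server logs, as an added example that is not part of the original post and not code from Six Apart or TextDrive: it parses Apache combined-format access-log lines (constructed here) and flags any client that POSTs to mt-comments.cgi in bursts. The log format, the five-per-minute threshold and the sample addresses are assumptions; adjust them to your server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path) for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path")

def find_comment_floods(lines, threshold=5, window=timedelta(minutes=1),
                        script="mt-comments.cgi"):
    """Return {ip: peak count} for clients that POST to the comment script at
    least `threshold` times inside any `window`. Both limits are assumed values
    for this example; tune them to the weblog's real comment rate."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        # Match the script name under whatever cgi-bin path it is installed.
        if method == "POST" and path.split("?")[0].endswith("/" + script):
            posts[ip].append(ts)
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

# Constructed sample: six POSTs in five seconds from 203.0.113.7 and one ordinary
# comment from 198.51.100.2 (both are RFC 5737 documentation addresses).
SAMPLE_LOG = [
    f'203.0.113.7 - - [24/Jan/2005:22:01:0{s} -0800] "POST /cgi-bin/mt-comments.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"'
    for s in range(3, 9)
] + ['198.51.100.2 - - [24/Jan/2005:22:06:10 -0800] "POST /cgi-bin/mt-comments.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"']
```

Feed it the lines of your access log (for example `find_comment_floods(open("access.log"))`) and any flagged address is a candidate for blocking at the host while comments stay disabled.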
Comments on the TextDrive forum thread and at Photomatt.net indicate that a patch is almost ready, but, as with Microsoft Windows, the real problem will be getting people to install it. With a problem of this magnitude, however, I wouldn’t be surprised to see hosting providers making this upgrade mandatory. If the patch only comes out for MT 3.x and you still use 2.6x, that means you’d be upgrading whether you like it or not.
Meanwhile if you run MT, and if your host hasn’t already done something similar to TextDrive, please turn off comments across the board for all your blogs, and then delete the comment script until the patch is available. Doing anything else makes you a spam facilitator, and you wouldn’t want that would you?
All software has bugs — no exceptions — and I don’t fault Six Apart for this problem. I say this because I’m sure there will be no shortage of fire-breathing blame leveled their way over this problem. They are doing everything they can to fix it in a timely manner. Who I’m really pissed off at is the spammers. I am so fucking sick of these pathetic parasites!
(Props: Photomatt.net — thanks for bringing this to my attention)
Updates:
- 1/24/2004 @ 10:30 PM — The patch is now available, in both upgrade and plug-in flavors. The plug-in is backward compatible to at least Movable Type 2.661 and possibly further. Nice work, Six Apart! (Props: Brad Choate via TextDrive forums)
- 1/24/2004 @ 10:46 PM — I’ve patched my photoblog with both the new anti-spam plug-in and the plug-in that provides the rel="nofollow" link attribute. Seems to have gone very smoothly, though comments are still turned off server-wide. I’ll update again when they’re back.
- 1/25/2004 @ 7:00 AM (ish) — As of right now, comments are still turned off on my photoblog. The support staff at TextDrive are in the process of finding out who has upgraded / patched their MT installation and who still needs to, and the comment ban is being lifted on a site-by-site basis. If someone hacks their MT install to get around the ban and run an unpatched MT installation, the current policy is that they will have their subscription to TextDrive canceled. Like I said above, mandatory upgrades for everyone! Given the severity of the problem, it makes sense to me.
- 1/26/2005 @ 12:27 AM — Comments are back on the photoblog.
HOW TO PATCH YOUR MOVABLE TYPE INSTALLATION
As of this writing, the Movable Type web site is unreachable by me, probably due to the huge influx of traffic by people seeking the patch. If Technorati is any indication, news of the exploit has now spread far and wide. In an effort to make this patch as widely available as possible, I will be hosting it on my own site for anyone to download: get it here.
Here are the instructions you’ll need to follow to apply the patch to your own Movable Type weblog:
- If you don’t already have one installed on your computer, download and install an FTP client such as FileZilla or CuteFTP. Again, as of this moment the web sites for most major FTP software seem unreachable. Whether this is due to a swarm of MT users trying to download their wares or a problem with Cox’s internet service is unknown to me, but just in case you can download FileZilla from me here. FileZilla’s web site is reachable from my work computer, which leads me to believe that the problems were due in whole or in part to my ISP. I’ve removed the FileZilla download from my site, but you can find it here.
- Unzip the downloaded plugin. Users of Windows Me and higher can do this with built-in OS features. Others can download one of the many shareware zip/unzip utilities.
- After setting up and starting a connection to your site via FTP (see your FTP program’s help files and documentation from your service provider), navigate to your Movable Type installation directory. This will often be cgi-bin, but this may vary from one set-up to another. Inside this directory is another called plugins.
- Transfer the file patch-20050124-mail-spam.pl to the plugins folder.
- Change the permissions of the patch-20050124-mail-spam.pl file to make it executable.
- You should probably inform your hosting provider that you’ve patched your MT installation.