January 25, 2005

Movable Spam

It appears that any web site running Movable Type, the online publishing software by Six Apart used not only by this humble site but by countless other reputable blogs and online magazines large and small, has suddenly become incredibly vulnerable to spam.

No no no, not receiving comment spam. I know you already knew that. I'm referring to sending spam.

That's right. Spammers with the know-how (or the initiative to go and read how to do it) can hijack the mt-comments.cgi script on a Movable Type installation and use it to send out spam to hundreds of email addresses at a time. Using your address.

This isn't spoofing (faking the return address), this is using your address and your mail server. Yes, that's right - this is extremely bad.

This is hot on the tail of news that this same script was responsible for bringing down expensive servers all over the place because of the load it places on the host when a spammer hammers it with an automated process that tries to leave comment spam on an MT blog.
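Whether the goal is relaying mail through the script or simply hammering it with comment spam, both abuses described above show up in the web server's access log as a burst of POST requests to mt-comments.cgi from the same source in a short period. The script below is an added example, not code from the original post or from Six Apart, and is only a stopgap for spotting such bursts while you apply the patch or upgrade. It assumes an Apache combined-format log, an install path of /cgi-bin/mt/mt-comments.cgi, and uses constructed sample log lines with documentation-range IP addresses; the function names `parse_line` and `find_comment_bursts` and the threshold values are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (Apache combined format), not taken from any real server.
# 203.0.113.7 sends six POSTs to the comment script within about 30 seconds;
# 198.51.100.4 leaves a single comment; the other lines are ordinary traffic or noise.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jan/2005:21:10:01 +1100] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Jan/2005:21:10:04 +1100] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.9 - - [25/Jan/2005:21:10:05 +1100] "GET /index.html HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jan/2005:21:10:09 +1100] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Jan/2005:21:10:15 +1100] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0"
this line is not a valid log entry
203.0.113.7 - - [25/Jan/2005:21:10:22 +1100] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Jan/2005:21:10:31 +1100] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.4 - - [25/Jan/2005:21:12:40 +1100] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Leading fields of the combined log format: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")


def find_comment_bursts(log_text, script="mt-comments.cgi", threshold=5, window_seconds=60):
    """Map each source IP that sent at least `threshold` POSTs to `script`
    inside any `window_seconds` span to the size of its largest such burst.
    Lines that do not parse are skipped rather than aborting the scan."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method == "POST" and path.endswith(script):
            posts[ip].append(ts)

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        best = 0
        # Sliding window: for each request, count how many follow it within the window.
        for i, start in enumerate(times):
            j = i
            while j < len(times) and (times[j] - start).total_seconds() <= window_seconds:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_comment_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} POSTs to mt-comments.cgi within 60 seconds")
```

Run it against a real access log by reading the file into `find_comment_bursts`; the threshold and window are deliberately conservative, since a legitimate reader rarely posts more than a handful of comments a minute, and a flagged address is a candidate for a firewall rule or a closer look at your outgoing mail queue, not proof of abuse on its own.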

So what can you do about it?

If you host on TypePad, you shouldn't have to do anything as no doubt Six Apart will upgrade you automatically. MT users who have bought a recent version of the software can upgrade to version 3.15 for free. And for those of us who are still running an earlier version, a patch is available, and should be good for most older versions (I think the most recent version before Six Apart began charging for MT was v 2.661).

Or you could just upgrade to TextPattern or WordPress, both fine personal publishing systems that are really evolving into mature and intelligent products. And so far, immune to such attacks. Whether these products are less susceptible because they are designed better, or just less popular, is a call I'm not qualified to make. It's probably a bit of both.

I have been using TextPattern for a few projects recently and have been impressed enough to decide to upgrade 35 Degrees and opinios to use it soon. Unfortunately it takes time and effort, so it won't happen overnight. But it will happen!

Posted by mattymcg at January 25, 2005 09:39 PM