Overview

There are a number of junk spewing scripts out in the Internet Wilds that will pound on the default scripts for comments and trackbacks in Movable Type, regardless of whether the scripts exist or not. Many installations rename these scripts in the hopes of avoiding such junk scripts, but generally to no avail. Whether that succeeds or fails, one is left with an error log full of “404: File not found” errors. This makes it difficult to observe real problems.

Because of this, I decided that I would put in a replacement script that would simply accept the connection and ignore it. Then I realized that if I put a delay in that replacement script, it would slow down the junk scripts. Instead of rapidly passing over targets that are disabled, the junk script would instead spend quite a bit of time waiting uselessly, while imposing very little burden on the weblog host machine. The only way to make progress is to impose burdens on the junkers, reducing the set of them for whom this activity is profitable.

The point is to impose more cost on the junkers than on the weblog host. The junkers aren’t magical or invincible; they have their resource limits as well. While the junkers are much bigger than any single weblog, I have no doubt that in aggregate there are far more processing resources belonging to the weblog community than the junker community. Even if it just means that the junkers have to buy bigger hardware, well then they have to spend a lot of money in response to a small effort for each weblogger. That’s still a win.

Implementation (Simple)

I implemented this concept and decided that it would be even better if other weblogs did the same thing, to throw more sand in the gears of the junk machine. You can get the script here or cut and paste the following:

#!/usr/bin/perl -w

use strict;
local $|=1; # Disable buffering

print <<HTML;
Content-Type: text/html

<body>

<div style="font-size:200%;
            text-align:center;
            background:red;
            color:white;
            margin-bottom:1ex;
            ">
Invalid Access
</div>

<p style="border:2px solid red;padding:1ex;">
There is no reference to this script from anywhere else on the Internet.
You can only have accessed this script by guessing its name.
There is no legitimate reason for doing that. Cease your annoying abuse.
</p>

HTML

sleep 30; # Hold the connection open: the junker waits while this process idles

print "</body>\n"; # Finish the page so the client sees a complete response

You can, of course, customize the message or the style. I strongly recommend against using a style sheet, as the point of this is to use minimal resources on your host. And really, how well designed does the page have to be?

To install

  1. Put the script in your MT install directory (where the mt-comments.cgi or mt-tb.cgi script was originally).
  2. Edit the first line to be identical to that in your mt.cgi script.
  3. Rename the script to mt-comments.cgi or mt-tb.cgi to replace the missing script.
  4. Set the permissions to “755”.

Note that this script works for either comments or trackbacks, since it doesn’t do anything except print and sleep. Also, only use this if you’ve renamed the original trackback and/or comment script. Do not use this as a direct replacement of either script.

You can see the script in operation here.

While this script should impose very little burden on your webhost, even under rather heavy use, it may not be suitable for installations that run at the limits of their processing power. For those of us in the long tail, however, it should pose no problem. The long tail is the best place for deployment as well.
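As an added illustration (my own code, not the script from this post), here is the same mechanic in Python using only the standard library: send the banner, flush it so the caller has something to read, then sleep while holding the socket open, exactly what the `$|=1` line in the Perl script is there for. The banner text, the port, the `run_trap` and `time_request` helper names and the 30 second default are my assumptions; `time_request` exists so you can measure what a trapped client experiences with a short delay instead of waiting half a minute.

```python
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-ins for the post's HTML (not the original markup).
BANNER = b"<body><div>Sand Trap</div><p>Invalid Access</p>"
TAIL = b"</body>\n"


class SandTrapHandler(BaseHTTPRequestHandler):
    """Accept the request, send the banner at once, then idle before finishing."""

    delay = 30.0  # seconds the caller is kept waiting; run_trap() overrides this

    def do_GET(self):
        body_len = len(BANNER) + len(TAIL)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(body_len))
        self.end_headers()
        self.wfile.write(BANNER)
        self.wfile.flush()      # counterpart of Perl's $|=1: the banner leaves now
        time.sleep(self.delay)  # the caller waits; this thread only sleeps
        self.wfile.write(TAIL)  # complete the response so the client sees a clean end

    do_POST = do_GET  # comment/trackback junk is POSTed to the retired scripts

    def log_message(self, format, *args):
        pass  # silence the default per-request logging


def run_trap(delay, port=0):
    """Start a trap on 127.0.0.1 in a background thread; returns (server, base_url).

    ThreadingHTTPServer gives each trapped caller its own thread, so one
    sleeping bot does not block other connections (the same concern the
    post raises about Apache's limit on simultaneous processes)."""
    handler = type("DelayedHandler", (SandTrapHandler,), {"delay": delay})
    server = ThreadingHTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def time_request(base_url, path="/mt-tb.cgi"):
    """Fetch a trapped path as a bot would; returns (status, body, elapsed_seconds)."""
    start = time.monotonic()
    with urllib.request.urlopen(base_url + path) as resp:
        status, body = resp.status, resp.read()
    return status, body, time.monotonic() - start


if __name__ == "__main__":
    server, url = run_trap(delay=2.0)
    print("trap listening at", url)
    print(time_request(url))
    server.shutdown()
    server.server_close()
```

Because the response carries a Content-Length, a well-behaved client reads the banner immediately and then sits on the socket until the tail arrives; the server side spends that time in `sleep`, not on the CPU, which is the whole point of the trap.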

Implementation (Advanced)

While I have not observed a burden from this technique, that doesn’t mean it can’t happen. Because of this, I have developed an alternate mechanism that uses PHP instead of Perl so that no external processes are spawned, lowering both the computational burden and the resource burden (in many Apache installations, the number of simultaneous external processes is limited). The downside is that this implementation requires the use of ModRewrite and the consequent editing of .htaccess files.

You can download the script here, or cut and paste the text in the box below.

<body>

<div style="font-size:200%;
            text-align:center;
            background:#822;
            color:white;
            border:2px solid red;
            padding:1ex;
            margin-bottom:1ex;
            ">
Sand Trap
</div>

<p style="border:2px solid red;
          padding:1ex;
          ">
You have been redirected to this script because
you have used an obsolete resource to which
no references exist on this website. This makes
you presumably a junker, and therefore your
session has been bogged down with this webpage.
</p>

<?php
// Send the banner above before sleeping, or the junker sees nothing until
// the delay ends. ob_flush() warns when no output buffer is active, so guard it.
if (ob_get_level() > 0) { ob_flush(); }
flush();
sleep(30); // Hold the connection open; this script idles, it does not compute.
?>

<p style="text-align:center;
          border:2px solid red;
          padding:1ex;
          margin-top:1ex;
          ">
If you are going to abuse me, I will abuse you right back.
</p>

</body>

Put this script somewhere where the weblog can access it without a redirection [1], name it sand-trap.php, and set the permissions to 755. Then edit the .htaccess file to do the rewrite.

For this example, it is presumed that

  • sand-trap.php is installed in the root directory of the weblog domain. E.g., for this weblog it is installed at http://blog.thought-mesh.net/sand-trap.php (try it if you’d like).
  • The .htaccess file is in the Movable Type install directory.

RewriteEngine On
RewriteRule ^mt-comments.cgi /sand-trap.php [last]
RewriteRule ^mt-tb.cgi /sand-trap.php [last]

You can also install the .htaccess in the root directory of the domain, which is what is done on this weblog [2].

RewriteEngine On
RewriteRule ^cgi-bin/mt/mt-comments.cgi /sand-trap.php [last]
RewriteRule ^cgi-bin/mt/mt-tb.cgi /sand-trap.php [last]

You would, of course, need to change cgi-bin/mt to the local path to your Movable Type install directory.

Note: This will render any scripts at those paths inaccessible, so don’t do this if you haven’t renamed those scripts. Alternatively, you could leave these rules in place and use them to turn comments / trackbacks off and on: put a leading ‘#’ on the appropriate line to comment the rule out, and remove it to reinstate the rule.

As a side benefit of this mechanism, if you use the MT 3.2 Patch: Trackback By Name modification, you can use ModRewrite to drop junkers still using the now invalid numeric form into the sand trap as well. This is what you would use in a .htaccess file in the MT install directory, presuming that sand-trap.php was in the domain root directory.

RewriteRule ^mt-tb.cgi/[0-9]+ /sand-trap.php [last]
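Added example (my own code, not part of this post): a small Python pass over the access log that tells you whether the sand trap is actually catching the probes, which retired paths still fall through to a 404 (a sign the rewrite is missing one), and which 404s are the real problems this post says get buried. The log lines are constructed for the example, /cgi-bin/mt is assumed as the install directory, and the trap pattern is the post's RewriteRule patterns rewritten with the dots escaped and the numeric trackback form folded in, so it covers both sets of rules above.

```python
import re
from collections import Counter

# Constructed Apache combined-format lines (not taken from the post): probes of
# the retired scripts mixed with ordinary traffic. 203.0.113.10's probes were
# rewritten into the trap (200); 198.51.100.7's was not (404).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2006:13:55:36 -0700] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.0" 200 412 "-" "Mozilla/4.0"
203.0.113.10 - - [10/Oct/2006:13:56:07 -0700] "POST /cgi-bin/mt/mt-tb.cgi/123 HTTP/1.0" 200 412 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2006:13:57:01 -0700] "POST /cgi-bin/mt/mt-tb.cgi HTTP/1.1" 404 298 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Oct/2006:13:58:12 -0700] "GET /archives/2006/10/index.html HTTP/1.1" 200 8812 "http://example.com/" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2006:13:58:13 -0700] "GET /missing.css HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# The fields of a combined-format line that the analysis needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) '
)

# Retired script paths, written like the post's RewriteRule patterns but with
# the dots escaped and the optional numeric trackback id included.
# "/cgi-bin/mt" is the assumed install directory; adjust it to yours.
TRAP_RE = re.compile(
    r'^/cgi-bin/mt/(?:mt-comments\.cgi|mt-tb\.cgi)(?:/[0-9]+)?(?:[?/]|$)'
)


def parse_line(line):
    """Return (ip, path, status) for a combined-format line, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def summarize(log_text):
    """Sort requests into three buckets:
    trapped:   probes of the retired scripts that reached the trap (2xx), per IP
    uncovered: probes that still got a 404, i.e. a path the rewrite misses, per IP
    real_404:  404s on anything else, the errors the post says get buried"""
    trapped, uncovered, real_404 = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec
        if TRAP_RE.match(path):
            if 200 <= status < 300:
                trapped[ip] += 1
            elif status == 404:
                uncovered[ip] += 1
        elif status == 404:
            real_404.append(path)
    return {"trapped": trapped, "uncovered": uncovered, "real_404": real_404}


if __name__ == "__main__":
    for bucket, value in summarize(SAMPLE_LOG).items():
        print(bucket, dict(value) if isinstance(value, Counter) else value)
```

Run it against your real access log (read the file instead of `SAMPLE_LOG`) after installing the rewrite rules: a non-empty `uncovered` bucket means some variant of the old URL is not matched by your rules, and `real_404` is the short list of genuine broken links that the junk traffic was hiding.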

[1] I.e., accessible from the same webserver. This is important because if a redirection happens, the junker will drop the connection and the goal is to keep him on the line as long as possible.

[2] Because I moved from cgi-bin/mt to scgi-bin in the past, but the junkers keep hitting the scripts in the no longer extant cgi-bin/mt directory. Because that directory doesn’t exist, I can’t put the .htaccess there. Instead, I put it in the root directory to handle both the old and current directories.