Using mod_security to shield Movable Type from Blog Comment Spam
jeremy zawodny writes about how he fixed blog spam using mod_security:
i recently noticed an upswing in the traffic my blog gets from comment spam bots. they’re never successfully able to post comments, of course, but it still results in a lot of hits to the movable type script that handles comment submissions: mt-comments.cgi
notice the “cgi” there? that’s right. this is a old school stand-alone perl cgi script. i’m not running it under mod_perl, so for each request apache must fork() and exec() to start the perl interpreter. then perl has to parse and compile the script, along with all of its supporting modules.
this all culminates in an error message back to the spam bot–a message that is surely discarded. in short, it’s a lot of effort to tell a spam bot to go fuck off. and it causes my 4 year old web server to strain at times.
so i decided to add a new layer to my defenses recently. i added mod_security to my apache setup and crafted a few rules to combat most of the poorly written bots as well as those that are slightly more well designed.