Full Version: Mt-comments.cgi Exploit
Movable Type Community Forum > Using Movable Type > Commenting System
harry303
Dear community,

I host a blog on a dedicated server using MT 4.1 with ~20,000 unique visitors and ~200 (legit) comments per day. Comment spam was manageable so far.

Unfortunately, the server seems to be on some spammer's radar now. Yesterday, over 280,000 emails were sent using the POST command from mt-comments.cgi to randomly generated email addresses. Most of them returned as those addresses weren't valid, effectively doubling the server load.

The problem is basically the same as described here: http://www.adammessinger.com/2005/01/24/mt-spam-zombie

Quote:
----
The spammers have found a way to use Movable Type’s comment-handling script as a powerful spam engine. Instead of comment spam coming in, now we have to worry about it going out as well.
A flaw in the mt-comments.cgi script allows an attacker to easily use functionality provided by MT to send out tons of e-mail spam from the servers of your web host.
----

Luckily, my ISP didn't pull the plug on the server (yet), but instead set CHMOD of mt-comments.cgi to 000 to stop exploitation of the script. The server works fine now, but as no one is able to execute the cgi script, comments created by valid visitors are obviously met with a server error.

Not having to look at 200 comments per day saves a lot of time, but that's the only good part of the story. So what can I do to stop the server abuse?

I found a lot of information on the web concerning automated comment spam, but most of that stuff (like renaming mt-comments.cgi to something random or masking the name of the comment script behind some JavaScript) unfortunately refers to problems with onsite spam, not email abuse. Additionally, that once-helpful advice is probably outdated by now, as I guess the spam mafia has already found solutions to continue their dealings.

Does anyone have a solution to stop the mt-comments.cgi exploit, which works in 2008? Any help is greatly appreciated.

Regards,
Harry
Miguelitosd
QUOTE (harry303 @ Apr 29 2008, 07:36 AM)
Unfortunately, the server seems to be on some spammer's radar now. Yesterday, over 280,000 emails were sent using the POST command from mt-comments.cgi to randomly generated email addresses. Most of them returned as those addresses weren't valid, effectively doubling the server load.

I'm curious if you have more information that helps to pinpoint that it is, in fact, a bug in mt-comments.cgi? I've seen some odd hits to mine as well in my apache logs (looking for that led me to your post in fact). Stuff like:
"POST /mig-archives/https:///mt/mt-comments.cgi HTTP/1.1"

Mostly from the same IP in Vietnam. I only see 1 here and there though.

Does it directly try to email, or does it use the local MTA install that would also show up in logs (I ask because I see nothing corroborating in my mail logs)? I also don't see any other indications that it actually worked, or if it was just someone poking to see if I was exploitable. I haven't been able to catch a hit in action to look for any other network activity at the same time that would make me really worried.

Before the other day, it was actually sending my server out of RAM and causing problems, but that was due to a bug in gcc-4.2.x related to libgomp.so.1 and ImageMagick, and I fixed that.

I wish I could find a script that tries to exploit to test my server myself.. but haven't found anything.
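As an added illustration (not code from this thread or from Movable Type), here is a small Python script that scans Apache access-log lines of the shape quoted above and counts, per source IP, the POSTs to mt-comments.cgi that look like direct calls to the script rather than submissions of the blog's own comment form. The log lines and IP addresses are constructed samples, and the "no Referer" heuristic is an assumption of this example, not something the thread states.

```python
import re
from collections import Counter

# Constructed Apache combined-format log lines (not from any poster's server).
# Lines 1-2 mimic the odd path shape quoted in the thread (a scheme embedded in
# the path); line 3 is an ordinary form post with a Referer; line 4 is a page GET.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Apr/2008:07:36:01 +0000] "POST /mig-archives/https:///mt/mt-comments.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [29/Apr/2008:07:36:02 +0000] "POST /mig-archives/https:///mt/mt-comments.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.2 - - [29/Apr/2008:07:40:10 +0000] "POST /mt/mt-comments.cgi HTTP/1.1" 302 0 "http://blog.example/entry/1" "Mozilla/5.0"
198.51.100.9 - - [29/Apr/2008:07:41:00 +0000] "GET /entry/1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious_comment_post(rec):
    """A POST to mt-comments.cgi is flagged when the path carries an embedded scheme
    (e.g. 'https:///' inside the path, as quoted in the thread) or when no Referer
    is present (assumption: a browser submitting the blog's own form sends one)."""
    if rec["method"] != "POST" or not rec["path"].endswith("mt-comments.cgi"):
        return False
    embedded_scheme = re.search(r"https?:/{2,}", rec["path"]) is not None
    return embedded_scheme or rec["referer"] in ("", "-")


def suspicious_posts_by_ip(log_text):
    """Count flagged mt-comments.cgi POSTs per source IP; the caller chooses an alert threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious_comment_post(rec):
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(suspicious_posts_by_ip(SAMPLE_LOG))  # → {'203.0.113.7': 2}
```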
xtremesniper
I recently have become the target of spammers as well, and my host has been having to suspend my account periodically just to keep the server alive. I'm interested in whether you ever managed to find a solution. I'm currently running MT 3.32 (if I remember correctly) and my host has set my scripts to CHMOD 000 so the site stays alive for the time being, but it's not the ideal solution since now I can't even update the site under the current permissions. I'm perfectly fine with disabling all comments, but somehow the script was still being run even though I had turned feedback off.
OtherNiceMan
If you disable commenting then keep mt-comments.cgi CHMOD to 0000. What it sounds like is people aren't commenting through the forms on the page but calling it directly.