The rapid evolution and adoption of the MTBlacklist plug-in is a surprise to no one. Comments have been sitting there with scads of exploit potential since the moment the first decent looking woman (who could type AND owned a digital camera) discovered the wonders of LiveJournal.
The MTBlacklist plug-in strikes me as a very good solution for the wrong problem. MTBlacklist will “block incoming comments/trackbacks with content matched by any one of the entries in the blacklist.” Groovy. It also features a “Default blacklist [that] contains over 400 known spam strings for immediate protection on install.” Super groovy.
So, what we’ve done here is move from a world where webloggers afflicted with spam stop blocking IPs and start blocking based on content strings. My question is, simply, “what is the difference?” Now, I have not installed MTBlacklist, so I am not an expert, but the problem which needs to be solved isn’t the content, it’s the people who are generating the content.
Back when everyone was still shaking in their boots about transferring money over the Internet, a company called PayPal had a problem. They were complementing eBay as a (semi) neutral clearinghouse for cash transactions and, by doing so, needed to provide various financial vehicles to move money. This meant they needed to support credit card transactions and interface with banks. The Russian mafia saw PayPal as a great way to launder money, so they set up an automated system to create accounts on PayPal using stolen credit cards and started to move money around. Go bad guys!
To handle this fraud, PayPal came up with what seems like a goofy idea. They started requiring new account holders to read a graphic which contained some bizarrely formatted text. The idea was that the text could not be read by optical character recognition software, which meant that every new account would need to be touched by at least one human being. Human interaction and automation don’t scale together… there aren’t enough humans or enough time, so problem solved. The PayPal “human interaction” authorization is all over the place now. Go good guys!
Back to our original topic.
Yes, I am suggesting that there is little difference between being authorized to have a bank account and being authorized to post on a weblog. In both cases, the person who wants to post must prove they are a human being. The PayPal goofy text graphic approach might sound like overkill and will likely decrease the chance someone will post to your weblog, but it solves the problem. Human beings don’t spam.
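The two gates this post contrasts, written out as an added example that is not code from MTBlacklist, PayPal or MovableType: a content-string blacklist check in the MTBlacklist style, beside the server-side bookkeeping a “read this graphic” test needs so that each challenge is single-use and expires. The spam strings are a constructed stand-in for the default list, and the rendering of the distorted text into an image is assumed to happen elsewhere.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for MTBlacklist's default blacklist (the real one has 400+ entries).
SPAM_STRINGS = ["cheap pills", "casino-online", "free-money.example"]


def blacklist_rejects(comment: str) -> bool:
    """MTBlacklist-style gate: reject when any blacklist entry appears in the content."""
    body = comment.lower()
    return any(entry in body for entry in SPAM_STRINGS)


@dataclass
class ChallengeStore:
    """Server-side record of outstanding 'read this graphic' challenges (PayPal-style gate)."""
    ttl_seconds: int = 300
    pending: dict = field(default_factory=dict)  # token -> (expected answer, expiry time)

    def issue(self, now: float) -> tuple[str, str]:
        """Create a challenge; the answer is what a (hypothetical) renderer draws as distorted text."""
        token = secrets.token_hex(16)
        answer = secrets.token_hex(3)  # six hex characters to show in the image
        self.pending[token] = (answer, now + self.ttl_seconds)
        return token, answer

    def verify(self, token: str, response: str, now: float) -> bool:
        """Single-use check: the token is consumed whether or not the response is right."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        answer, expiry = entry
        if now > expiry:
            return False
        return hmac.compare_digest(answer, response.strip().lower())


def accept_comment(comment: str, token: str, response: str,
                   store: ChallengeStore, now: float) -> str:
    """Apply both gates: the content blacklist first, then proof a human solved the challenge."""
    if blacklist_rejects(comment):
        return "rejected: blacklisted string"
    if not store.verify(token, response, now):
        return "rejected: challenge not solved"
    return "accepted"
```

The blacklist decides on what was written; the challenge store decides on who is writing, which is the distinction the post is drawing.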
The folks at MovableType are all over this.