Looking sideways at MovableType
Yeah, we had an outage yesterday evening that went till this morning. I was pulling a Rumplestiltskin because I'd been going for a few days, so I didn't see it till this morning. It was the comment spammers again, which is starting to get on my last nerve. My options basically are:
- Turn off comments/trackbacks (unlikely)
- Move the site somewhere and let them deal with this stuff (highly unlikely, although MT getting banned from many servers is probably good for TypePad)
- Upgrade to MoveableType 3.x and use some of its dynamic stuff (highly unlikely)
- Stop letting myself get distracted from playing with Drupal, and push switching to WordPress up the queue (likely)
On a side note, keep sending snapshots of your comps with The Cow, they're cracking me up and I'll post a few soon. Some of you have taken the extra step of printing him out and lugging him around, but I'm still trying to talk a London reader to take him to Big Ben. Or snap a picture of him with a Beefeater, because I'm lame enough to think that would be funny.
Posted by drunkenbatmanMay 28, 2005, at 12:37 PM
Comments (23)
Posted by: Mike at May 28, 2005 12:45 PM
Wordpress is the way to go man. The comment spam has been a lot less since i had users register, but i just turned that off and now i just have to approve your first comment, works great and no spam :D
Posted by: TeRanEX at May 28, 2005 02:13 PM
Did you consider Nucleus CMS? http://www.nucleuscms.org/ It's, like WP, a free CMS for weblogs with a very nice Plugin API. Ofcourse there are also Anti-Spam plugins available, like BlackList and Captcha
Posted by: Cafeine at May 28, 2005 03:07 PM
Try dotclear. Best blog sys around, open source, french so not as popular as wordpress but english help is here now and I think the admin is waaaayyy better. Look at my blog or http://zecaf.free.fr/dotclear/
to see some skins.
http://www.dotclear.net/en/
Posted by: PXLated at May 28, 2005 03:27 PM
Take a look at Expression Engine, a lot of MT converts in the forums and an MT import utility to help make the switch. Good spam controls, I haven't had any. Very flexible and robust. Version 1.3 out very soon.
http://www.pmachine.com/expressionengine/
Posted by: solios at May 28, 2005 03:31 PM
All I gotta say on the matter is I've stuck with MT 2.x because it does everything I need, and 3.x does nothing I want. Seems all of the underthehood went into comment handling (good for you) while image handling and overall behaviour is still the same as 2.x (bad for me).
I've had my own blog comment spammed, which is pretty impressive considering that comments aren't even on and there's no place you can leave them - the bastards 'sploited the existance of the cgi script itself. Animals! A rename solved that but stilll left me with a grotesquely inordinate amount of traffic that was hitting me only to shit on me, as opposed to read the comic or blog, so out the whole mess went.
As for Drupal... a friend of mine recently switched a site FROM Drupal TO Mt, citing template issues and user problems. And Wordpress seems, last I checked, to be very tied to php.
Whatever your course, best of luck.
Posted by: Diggory Laycock at May 28, 2005 04:20 PM
Wordpress.
Posted by: Jesper at May 28, 2005 04:47 PM
The comment policy wants me to be sane. Here's sane, or more sane than I've heard in these comments yet (no offense, I just haven't seen anyone address this yet).
If you're already using a spam blocker, and these spams didn't get into your entries through fallacies in other MT code, aren't you logically better off with just a better spam blocker or tighter rules? It seems to me that anything else is just a placebo effect, thinking that you're more secure because your weblog is now set up in accordance to a *different* couple thousands of other sites.
And if you aren't using a spam blocker in the first place, won't it take you way less effort to install one than to switch to another system?
That said, switching to another system is of course entirely up to you, and you may have a thousand other good and valid reasons, but it seems to me that to tear up everything for a few days for a logical fallacy isn't quite the way to go.
Posted by: drunkenbatman at May 28, 2005 05:13 PM
It seems to me that anything else is just a placebo effect, thinking that you're more secure because your weblog is now set up in accordance to a *different* couple thousands of other sites.
This is something you can find in the archives under 'drunkenblog', as I think we're talking about different things. It's not about the quality of MT-Blacklist, or MovableType, but about how it works. By default, it servers out static .html files (which is good for a lot of traffic) and rebuilds them when the content changes. I.E., every time you leave a comment, a perl script is spawned and it rebuilds the static file.
The problem is right there with the perl script being spawned, as every time one is spawned the perl interpreter needs to go up with it (unless you're using something like mod_perl, but I ran into problems with that and MT) and each one uses around 6 Megs of memory. The virus rarely realizes it's killing the host, and spammers go for fucking broke, meaning its easy to get 150-200 perl processes running. This has to happen even when spam is being blocked and a page isn't being rebuilt, which is an even worse deal because it has to run a long check against a database of spammers...
Run the calcs of what 150-200 perl processes (150 x 6, etc) and you can get an idea of why the server can die. Imagine this going on on several sites on a server, and you can get an idea of why many hosts are banning MT. You can alleviate this by capping the amount of connections apache will serve out, but to do any good you're setting it low enough that the server will then die under a slashdotting. Damned if you do, damned if you don't.
Something like wordpress is all-dynamic, which means each page has to run some calcs so your average load is higher in general than a static system like MT, but during something like this it evens waaaaaaay out. Newer versions of MT allow you to go all dynamic all the time, but it's a bit of a kludge and just feels weird.
Posted by: Jesper at May 28, 2005 05:22 PM
Thanks for reminding me of the MT usage issues which I had managed to suppress for now - the sheer slowness of the entire system as it is was a big part of why I switched systems personally. But I'm still missing a piece here - isn't launching numerous PHP processes just as bad as numerous Perl processes, even if we assume that the PHP processes take up half the virtual memory, and even given that the WP codebase seems to be far more leaner?
Posted by: peterb at May 28, 2005 05:52 PM
I've been very happy with MT-captcha for my blog. Since I've installed it, I've basically had no comment spam whatsoever.
Posted by: drunkenbatman at May 28, 2005 06:04 PM
But I'm still missing a piece here - isn't launching numerous PHP processes just as bad as numerous Perl processes, even if we assume that the PHP processes take up half the virtual memory, and even given that the WP codebase seems to be far more leaner?
Little more complex than that. Chances are, your web server loads its PHP engine as a module, meaning its cost is built into an instance of apache, meaning you just need to add-in the memory size used by the script itself. If you have keep-alive on in any form (mine is fairly low) you're often looking at doubling your usage for MT often doubles for awhile, as you have to keep in mind the cost of apache spawning an instance of dealing with it plus spawning the perl engine. It's not uncommon to see the system dying just from having to deal with that, while things are waiting.
And the PHP stuff seems to execute a lot faster than MT"s perl stuff... let alone when the spam gets through and the page actually has to be rebuilt. If something isn't in your blacklist, and they're hammering, this can be as many pages as you have several times over. It's a nightmare.
Basically, with something like WP you keep the script execution time but drop the cost of having to spawn the perl engine(s) with its time and memory overheads, and the rebuilding such. Under optimal conditions something like MT's system does pretty darn good, but under sub-optimal conditions it's a complete and utter nightmare... which is why their recc to those having problems is to upgrade to 3.x and make everything dynamic (like WP).
Posted by: Jesper at May 28, 2005 06:09 PM
It's at this point that I wonder who'd actually "win" of a mod_perl setup of MT3 and a CGI PHP setup of WP. mod_perl is way less common than the module PHP variants, so the field isn't exactly level to start with.
Posted by: Charles at May 29, 2005 03:50 PM
Wordpress does have the advantage over MT that it doesn't get slammed in the same way by comment spammers. The new WP 1.5.x version also stops posts from open proxies, which is what comment spammers use (they don't care, there's a million more blogs out there).
And if you do go the WP way, a plugin called "Kittens Spaminator" will do the rest for you.
Posted by: padawan at May 29, 2005 04:09 PM
"Move the site somewhere and let them deal with this stuff" > Why do you rate this "highly unlikely"? That's what I did when I moved my MT-driven blog to TextDrive and they're effectively dealing with spam before it hits my site. Once in a while I get a few manual spams, otherwise it's all filtered and I'm not using any anti-spam plugin. Changing the blog software vs. changing host, I'm not sure the former is the easiest way to go (but it surely is the most religious choice for certain people!).
Posted by: padawan at May 30, 2005 09:59 AM
And as an illustration of my previous comment, you may want to check this:
http://weblog.textdrive.com/article/89/the-centrality-of-security
Posted by: drunkenbatman at May 30, 2005 01:33 PM
"Move the site somewhere and let them deal with this stuff" Why do you rate this "highly unlikely"?
It would move up from highly unlikely if there was a host the offered the bandwidth I often use for a price that wouldn't be several orders of magnitude greater than what I pay now, or would put up with the slashdottings/traffic. These are shared resources, and everything that comes with it -- try throwing a popular bulletin board system on one of them without having the guys come down hard, let alone some of what I do to a server. :)
Posted by: josh at May 30, 2005 02:38 PM
Try renaming mt-comments.cgi (and the various references to it in your templates and mt.cfg). Works like a charm -- the automated spammers can't find it.
Posted by: padawan at May 31, 2005 03:53 AM
I understand. Then what about getting your current host (or yourself if you have a hand in what your server runs) to put mod_security in front of the web server?
Posted by: GG at May 31, 2005 04:08 AM
"I understand. Then what about getting your current host (or yourself if you have a hand in what your server runs) to put mod_security in front of the web server?"
Padawan -- Not to sound mean, but do you know what mod_security is for?
Posted by: padawan at May 31, 2005 12:56 PM
"Padawan -- Not to sound mean, but do you know what mod_security is for?"
I do. I even contribute mod_security rules to combat comment-, trackback- and referrer-spam to protect my site and others hosted at TextDrive. It's convenient and highly, highly efficient for the issue discussed in this post.
Why that question?
Posted by: Wotak at May 31, 2005 07:50 PM
Get the WordPress on brother.
It's workin' great for me. I can't complain at all.
Comments? I don't use 'em because I deal with to much controversy as far as content goes to even think about having time to keep up with the spam kiddies. I disabled all that shit early on.
I'm thinking of throwing up a PHP Nuke board though, just to watch the religious nut-jobs beat the hell out of one another.
Recently I hosted a little video that ate up 100GB of bandwidth in about 5 days.
I've gotten 75 million "I hate you" messages... so I guess it's time to give the wacko's a place to play.
Brother, the interface isn't really all that important.
It's the content.
Find the front end that works for you and rock on wit yer bad self.
Wotak
Posted by: Jesper at June 1, 2005 04:48 AM
Wotak: MT will work equally great for him in this respect if he was out to disable comments. He isn't.
There is beefeater vodka. How about my computer with a bottle of beefeater vodka next to it. Will that work? :^)