Small fix to 0.6.4

Looks like I neglected to remove a line of debugging code from the newblog.php page in version 0.6.4. This causes the redirect after creating the blog to fail, so you never get sent to your new blog. The fix is just to remove the echo statement on line 107 of newblog.php. Or you can just download the fixed file here and extract it to the root of your LnBlog folder, overwriting the old version.

Figuring out my comment spam

So I come home after a rotten day, feeling really down, and what do I find in my inbox? Twenty-four (yes, that's 24) e-mail notifications for comments on my blogs: all of them spam. Damned degenerate scumbags. I guess it's time to get serious about implementing a content filter, because these sub-human wastes of perfectly good carbon atoms just won't leave me alone. And I'm getting tired of deleting comments and trackbacks by these walking piles of monkey excrement, so my only choice is to get pro-active.

The thing that really pisses me off about today's hit and run is that it isn't even commercial spam. Oh, I hate the assholes who leave that too, but at least I can understand it. Deleting links to online gambling and loan refinancing sites is unpleasant, but at least the act of posting such links on blogs makes sense: more links = better Google ranking = more money. They're still slightly below flesh-eating bacteria on the scale of human worth, but at least their actions aren't completely incomprehensible.

Today's round of comment spam, however, is different. This isn't the first time I've suffered this type of attack, but it is the first time I ever stopped to analyze it. You see, there were two distinct types of comment. The first makes absolutely no sense to me. It is simply something@skepticats.com posted as the name, subject, and body of the comment. That's it. No links or anything. Just an invalid e-mail address at my domain. Does anybody have any clue what the purpose of such a comment could be? Does it have something to do with gaming e-mail harvesters? That's pretty much all I could think of.

The second type of message is significantly more complicated. Like the previous message type, it contains a random e-mail address at my domain in the subject and body of the comment. However, for the name field, it contains some variation on the following text:
to
Content-Type: multipart/alternative; boundary=912124b723a23f3d33ad518075fc69e8
MIME-Version: 1.0
Subject: carelessly. s no one in the hut, no
bcc: real_address_removed@aol.com

This is a multi-part message in MIME format.

--912124b723a23f3d33ad518075fc69e8
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

strove to compete with the steam packet, the dark smoke from which, like some demon, partly rested upon the vessel, partly
--912124b723a23f3d33ad518075fc69e8--

.
I actually had to look at the raw data files on my server to figure out that this was going in the name field. On the comments page, most of it actually showed up in the body. This seems to be because the comment class expects every field except the body to be one line, because that's the only way to enter it on the form.

I could be wrong, but this appears to be an attempt to piggyback on the comment notification system. Apparently the idea is that by injecting mail headers directly into the name field, they can fool the mailer into thinking they're real headers and sending a copy of the message to the address in the BCC line. Fortunately, it doesn't appear to work. However, I'm still concerned that there's no actual commercial content in the messages. They appear to be just text snippets taken at random from a story of some type. Why would anyone want to send that? Is somebody just using this as a test? What on earth is going on with these messages?
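As an added example (not LnBlog's own code), here is one way a comment handler can refuse this kind of payload before any notification is sent: reject line breaks in every single-line field and keep user-supplied text out of the mail headers entirely. The function names, addresses and sample comments are hypothetical and constructed for illustration.

```php
<?php
// Added example, not LnBlog code. All function names are hypothetical.

/** True if a single-line field carries CR, LF or NUL (an attempt to start a new header line). */
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

/** Collapse a field to one printable line, for logging or display. */
function to_single_line(string $value, int $max = 100): string
{
    $flat = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value);
    return substr(trim($flat), 0, $max);
}

/** Build the notification parts, or return null if a single-line field has a line break. */
function build_notification(array $comment, string $owner): ?array
{
    foreach (['name', 'email', 'subject'] as $field) {
        if (has_header_injection($comment[$field] ?? '')) {
            return null; // reject rather than try to repair
        }
    }
    // Fixed headers only; everything the visitor typed goes in the body.
    $headers = "From: blog-notify@example.com\r\nContent-Type: text/plain; charset=utf-8";
    $body = "Name: {$comment['name']}\nSubject: {$comment['subject']}\n\n{$comment['body']}";
    return ['to' => $owner, 'subject' => 'New comment posted', 'headers' => $headers, 'body' => $body];
}

// Constructed samples: the first is modelled on the name field quoted above.
$spam = [
    'name'    => "to\nContent-Type: multipart/alternative; boundary=abc\nbcc: third-party@example.com",
    'email'   => 'random@example.com',
    'subject' => 'random@example.com',
    'body'    => 'random@example.com',
];
$ok = ['name' => 'Alice', 'email' => 'alice@example.com', 'subject' => 'Nice post', 'body' => "Line one\nLine two"];

foreach (['spam' => $spam, 'ok' => $ok] as $label => $c) {
    $mail = build_notification($c, 'owner@example.com');
    if ($mail === null) {
        echo "$label: rejected, name was: " . to_single_line($c['name'], 40) . "\n";
    } else {
        echo "$label: would send '{$mail['subject']}' to {$mail['to']}\n";
        // mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
    }
}
```

Rejecting the comment outright also keeps the multi-line name out of the stored data file, so it cannot spill into the body on the comments page.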

DisableComments 0.2.0

Just as a change of pace, I'm releasing a new version of a standard plugin. Actually, I'm doing it because the comment and trackback spam is starting to bug me (it's been picking up again lately), so I figured I'd adjust one of the plugins to get rid of it. And since I'm not planning a new release any time soon (unless I get some bug reports), I figured I'd just release it separately.

You can download the DisableComments plugin version 0.2.0 here. To install, just extract the PHP file from the ZIP archive and copy it into your LnBlog/plugins folder, overwriting the old version. This version adds an option to automatically disable comments and trackbacks on entries older than a certain number of days. To enable the new feature, just go to the plugin's configuration page and enter a number in the text box. That'll stop the trackback spam on entries that are a year old!

LnBlog 0.6.4 released

Time for yet another maintenance release. LnBlog 0.6.4 is now available. This release includes a critical security fix for users who have AUTH_USE_SESSION set to false. If that's you, consider this a required upgrade. Users who are using the default authentication configuration are not affected by this bug.

In other news, this release also fixes several minor bugs and annoyances. For starters, the broken "back to plugin list" links in the plugin configuration now work. I've also removed the broken default code when the pageheader plugin is disabled and fixed the trailing newline bug in LBCode that's been annoying me for some time.

By way of small "features," I added a warning when trying to create a blog in your LnBlog installation directory, because that just won't work. I also added a little feature to the LBCode URL auto-translation to allow absolutizing to the blog root. Previously, any URL given in a url or img tag that didn't contain slashes had the URL of the entry it was stored in prepended to it, so that it would display correctly on the front page or in RSS feeds. Now, however, you give links relative to the blog root by including a slash in them and links relative to the root of your site by starting them with a slash. So, for example, when I post a link to the LnBlog download page in this blog, I can give content/download/, whereas if I want to link to my computing blog, I can give /linlog/. Just a little extra convenience.

As usual, you can grab the new archive here or go to the download page itself and grab the signature, checksums, and documentation. If you find any problems or have any questions, you can e-mail me or post a comment.

LnBlog 0.6.3 is up

Well, I finally got around to uploading the next maintenance release. You can grab the archive here or get all the associated goodies from the download page.

This release fixes the previously mentioned sitemap problem, sorts blacklisted IP addresses for easier management, and adds out of the box support for running from /home/user/public_html (which it could do before, but required setting a configuration regex). The one big "feature" is a redesign of the ever-so-crappy plugin loading configuration page. Now, instead of three crappy text areas, it uses a table with text boxes to enter the load order and check boxes to disable loading a file.

As usual, please e-mail me or leave a comment if you have any problems or questions.

Sitemap error

It turns out there's a bug in the script used to set the custom sitemap. The file name was not being set correctly, so changes never showed up on the page. I'll fix this in the next release, but here's a quick fix to use in the meantime. Just save this in the LnBlog root directory as "sitemap.php", overwriting the old file.

LnBlog 0.6.2, "No Need to delete"

I've uploaded release 0.6.2 of LnBlog. This is another bug-fix release. Thanks to R. Damon for reporting several of the issues. Here's the list of fixes:

  1. Fixes bug that broke support for PHP 5.
  2. Fixes warning messages about DOCUMENT_ROOT in initial setup.
  3. Fixes broken links in terminal theme.
  4. Fixes problem with deleting entries when history is disabled (which is the default since version 0.6.0).

You can get the new version here or from the download page. As usual, please mail me or leave a comment if you have any questions or find any bugs.

LnBlog 0.6.1 is up

I finally got around to uploading the first maintenance release for LnBlog 0.6. You can get it from the download page. My apologies for not getting it out there sooner, but I've been pretty busy lately and just haven't had time to work on this project.

This fixes several bugs in the 0.6.0 release. These bugs include:

  • Bad user profile links in comments.
  • Comments not being added when posting from pretty permalink page.
  • The "post a comment" link not showing up in tuxice theme.
  • The "remember me" feature for comments not working.

As usual, please e-mail me or leave a comment if you have any questions, feedback, or if you find any other bugs.