October 15, 2003

Comment Spam: Fuck to YOU!

My problem with spam being added to my comments has recently escalated. It's coming more regularly, and instead of promoting stupid zipcode websites, it's promoting 'lolita' sites. That's too much. Must stop.

When I searched Google it was clear EVERYONE with a Movable Type installation is suffering this problem.

Everyone has their pet solution, and many of them seem way too complex too fast, and all are immature. I'm not keen to start getting involved in collaborative blacklists and comment vetting queues and so on.


Pareto Solution?
So my pareto solution was to rename my mt-comments.cgi file to something different. The hope being that the spammers aren't actually parsing my blog itself for the comment link, just assuming that it's the default Movable Type name.

To implement this, just change the name of your mt-comments.cgi file indicated in mt.cfg, rename the mt-comments.cgi to the same name, and then rebuild your site.

Form Hacks
Some other guy had a crude little hack that wedged a hidden form variable into the comment templates, which mt-comments.cgi dies on if it doesn't find that variable. Again this assumes that the spammer is not doing a great deal of parsing of my specific page, just shotgunning spams designed around the default Movable Type installation.

The problem was, the guy didn't bother to list exactly which templates needed to be modified. I fucked about for forty-five minutes trying to get it to work, but somehow I wasn't able to find one of the templates. I just gave up when I stumbled onto the mt-comments.cgi rename trick. If that fails to work, maybe I'll pursue this one again.
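The form hack described above, as an added example in Python rather than Movable Type's Perl; this is not code from the original post or from MT. It goes a step past the static hidden field by deriving the token from a server secret and the entry id, so there is no single constant to copy into a spam script; the field name, the secret, and the `entry_id`/`text` parameter names are assumptions.

```python
import hmac
import hashlib

# Assumed secret; in a real install this would come from site config
# (hypothetical setting, not an MT option).
SECRET = b"replace-with-a-long-random-secret"
FIELD_NAME = "mt_form_token"  # hypothetical name of the hidden field


def form_token(entry_id: str) -> str:
    """Token to embed in the comment form for one entry: HMAC(secret, entry_id)."""
    return hmac.new(SECRET, entry_id.encode(), hashlib.sha256).hexdigest()


def hidden_input(entry_id: str) -> str:
    """The hidden <input> to wedge into the comment template for this entry."""
    return f'<input type="hidden" name="{FIELD_NAME}" value="{form_token(entry_id)}">'


def check_comment_post(fields: dict) -> tuple:
    """Decide whether a posted comment form is accepted.

    fields is the parsed POST body (e.g. from cgi.FieldStorage).
    Returns (accepted, reason) so the CGI can die with a useful message.
    """
    entry_id = fields.get("entry_id", "")
    if not entry_id:
        return False, "missing entry_id"
    presented = fields.get(FIELD_NAME, "")
    if not presented:
        # The shotgun case: a post built around the default install
        # never saw our template, so the field is simply absent.
        return False, "missing form token"
    expected = form_token(entry_id)
    # Constant-time compare so a bad token takes as long as a good one.
    if not hmac.compare_digest(presented, expected):
        return False, "bad form token"
    if not fields.get("text", "").strip():
        return False, "empty comment"
    return True, "ok"
```

A bot that fetches the entry page and parses the form still gets a valid token, so this only stops posts aimed blindly at a stock install, the same limit the rename trick has.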

Other Solutions
Probably the most "advanced" (complicated?) solution so far is by Jay Allen. It's tidy in that it doesn't involve hacking MT scripts, but it does involve a bunch of plugins, and then having new behaviors with MT, etc. I also don't like it in that it actually still allows the comments to be added, it just doesn't display them. I don't want the fucking things cluttering my system at all, on both the user or admin side. I hope I don't have to implement this solution to find relief. Or if I do, that it is sufficiently matured that I'm not beta-testing this thing.

Of course someone put out a "noisy number picture" authentication solution too. If I have to go "advanced," at least that would be an interesting one.

One last solution was to lay honeypots on your site that could only be seen by a harvesting bot, and if touched, resulted in that IP address getting .htaccess blocked. Not really that helpful. So what? I turn mt-comments.cgi into a honeypot? Ok, first time someone goes to that URL, referred by a Google cache or whatever, I've fired a false positive -- the worst sort of failure.

Parsimony
One parsimonious aid would be a better comments/blocking admin page. I should be able to see a page with all comments for all blogs I am hosting. Each comment should have a "delete comment" and "delete comment and ban IP" link. And if I ban an IP, it bans it on every blog, not just the blog which suffered the spammy comment.


Conclusion
This will be a continual fight, but Movable Type/Six Apart seems to be taking this seriously and is looking to create core functionality to aid in the fight.

=== followup ===

One more pareto solution is to stop Google from indexing the comment entry page by itself.

It makes sense for two reasons -- one, it prevents spammers from finding an easy hook to your commenting mechanism. Secondly, aesthetically, it's a really crappy search result for Google to return, because it doesn't have any links to the original blog article.

To be clear, simply add the meta tag to the top of the "Comment Listing Template" inside Movable Type, then rebuild your site.


=== Update (11/09/03) ===

Here's the best summarization of anti-comment-spam strategies I've seen yet.


=== Update (2/19/04) ===

I implemented MT-Blacklist tonight. My earlier apprehensions were wrong; this is a good product.

Posted by Nils Blutig at October 15, 2003 11:17 PM