[Update: I feel a little less apocalyptic about this now, though something definitely needs to be done. According to NITLE Blog Census, Movable Type has a ten-fold lead in nonhosted weblog operation. There are real cases of crapflooding. (Real cases.) (Real cases—I saw the penisbird and ASCII hello.jpg comments myself.)]
So, this has me kinda freaked. I could be totally whacked out on brain chemistry and low sleep right now but I'm actually getting somewhat distraught over this thing.
I look at this program, and I see how easy it would be to... to... go totally apeshit and crapflood weblogs. All the Movable Type weblogs. Our “low barrier conversations” or whatever Mark Pilgrim called them are really in danger here, it feels like. Anyone you criticize of low enough moral character can get a point-and-click crapflooder to waste plenty of your time in retribution.
Take one FloodMT and mix in:
- MT-Blacklist awareness. People are eager to share their blacklists; put their data in the program such that it automatically avoids blacklisted words. Filter your proxy list for banned IPs, but keep feeding new proxies in (the Internet's full of them).
- Message faking. Go find real comments on the web and steal their names and URLs to reuse. Try to look as much like real comments as possible; steal real comment text, maybe, or Markov chain it. This doesn't work for actual spamming, unless you're kicking up a cloud of dust enough to sneak in a few of your own named links, but for flooding that's fine. You don't care what the garbage looks like as long as it's garbage.
- Real form awareness. Make sure you're getting the form that's visible on the screen; I try to hide mine with fake forms, but looking for real form elements zips right to the real one. This beats renamed elements too. You should always Preview before Posting; this cuts through my major personal protection (a hidden form field that only appears when you Preview) like butter, and nothing short of this really would. Using mechanize instead of raw urllib as the existing FloodMT does would be a step.
- A spider so it can itself find new weblogs to flood. Google API would make this work better, sliding laterally in from the “rest” of the Internet instead of only creeping across the interlacing network of blogrolls.
That leaves (a) captchas—bet a lot of these are still OCRable—and (b) actual barriers to anonymous posting like logins and screening.
Shit, shit, shit.