Anti-comment spam update

Looks like key rotation isn't working as expected:

67.15.18.27 - - [19/May/2007:09:25:36 -0700] "GET /post.ml?reply_of=56 HTTP/1.1" 200 7586 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt\\)"
67.15.18.27 - - [19/May/2007:09:25:37 -0700] "POST /cgi-bin/post.pl HTTP/1.1" 200 5190 "http://hxbc.us/post.ml?reply_of=56" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
67.15.18.27 - - [19/May/2007:09:25:57 -0700] "POST /cgi-bin/post.pl HTTP/1.1" 302 5 "http://hxbc.us/post.ml?reply_of=56" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
67.15.18.27 - - [19/May/2007:13:20:42 -0700] "POST /cgi-bin/post.pl HTTP/1.1" 302 5 "http://hxbc.us/post.ml?reply_of=56" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

The 5-second delay clearly worked the first time, and the spammer proceeded to repost the comment 20 seconds later. I wonder how he was able to post again nearly 4 hours later without getting another secret token.

I have another plan to make the spammers' lives more difficult, which I will probably implement this weekend.

by khc on Sat May 19 13:31:02 2007 Permlink
Tags: computer

A Plan Against Comment Spam

Those of you who are silly enough to check this space every day should have noticed that this site has been plagued by comment spam recently. In the last couple of days I have deleted more than 100 spammy comments. Tonight I decided that I've spent enough time deleting them (2 for loops in bash, really), so I sat down and implemented some anti-spam logic that I've been thinking about in the past few days.

Looking at the server log I noticed that each spam comment involved only a single POST to the comment CGI script. The spam bots don't GET the comment page, and each IP posts only one comment. The content varies, but it's usually about Viagra. I could probably just filter out comments using keywords, but some comments contained only links and nothing else. I also don't want to do CAPTCHA or other things that depend on the spammer not being smart enough.

Now each time you request the comment page, you are given a base64-encoded secret. The secret is your IP and the current timestamp encrypted using Blowfish. When the comment is posted, I decrypt the secret and check that the poster's IP is indeed the same IP I handed the secret to. I also check that it's been at least 5 seconds since I handed out the secret, to stop bots GET'ing the page and then POST'ing immediately. Finally, the secret is only valid for 1-2 hours. This is implemented by prepending the current hour to a secret to construct the key, and falling back to the previous hour's key to handle the borderline case. This is probably more trouble than it's worth, since I can simply check the timestamp that's in the secret, but I figure that rotating to a different key every hour is probably not a bad idea.
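As an added example (not the site's Perl code) of the same check in Python: the token binds the IP and issue time, the key is the hour number prepended to a constructed server secret, verification falls back to the previous hour's key, and the 5-second rule is enforced. An HMAC-SHA256 tag over the clear payload stands in for the post's Blowfish encryption so the example needs only the standard library; it replays the log lines from the update above, and also shows the cross-hour fallback and a malformed token.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

SERVER_SECRET = b"constructed-secret-not-from-the-post"  # constructed; the real secret is unknown
MIN_AGE = 5      # seconds a poster must wait after fetching the form, as the post requires
HOUR = 3600

def hour_key(hour_index):
    """Per-hour key: the hour number prepended to the server secret, as the post describes."""
    return str(hour_index).encode() + SERVER_SECRET

def issue_token(ip, now):
    """Bind the requester's IP and issue time into a base64 token tagged under this hour's key."""
    payload = f"{ip}|{now}".encode()
    tag = hmac.new(hour_key(now // HOUR), payload, hashlib.sha256).hexdigest().encode()
    return base64.b64encode(payload + b"|" + tag).decode()

def verify(token, poster_ip, now):
    """Accept only for the same IP, after MIN_AGE, under this hour's key or the previous hour's."""
    try:
        payload, tag = base64.b64decode(token, validate=True).rsplit(b"|", 1)
        ip, ts = payload.decode().split("|")
        ts = int(ts)
    except ValueError:  # bad base64, missing separator or non-numeric timestamp
        return (False, "malformed")
    for hour_index in (now // HOUR, now // HOUR - 1):  # current key, then previous hour's key
        expected = hmac.new(hour_key(hour_index), payload, hashlib.sha256).hexdigest().encode()
        if hmac.compare_digest(expected, tag):
            break
    else:
        return (False, "expired or forged")
    if ip != poster_ip:
        return (False, "ip mismatch")
    if now - ts < MIN_AGE:
        return (False, "too fast")
    return (True, "ok")

def log_time(hh, mm, ss):
    """Epoch seconds for a 19/May/2007 time in the -0700 zone of the log lines above."""
    tz = timezone(timedelta(hours=-7))
    return int(datetime(2007, 5, 19, hh, mm, ss, tzinfo=tz).timestamp())

def replay_log():
    """Replay the update's log: GET at 09:25:36, then POSTs at 09:25:37, 09:25:57 and 13:20:42."""
    ip = "67.15.18.27"
    token = issue_token(ip, log_time(9, 25, 36))
    return [verify(token, ip, log_time(*t)) for t in ((9, 25, 37), (9, 25, 57), (13, 20, 42))]
```

With an hour-keyed token the POST nearly four hours after the GET is rejected, which is why the update above concludes that the rotation was not doing what it should.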

Implementing it took more time than it should have because the Crypt::CBC module on dreamhost is older than what I have on my local machine. I ended up copying the local copy to the server and using that instead.

This is all I am going to do for now. I realize that it's not perfect (for example, a bot can get the secret and keep posting from the same IP for 2 hours), but hopefully it is enough to deter most spammers.

by khc on Fri May 18 00:02:34 2007 Permlink
Tags: computer

From Kinder Surprise to Demae Iccho

I remember one day (though not why) the conversation turned to the three wishes of the Kinder Surprise egg. While trying to find out what exactly those three wishes were, I came across the blog of someone about my age. Like me, she is an emigrant from Hong Kong; the difference is that she went to Canada. On her blog she wrote that Kinder Surprise eggs brought back many childhood memories for her. Perhaps because I rarely ate snacks, the Kinder Surprise eggs that cost $5 each back then left me with few memories; the Kinder toys I ever owned could probably be counted on ten fingers.

Kinder Surprise egg

When I was in secondary school in Hong Kong, I occasionally cooked noodles for lunch myself; what I ate then, if not Doll noodles (公仔麵), was always Demae Iccho. Because my parents considered MSG unhealthy, the noodles were cooked with just oil and salt, but even as a child I already thought it was one of the tastiest foods there is.

Demae Iccho

In almost nine years in the US I have eaten a lot of noodles but never Demae Iccho, until recently, when my parents brought home a case of the five-spice beef flavour. Since then every bowl of noodles has been Demae Iccho, and I used the seasoning packet that comes with it too, but the old feeling is gone. Perhaps it is because I no longer hear the two lines from the commercial, 「我唔係想食你嘅麵,我只係想見多你幾面」 ("I don't want to eat your noodles, I just want to see you a few more times"). Or perhaps what changed is not the surroundings but me.

The day I looked up the Kinder Surprise egg I never did find out what the three wishes were; today I finally know. What most kids wanted back then was just 「朱古力,玩具,同埋新奇好玩嘅嘢」 ("chocolate, a toy, and something new and fun"), nothing more.

by khc on Tue Apr 10 20:03:04 2007 Permlink
Tags: chinese

Pidgin

Gaim, everyone's favorite IM client, has been renamed to Pidgin. The name change had been planned for a long time, but was formally announced today. I found out about this on April Fools' Day; you can probably imagine my disbelief at the time.

Gaim is dead, long live Pidgin.

It has a new look as well:

pidgin screenshot

Props to Hylke Bons for creating a new set of Gaim^WPidgin icons.

by khc on Mon Apr 9 23:14:43 2007 Permlink

Adware

Today I was looking at my site's statistics report and happened to notice a visitor from Hong Kong whose machine had adware installed:

XXX.XXX.XXX.XXX - - [27/Mar/2007:22:12:42 -0700] "GET /?post=48 HTTP/1.1" 200 2101 "http://khc-hxbc-us.spaces.live.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"

It was the first time I had seen FunWebProducts; my gut told me it was adware, and a search confirmed it. There is a Chinese-language description of it here.

This friend came via my MSN Spaces page on the morning of the 28th, Hong Kong time, so they should be on my MSN contact list, which leaves only three suspects. Excluding my cousin, who was not online at the time, I think I can guess who it is. Friend, go and check your computer.

by khc on Wed Mar 28 20:18:44 2007 Permlink
Tags: chinese