January 2005 Archives
Version 3.15 fixes a vulnerability in the mail sending packages for all Movable Type versions in which the user has enabled comment notifications. This vulnerability allows a malicious user to send email through the application to any number of arbitrary users.
All Movable Type users should install this update.
If you already purchased Movable Type, or downloaded the free version, you’ll be able to download the new release for free from your Movable Type account.
For those users who don't want to do a full upgrade just yet, we are also making this fix available in the form of a plugin: zip (1K) or tar/gz (1K) archive. This plugin is compatible with all 3.x versions as well as v2.661 (and perhaps even older versions, although they haven't been tested) and affords your installation exactly the same protections that v3.15 provides.
Full details of the release changes can be found in the changelog.
We apologize for this oversight and thank you for being patient. You can bet we like spammers less than you do.
UPDATE: It should be noted that the default Movable Type installation is not vulnerable to this exploit as comment notifications must be enabled in order for it to be effective. The post above has been modified to reflect that fact.
Today we are pleased to announce our full support for the rel="nofollow" hyperlink attribute, introduced to address the main cause of weblog spam: the payoff of higher placement in search engine results.
This initiative, with announced support from Google, Yahoo, MSN (and surely more to come), will direct search engines to ignore links with this attribute set for the purposes of spidering or increasing search engine relevance or ranking.
For current users of Movable Type (note: this plugin is included by default starting with version 3.16), this support is implemented as a simple plugin (zip [4K], tar/gzip [3K]; tested on MT 3.x and MT 2.661). For most users, enabling "nofollow" support involves placing a single file in your plugins directory. All links submitted by external users in comments and TrackBacks will then be modified to add the rel="nofollow" attribute.
If you're interested in specific details of its operation and the effect it has on Movable Type template tags, see our overview entitled "Introduction to nofollow" on the Professional Network weblog. For an overview of our support across all Six Apart platforms, please see Ben's "Support for nofollow" post on Six Log.
Also, in case you missed it, you should check out the "Movable Type Guide for Fighting Comment Spam", which we published a week and a half ago but which may have been drowned out by other matters.
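The link rewriting described above (adding rel="nofollow" to every link submitted in a comment or TrackBack) can be sketched as follows. This is an added example, not the Movable Type plugin's code; the names NofollowRewriter and add_nofollow are hypothetical, and it assumes the comment HTML has already passed through whatever tag sanitising the weblog applies.

```python
# Added example: rewrite untrusted comment HTML so every link carries rel="nofollow".
from html import escape
from html.parser import HTMLParser

class NofollowRewriter(HTMLParser):
    """Re-serialise comment HTML, adding rel="nofollow" to <a href> tags."""

    def __init__(self):
        # convert_charrefs=False keeps &amp; and &#38; in text exactly as written.
        super().__init__(convert_charrefs=False)
        self.out = []  # HTML comments and doctypes are not handled, so they are dropped

    def _emit(self, tag, attrs, close=""):
        if tag == "a" and any(k == "href" for k, _ in attrs):
            # Merge with any rel the commenter supplied rather than trusting it,
            # so rel="friend" cannot be used to omit nofollow.
            tokens = [t for k, v in attrs if k == "rel" and v for t in v.lower().split()]
            if "nofollow" not in tokens:
                tokens.append("nofollow")
            attrs = [(k, v) for k, v in attrs if k != "rel"]
            attrs.append(("rel", " ".join(tokens)))
        parts = [tag]
        for k, v in attrs:
            # The parser unescaped attribute values; escape them again on output.
            parts.append(k if v is None else f'{k}="{escape(v, quote=True)}"')
        self.out.append("<" + " ".join(parts) + close + ">")

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, " /")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def add_nofollow(comment_html):
    rewriter = NofollowRewriter()
    rewriter.feed(comment_html)
    rewriter.close()  # flush any text still buffered by the parser
    return "".join(rewriter.out)
```

Using a real HTML parser rather than a regular expression means upper-case tags, unquoted attributes and a commenter-supplied rel value are all normalised before the attribute is added.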
Call it a late holiday gift or a great way to start the new year. In either case, we are pleased to offer you the Six Apart Guide for Fighting Comment Spam (also available in PDF format).
The guide covers many of the concepts and tools available to fight comment spam and explains the strengths and weaknesses that we've seen in each. We also included our "best practices" recommendations for not only keeping spam off of your site, but making sure that you and your readers have the best possible experience. The guide is intended to be a fairly comprehensive, living document which will change and grow over time to reflect the changing nature of the topic.
As I've mentioned before, Six Apart is fully committed to eradicating comment spam. We look forward to moving forward in 2005 and providing you with the solid features, innovation and utility you've become accustomed to from Movable Type.


