May 21 2007

All recent versions of Movable Type include a number of plugins for blocking spam, including a set of plugins called SpamLookup. We wanted to update you about a third-party service that’s affected the performance of one of the plugins, along with some easy steps you can take to fix the issue.

Recently, an IP blacklist service known as Blitzed ceased its operations. Movable Type’s SpamLookup plugin uses this service to process incoming comments and TrackBacks to determine if they are spam or not. With Blitzed shut down, a lot of you might be experiencing delays when publishing your readers’ comments.

Though we’re sorry to see Blitzed go (and thank the team for their efforts), the good news is that a free replacement is available. The Spamhaus Project has been in operation for over 9 years and has a long track record of providing excellent protection against known spammers. In addition to offering its technology for free, Spamhaus works with law enforcement and cyber-crime teams worldwide, helping them not only to block these miscreants, but also to bring them to justice.

Adding Spamhaus to your spam filtering rules is straightforward: you’ll need to make a small change to SpamLookup’s configuration. To fix the issue, follow these simple instructions:

  1. Log in to Movable Type. (Your account will need to have System Administrator privileges.)
  2. Click on the “Plugins” link in the main navigation on the left-hand side.
  3. Look for the “SpamLookup - Lookups” plugin set listed among your other plugins.
  4. Click “Show Settings.”
  5. Under “IP Blacklist Services” highlight and replace the text “opm.blitzed.org” with “zen.spamhaus.org”.
  6. Click “Save Settings.”

That’s it — your sites’ visitors should experience faster commenting times immediately, and your blog will keep blocking known spammers. If you need more information on fighting spam on your blog, take a look at the Movable Type Spam-Fighting resources on the community wiki, or contact Movable Type support for assistance.
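How an IP blacklist lookup of this kind works, and why a retired list slows comment handling, shown as an added Python example (not SpamLookup's own code). The function names, the two-second timeout and the constructed `fake_resolver` are assumptions made for illustration.

```python
import ipaddress
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def system_resolver(name):
    """Return the A record as a string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return None
        raise  # temporary failure: the caller treats the list as unavailable

def check_dnsbl(ip, zone, resolver=system_resolver, timeout=2.0):
    """Classify ip against zone as 'listed', 'clean' or 'unavailable'."""
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        answer = pool.submit(resolver, dnsbl_query_name(ip, zone)).result(timeout)
    except (FutureTimeout, OSError):
        return "unavailable"  # dead or unreachable list: give up, do not stall
    finally:
        pool.shutdown(wait=False)
    if answer is None:
        return "clean"
    # A listing is an answer in 127.0.0.0/24; any other answer is not a verdict.
    return "listed" if answer.startswith("127.0.0.") else "unavailable"

# Constructed stand-in for real DNS so the example runs offline.
def fake_resolver(name):
    if name == "2.0.0.127.zen.spamhaus.org":  # 127.0.0.2 is the usual DNSBL test entry
        return "127.0.0.2"
    if name.endswith(".opm.blitzed.org"):
        time.sleep(0.5)  # models a retired zone whose queries hang
    return None

if __name__ == "__main__":
    for zone in ("zen.spamhaus.org", "opm.blitzed.org"):
        print(zone, check_dnsbl("127.0.0.2", zone, resolver=fake_resolver, timeout=0.1))
```

Treating an unanswered list as "unavailable" rather than waiting on it keeps one dead service from delaying every comment.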

Jul 1 2005

This evening we released many enhancements to our TypeKey authentication service. For this release we addressed some lingering issues, and implemented several new features. Here are some of the highlights.

  • For new users, we streamlined the registration and account activation process.
  • When you log in to TypeKey, you can now elect to have the system remember you for up to two weeks, streamlining the commenting process for users who comment on TypeKey-enabled blogs frequently.
  • We introduced a new page that is displayed to TypeKey users if their email sharing preference conflicts with the requesting site's email address collection requirements.

A note to developers that have built applications that integrate with TypeKey: this release does not change the TypeKey protocol, and should not have any impact on your applications.

We're very excited about this release, and hope that it will simplify the TypeKey registration and authentication process.

Jun 20 2005

Today we are releasing a patch to fix an issue for customers running Movable Type versions 3.16 or 3.17 and using UTF-8 character encoding on their weblogs. Specifically, a bug introduced in Movable Type 3.16 causes the dirify routine to preserve dashes in transformed text where, historically, it has suppressed them. This could be problematic because the dirify routine is used to create all URLs in Movable Type.

While default Movable Type installations are not adversely affected by this bug, there are certain common or legacy customizations (which will be detailed below) that could cause problems. For that reason, if you are using UTF-8 and MT 3.16 or 3.17, we suggest that you download and install the patch just to be safe. The steps are as follows:

  1. Download the patch plugin (1K): tar/gzip (good for Unix), zip (good for Windows)
  2. Uncompress the file as you would Movable Type (e.g. double click it or use a decompression program like Winzip or Stuffit)
  3. Upload the uncompressed file (named patch-20050616-utf8dirify-nodash.pl) to the 'plugins' folder of your main Movable Type application directory.
  4. Rebuild any templates or archives that are published statically.

More details on the bug and the patch can be found below. We apologize for any inconvenience that this may have caused and thank those of you who brought the issue to light.

Mar 2 2005

Just a short note to those of you who may have tried to contact us recently: Apparently, we've had some trouble with the hamsters[*] who power our contact forms — most noticeably between Feb 28th-March 1st.

If you tried to contact us and haven't heard back, please re-send your inquiry either through the contact form or to contact@sixapart.com, and we'll make sure it gets answered.

Sorry about the inconvenience and thanks for your patience.

[*] - Don't worry. They are treated well and also have dental insurance but simply went on vacation without telling us...

Jan 24 2005

Version 3.15 fixes a vulnerability in the mail sending packages for all Movable Type versions in which the user has enabled comment notifications. This vulnerability allows a malicious user to send email through the application to any number of arbitrary users.

All Movable Type users should install this update.

If you already purchased Movable Type, or downloaded the free version, you'll be able to download the new release for free from your Movable Type account.

For those users who don't want to do a full upgrade just yet, we are also making this fix available in the form of a plugin: zip (1K) or tar/gz (1K) archive. This plugin is compatible with all 3.x versions as well as v2.661 (and perhaps even older versions, although they haven't been tested) and affords your installation the same protections that v3.15 provides.

Full details of the release changes can be found in the changelog.

We apologize for this oversight and thank you for being patient. You can bet we like spammers less than you do.

UPDATE: It should be noted that the default Movable Type installation is not vulnerable to this exploit as comment notifications must be enabled in order for it to be effective. The post above has been modified to reflect that fact.

Nov 26 2003

The "Email this to a friend" functionality in the mt-send-entry.cgi script is vulnerable to being used by spammers to send spam messages. In principle, all "email this to a friend" programs are vulnerable to being used by spammers, because they allow the user to specify a To: address and a message body. But in practice, MT's implementation of this is not as robust as it should be, and a new version is available below.

This fix is already included in all versions of MT 2.64 downloaded from today on.

If you're not using this functionality at all, we recommend that you simply remove mt-send-entry.cgi from your MT directory. MT doesn't have any hooks to use this script by default anyway, so you won't be breaking your MT installation.

If you are using this functionality on your MT weblog, you should download this package with a new version of mt-send-entry.cgi, unzip it, and replace the version of mt-send-entry.cgi on your server. The new version:

  • fixes a vulnerability that allows spammers to inject extra headers into messages;
  • removes the ability to send the message to multiple recipients;
  • restricts the message to 250 characters.

All of these fixes serve to discourage the script being used by spammers.
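The three restrictions listed above, sketched as an added Python example beside the pre-fix pattern they replace; this is not the code of mt-send-entry.cgi. The function names, the strict address pattern and the choice to reject (rather than truncate) an over-long body are assumptions.

```python
import re
from email.message import EmailMessage

MAX_BODY = 250  # the limit the post gives for the fixed script
# Deliberately strict: one bare address, no separators or display names.
ADDR_RE = re.compile(r"[^\s@,;<>]+@[^\s@,;<>]+")

def naive_headers(to, subject):
    """Pre-fix pattern: form input pasted straight into the header block."""
    return "To: %s\r\nSubject: %s\r\n" % (to, subject)

def build_message(to, sender, subject, body):
    """Apply the three restrictions; raise ValueError on any violation."""
    for value in (to, sender, subject):
        if "\r" in value or "\n" in value:
            raise ValueError("line break in header field")
    if not ADDR_RE.fullmatch(to):
        raise ValueError("exactly one recipient address is allowed")
    if len(body) > MAX_BODY:
        raise ValueError("message body longer than %d characters" % MAX_BODY)
    msg = EmailMessage()
    msg["To"], msg["From"], msg["Subject"] = to, sender, subject
    msg.set_content(body)
    return msg

def is_rejected(to, body="Thought you might like this entry."):
    """True when build_message refuses the input (constructed sender and subject)."""
    try:
        build_message(to, "reader@example.org", "An entry for you", body)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    injected = "friend@example.com\r\nBcc: list@example.net"  # constructed input
    print(repr(naive_headers(injected, "hi")))  # an extra header line appears
    print(is_rejected(injected), is_rejected("a@example.com, b@example.com"))
```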

Feb 17 2003

If you upgraded to 2.6 or 2.61, you need to upgrade immediately to 2.62. There is a security vulnerability in 2.6 and 2.61. If you have already upgraded, you can either download the upgrade distribution and perform a normal upgrade, or download the Author.pm file to replace the lib/MT/Author.pm on your server.

We're sorry for the inconvenience this may have caused. Because beta-testing with the number of testers we use makes it difficult to catch all bugs, we will most likely be implementing public beta tests in the future.

Jun 28 2002

Movable Type 2.21 has now been released with a very important bug fix to the MySQL schema.

The bug was that the created_on columns were timestamp fields, which means that MySQL updates them when an explicit value is not provided for them--this modifies the Authored On dates of any entries you modify. This bug will not occur if you are using MT itself, but only if you try to issue an insert or update command from the mysql client, phpMyAdmin, or another client tool. Thanks to shanson for finding this bug.

Version 2.21 has an updated schema that fixes the problem. So:

If you have not yet upgraded to 2.21 or installed Movable Type:
You can just install the system as normal, because the fixed schema has been integrated into the distribution.

If you have already upgraded, AND you are using the MySQL support:
1. Upgrade to 2.21 per the usual upgrade instructions.
2. Download this additional file and unpack it. It contains a CGI script called mt-upgrade221.cgi.
3. Upload mt-upgrade221.cgi to your webserver in ASCII mode into the directory containing mt.cgi.
4. CHMOD mt-upgrade221.cgi to 755
5. Run mt-upgrade221.cgi from your web browser. It should list the "alter table" statements that it is performing, then tell you that "all went well". If so, you're upgraded successfully, and you can delete mt-upgrade221.cgi from your server.

If you have already upgraded, and you are not using the MySQL support:
It is not urgent that you upgrade to 2.21, although there are some other small bug fixes in this release. Note: if you're not using MySQL, you don't have to run mt-dbupgrade221.cgi.

Here's the full changelog. The upgrade and full install for 2.21 can be downloaded from the download page.

Jan 7 2002

We made a rather messy mistake of naming the default stylesheet included in 1.4 "styles.css" because that clashes (if stored in the same directory) with the name of the stylesheet used by the MT app.

If you haven't downloaded 1.4 yet, don't worry -- a correction has already been made to the distribution.

If you have downloaded 1.4 and just happened to wipe out your MT system stylesheet, you will need to re-upload the styles.css that was in the distribution into the directory containing mt.cgi. Then go into MT, and change the name of the Stylesheet index template to "styles-site.css" (or something), then change each of the templates to use this new stylesheet name (rather than styles.css).

If you have downloaded 1.4 and nothing seems amiss, then it is because the two stylesheets are in separate directories.