The other morning I got a message from my web host that I was over my bandwidth for the month. In and of itself this didn’t overly concern me; but once I thought about it and realized it was about 5 days into my monthly billing cycle, I started to wonder.
The logs indicate that the cause was many thousands of hits on my _captcha_. (It's the little picture of letters and numbers that you have to type into the form field if you post anonymously.)
I am not quite sure why this is happening.
- I do not think the captcha image can be actually used elsewhere;
- the requests appear to be direct, and singular. (It is listed as the entry and exit page for all visits recorded.)
- there was also a corresponding increase in SPAM attempts, although the number of completely submitted spam was only a couple hundred, compared to thousands of requests for the captcha. (By completely submitted I mean that spam was in the list of comments waiting to be approved, but had not been published.)
I think that is a bug in MT. The program should check to see that the request for the captcha image came from a site or page that the program has published.
Anyway, if you have the same problem, there are half a dozen sites with instructions to keep someone from “hot linking” images from your site. I adapted one of those to refuse attempts to request the captcha unless the referring page is on my site. The lines in my .htaccess file look something like this and they appear to work as I planned.

```apache
RewriteEngine On
# Refuse (403 Forbidden) any captcha request whose Referer is not a page on this site
RewriteCond %{HTTP_REFERER} !^http://(www\.)?advisorbits\.com/ [NC]
RewriteRule ^.*captcha.*$ - [F,NC,L]
```
If you wanted to use something like this, you would replace advisorbits.com with your own domain name.
As of about 2 months ago, these instructions stopped working. This has turned out to be the straw that broke the camel’s back with regard to MovableType.
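To see from an access log how many captcha requests arrive with no referer or an off-site one, and which clients send them, here is an added example that is not part of the original post. It assumes Apache's "combined" log format; the log lines, IP addresses and captcha paths are constructed for illustration.

```python
import re
from collections import Counter

# Same referer test as the post's RewriteCond ([NC] = case-insensitive).
ON_SITE = re.compile(r"^http://(www\.)?advisorbits\.com/", re.I)
# Assumption: Apache "combined" log format.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
                  r'\d{3} \S+ "(?P<referer>[^"]*)"')

# Constructed sample lines (documentation IPs, made-up paths), not real logs.
D = "[01/Jan/2000:00:00:00 +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {D} "GET /cgi-bin/captcha/a1.png HTTP/1.1" 200 2311 "-" "UA"',
    f'203.0.113.7 - - {D} "GET /cgi-bin/captcha/a2.png HTTP/1.1" 200 2311 "-" "UA"',
    f'203.0.113.7 - - {D} "GET /cgi-bin/captcha/a3.png HTTP/1.1" 200 2311 "-" "UA"',
    f'198.51.100.20 - - {D} "GET /cgi-bin/captcha/b1.png HTTP/1.1" 200 2311 '
    '"http://www.advisorbits.com/archives/post.html" "UA"',
    f'192.0.2.55 - - {D} "GET /cgi-bin/Captcha/c1.png HTTP/1.1" 200 2311 '
    '"http://example.net/page.html" "UA"',
    f'198.51.100.20 - - {D} "GET /archives/post.html HTTP/1.1" 200 9000 "-" "UA"',
]

def classify(referer):
    """Return 'none', 'on-site' or 'off-site' for a logged Referer value."""
    if referer in ("", "-"):
        return "none"
    return "on-site" if ON_SITE.match(referer) else "off-site"

def captcha_report(lines):
    """Count captcha hits by referer class, and per client for hits the rule refuses."""
    by_class, refused = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        # A RewriteRule pattern sees the URL path only, not the query string.
        path = m["path"].split("?", 1)[0]
        if "captcha" not in path.lower():
            continue
        kind = classify(m["referer"])
        by_class[kind] += 1
        if kind != "on-site":
            refused[m["ip"]] += 1
    return by_class, refused

if __name__ == "__main__":
    by_class, refused = captcha_report(SAMPLE_LOG)
    print(dict(by_class))
    for ip, hits in refused.most_common():
        print(ip, hits)
```

The Referer header is supplied by the client, so a rise in the "on-site" count from a small number of addresses is also worth checking.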