MT Post Status Vulnerability

Jan 21, 2004 12:12 PM
Update: MT guru Brad Choate has come up with a useful application of this bug. I still say it's the wrong (i.e. unexpected and undesired) behavior for 99% of MT users.

While reading Jay Smooth's reaction to a spam attack, one of his observations stood out: "it even got a comment into posts I only had saved as drafts".

I tested this on my own Movable Type installation and, sure enough, spammers can visit and use the mt-comments.cgi?entry_id= page for any entry — even those that have a Post Status of "Draft".

Even worse, saving the spam comment forces MT to generate the individual archive page for that entry, releasing content that you're not ready to publish.

Possible solutions?
  • Disallow comments by default and then enable them when you change the Post Status to "Publish". This is feasible, but inconvenient and I bet people are likely to forget the step of enabling comments.
  • Don't use incremental IDs or any other discernible pattern. There may be other alternatives, but it's probably not a trivial hack.
  • Rename mt-comments.cgi. This, however, only helps until they discover the new filename (e.g. by following a "Comments" link on another entry).
  • The CGI scripts for posting comments should really verify the post status as "Publish" before proceeding any further. This is my personal favorite, and would require a few lines of Perl.
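
A minimal model of the last option, added here as an illustration (this is not Movable Type's own code, and the class and function names are invented): the "vulnerable" handler accepts a comment for any existing entry_id and rebuilds the archive page, while the fixed handler checks the Post Status first and answers a draft exactly as it would a non-existent entry.

```python
# Added illustration (not Movable Type's code): a minimal model of a
# comment-posting CGI showing why accepting a comment on a Draft entry
# leaks the entry, and how a status check at the top of the handler stops it.
from dataclasses import dataclass, field

DRAFT, PUBLISH = "Draft", "Publish"


@dataclass
class Entry:
    entry_id: int
    title: str
    status: str
    comments: list = field(default_factory=list)


@dataclass
class Site:
    entries: dict                                     # entry_id -> Entry
    archive_pages: set = field(default_factory=set)   # individual archive pages "on disk"

    def rebuild_entry(self, entry):
        # Saving a comment makes MT regenerate that entry's individual archive page.
        self.archive_pages.add(f"archives/{entry.entry_id:06d}.html")


def post_comment_vulnerable(site, entry_id, text):
    """Behaviour described in the post: any existing entry_id takes a comment,
    and saving it forces the archive page to be built, even for a Draft."""
    entry = site.entries.get(entry_id)
    if entry is None:
        return 404
    entry.comments.append(text)
    site.rebuild_entry(entry)
    return 200


def post_comment_fixed(site, entry_id, text):
    """Suggested fix: verify the Post Status before doing anything else."""
    entry = site.entries.get(entry_id)
    # Same response for missing and unpublished entries, so probing
    # entry_id values reveals nothing about drafts that exist.
    if entry is None or entry.status != PUBLISH:
        return 404
    entry.comments.append(text)
    site.rebuild_entry(entry)
    return 200


def make_site():
    # Constructed sample data: one published entry and one draft.
    return Site(entries={1: Entry(1, "Published post", PUBLISH),
                         2: Entry(2, "Unfinished draft", DRAFT)})
```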
I'm not sure what the appropriate channels are for publicizing this, but I've posted a comment in the MT bug forums.

Hopefully someone can come up with a patch and/or they'll put it in MT 3.0.

Comments: MT Post Status Vulnerability

Clearly this is why I haven't had to deal with Comment Spam.

I use a blog-like substance known as dasBlog, written in .net to be similar to MT or blogger, but is really so totally different that I doubt I'll ever have to worry about spam comments. Mostly due to:

1) it will never be that popular
2) all ids seem to be GUIDs

Seems to me that MT could use a bit more polish, which will likely be in your aforementioned 3.0

Posted by: David Kearns on January 21, 2004 4:04 PM

Yes, it's part of why there are so few Mac and Linux bugs.

Here's a good article on what the author calls "software monoculture": http://golem.ph.utexas.edu/~distler/blog/archives/000236.html

Posted by: Joe Grossberg on January 21, 2004 4:32 PM
