The "Email this to a friend" functionality in the mt-send-entry.cgi script is vulnerable to being used by spammers to send spam messages. In principle, all "email this to a friend" programs are vulnerable to being used by spammers, because they allow the user to specify a To: address and a message body. But in practice, MT's implementation of this is not as robust as it should be, and a new version is available below.

This fix is already included in all versions of MT 2.64 downloaded from today on.

If you're not using this functionality at all, we recommend that you simply remove mt-send-entry.cgi from your MT directory. MT doesn't have any hooks to use this script by default anyway, so you won't be breaking your MT installation.

If you are using this functionality on your MT weblog, you should download this package with a new version of mt-send-entry.cgi, unzip it, and replace the version of mt-send-entry.cgi on your server. The new version:

• fixes a vulnerability that allows spammers to inject extra headers into messages;
• removes the ability to send the message to multiple recipients;
• restricts the message to 250 characters.

All of these fixes serve to discourage the script being used by spammers.

As many of you who maintain public weblogs with Movable Type know, there's an increasing problem with comment spam on many weblogs, and we've discussed some of the ideas for how we'll be dealing with the problem in the future on our company weblog. While we're working on integrating these spam protection techniques into Movable Type and our recently-launched TypePad service, you can protect your site in the mean time by trying out Jay Allen's MT-Blacklist plugin, which is a clever solution to most common kinds of comment spamming, as well as being a great demonstration of the creative ways people are extending Movable Type through plugins.

Also, if you're interested in joining our team and helping out with creating and developing creative solutions to problems like these, you might be interested to know that Six Apart is hiring.

One of Movable Type's less-trumpeted features is its ability to support localization, which lets you download a language pack in order to display the user interface in your language of choice. Like all of our features, localization shows how much Movable Type is improved by the contributions of our user community, as dozens of translators from around the world have contributed to the language packs that are now available.

We're committed to making our tools as language-neutral as possible, and as we work to make sure every possible language gets first-class support, we thought we'd draw some attention to our little-known localization weblog. On the weblog, you can find instructions on how to contribute to a language pack, how to organize a translating effort, and some documentation on what steps are required to complete a language pack.

And, if you're just interested in trying out a new language for your Movable Type interface, you can simply follow the language pack installation instructions. We've already got 11 languages completely translated and available for you to download now, and there are efforts underway to add support for everything from Galician to Urdu. If you're bilingual and want to help out the Movable Type community, take a look!

We've made a few housekeeping improvements around the movabletype.org site, including a number of high-profile new Movable Type users we're proud to feature as Spotlight Sites, and some clarifications and long-awaited improvements to our list of Frequently Asked Questions. Chief among these improvements is repeating the fact that there is only one "e" in "Movable" when you're talking about weblog publishing software. Feel free to spread the word.

Looking for a way to hang out with other Movable Type users in real life? To talk about the writing on your sites, weblogs in general, or just a chance to meet interesting new people who have something to say? Well now there's a way. The folks at Meetup have added a Movable Type Meetup where you can sign up and pick a venue for the Meetup to be located.

The first Movable Type Meetup is scheduled for Monday, August 11 at 7 pm, and future Meetups are planned for the second Monday of every month after that.

We've recently had a few questions raised about the licensing for Movable Type, and while the personal and commercial licenses are of course the definitive lists of your rights, we thought we'd summarize how Movable Type can and can't be used.

First, for personal, non-commercial users, Movable Type is free to download and use. We don't consider an Amazon wishlist link or a PayPal donation link to be a commercial use of your site, so you're free to update your weblog and maintain your site with Movable Type and all we'd ask is that you link back to movabletype.org and donate whatever you feel the software is worth to you.

For commercial users, we offer a few ways you can use the software. Businesses and other organizations can use Movable Type to manage weblogs on their intranets or behind their firewalls by paying for one $150 commercial License Fee per installation on each of the servers running the application. There are no per-user fees or client fees for using Movable Type in an organization. You can also use the system to update content on your public site, with the same rules applying.

Currently, if you're a web developer or designer, and you want to offer Movable Type to your clients so they can update their own site, or you want to use it to perform updates on their site, one License Fee must be paid per server installation, either by you or your client.

So what can't you do? You can't sell the software yourself, or redistribute it with changes, or offer it installed as part of a hosting service, either bundled or as a pay option.

Based on the comments and questions raised about offering support services, we'll be revising our licenses and working on creating a Movable Type Developer/Service Provider Network that will rely more on a software/service-provider relationship rather than that of licensor/licensee. We'd love to hear what you think about this sort of a program and if you have any ideas or suggestions of how it would work best for you as a service-provider or developer.

We just found out that MovableType.org has been recognized with the Best Practices award in this year's 7th Annual Webby Awards. The criteria followed by the Webby judges for awards in the Best Practices category fit this decscription:

Sites demonstrating unparalleled excellence across The Academy's six criteria: content, structure & navigation, visual design, interactivity,functionality, and overall experience. Best Practices sites serve as an industry benchmark for the most current, innovative, and advanced practices in Web development.

We're thrilled to have been recognized in a field with such distinguished competitors and such stringent criteria. Though the award names MovableType.org, we consider it an award for the Movable Type system as well and a reflection of the community that's been built by people using the tool to share their thoughts with the world. We thank all of you who've downloaded and used Movable Type, donated to support its development, participated in our forums, extended or customized the tool to fit your needs, or just contributed by spreading the word about personal publishing on the web.

If you're new to Movable Type, or not familiar with our company Six Apart, you may wish to read our company weblog Six Log to find out what we've been up to or check out some information about our company. And if you've got friends who want to get started with weblogging, we've built an easy new service on top of the Movable Type platform that's designed to let any user just sign up and start publishing. It's called TypePad, and it's coming soon.