TrackBack Spam Alert: Dealing With Trackback Spam

Posted by Travis Smith on 02/01 at 05:05 PM • Blogging News

Spammers appear to have discovered TrackBack in a more significant way today. The discussion on the Movable Type professional developers mailing list is full of folks watching TrackBack spam grow.

Why is TrackBack spam an issue?

It drives traffic to the spammer in several ways:

1) As a blog owner, when you see a new TrackBack arrive, you’re likely to go visit that site. Kaching!

2) When the TrackBack appears on your public site, others might click the link. Kaching!

3) Because the URL appears on your site, it is likely to increase the spammer’s standing in search engines. Kaching! Kaching! Kaching!

Currently, the volume of TrackBack spam is still fairly low.  Whether this is because comment spam was much easier, because many people don’t enable TrackBacks (or remove them from their site when it is customized) or because spammers find TrackBack as confusing as the rest of us, I don’t know.

One factor, pointed out by Jay Allen, is that TrackBack entries typically have all URLs removed from the body, so the spammer only gets one URL, in the title of the TrackBack, which isn’t a good payoff.

Here are some tools for blocking TB spam:

1) Turn off trackbacks. A drastic measure, sure, but it works 100%, guaranteed! You can also turn off comments on only older entries, in MT, using MT_Close2.

2) Rename your TB script. This is an easy fix in most software, but at best a temporary delay. The spammer will either have to a) come look at your site to find the new name for the TB script, or b) change his program so that it automatically comes to look for your TB script name before posting. Because autodiscovery is a key part of the TB system, they will be able to do this, and you’ve now got twice the page hits on your server.

3) Moderate TrackBacks. This can be difficult; many blogging solutions treat TBs differently than comments, and don’t have the same tools to control them. If you’re running MT, MT_BlackList gives you some control over blocking TBs.

4) Block spammers at the Web server level using modsecurity. Or if you run on Apache but aren’t an administrator, try a .htaccess file that stops certain types of accesses to your TB script. Or install, on MT, MT-DSBL, which takes a list of (what it thinks are) spam-sending computers (the Distributed Sender Blackhole List), and denies those computers access to your trackback system.

5) The “nofollow” attribute doesn’t do anything to stop you from getting spammed, but it does help Google keep spam out of its index. Of course, some people think that spam is spreading to TBs as spammers try to get around the “nofollow” restriction; this makes no sense because “nofollow” is usually implemented for both comments and TBs.

Unfortunately, many tricks that work with comments (requiring registration, having people typing in a word-image (CAPTCHA), or requiring additional secret codes in the trackback submission) don’t work with TB, because it’s not a form-based technology, and these protections weren’t baked into the standard.
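The moderation and blocklist measures in items 3 and 4, as an added example that is not from the original post or from any of the plugins it names: a Python screening function for a TrackBack ping, which arrives as an HTTP POST with form-encoded `url`, `title`, `excerpt` and `blog_name` fields. The function names, blocklist entries and sample addresses are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit
from xml.sax.saxutils import escape

# Constructed blocklists for illustration (documentation-range IP, example domain).
BLOCKED_IPS = {"203.0.113.7"}
BLOCKED_DOMAINS = {"spam.example"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def tb_response(error, message=""):
    """Build the TrackBack XML reply: error 0 = accepted, 1 = rejected."""
    msg = f"<message>{escape(message)}</message>" if error else ""
    return ('<?xml version="1.0" encoding="utf-8"?>'
            f"<response><error>{error}</error>{msg}</response>")


def strip_urls(text):
    """Remove URLs from free text so only the single `url` field carries a link."""
    return " ".join(URL_RE.sub(" ", text).split())


def screen_ping(method, body, remote_ip, queue):
    """Screen one ping (hypothetical helper); survivors are queued as pending."""
    if method != "POST":
        return tb_response(1, "TrackBack pings must use POST")
    if remote_ip in BLOCKED_IPS:
        return tb_response(1, "Sender is blocklisted")
    fields = {k: v[0].strip() for k, v in parse_qs(body).items()}
    url = fields.get("url", "")
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return tb_response(1, "A valid url parameter is required")
    if parts.scheme not in ("http", "https") or not host:
        return tb_response(1, "A valid url parameter is required")
    if any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS):
        return tb_response(1, "Linked site is blocklisted")
    queue.append({
        "url": url,
        "title": strip_urls(fields.get("title", "")),
        "excerpt": strip_urls(fields.get("excerpt", "")),
        "blog_name": strip_urls(fields.get("blog_name", "")),
        "status": "pending",  # never published until a moderator approves it
    })
    return tb_response(0)
```

Because every accepted ping lands in the queue as `pending`, nothing reaches the public page, and so nothing reaches a search index, until someone approves it.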

I think we’ll see more spam in TrackBacks, not less, because as the number of tools and sites that support it grows, and as it becomes more difficult to spam in other venues, spammers will seek the most rewarding path to spam.
