the arrival of trackback spam

At least in this weblog. This morning there were some 50 spam trackbacks to different entries.

I've been waiting for this to happen; until today trackback had never been abused massively. But it was clearly just a matter of time, particularly since trackback allows setting snippets, and in many weblogs they are rolled in with the rest of the comments.

Conclusion: I'll do what I did for comments: change the 'allow trackbacks' flag. Luckily I switched to MySQL not long ago, making it easier to access the raw data, since Movable Type still doesn't support a "close all comments & trackbacks in entries after this date" feature (and for me using SQL is easier than using a plug in).

Anyway. Another line crossed...

Update: Very strange. A couple of hours after closing the trackbacks and rebuilding the weblog, spam restarted. I verified that the entries had trackbacks closed, and yet spammers were able to post trackbacks anyway. I tested sending a trackback myself to an entry which was closed, and correctly got a message "Ping 'ENTRYID' failed: This TrackBack item is disabled." The trackback was not received. I have to assume that they have found a way to post trackbacks even if they are closed... (some unknown hole in MT's trackback implementation? Or maybe the additions were in a queue somewhere and got in anyway, since they were so many?). As a temporary measure, I've changed the name of the trackback script, so they shouldn't be able to post to the URL they have crawled.

Another update: Definitely some form of queueing was at play. I have done some more experiments and looked at my logs, and enabling/disabling the trackback script returns the spammer (which is still going at it) a 404 and a 500 HTTP error alternately, so the check is working. Leaving the old script disabled is better, obviously, since it doesn't hit the MT db for checks.
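The log check described in the two updates above, written out as an added example (not code from the post or from Movable Type): it parses Apache combined-format access log lines, keeps only POSTs aimed at the trackback script, and flags source addresses that fire a burst of pings, breaking down the HTTP statuses they received. It assumes the combined log format and the MT 3.x script name mt-tb.cgi; the log lines are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Apache/NCSA combined log format (assumed). Only the fields needed here are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines, not real traffic. The first address keeps POSTing to a
# trackback script that now answers 404/500 (renamed/disabled); the second is a
# single legitimate ping followed by a normal page view.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Feb/2005:10:02:11 +0000] "POST /mt/mt-tb.cgi/412 HTTP/1.0" 500 312 "-" "Mozilla/4.0"
203.0.113.7 - - [01/Feb/2005:10:02:12 +0000] "POST /mt/mt-tb.cgi/413 HTTP/1.0" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [01/Feb/2005:10:02:12 +0000] "POST /mt/mt-tb.cgi/414 HTTP/1.0" 500 312 "-" "Mozilla/4.0"
203.0.113.7 - - [01/Feb/2005:10:02:13 +0000] "POST /mt/mt-tb.cgi/415 HTTP/1.0" 404 209 "-" "Mozilla/4.0"
198.51.100.23 - - [01/Feb/2005:10:05:40 +0000] "POST /mt/mt-tb.cgi/412 HTTP/1.0" 200 151 "-" "MT-Ping/3.1"
198.51.100.23 - - [01/Feb/2005:10:06:01 +0000] "GET /archives/000412.html HTTP/1.1" 200 8842 "-" "Mozilla/5.0"
"""


def trackback_posts(log_text, script_name="mt-tb.cgi"):
    """Yield (client_ip, http_status) for every POST aimed at the trackback script."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if script_name not in m["path"]:
            continue
        yield m["ip"], int(m["status"])


def flag_ping_bursts(log_text, threshold=3, script_name="mt-tb.cgi"):
    """Return {ip: Counter(status -> count)} for addresses sending >= threshold pings.

    A legitimate pinger sends one POST per entry it links to. Many POSTs from one
    address, especially ones that keep hitting a script that answers 404/500,
    match the behaviour described in the updates above.
    """
    per_ip = defaultdict(Counter)
    for ip, status in trackback_posts(log_text, script_name):
        per_ip[ip][status] += 1
    return {ip: c for ip, c in per_ip.items() if sum(c.values()) >= threshold}


if __name__ == "__main__":
    for ip, statuses in flag_ping_bursts(SAMPLE_LOG).items():
        print(ip, dict(statuses))
```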

Categories: technology
Posted by diego on February 1 2005 at 10:19 AM
Comments (please see the comments & trackback policy).

Arrived on my blog as well overnight... *sigh*

You might also want to check out this little script:

http://www.rayners.org/2003/12/closing_comments_on_old_entries.php

If only I'd bothered closing all the trackbacks as well as the comments... ah well.

Posted by: dwlt at February 1, 2005 11:28 AM

Many of us went through this in the beginning of January. I can't believe you hadn't heard of it?

Posted by: Ann Elisabeth at February 1, 2005 12:42 PM

Dave: yeah, definitely a pain. It seems that they're scaling up spam on targets they hadn't gone after previously.

Ann: "At least in this weblog." :) I definitely missed discussion about this though, and I'm not surprised, at the beginning of January I was traveling and working, without time to do much else. Although I expected it to happen sooner or later. Also: good info over at your weblog on spam related topics!

Posted by: Diego at February 1, 2005 1:01 PM

Diego:

My website was absolutely slammed last night (around 600 trackback spams for online poker), but I was left unscathed last month.

Posted by: Joe Grossberg at February 1, 2005 7:17 PM

The online-poker spammer hit me at 8:00 this morning... just as I was checking my email.

chmod -rwx on the talkback script put an end to that. A few months earlier I did the same thing to the comment script after I got tired of dealing with spam.

I seriously need to get off my ass, and off MoveableType.

Posted by: Mark Denovich at February 2, 2005 12:01 AM

Mark: switching from Movable Type won't help much; they're targeting everybody. This current spate of trackback spam started out attacking WordPress sites about a month ago, and has now broadened to include other systems including MT.

Trackback is a difficult channel to secure, because it's *intended* to be used by scripts rather than by humans. The trackback protocol is standardized across all weblogging systems, so only one spamming script is needed - all the spammer needs is the trackback address. Pingback is even nastier, because it allows the script to auto-discover the trackback address.

I suspect that the current trackback and pingback technologies are a lost cause. They are no longer worth the risk for most of us.

Posted by: Doug at February 2, 2005 4:51 PM

I received around a hundred about 2 weeks ago. Luckily I moderate trackbacks on my site though, which is something I would rather not do, but it's better than getting spam.

Posted by: Brian at February 4, 2005 3:47 PM
Copyright © Diego Doval 2002-2007.
Powered by Movable Type 3.35