the arrival of trackback spam

At least in this weblog. This morning there were some 50 spam trackbacks to different entries.

I've been waiting for this to happen--until today trackback had never been abused massively. But it was clearly just a matter of time, particularly since trackback allows snippets to be set and in many weblogs they are rolled in with the rest of the comments.

Conclusion: I'll do what I did for comments: change the 'allow trackbacks' flag. Luckily I switched to MySQL not long ago, making it easier to access the raw data, since Movable Type still doesn't support a "close all comments & trackbacks in entries after this date" feature (and for me using SQL is easier than using a plug-in).

Anyway. Another line crossed...

Update: Very strange. A couple of hours after closing the trackbacks and rebuilding the weblog, spam restarted. I verified that the entries had trackbacks closed, and yet spammers were able to post trackbacks anyway. I tested sending a trackback myself to an entry which was closed, and correctly got a message "Ping 'ENTRYID' failed: This TrackBack item is disabled." The trackback was not received. I have to assume that they have found a way to post trackbacks even if they are closed... (some unknown hole in MT's trackback implementation? Or maybe the additions were in a queue somewhere and got in anyway, since they were so many?). As a temporary measure, I've changed the name of the trackback script, so they shouldn't be able to post to the URL they have crawled.

Another update: Definitely some form of queueing was at play. I have done some more experiments and looked at my logs and enabling/disabling the trackback script returns the spammer (which is still going at it) a 404 and a 500 HTTP Error alternately, so the check is working. Leaving the old script disabled is better, obviously, since it doesn't hit the MT db for checks.

Categories: technology
Posted by diego on February 1, 2005 at 10:19 AM
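
The log check described in the second update can be scripted. The following is an added example, not code from the original post: it tallies POSTs to the trackback script per client from an Apache combined-format access log, showing how many distinct entries each client pinged and which HTTP status it received last. Assumptions: the script path `/cgi-bin/mt/mt-tb.cgi`, the log format, the threshold of three entries, and the sample lines (constructed, using documentation IP ranges).

```python
import re
from collections import Counter, defaultdict

# Assumed path of the (old) trackback script; adjust to the install being checked.
TB_PATH = "/cgi-bin/mt/mt-tb.cgi"

# Apache combined log format: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, not taken from the post's logs.
SAMPLE_LOG = """\
198.51.100.20 - - [01/Feb/2005:07:58:11 +0000] "POST /cgi-bin/mt/mt-tb.cgi/101 HTTP/1.0" 200 95 "-" "-"
203.0.113.7 - - [01/Feb/2005:08:01:02 +0000] "POST /cgi-bin/mt/mt-tb.cgi/101 HTTP/1.0" 200 95 "-" "-"
203.0.113.7 - - [01/Feb/2005:08:01:03 +0000] "POST /cgi-bin/mt/mt-tb.cgi/102 HTTP/1.0" 200 95 "-" "-"
203.0.113.7 - - [01/Feb/2005:10:40:17 +0000] "POST /cgi-bin/mt/mt-tb.cgi/103 HTTP/1.0" 500 512 "-" "-"
203.0.113.7 - - [01/Feb/2005:10:52:40 +0000] "POST /cgi-bin/mt/mt-tb.cgi/104 HTTP/1.0" 404 210 "-" "-"
203.0.113.7 - - [01/Feb/2005:10:52:41 +0000] "POST /cgi-bin/mt/mt-tb.cgi/101 HTTP/1.0" 404 210 "-" "-"
192.0.2.44 - - [01/Feb/2005:10:53:00 +0000] "GET /archives/000101.html HTTP/1.1" 200 8123 "-" "-"
"""

def summarize(log_text, tb_path=TB_PATH, min_entries=3):
    """Per-client summary of trackback pings; 'suspect' means many distinct entries hit."""
    seen = defaultdict(lambda: {"statuses": Counter(), "targets": set(), "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(tb_path):
            continue
        rest = m["path"][len(tb_path):]      # path-info or query string naming the entry
        if rest and rest[0] not in "/?":     # a different script sharing the prefix
            continue
        rec = seen[m["ip"]]
        rec["statuses"][int(m["status"])] += 1
        rec["targets"].add(rest)
        rec["last"] = int(m["status"])       # log is chronological, so this ends as the latest
    return {
        ip: {
            "pings": sum(rec["statuses"].values()),
            "entries": len(rec["targets"]),
            "statuses": dict(rec["statuses"]),
            "last_status": rec["last"],
            "suspect": len(rec["targets"]) >= min_entries,
        }
        for ip, rec in seen.items()
    }

if __name__ == "__main__":
    for ip, row in summarize(SAMPLE_LOG).items():
        print(ip, row)
```

A `last_status` of 404 for a flagged client confirms that its pings are now hitting the renamed (missing) script rather than reaching the application.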

