[wp-hackers] Trackback Spam

Scott Merrill skippy at skippy.net
Wed Feb 2 12:54:33 GMT 2005


Michel Valdrighi wrote:
> On Wed, 02 Feb 2005 07:27:30 -0500, Scott Merrill <skippy at skippy.net> wrote:
> 
>>>Let's not do what Anil Dash does: TrackBacks don't necessarily come with a link.
>>
>>The reference is lost on me.  In what ways has Anil Dash suffocated the
>>trackback spec?
> 
> 
> Sorry, I should have made it clearer.
> Anil Dash's linkblog does a TrackBack to whatever he's linking to. The
> problem is that these tb don't add anything to the discussion on the
> item that is linked. They just serve to say "hey, I linked to you",
> which would just be what PingBacks are for.

Ah, yes, that certainly does water down trackbacks, doesn't it?

>>And according to the official SixApart trackback specification, a link
>>is the _only_ thing specifically required:
>>    http://www.movabletype.org/docs/mttrackback.html
>>"In the Movable Type implementation, of the above parameters only url is
>>required. If title is not provided, the value for url will be set as the
>>title."
> 
> 
> This is relevant only to what is sent in the TrackBack. Nowhere does
> it say that if Alice wants to trackback Bob she has to make a link to
> Bob's entry on the URL that she sends in the trackback.
> 
> So if you're proposing that WP checks the URL in the trackback to see
> if the entry links to the trackbacked entry, then that's putting an
> unnecessary restraint on the spec.
> The only way to check for relevance is to read and comprehend the
> content, which is out of reach of our possibilities.

Actually, my code snippet only verifies that the url provided in the 
trackback ping is accessible (and then only by an HTTP HEAD request), 
and does not parse the body of the trackbacking post.

The theory is that this kind of verification will shift at least some of 
the burden to the spammers: if they want to send trackback spam they 
need to have a static target from which to originate their spams.  Once 
they have a static target (i.e., a spam blog spewing trackbacks), we can 
block them with a host of other tools that have already proven 
successful (firewall rules, IP and/or DNS blacklists, etc).  Sure, 
spammers can change DNS entries and try to "game" the system in all 
sorts of ways, but many of these tricks come at a cost to the spammer 
(long DNS propagation times, for example).

My code snippet is far from perfect, but seems to be another means to 
discourage spamming that is low-cost on us, but not necessarily low-cost 
on the spammers.  This, combined with other solutions, will provide 
security-in-depth.

-- 
skippy at skippy.net | http://skippy.net/

gpg --keyserver pgp.mit.edu --recv-keys 9CFA4B35
506C F8BB 17AE 8A05 0B49  3544 476A 7DEC 9CFA 4B35
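The reachability check Scott describes above (an HTTP HEAD against the pinged url, without parsing the post body), written out as an added example; this is not his snippet and not WordPress code. The function names, the allowed schemes, the timeout and the choice to treat 2xx/3xx as "accessible" are assumptions made here.

```python
"""Verify that a trackback ping's 'url' parameter points at a page that answers HTTP HEAD.

Added illustration, not the original snippet. The policy choices below
(allowed schemes, timeout, which status codes count as accessible) are assumed.
"""
import http.client
import urllib.parse

ALLOWED_SCHEMES = {"http", "https"}   # assumption: only web URLs are sensible trackback sources
TIMEOUT_SECONDS = 5                   # assumption: do not let a slow spam host stall the ping handler


def http_head_status(url):
    """Issue an HTTP HEAD request and return the status code; no body is read."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=TIMEOUT_SECONDS)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "trackback-check"})
        return conn.getresponse().status
    finally:
        conn.close()


def trackback_url_accessible(url, head=http_head_status):
    """Return True when the pinged URL is well formed and HEAD yields a 2xx/3xx status.

    `head` is injectable so the check can be exercised without network access.
    Any transport error (DNS failure, refused connection, timeout) counts as
    inaccessible, which is the case the check exists to reject: a URL that
    is not actually served by any static target.
    """
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        status = head(url)
    except (OSError, http.client.HTTPException):
        return False
    return 200 <= status < 400
```

As the thread notes, passing this check says nothing about relevance; it only forces the sender to keep a live, addressable host, which the other tools mentioned (firewall rules, IP/DNS blacklists) can then act on.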

