17 May 2006: New version 0.7.

We’ve just released version 0.7 of the Validator; this is a strongly recommended upgrade for all our current users. We have improved the reliability and robustness of almost all aspects of the plugin, including spam classification, administration, and data reporting. Go grab version 0.7 and be free of TrackBack spam!

19 Nov 2005: Trackback Validator plugin v0.6

A new version of the Trackback Validator plugin is available! Download it here.

New features include:

  • Added a simple check against spammers’ dynamic link pages.
  • Simplified the data submission process.

5 Sep 2005: MovableType hit hard by TB spammers

It appears that a vulnerability has been found in Movable Type allowing Trackback spammers free rein to sneak links in without rel="nofollow". (I haven’t yet found details of the exact attack being used.)

24 Aug 2005: Trackback Validator plugin v0.5

Here’s a slightly edited version of the message I sent to wp-hackers today:

The first public version (v0.5) of the WP Trackback Validator is now available from the following URL:

http://idli.cs.rice.edu/~dsandler/trackback/trackback-validator-plugin/

The idea behind the Validator, which is under development by students in the Rice University Computer Security Lab, is simple: Trackback URLs that point to pages that don’t link back to your blog are bogus. It’s an easy test to perform, and one that no current Trackback spammer is bothering to try to defeat; since we’ve started using this plugin on our personal WP blogs, our Trackback spam rate has dropped to zero.

This test is already present in some other anti-spam plugins, typically included among a hodgepodge of other content-based schemes and rules. If you’re looking for something lightweight that does one job extremely well, please check out the Validator.

The point of the project, in addition to helping to combat Trackback spam, is to collect data. We’re interested in the kinds of spams people get, from which sources, at what rate, etc. We’d like to see if, once everyone starts applying the simple reverse-link check, the spammers step up their assault. In order to help us, the Validator distribution comes with a small shell script which will send us a profile of the spam you’ve caught recently.

So, in short, to save Trackback from an untimely death, try out the Trackback Validator plugin, and send us back some data. In the meantime, enjoy spam-free Trackbacks on your WordPress site.
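The reverse-link check described above, written out as an added example (this is not the plugin’s own code): given the HTML already fetched from a Trackback’s source URL, decide whether that page actually links to the post (or blog) being pinged. URLs and the HTML snippets in the test are constructed; the HTTP fetch itself is assumed to happen elsewhere.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect every href found in <a> tags of the fetched page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def _normalize(url):
    """Reduce a URL to (host, path, query) so trivial variations still match."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    path = parts.path.rstrip("/") or "/"
    return host, path, parts.query


def links_back(page_html, page_url, target_url):
    """Reverse-link check: does the page at page_url link to target_url?

    Relative hrefs are resolved against page_url first. If target_url has a
    query string (e.g. index.php?p=7) the link must match it exactly;
    otherwise any link to the target path or a path below it counts, so
    passing the blog root accepts any link into the blog while passing a
    post permalink requires a link to that post.
    """
    collector = _LinkCollector()
    collector.feed(page_html)
    t_host, t_path, t_query = _normalize(target_url)
    prefix = t_path.rstrip("/") + "/"
    for href in collector.hrefs:
        host, path, query = _normalize(urljoin(page_url, href))
        if host != t_host:
            continue
        if t_query:
            if path == t_path and query == t_query:
                return True
        elif path == t_path or path.startswith(prefix):
            return True
    return False
```

When wiring this into a real fetch, bound the request with a timeout and a maximum body size, since the source URL is attacker-supplied.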

16 Aug 2005: State of the art: spam blogs and spam Pingbacks

Nice writeup of the current trends in spam blogs and RSS content theft.

The last six months have seen a massive rise in content theft blogs and spam blogs, and there’s one thing these blogs usually have in common, and that’s the whole “Blog and Ping” thing … Blog and Ping is an online marketing term applied to a system that utilizes blogs and pings (short for pingback) to deliver content and/or sites for indexing in search engines with the ultimate aim of profit.

[…]

Already some in the SEO industry are saying that Blog and Ping is dead due to the massive increase in users, content theft sites and spam blogs. If you’re getting any benefit out of Blog and Ping now, you won’t be for much longer because already some search engines are talking about excluding your sites.

25 Jul 2005: Attack profile for WordPress sites

Scott Buchanan explains one of the mechanisms by which WordPress sites are attacked by trackback spammers (circa March 2005):

The spam ‘bot will iteratively request “index.php?p=[n],” where n is incremented each time. After each successful request, it will then send a trackback to “wp-trackback.php” for entry number n.

To remedy this, Scott wrote a TB Spam Blocker plugin (downloadable from the link above) which patches this particular hole. From the plugin’s included readme.txt:

This plugin will modify the WordPress permalink generator to include a mod_rewrite rule that blocks direct access to wp-trackback.php. (It still allows redirected access through cruft-free URLs. Legitimate trackbacks will use the redirected URL, as that will be what appears on your blog.)

A simple fix, though as soon as the spam bots are updated to use the cruft-free trackback URLs (by crawling the site), this solution will stop working.

16 Jun 2005: WP Hashcash

Not a trackback spam solution, of course, but WP Hashcash is a cute defense against comment spam by requiring a proof of work from the client.

Of course, as soon as comment spammers bake a JavaScript engine into their spambots, it’s all over, so Hashcash isn’t really breaking out of the “arms race” model of spam prevention. (But it does represent an impressively large leap in that race, so it’s likely to be quite effective for a while.)

16 Jun 2005: Tragedy

Funny: Trackback: A Tragedy In 3 Acts. Jason Lefkowitz offers a tongue-in-cheek play set at SixApart, as well as some slightly more sober analysis of how we got where we are today:

When your technology is open to abuse, silence is deadly. You might think that 6A, as the authors of the spec, would have made notice of the deep problems with TrackBack and been on top of finding solutions. Such is not the case: the official TrackBack blog hasn’t been updated in nearly a year, and their Professional Network lumps TrackBack spam in with comment spam and advises use of tools like MT-Blacklist for both. The result is a perception that no fix is coming, which leads people to abandon ship rather than wait for a fix they think will never come.

16 Jun 2005: Interview with a Link Spammer

From earlier this year, an interview with a link spammer in The Register. (TB is mentioned as a fallback for when comment-based link spamming becomes too difficult.)

25 May 2005: Bought and sold.

Judging by some of the recent articles on SpamHuntress (another site dedicated to analysis and eradication of spam, including trackback spam), there are indeed lists of vulnerable weblogs floating around the Internet—just like the lists of live addresses that email spammers buy and sell. Update: More SpamHuntress links, including her catalog of TB spam solutions and the new Spamhuntress Wiki, which includes some very interesting spammer profiles.