Trackback Spam

Well, I got bombed last night with some 300 trackbacks advertising an online poker site. WordPress handles trackbacks processing differently from comments processing (even though they all wind up in the same database table), so this spam robot escaped the captcha. As I get notification of each comment/trackback posting, I basically woke up to find my Inbox full of crap.

There’s an unofficial WordPress anti-spam resource with a short discussion of trackback spam. This spam is still still in its infancy, so the available tricks are somewhat limited. What I’ve done is disable trackbacks completely by renaming the PHP file to something innocuous. If and when a reasonable method to deal with this is developed, I’ll put it back in place.

I don’t see a good way to deal with this, at least in a way analogous to the captcha. Captchas probably can’t be used because the trackback mechanism can’t push anything back to the commentor creating the trackback, so we can’t force a Turing test. Email confirmation requests could be used as a spam bomb or joe job. There’s always moderation, but, as my 300 junk emails this morning showed, a massive burden is then being put on the moderator. Hopefully, some clever WordPress hacker will come up with something, but trackbacks have this feel of the something from the old days of the Internet, where services were left more open because, hey, no one’s going to do something bad, right?

Update: This SpamKarma looks interesting, in a SpamAssassin way. From the description, it does scoring of incoming comments and trackbacks, and then discards them, requests a captcha, posts them, or submits them for moderation. The author notes that it fully works with WP 1.3, which I’m not using yet, so I’ll hold off until a future upgrade.

Update 2: The Register has an interview with a link spammer. Interestingly, link spammers don’t do what they do on the behalf of others, but write their bots to improve the rankings of their own sites and/or get their own referrals. Link spamming apparently hasn’t been outsourced yet. The Reg wonders if this is the sign of an immature industry.

Comments are closed.