8 Sep 2007: CSS tricks and TrackBack
Just spotted in the wild: a spammer linking to the blogs he sends TrackBacks to, but using CSS tricks to hide all the links. (The Validator wasn’t able to automatically classify this as spam, of course: the link back is present in the page’s markup, which is what the Validator checks; it is only hidden from human readers.)
An exciting development today, coincidentally hot on the heels of our 0.7 release: The existence of the Validator (and other tools now using the same technique) has forced spammers to change their tactics.
Well, it took them half a year to figure it out, but tonight it happened: I received a spam pingback (spingback?) from a spam blog, and the Validator let it through clean. Which it should have, because indeed, the splog sent its pingback the way any pingback is sent: via a post that contained a valid permalink to my targeted blog posting, obviously obtained via an automated scraping program.
So, what’s happened here? In order to successfully submit a spam TrackBack, a spammer has to:
We knew this would happen (assuming the writer means TrackBack instead of Pingback) and consider this a victory: The spammer is now giving you PageRank, but more importantly, his website looks just like a blog. It is, effectively, a real blog. Who’s to say he’s a spammer and not just another blogger out there (the contents of whose blog you’re not particularly impressed by)?
At this point, we’ve moved into a more philosophical area of spam prevention. I’ll still argue that this is a victory, however. Consider this: What if we “defeated” email spam to the point that the only “spam” you ever got in your INBOX was personal notes, hand-written by advertisers, custom-tailored to your interests? Is that even spam anymore, or just email you’re not as interested in? I argue we’ve now made this exact leap with TrackBack spam.
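The two cases above, the CSS-hidden link and the splog whose post really does carry a valid permalink, both come down to the same check: does the TrackBack or pingback source page link to the target, and is that link visible to a reader? The following is an added example (not the Validator’s own code, nor anything from the spammer’s pages) showing how such a check can tell the two apart. It works on already-downloaded HTML, handles only inline styles plus simple `.class` and `#id` rules from `<style>` blocks, and uses a hypothetical target URL and constructed sample pages.

```python
import re
from html.parser import HTMLParser

# Inline-CSS declarations that make an element invisible to a reader while
# leaving the link in the markup, where a plain "does the page link to me?"
# check will still find it. Assumption: this short list covers the common tricks.
HIDING_PATTERNS = (
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"font-size\s*:\s*0(?:px|em|%)?(?![.\d])", re.I),
    re.compile(r"(?:left|top|text-indent)\s*:\s*-\d{3,}px", re.I),  # pushed off-screen
)

def style_hides(style):
    """True if a CSS declaration block hides the element it applies to."""
    return any(p.search(style or "") for p in HIDING_PATTERNS)

def parse_stylesheet(css):
    """Minimal <style> reader: keeps declarations for '.class' and '#id'
    selectors only (assumption: enough for this demonstration)."""
    rules = {}
    for selectors, body in re.findall(r"([^{}]+)\{([^{}]*)\}", css):
        for sel in selectors.split(","):
            sel = sel.strip()
            if sel.startswith((".", "#")):
                rules[sel] = rules.get(sel, "") + ";" + body
    return rules

VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}

class LinkBackScanner(HTMLParser):
    """Walks a TrackBack source page and counts links to the target permalink,
    separating links a reader can see from links hidden by CSS."""

    def __init__(self, target_url):
        super().__init__()
        self.target = target_url.rstrip("/")
        self.rules = {}        # selector -> declarations gathered from <style>
        self.stack = []        # (tag, hidden?) for each open element
        self.in_style = False
        self.visible_links = 0
        self.hidden_links = 0

    def _element_hidden(self, attrs):
        a = dict(attrs)
        if "hidden" in a or style_hides(a.get("style")):
            return True
        for cls in (a.get("class") or "").split():
            if style_hides(self.rules.get("." + cls)):
                return True
        return bool(a.get("id")) and style_hides(self.rules.get("#" + a["id"]))

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        inherited = bool(self.stack) and self.stack[-1][1]   # hidden ancestor hides children
        hidden = inherited or self._element_hidden(attrs)
        if tag == "a" and (dict(attrs).get("href") or "").rstrip("/") == self.target:
            if hidden:
                self.hidden_links += 1
            else:
                self.visible_links += 1
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
        # Pop back to the matching open tag; tolerates sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self.in_style:
            self.rules.update(parse_stylesheet(data))

def classify_trackback_source(html, target_url):
    """Return 'valid' (visible link back), 'hidden-link' (link present but
    CSS-hidden) or 'no-link', with the counts behind the verdict."""
    scanner = LinkBackScanner(target_url)
    scanner.feed(html)
    scanner.close()
    if scanner.visible_links:
        verdict = "valid"
    elif scanner.hidden_links:
        verdict = "hidden-link"
    else:
        verdict = "no-link"
    return {"verdict": verdict, "visible": scanner.visible_links, "hidden": scanner.hidden_links}

TARGET = "http://blog.example.org/2007/09/08/css-tricks/"   # hypothetical target post

# Constructed spam page: links to TARGET twice, once via a display:none class
# and once via an off-screen inline style, so a reader sees neither.
SPAM_PAGE = """<html><head><style>
.credits { display: none; }
</style></head><body>
<p>Cheap widgets! <a href="http://shop.example.net/">buy now</a></p>
<div class="credits">Via <a href="http://blog.example.org/2007/09/08/css-tricks/">this post</a></div>
<p style="position:absolute; left:-9999px"><a href="http://blog.example.org/2007/09/08/css-tricks">also</a></p>
<br>
</body></html>"""

# Constructed honest page: one ordinary, visible link to TARGET.
HONEST_PAGE = """<html><body><p>I was reading
<a href="http://blog.example.org/2007/09/08/css-tricks/">a post on CSS tricks</a>
and had a thought.</p></body></html>"""

if __name__ == "__main__":
    print("spam  :", classify_trackback_source(SPAM_PAGE, TARGET))
    print("honest:", classify_trackback_source(HONEST_PAGE, TARGET))
```

The honest page and the splog described above both come back `valid`; that is the point of the second entry, since a splog whose post carries a real, visible permalink is indistinguishable from an ordinary blog by this check alone. The CSS-hidden case comes back `hidden-link`. Anything not covered by the small pattern list (a class defined in an external stylesheet, colour matching the background, JavaScript that removes the element) will still pass, so treat the verdict as one signal, not a proof.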
It appears that a vulnerability has been found in Movable Type allowing Trackback spammers free rein to sneak links in without rel="nofollow". (I haven’t yet found details of the exact attack being used.)
Nice writeup of the current trends in spam blogs and RSS content theft.
The last six months has seen a massive rise in content theft blogs and spam blogs, and there’s one thing these blogs usually have in common, and that’s the whole “Blog and Ping” thing … Blog and Ping is an online marketing term applied to a system that utilizes blogs and pings (short for pingback) to deliver content and/or sites for indexing in search engines with the ultimate aim of profit.
[...]
Already some in the SEO industry are saying that Blog and Ping is dead due to the massive increase in users, content theft sites and spam blogs. If you’re getting any benefit out of Blog and Ping now, you won’t be for much longer because already some search engines are talking about excluding your sites.
Scott Buchanan explains one of the mechanisms by which WordPress sites are attacked by trackback spammers (circa March 2005):
The spam ‘bot will iteratively request “index.php?p=[n],” where n is incremented each time. After each successful request, it will then send a trackback to “wp-trackback.php” for entry number n.
To remedy this, Scott wrote a TB Spam Blocker plugin (downloadable from the link above) which patches this particular hole. From the plugin’s included readme.txt:
This plugin will modify the WordPress permalink generator to include a mod_rewrite rule that blocks direct access to wp-trackback.php. (It still allows redirected access through cruft-free URLs. Legitimate trackbacks will use the redirected URL, as that will be what appears on your blog.)
A simple fix, though as soon as the spam bots are updated to use the cruft-free trackback URLs (by crawling the site), this solution will stop working.
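The enumeration Scott describes leaves a distinctive trace in the web server log, and that trace outlives the rewrite-rule fix: a bot that has learned the cruft-free URLs still has to POST a trackback to many entries from one client in a short time. The following is an added example (not Scott’s plugin, nor WordPress code) that reads Apache combined-format log lines and flags such clients. The log lines are constructed for the example; the `is_direct_trackback` check is my reading of what the plugin’s rewrite rule refuses, and the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" log lines, not real traffic. 203.0.113.7 behaves
# like the bot described above: GET index.php?p=n, then POST to wp-trackback.php
# for the same n, with n incrementing. 198.51.100.9 sends a single trackback
# through the permalink-style URL, the way a real blog engine would.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2005:10:00:01 +0000] "GET /index.php?p=1 HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Mar/2005:10:00:02 +0000] "POST /wp-trackback.php?p=1 HTTP/1.0" 200 120 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Mar/2005:10:00:03 +0000] "GET /index.php?p=2 HTTP/1.0" 200 4870 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Mar/2005:10:00:04 +0000] "POST /wp-trackback.php?p=2 HTTP/1.0" 200 120 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Mar/2005:10:00:05 +0000] "GET /index.php?p=3 HTTP/1.0" 404 1200 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Mar/2005:10:00:06 +0000] "POST /wp-trackback.php?p=3 HTTP/1.0" 200 120 "-" "Mozilla/4.0"
198.51.100.9 - - [14/Mar/2005:11:30:00 +0000] "POST /archives/2005/03/14/hello-world/trackback/ HTTP/1.1" 200 118 "-" "WordPress/1.5"
"""

# client, timestamp, request method and path, status; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_direct_trackback(path):
    """The request form the rewrite rule blocks (my reading of the readme):
    wp-trackback.php addressed by file name, with or without ?p=n."""
    return path.split("?", 1)[0].rstrip("/") == "/wp-trackback.php"

def is_trackback(path):
    """Any trackback POST: direct script access or the cruft-free
    '/.../trackback/' form, which updated bots will use once they crawl the site."""
    bare = path.split("?", 1)[0].rstrip("/")
    return is_direct_trackback(path) or bare.endswith("/trackback")

def find_trackback_floods(log_text, max_per_window=3, window_seconds=60):
    """Flag clients that POST trackbacks max_per_window or more times within
    window_seconds. Returns {ip: {"count": total POSTs, "direct": used the
    blocked wp-trackback.php form at least once}}."""
    per_ip = defaultdict(list)
    direct = defaultdict(bool)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and is_trackback(rec["path"]):
            per_ip[rec["ip"]].append(rec["ts"])
            direct[rec["ip"]] |= is_direct_trackback(rec["path"])
    findings = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        # Sliding window over the client's trackback POSTs.
        for i in range(len(stamps) - max_per_window + 1):
            span = (stamps[i + max_per_window - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                findings[ip] = {"count": len(stamps), "direct": direct[ip]}
                break
    return findings

if __name__ == "__main__":
    for ip, info in find_trackback_floods(SAMPLE_LOG).items():
        print(ip, info)
```

Blocking the direct `wp-trackback.php` form is cheap and worth doing, but the rate-based check is what still fires after the bots adapt; a legitimate blog engine sends one trackback per post it publishes, not one per entry on your site.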
Funny: Trackback: A Tragedy In 3 Acts. Jason Lefkowitz offers a tongue-in-cheek play set at SixApart, as well as some slightly more sober analysis of how we got where we are today:
When your technology is open to abuse, silence is deadly. You might think that 6A, as the authors of the spec, would have made notice of the deep problems with TrackBack and been on top of finding solutions. Such is not the case: the official TrackBack blog hasn’t been updated in nearly a year, and their Professional Network lumps TrackBack spam in with comment spam and advises use of tools like MT-Blacklist for both. The result is a perception that no fix is coming, which leads people to abandon ship rather than wait for a fix they think will never come.
Judging by some of the recent articles on SpamHuntress (another site dedicated to analysis and eradication of spam, including trackback spam), there are indeed lists of vulnerable weblogs floating around the Internet—just like the lists of live addresses that email spammers buy and sell. Update: More SpamHuntress links, including her catalog of TB spam solutions and the new Spamhuntress Wiki, which includes some very interesting spammer profiles.