New features include:

• Added a simple check against spammers’ dynamic link pages.
• Simplified the data submission process.

The first public version (v0.5) of the WP Trackback Validator is now available from the following URL:

http://idli.cs.rice.edu/~dsandler/trackback/trackback-validator-plugin/

The idea behind the Validator, which is under development by students in the Rice University Computer Security Lab, is simple: Trackback URLs that point to pages that don’t link back to your blog are bogus. It’s an easy test to perform, and one that no current Trackback spammer is bothering to try to defeat; since we’ve started using this plugin on our personal WP blogs, our Trackback spam rate has dropped to zero.

This test is already present in some other anti-spam plugins, typically included among a hodgepodge of other content-based schemes and rules. If you’re looking for something lightweight that does one job extremely well, please check out the Validator.

The point of the project, in addition to helping to combat Trackback spam, is to collect data. We’re interested in the kinds of spams people get, from which sources, at what rate, etc. We’d like to see if, once everyone starts applying the simple reverse-link check, the spammers step up their assault. In order to help us, the Validator distribution comes with a small shell script which will send us a profile of the spam you’ve caught recently.

So, in short, to save Trackback from an untimely death, try out the Trackback Validator plugin, and send us back some data. In the meantime, enjoy spam-free Trackbacks on your WordPress site.

The last six months has seen a massive rise in content theft blogs and spam blogs, and there’s one thing these blogs usually have in common, and that’s the whole “Blog and Ping” thing … Blog and Ping is a online marketing term applied to a system that utilizes blogs and pings (short for pingback) to deliver content and/ or sites for indexing in search engines with the ultimate aim of profit.

[…]

Already some in the SEO industry are saying that Blog and Ping is dead due to the massive increase in users, content theft sites and spam blogs. If you’re getting any benefit out of Blog and Ping now, you won’t be for much longer because already some search engines are talking about excluding your sites.

The spam ‘bot will iteratively request “index.php?p=[n],” where n is incremented each time. After each successful request, it will then send a trackback to “wp-trackback.php” for entry number n.

To remedy this, Scott wrote a TB Spam Blocker plugin (downloadable from the link above) which patches this particular hole. From the plugin’s included readme.txt:

This plugin will modify the WordPress permalink generator to include a mod_rewrite rule that blocks direct access to wp-trackback.php. (It still allows redirected access through cruft-free URLs. Legitimate trackbacks will use the redirected URL, as that will be what appears on your blog.)

A simple fix, though as soon as the spam bots are updated to use the cruft-free trackback URLs (by crawling the site), this solution will stop working.

Of course, as soon as comment spammers bake a JavaScript engine into their spambots, it’s all over, so Hashcash isn’t really breaking out of the “arms race” model of spam prevention. (But it does represent an impressively large leap in that race, so it’s likely to be quite effective for a while.)

When your technology is open to abuse, silence is deadly. You might think that 6A, as the authors of the spec, would have made notice of the deep problems with TrackBack and been on top of finding solutions. Such is not the case: the official TrackBack blog hasn’t been updated in nearly a year, and their Professional Network lumps TrackBack spam in with comment spam and advises use of tools like MT-Blacklist for both. The result is a perception that no fix is coming, which leads people to abandon ship rather than wait for a fix they think will never come.