The TrackBack Validator plugin for WordPress performs a simple but very effective test on all TrackBacks in order to stop spam.

Legitimate TrackBacks are sent by people commenting on your weblog, accompanied by a URL that points to that commentary. Spam TrackBacks are accompanied by a URL that points to a pay-per-click affiliate website or other irrelevant material. The Validator exploits this key difference:

1. When a TrackBack is received, the plugin retrieves the Web page located at the URL included in the TrackBack.
2. If the page contains a link to your weblog, the TrackBack is approved.
3. If the page does not link to your weblog, the TrackBack is flagged as spam and rejected.

Because TrackBack spammers do not set up custom Web pages linking to the weblogs they attack, this simple test will quickly reveal illegitimate Trackbacks.

We are actively developing additional heuristics to add to the plugin; if you observe TrackBack spam that makes it past this plugin, please let us know.

—Dan Sandler and Andy Thomas

Downloads

• TrackBack Validator Plugin v0.7.1 (ZIP)
• Older versions: v0.7, v0.6

Installation

Prerequisites: You need an installation of WordPress version 1.5 or later.

1. Unzip the trackback_validator_VERSION.zip file; it will contain the file README.txt and the directory TBValidator. Move TBValidator to your <wordpress-directory>/wp-content/plugins directory.
2. Using the WordPress administration interface, turn on the Validator from the “Plugins” page.
3. The “Options” page will now have an additional tab, “Trackback Validator,” which allows you to configure the plugin and to see a graph of recent trackback classifications (see the screenshot).

Changelog

• version 0.7.1 [21-May-2006]
  • Fixes a bug with WordPress 2.x blogs.
• version 0.7 [17-May-2006]
  • Removed problematic dynamic link page detection. (Additional research will tell us what exactly we need to look for in order to defend against dynamically generated spam sites; since we’ve never seen any of these in the wild, it’s not currently a high priority anyway.)
  • Improved the robustness of data reporting. Reports now use an HTTP POST interface and will submit data to trackback-db.cs.rice.edu, rather than a fragile IP address (!). Data reported by our users is crucial to the research process; see our forthcoming technical report to see how this data is used.
  • Fixed the trackback history graph. It would silently fail on hosts without GD installed; the new version doesn’t require GD at all (and is therefore a lot simpler).
• version 0.6 [announced 19-Nov-2005]
  • Added a simple check against spammers’ dynamic link pages.
  • Simplified the data submission routines.
  • Set up framework for PageRank comparisons.
  • Cleaned up code.
• version 0.5 [announced 24-Aug-2005]
  • first iteration

A plea for help

This is the subject of active research by the Computer Security Lab at Rice University. We ask you to enable the “Submit Data” option, to send data back to us for scholarly analysis. You’re free to use this plugin without reporting data, but your data is important to us as we attempt to understand the evolving attack profiles of weblog spammers.

Screenshot

Support

For the time being, just get in touch with us if you run into bugs (or false negatives/positives).