16 Jun 2005: Interview with a Link Spammer
From earlier this year, an interview with a link spammer in The Register. (TB is mentioned as a fallback for when comment-based link spamming becomes too difficult.)
Judging by some of the recent articles on SpamHuntress (another site dedicated to analysis and eradication of spam, including trackback spam), there are indeed lists of vulnerable weblogs floating around the Internet—just like the lists of live addresses that email spammers buy and sell. Update: More SpamHuntress links, including her catalog of TB spam solutions and the new Spamhuntress Wiki, which includes some very interesting spammer profiles.
Found elsewhere: Analysis of one particular attack on WordPress blogs.
Unclear to me at this point is exactly the mechanism by which trackback spammers find their marks. There’s some evidence that there exist Web spiders which look for Movable Type trackback URLs at conventional locations (in particular, the amount of spam can be reduced by obfuscating this URL; see the previous post on best practices).
Presumably there are also more sophisticated spiders which examine pages for the magic bit of RDF XML which identifies the correct Trackback location; obviously obfuscation doesn’t help here. But how do the spiders find weblogs? It’s likely that they follow links from other weblogs that they know about. This would perhaps help account for the power-law distribution in spam: the more popular your site, the more inbound links, the more visible your site to attackers.
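A self-audit for the point above, as an added example that is not part of the original post: it parses the Trackback autodiscovery RDF out of a page you publish and reports whether a renamed ping URL is still being announced. It assumes `mt-tb.cgi` (Movable Type's default script name) as the "conventional location"; the sample page and the `blog.example` URLs are constructed.

```python
import re
import xml.etree.ElementTree as ET

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
TB_NS = "http://madskills.com/public/xml/rss/module/trackback/"
# Assumption: Movable Type's default script name is the "conventional location".
CONVENTIONAL = re.compile(r"/mt-tb\.cgi(/|\?|$)")
# Autodiscovery RDF normally sits inside an HTML comment, so match on raw text.
RDF_BLOCK = re.compile(r"<rdf:RDF\b.*?</rdf:RDF>", re.DOTALL)

def advertised_ping_urls(html):
    """Return every trackback:ping URL embedded as RDF in the page."""
    urls = []
    for block in RDF_BLOCK.findall(html):
        try:
            root = ET.fromstring(block)
        except ET.ParseError:
            continue  # malformed RDF is skipped rather than guessed at
        for desc in root.iter("{%s}Description" % RDF_NS):
            ping = desc.get("{%s}ping" % TB_NS)
            if ping:
                urls.append(ping)
    return urls

def audit(html):
    """Classify how the page exposes its Trackback endpoint."""
    urls = advertised_ping_urls(html)
    return {
        "advertised": urls,
        "conventional": [u for u in urls if CONVENTIONAL.search(u)],
        # Renaming the script does not help if the RDF announces the new name.
        "obfuscation_defeated": [u for u in urls if not CONVENTIONAL.search(u)],
    }

# Constructed sample: script renamed, autodiscovery RDF left in the template.
SAMPLE = """<html><body><p>Entry text</p>
<!--
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:dc="http://purl.org/dc/elements/1.1/"
         xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/">
<rdf:Description rdf:about="http://blog.example/archives/000012.html"
    dc:identifier="http://blog.example/archives/000012.html"
    dc:title="Sample entry"
    trackback:ping="http://blog.example/cgi-bin/tb-renamed.cgi/12" />
</rdf:RDF>
-->
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty `advertised` list means the page no longer announces its ping URL; that removes the RDF route only and also disables legitimate autodiscovery.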
Here’s an interesting corollary, gleaned from the WordPress 1.5 announcement:
WordPress 1.5 aims to bring the joy back to comments. […] if you forget about your blog for a little while you won’t come back to find your domain a nest of spam (which begets more spam) […]
The quote is part of a section touting the new whitelisting features in version 1.5, meant to keep the comments flowing from known-good writers. But why would spam beget more spam?
What Matt seems to be saying is that, much like email spammers who use various techniques (Web bugs in spam emails, for example) to determine that an email address is “live”, weblog comment and Trackback spammers may rely on successfully posted spam links to identify vulnerable sites. If a spammer sees your website in his referrer logs (even if none of your readers click on the spam links, Google sure will), he knows your site is ripe for further exploitation.
It would be interesting to observe the increase in comment spam associated with a few deliberate clicks to spam websites (using your weblog URL as the referrer). Is it possible to go from zero to spam in this way?
Let’s find out!
No contemporary discussion of the viability of Trackback would be complete without a reference to Tom Coates’ fatalistic article last month: Trackback is dead. Are Comments dead too?
Rounding up some reasonably authoritative links on current best practices in Trackback spam prevention:
Learning Movable Type: Trackback spam (Feb. 2, 2005). Techniques mentioned:
Plenty of additional links at the end of the article.
Matt Mullenweg: Trackback spam (Jan. 5, 2005). The original post isn’t much, but the discussion (in the form of comments, and, yes, trackbacks) offers a pretty good look at current best practices (geared toward WordPress users). Add to the above list of techniques:
WordPress wiki: Trackback Spam Tools/Plugins.
The manual said,
Hello world!
Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!
I took it to heart.
You can see the results.