I just posted this issue: http://drupal.org/node/45902

I've implemented it on my site but it's a little early to tell how well it will work. The idea is simple and ought to help.

Namely ... when an incoming trackback request arrives, there is a page from which the trackback is being requested. The idea is to check that page and determine whether that page refers to my page.

The typical use of trackback is to write an article that refers to someone else's article. In that case you're going to link to the article you're writing about, yes? That's the situation I want to encourage.

With the trackback spammers I'm seeing, most of the time their source URL is, e.g., their home page, and doesn't refer to my page at all. That's the situation I want to discourage.

By the way, there's something terribly wrong with the SURBL the spam module checks. It thinks my domain (7gen.com) is a phishing site... which, absolutely and completely, is untrue.

Comments?

- David Herron, http://www.7gen.com/
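
The check described in the post above, as an added example that is not part of the original post and is not the patch attached to the issue: given the HTML already fetched from the trackback's source URL, accept the ping only if an `<a href>` on that page points at the target post. The function names, the URL normalization rules and the sample HTML are assumptions made for illustration.

```php
<?php
// Added illustration; function names and normalization rules are assumptions,
// not code from trackback.module. Fetching the source page is out of scope:
// do it with a short timeout, a size cap, and http/https URLs only.

/** Reduce a URL to host + path + query so trivially different forms compare equal. */
function tb_normalize_url(string $url): ?string {
    $p = parse_url(trim($url));
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;                      // relative or malformed: cannot match
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;                      // ignore javascript:, mailto:, ...
    }
    $host  = preg_replace('/^www\./', '', strtolower($p['host']));
    $path  = rtrim($p['path'] ?? '', '/');
    $query = isset($p['query']) ? '?' . $p['query'] : '';
    return $host . $path . $query;        // fragment is dropped on purpose
}

/** True if the fetched source page contains a real <a href> to the target post. */
function tb_source_links_to(string $html, string $target): bool {
    $want = tb_normalize_url($target);
    if ($want === null || trim($html) === '') {
        return false;
    }
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate sloppy markup quietly
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    foreach ($doc->getElementsByTagName('a') as $a) {
        if (tb_normalize_url($a->getAttribute('href')) === $want) {
            return true;
        }
    }
    return false;                         // no anchor points at the target post
}

// Constructed sample pages (not real trackback traffic).
$target    = 'http://www.7gen.com/blog/computers/carchip---explore-the-data-recorded-by-your-car/770';
$citing    = '<p>See <a href="http://7gen.com/blog/computers/carchip---explore-the-data-recorded-by-your-car/770/#comments">this review</a>.</p>';
$unrelated = '<p><a href="http://example.com/">Home</a> <a href="/about">About</a></p>';

var_dump(tb_source_links_to($citing, $target));     // page that cites the post
var_dump(tb_source_links_to($unrelated, $target));  // home page with no reference
```

The normalization treats `www.7gen.com` and `7gen.com` as the same host and ignores the scheme, a trailing slash and any fragment, so a legitimate link written slightly differently from the canonical URL still passes.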

Comments

reikiman’s picture

In the past I've gotten tons of spam trackbacks, but lately there's been only a few.

In any case, I wrote the patch to the trackback.module this morning ... and just a few minutes ago received a trackback attempt which was blocked by my patch. Here are the details:

Page requesting trackback does not refer to 
<em>http://www.7gen.com/blog/computers/carchip---explore-the-data-recorded-by-your-car/770</em>, 
source is <em>http://b-link.ch/cure/carpal-tunnel-syndrome.htm</em>

- David Herron - http://7gen.com/

FlemmingLeer’s picture

I posted this earlier as a way of hiding the trackback and reducing the server load.

But I don't know how to implement it.

http://drupal.org/node/29792

reikiman’s picture

Did you look at the trackbacks on that article? The last one is obvious spam.

- David Herron - http://7gen.com/

FlemmingLeer’s picture

Damn... :/

I left a notice on his site.

I rather like the idea of hiding the trackback URLs and thus saving both computer time and bandwidth.

WordPress has another way around also with some JavaScript coding. I will see if I can find out how they do it.

FlemmingLeer’s picture

Hi Reikiman,

Perhaps using a captcha before accessing the trackback URL could prevent bots from posting it.

http://drupal.org/project/captcha

I do hope somebody with programming skills would pick the JavaScript idea up and use it.

The whole idea of adding yet another PHP script just eats away resources that could be used for better purposes - imho.

reikiman’s picture

So far my suggestion isn't to add a new PHP script, but to add some upfront checks in the trackback module. I think if the trackback module can proactively detect a questionable trackback, that it saves a lot of effort over the current system where all trackbacks are accepted and you rely on either the spam module or the administrator to inspect each trackback.

What you're saying is interesting ...

First you'd have to toss out automatic trackback discovery. ATD places some hidden data describing the trackback URL that software is supposed to pick up. Of course that makes for a wide open door for spammers to scan looking for ATD declarations and post to them.

What I've seen a lot of sites do, that's like what you're suggesting, is ... on the blog posting page is a link, the link causes a dialog to pop up, and that dialog has the text of the trackback URL. I suppose there could be a captcha step to that dialog...?

I think there's value in making trackback be a manual step. I get zero comment spam but have gotten tens of thousands of trackback spams. On my site commenters have to register, which stops spammers in their tracks but maybe is also why I get very few comments. If sending a trackback cannot be automated, then wholesale trackback spam would stop.

- David Herron - http://7gen.com/

FlemmingLeer’s picture

What I've seen a lot of sites do, that's like what you're suggesting, is ... on the blog posting page is a link, the link causes a dialog to pop up, and that dialog has the text of the trackback URL. I suppose there could be a captcha step to that dialog...?

Yes, exactly :)

I think there's value in making trackback be a manual step. I get zero comment spam but have gotten tens of thousands of trackback spams. On my site commenters have to register, which stops spammers in their tracks but maybe is also why I get very few comments. If sending a trackback cannot be automated, then wholesale trackback spam would stop.

Few comments are normal I guess. I think people don't see the option to participate. They kind of think that using the net is something like watching TV and go into passive mode.

But it would be great if wholesale trackback spam (aka. splog) would stop, wouldn't it?

added: CET 2:25 pm
I emailed http://www.i-marco.nl/weblog/
and he simply forgot to enable a server generated key correctly. So now spam shouldn't get through.

Can it be ported to Drupal without too much work?
Its code is included in
http://www.i-marco.nl/pivot-blacklist-0.9.1a.zip
found via
http://www.i-marco.nl/weblog/archive/2005/08/24/trackback_spam_eliminated