There's something a bit revealing in my access logs. Here's one entry:
207.8.131.172 - - [03/Jul/2004:01:32:35 +0000] "GET /2004/May/09/nigritude_ultramarine.html HTTP/1.0" 200 10871 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
207.8.131.172 - - [03/Jul/2004:01:32:37 +0000] "POST /scgi-bin/mt/ping.cgi/1795 HTTP/1.0" 200 84 "" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
Now, maybe this is just me, but I don't see how it's possible to switch from IE6 in Windows XP to IE 5.5 in Windows Me in 2 seconds, unless someone's using VMware. Or, more likely, one or more of those is faked, especially as it didn't request my stylesheet or the external JavaScript file for TypeKey integration. A lot of others sent a Typepad user agent instead of an IE5.5/Win Me agent.
I also found that IP blocking hasn't been as much of a failure as I thought - I've had a number blocked. As Richy said, a number of these have been computers owned by the US military, which is both amusing and also very, very scary at the same time.
One thing I did find interesting was that I only had one GET request for any of the IP addresses used today, which was the one above. I reckon they have used that to find out what my trackback script is called, and then appended random numbers to it. Some of the pings were to entries where trackbacks had been closed for some months now. Richy says that despite renaming his script the attackers came back, so it's possible that they're rediscovering the script name once a day, or something.
Incidentally, this isn't an MT-only phenomenon, as Les has been hit - he uses pMachine's ExpressionEngine. Therefore, my theory is that it is parsing the RDF code block with the trackback data to get the trackback URL, so any blogging system which includes that is potentially affected (assuming I'm correct).
Like Jay, I am surprised it has taken so long for trackback spam to get off the ground, considering how easy it is. I'm starting to wonder, what with the problems with character encodings that I've heard the likes of Sam Ruby and Jacques Distler talk about, and now this, that maybe we need a Trackback 2.0 system that addresses some of the problems with the existing system.
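The two signals described in the post (a User-Agent that changes within seconds on one address, and a page fetch that never pulls the stylesheet or script) can be checked mechanically over an access log. This is an added example, not part of the original post; the 10-second window, the asset pattern and the 192.0.2.10 log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
PING_PREFIX = "/scgi-bin/mt/ping.cgi"       # trackback script path quoted in the post
ASSET_RE = re.compile(r"\.(css|js)(\?|$)")  # assumption: page assets end in .css/.js
UA_WINDOW = timedelta(seconds=10)           # assumption: tune per site

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines that do not parse are skipped, not guessed at
            yield {**m.groupdict(), "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def suspicious_pingers(lines):
    """Return {ip: [reasons]} for clients that POST to the trackback script."""
    by_ip = defaultdict(list)
    for hit in parse(lines):
        by_ip[hit["ip"]].append(hit)
    report = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda h: h["ts"])
        if not any(h["method"] == "POST" and h["path"].startswith(PING_PREFIX) for h in hits):
            continue
        reasons = []
        if any(a["ua"] != b["ua"] and b["ts"] - a["ts"] <= UA_WINDOW
               for a, b in zip(hits, hits[1:])):
            reasons.append("user-agent changed within window")
        # A browser that loads a page also loads its stylesheet and scripts
        if any(h["method"] == "GET" for h in hits) and not any(ASSET_RE.search(h["path"]) for h in hits):
            reasons.append("page fetched without stylesheet or script")
        if reasons:
            report[ip] = reasons
    return report

SAMPLE = [  # first two entries are quoted from the post; the 192.0.2.10 ones are constructed
    '207.8.131.172 - - [03/Jul/2004:01:32:35 +0000] "GET /2004/May/09/nigritude_ultramarine.html HTTP/1.0" 200 10871 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '207.8.131.172 - - [03/Jul/2004:01:32:37 +0000] "POST /scgi-bin/mt/ping.cgi/1795 HTTP/1.0" 200 84 "" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"',
    '192.0.2.10 - - [03/Jul/2004:02:00:01 +0000] "GET /styles.css HTTP/1.1" 200 900 "/index.html" "ExampleBrowser/1.0"',
    '192.0.2.10 - - [03/Jul/2004:02:00:09 +0000] "POST /scgi-bin/mt/ping.cgi/12 HTTP/1.1" 200 84 "" "ExampleBrowser/1.0"',
]

if __name__ == "__main__":
    print(suspicious_pingers(SAMPLE))
```

Several machines behind one NATed address can also produce a User-Agent change, so treat each reason as a signal to weigh rather than proof of a script.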

Well, for one thing, Six Apart could follow through with the full implementation of the spec.
Notice the deprecation at the bottom under v1.1: GET requests. Uh uh.. Still there.
Now sure, someone could write a script that POSTs the data instead, but at least this would, as Phil Ringnalda once said, raise the bar so that at least a basic knowledge of the LWP module (or comparable in other languages) is required.
(By the way, Neil, you have that data loss bug on registered preview. Are you using the MTCommentFields tag? You may want to scrap that in favor of the full template code..)
They could of course both be on the same NATed network, but yes - chances are they are both scripts rather than real people.
Being I am military I have been in contact with the appropriate .mil security people and they are working this very diligently. I would like forwarded to me at geek@geeknewscentral.com any 198.x.x.x IPs or any others that tracert back to a .mil address.