There’s something a bit revealing in my access logs. Here’s one entry:
184.108.40.206 - - [03/Jul/2004:01:32:35 +0000] "GET /2004/May/09/nigritude_ultramarine.html HTTP/1.0" 200 10871 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
220.127.116.11 - - [03/Jul/2004:01:32:37 +0000] "POST /scgi-bin/mt/ping.cgi/1795 HTTP/1.0" 200 84 "" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
I also found that IP blocking hasn’t been as much of a failure as I thought – I’ve had a number blocked. As Richy said, a number of these have been computers owned by the US military, which is both amusing and also very, very scary at the same time.
One thing I did find interesting was that I only had one GET request for any of the IP addresses used today, which was the one above. I reckon they have used that to find out what my trackback script is called, and then appended random numbers to it. Some of the pings were to entries where trackbacks had been closed for some months now. Richy says that despite renaming his script the attackers came back, so it’s possible that they’re rediscovering the script name once a day, or something.
Incidentally, this isn’t an MT-only phenomenon, as Les has been hit – he uses pMachine’s ExpressionEngine. Therefore, my theory is that it is parsing the RDF code block with the trackback data to get the trackback URL, so any blogging system which includes that is potentially affected (assuming I’m correct).
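The pattern described above (trackback POSTs from addresses that never fetched a page, some aimed at entries whose trackbacks are closed) can be checked mechanically. The following is an added example, not code from the original post: the sample log lines are constructed using documentation-range IP addresses, and `closed_entries` is a hypothetical set of entry ids you would supply from your own blog.

```python
import re
from collections import defaultdict

# Combined Log Format, matching the layout of the entries quoted in the post.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Trackback endpoint path as it appears in the post's log; the suffix is the entry id.
PING_RE = re.compile(r'^/scgi-bin/mt/ping\.cgi/(?P<entry>\d+)$')

def find_blind_pings(lines, closed_entries=frozenset()):
    """Return trackback POSTs from clients that made no GET anywhere in `lines`.

    closed_entries: hypothetical set of entry ids (strings) with trackbacks closed.
    """
    gets = defaultdict(int)   # GET count per client address
    pings = []                # (ip, entry id, timestamp) for each trackback POST
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue          # skip lines that are not in combined format
        if m["method"] == "GET":
            gets[m["ip"]] += 1
        elif m["method"] == "POST":
            p = PING_RE.match(m["path"])
            if p:
                pings.append((m["ip"], p["entry"], m["ts"]))
    # Filter only after the full pass, so a GET later in the log still counts.
    return [
        {"ip": ip, "entry": entry, "time": ts, "closed": entry in closed_entries}
        for ip, entry, ts in pings
        if gets[ip] == 0
    ]

# Constructed sample input (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE = [
    '192.0.2.10 - - [03/Jul/2004:01:32:35 +0000] "GET /2004/May/09/nigritude_ultramarine.html HTTP/1.0" 200 10871 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.7 - - [03/Jul/2004:01:32:37 +0000] "POST /scgi-bin/mt/ping.cgi/1795 HTTP/1.0" 200 84 "" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"',
    '198.51.100.8 - - [03/Jul/2004:01:32:41 +0000] "POST /scgi-bin/mt/ping.cgi/1212 HTTP/1.0" 200 84 "" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    '192.0.2.10 - - [03/Jul/2004:01:33:02 +0000] "POST /scgi-bin/mt/ping.cgi/1800 HTTP/1.0" 200 84 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]

if __name__ == "__main__":
    for hit in find_blind_pings(SAMPLE, closed_entries={"1212"}):
        print(hit)
```

Clients behind a shared proxy or NAT can blur the per-address GET count, so treat the result as a list to review rather than an automatic block list.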
Like Jay, I am surprised it has taken so long for trackback spam to get off the ground, considering how easy it is. I’m starting to wonder, what with the problems with character encodings that I’ve heard the likes of Sam Ruby and Jacques Distler talk about, and now this, that maybe we need a Trackback 2.0 system that addresses some of the problems with the existing system.