Neil Turner's Blog

Blogging about technology and randomness since 2002

Temporary trackback spam solution

I’ve found another method for potentially reducing trackback spam, this time blocking them at the server level. The code below is for Movable Type but could be rewritten for any system that allows for pings. You’ll need to be on an Apache web server with mod_rewrite enabled for this to work.


In your Movable Type CGI folder create a file called .htaccess and add the following lines:

<Files mt-tb.cgi>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^Mozilla
RewriteRule .* http://www.example.com/ [R,L]
</Files>

(If you already have a .htaccess file in that folder then just add this on to the end of it)
Replace example.com with a page on your site – in my case this is a ‘trackback help‘ document, but you could just use your home page – then save it.
What this bit of code does is redirects any pings where the user agent appears to be that of a web browser to another page. Almost all web browsers have a user agent string starting with “Mozilla”, so we use this as the trigger for the redirect.
Why does this stop spam? It would seem that a lot of trackback spam comes in with a web browser user agent (incidentally mimicking IE5.5 under Windows Me), yet most legitimate pings have user agents like ‘MovableType/3.14’, or none at all. So the spam pings would be redirected to another page, while the legitimate pings would be accepted as normal.
It also has the advantage that if a user tries to visit the trackack URL in a browser, they won’t get a confusing bit of XML but perhaps a friendly error message or at least something resembling a proper web page.
However, you will have noticed that I’ve called this a ‘temporary’ solution. Doing the above will stop a number of the current trackback spam bots, but I doubt it will stop the next generation of them. They’re already forging the user agent string to send the pings so forging them again to match those of popular weblog products would be a trivial task. But, for now, this may afford you a bit of extra protection.

6 Comments

  1. Is this working for you? I just got flooded with another 40 pings.

  2. It seems to be working for me, yes. I did a scan of my raw Apache logs just now and all the spammy pings were blocked.

  3. TrackBack Spam Alert: Dealing With Trackback Spam

    Spammers appear to have discovered TrackBack in a more significant way today. The discussion on the Moveable Type professional developers mailing list is full of folks watching TrackBack spam grow. Why is TrackBack spam an issue? It drives traffic t…

  4. Add:
    RewriteCond %{REQUEST_METHOD} ^POST$
    If you use a trackback popup, people won’t be able to get the trackback link unless you add the above…

  5. links for 2005-02-05

    Neil’s World – Temporary trackback spam solution seems very successful so far, no trackback spam since (categories: trackback spam htaccess)…

  6. 스팸 트랙백 공격중 (Tackback Spam)

    드디어 올 것이 왔네요.
    오늘 드디어 ‘텍사스 홀뎀’인가 하는 유명한 키워드로
    스팸 트랙백 공격이 시작되었는데, mt-blacklist로는 방어가
    되지 않네요.