Population Statistic: Read. React. Repeat.
Wednesday, May 17, 2021

no longer valid?
When I started using Rice University’s Trackback Validator plugin for WordPress back in October, I knew it wouldn’t work forever:

I’m not fooling myself that this is a permanent solution. At some point, spammers are going to figure out how to beat this; I can’t imagine it’d be that hard to scrape permalinks, post them to a site, and then send forth the trackback. But until that happens, this’ll do.

Well, it took them half a year to figure it out, but tonight it happened: I received a spam pingback (spingback?) from a spam blog, and the Validator let it through clean. Which it should have, because indeed, the splog sent its pingback the way any pingback is sent: via a post that contained a valid permalink to my targeted blog posting, obviously obtained via an automated scraping program.

In short, this is exactly the way to beat the fundamental method that Validator and similar spam filters use to identify spams. Which means that this level of protection is dead, or will be soon enough.

So, I’m going to have to go with something else, unless I want to log in to a few hundred spingbacks every day. The obvious choice is Akismet and/or Bad Behavior. Of course, it may be tough to get up-to-date versions of those plugins for the version of WordPress I’m running, which means I might have to bite the bullet and upgrade to WP 2.x. Which I’d like to avoid, because upgrades tend to cause headaches for this ol’ blog (and I have even less time to deal with that sort of mess these days than I used to).

I guess this new strain of pinging attack is related to the general rise in malicious comment/ping spam that’s been affecting blogs far and wide. Just this past week, Gary Said, Dustbury, and MemeMachineGo! have written about the uptick of digital sludge heading their way. Looks like the spammers are working overtime. Maybe they’ll eventually overwhelm every legitimate website in existence, and put us all out of our misery.

by Costa Tsiokos, Wed 05/17/2006 10:16:38 PM
Category: Bloggin'
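
The link-back check the post describes, as an added example that is not part of the original post and is not the Validator plugin's own code. It assumes a simplified model in which a trackback is accepted when the claimed source page contains a link to the target permalink; the URLs and page snippets are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _Hrefs(HTMLParser):
    """Collect the href of every <a> tag in a page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def _norm(url):
    """Compare URLs by host and path only (lower-cased host, no trailing slash)."""
    p = urlsplit(url.strip())
    return (p.netloc.lower(), p.path.rstrip("/"))

def links_back(source_html, target_permalink):
    """True if the claimed source page contains a link to the target permalink."""
    parser = _Hrefs()
    parser.feed(source_html)
    want = _norm(target_permalink)
    return any(_norm(h) == want for h in parser.hrefs)

# Constructed sample data: a hypothetical permalink and three source pages.
TARGET = "http://blog.example.com/2006/05/17/no-longer-valid/"
SOURCES = {
    "real blogger":
        '<p>Good post: <a href="http://blog.example.com/2006/05/17/no-longer-valid">here</a></p>',
    "classic trackback spam":
        '<p>Cheap pills <a href="http://spam.example.net/buy">buy now</a></p>',
    "splog with scraped permalink":
        '<p>keyword keyword <a href="http://spam.example.net/buy">buy</a> '
        '<a href="http://BLOG.example.com/2006/05/17/no-longer-valid/">x</a></p>',
}

def validate_all():
    """Run the link-back check on every sample page."""
    return {name: links_back(html, TARGET) for name, html in SOURCES.items()}

if __name__ == "__main__":
    for name, ok in validate_all().items():
        print(f"{name:30} {'accepted' if ok else 'rejected'}")
```

The splog page is accepted for the same reason the real blogger's page is: the check proves only that the source links to the target, not that the source is a genuine blog. Deciding that needs a second, content- or reputation-based layer such as the Akismet or Bad Behavior plugins named in the post.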

8 Feedbacks
  1. Wow! I got a “real” trackback from you for this. Trackbacks are so rare, I assumed at first it was spam.

    This spam problem is really too bad since trackbacks are so valuable and they so rarely get used.

    Thanks for the ping! Good luck if you do the update…

    Comment by Gary LaPointe — 05/17/2006 @ 11:16:19 PM

  2. So, this is pretty interesting. We’ve forced the spammers to change their tactics. That usually means you’re doing something right!

    Now, here’s the crux of the matter. If someone has set up a blog, and linked to yours from a stable URL, it kind of stretches the definition of spam. How does this differ from some blogger writing about your site, except that you disapprove of the content on that person’s blog?

    Increasingly we’re forcing spammers to act less like evil resource-sucking robots, and more like real humans. I agree that now we’re all forced to look at the comments posted to our blogs and decide, on a per-comment basis, whether we “like” the contents or not. I’m not aware of any general-purpose, reliable way to automatically filter out people you don’t like. (Such a device would be a big hit in the “real” world…)

    Comment by Dan Sandler — 05/17/2006 @ 11:42:40 PM

  3. Oh, by the way: you say you got a spam Pingback. The Validator doesn’t look at these at all, so I assume you meant to say TrackBack. (Right?)

    Comment by Dan Sandler — 05/17/2006 @ 11:54:58 PM

  4. […] An exciting development today, coincidentally hot on the heels of our 0.7 release: The existence of the Validator (and other tools now using the same technique) has forced spammers to change their tactics.

    Well, it took them half a year […]

    Pingback by Trackback Spam Resources » Blog Archive » Escalation! — 05/17/2006 @ 11:55:37 PM

  5. […] Updated: The powerful TrackBack Validator plugin for WordPress has been revved to version 0.7. This plugin kills almost all existing TrackBack, dead. [I say “almost” because I (coincidentally) received word today of a spammer who sets up real blogs to try to spam people. I think of this as a victory for our plugin: It has forced spammers to, you know, behave like real bloggers. Who’s to say a TrackBack from this guy is spam and not a legitimate link to your blog?] […]

    Pingback by dsandler.org ≡ Recent hacks. — 05/18/2006 @ 12:06:31 AM

  6. Dan: That is the bright-side way to look at it. But unfortunately, not very realistic.

    I’m not going to post the link to the site that sent the spingback — obviously, that’s only going to give it the linkage it’s seeking. But if you look at it (I sent you the link via email), you’ll see that it’s a blog in format only. It’s obviously an auto-generated product, solely for the purposes of aiding the dissemination of its spam — i.e., a splog.

    It’s not a case of me not liking that particular subject matter. Realistically, this is just a further evolution of spamming.

    I don’t mean to put across a harsh tone with you, Dan. Like I said, I appreciate the effort you’ve put toward the problem, and I’ve been happy to aid it in my small way. But the way I’m seeing it, it seems like the game’s over.

    Gary: I’ve been fortunate, in that the Validator had been deflecting the scores of spam trackbacks that have been coming at me since last Fall. So if I got a trackback, it was virtually always a real one.

    But yeah, like a lot of blogs, trackbacks of any sort are kinda rare. Actually, most of them come from me: I routinely send trackbacks to my own old posts when I link back to them. That’s why I’m loath to shut them off completely; I send a couple a week on average to my old posts.

    We’ll see how it plays out.

    Comment by CT — 05/18/2006 @ 12:09:43 AM

  7. A couple of anecdotal considerations for you:

    1. I upgraded my WordPress from 1.5 to 2.0 and it was entirely painless (yes, I did a complete backup first, just in case but, thankfully, I didn’t need it).

    2. I was using Akismet for a while and then, all of a sudden, I started getting more spam than I knew what to do with. Much of it was caught but some of it still fell through. Also, it was catching oh-so-few legit items, which I had to manually un-flag (this wasn’t so bad until the number of spams per day exceeded the queue of 150 items displayed; at that point, I couldn’t tell whether the other hundred or so-which I could not view-were legit or spam).

    Bottom line on #2 is that I started using dr Dave’s Spam Karma 2 and it ROCKS! If you haven’t already, you can check it out at http://unknowngenius.com/blog/wordpress/spam-karma/

    Good luck!

    Comment by Richard Harlos — 05/18/2006 @ 06:43:35 AM

  8. Thanks for sharing your experiences. For whatever reason, I’ve always had a rough time with WP installs, starting with the very first initial setup. So I’m not fooling myself that the next one is going to be anything less than a pain in the butt — it’s my destiny. :)

    Comment by CT — 05/18/2006 @ 11:30:04 PM
