pf » Trackback Salt

When I implemented the new trackback feature on my blog, I was aware that spammers like to use trackbacks, so I coded in a keyword blacklist. Roger Benningfield added a comment about track back autodiscovery and spamming that got me thinking.

Pete: Unless you've got some industrial-strength spam control running in the background, make sure you don't add any TB autodiscovery elements to your pages. 'Cause if you do, the bots will find you, and you'll wake up one morning with a few thousand Trackbacks for poker and drugs.

I had assumed that since I'm not using main stream blogging software, I wouldn't have much of a problem (I don't have much of a problem with comment spam), since my url's were not common. But My url's were quite easy to exploit I realized: http://www.petefreitag.com/tb/entryid all a spammer has to do is loop from 1 to n, and avoid my blacklist and they have just posted a trackback in all my posts... So my solution to this is Trackback Salt. I create a somewhat unique hash for each entry, and include it in the trackback url. That way its impossible for someone to just loop over all my entry id's.

There are lots of ways you can do this, you could create a salt based on the current day, so trackback url's would change every day. You could generate a unique id, and store it in your database, or you could simply use the entry id, and a predefined string to generate the hash.