By Pete Freitag
When I implemented the new trackback feature on my blog, I was aware that spammers like to use trackbacks, so I coded in a keyword blacklist. Roger Benningfield added a comment about trackback autodiscovery and spamming that got me thinking:
Pete: Unless you've got some industrial-strength spam control running in the background, make sure you don't add any TB autodiscovery elements to your pages. 'Cause if you do, the bots will find you, and you'll wake up one morning with a few thousand Trackbacks for poker and drugs.
I had assumed that since I'm not using mainstream blogging software, I wouldn't have much of a problem (I don't have much of a problem with comment spam), since my URLs were not common. But I realized my URLs were quite easy to exploit:
https://www.petefreitag.com/tb/entryid. All a spammer has to do is loop from 1 to n, get past my blacklist, and they have just posted a trackback on every one of my posts. So my solution to this is Trackback Salt: I create a somewhat unique hash for each entry and include it in the trackback URL. That way it's impossible for someone to just loop over all my entry IDs.
There are lots of ways you can do this. You could create a salt based on the current day, so trackback URLs would change every day; you could generate a unique ID and store it in your database; or you could simply use the entry ID and a predefined string to generate the hash.
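Here is an added example (not the blog's own code) of the last two variants described above: the salt is a keyed hash over the entry ID, optionally combined with the current date so the URL rotates daily, and the receiving side re-derives it before accepting a trackback. The `/tb/<entry id>/<salt>` path layout, the `SECRET` value and the one-day grace window for the rotating variant are assumptions for illustration; only the `https://www.petefreitag.com/tb` prefix comes from the post.

```python
import datetime
import hashlib
import hmac
from typing import List, Optional

# Server-side secret (constructed placeholder; use a long random value in practice).
# This is the "predefined string" from the post, used as an HMAC key rather than
# simply concatenated, so the salt cannot be recomputed without it.
SECRET = b"replace-with-a-long-random-secret"

# Trackback URL prefix from the post; the /<entry id>/<salt> layout is assumed.
BASE_URL = "https://www.petefreitag.com/tb"


def trackback_token(entry_id: int, day: Optional[str] = None, secret: bytes = SECRET) -> str:
    """Return the per-entry salt.

    HMAC-SHA256 over the entry id (and, for the rotating variant, an ISO date),
    truncated to 16 hex characters. Looping over entry ids 1..n no longer works,
    because the salt for each id depends on the secret.
    """
    message = str(entry_id)
    if day is not None:
        message += ":" + datetime.date.fromisoformat(day).isoformat()
    digest = hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()
    return digest[:16]


def trackback_url(entry_id: int, day: Optional[str] = None) -> str:
    """Build the salted trackback URL that is published for an entry."""
    return f"{BASE_URL}/{entry_id}/{trackback_token(entry_id, day)}"


def _candidate_tokens(entry_id: int, day: Optional[str], grace_days: int) -> List[str]:
    # For the daily-rotating variant, a URL fetched yesterday is still honoured
    # for `grace_days` days; the fixed variant has exactly one valid salt.
    if day is None:
        return [trackback_token(entry_id)]
    today = datetime.date.fromisoformat(day)
    return [
        trackback_token(entry_id, (today - datetime.timedelta(days=back)).isoformat())
        for back in range(grace_days + 1)
    ]


def verify_trackback_path(path: str, day: Optional[str] = None, grace_days: int = 1) -> Optional[int]:
    """Validate the path of an incoming trackback ping.

    Returns the entry id when the salt matches, otherwise None. The comparison
    is constant-time so the salt cannot be recovered byte by byte from timing.
    """
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "tb" or not parts[1].isdigit():
        return None
    entry_id, presented = int(parts[1]), parts[2].encode()
    for expected in _candidate_tokens(entry_id, day, grace_days):
        if hmac.compare_digest(presented, expected.encode()):
            return entry_id
    return None


if __name__ == "__main__":
    url = trackback_url(42)
    print("published:", url)
    print("accepted:", verify_trackback_path(url[len("https://www.petefreitag.com"):]))
    print("guessed id, no salt:", verify_trackback_path("/tb/42/0000000000000000"))
```

Keep the secret out of the templates and out of version control; rotating it invalidates every published trackback URL at once, which is also a quick way to shut down a spam wave against the fixed variant.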
Trackback Salt was first published on March 30, 2005.