When I implemented the new trackback feature on my blog, I was aware that spammers like to use trackbacks, so I coded in a keyword blacklist. Roger Benningfield added a comment about track back autodiscovery and spamming that got me thinking.
Pete: Unless you've got some industrial-strength spam control running in the background, make sure you don't add any TB autodiscovery elements to your pages. 'Cause if you do, the bots will find you, and you'll wake up one morning with a few thousand Trackbacks for poker and drugs.
I had assumed that since I'm not using main stream blogging software, I wouldn't have much of a problem (I don't have much of a problem with comment spam), since my url's were not common. But My url's were quite easy to exploit I realized:
https://www.petefreitag.com/tb/entryid all a spammer has to do is loop from 1 to n, and avoid my blacklist and they have just posted a trackback in all my posts... So my solution to this is Trackback Salt. I create a somewhat unique hash for each entry, and include it in the trackback url. That way its impossible for someone to just loop over all my entry id's.
There are lots of ways you can do this, you could create a salt based on the current day, so trackback url's would change every day. You could generate a unique id, and store it in your database, or you could simply use the entry id, and a predefined string to generate the hash.
- Over 90% of trackbacks were spam - March 2, 2006
- Google Blog Search - Not Impressed - September 14, 2005
- How I block comment spam - July 19, 2005
- Trackbacks working on my blog - March 29, 2005
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2
- Sessions don't work in Chrome but do in IE
- csrfVerifyToken does not invalidate the token
- The cf_sql_ is optional in cfqueryparam
- Cookie Expires / Max-Age 1969-12-31T23:59:59.000Z
- Burst Throttling on AWS API Gateway Explained
- How to Resolve Java HTTPS Exceptions