July 1, 2005

Trackback Spambot

For the past 5 months, one particular group of trackback spammers has been hammering away at this blog. They started at the beginning of February, and I wrote briefly about them at that time.

Despite their initial lack of success, they persisted in trying to post trackbacks through a dizzying array of anonymous proxies. I had to fine-tune my blocking methods, and a quiet arms-race ensued.

Trackback spam per month: 1439, 1987, 5159, 1727, 12871 spams
Automated Trackback Spam, Feb-Jun 2005.

In February, they made a total of 1439 attempts. By June, that number had mushroomed to 12871 attempts/month (yep, that’s an average of 429 trackbacks/day).

You might think that thousands of failed pings would be a bit … discouraging. But they, apparently, have a naïve faith that, if only they can hit me with enough trackback pings, some will surely go through.

I’m happy to report that legitimate trackbacks, while not very numerous (55 during the time interval in question) have been unaffected. And I’ve been doing my best to tarpit the trackback spammers, on the theory that if they’re consuming CPU cycles attacking me, they’re not using them to attack someone else.

Still, I gotta wonder how long this will go on, before they either give up in disgust, or find a way around my blocks[1].

[1] For obvious reasons, I’m reluctant to divulge the details of my methods, at the moment. But you can be sure that I have found SpamLookup and MovableType’s built-in Trackback throttle to be indispensable lines of defence.

Posted by distler at July 1, 2005 12:05 AM

9 Comments & 1 Trackback

Re: Trackback Spambot

I’ve had some battles with spammers, as well. After seeing an increase in activity a couple of weeks ago, I seem to be experiencing a lull at the moment. I’m worried that it might just be the calm before the storm, though.

I ended up implementing an automated system[1] that tied into my host’s firewall rules. When I detect spam via my blog or my email service, the client IP goes into a database. After the number of attempts from a particular IP crosses a threshold, the IP is blocked at the firewall level until a certain amount of time passes with no further activity from that IP.


Posted by: Dougal Campbell on July 1, 2005 10:10 AM
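The threshold-and-idle-expiry scheme described in the comment above, as an added example (not Dougal Campbell's system or any code from this page). The class name, default values, and the choice to let sub-threshold counts age out on the same timer are assumptions; a real deployment would push the block decision into firewall rules.

```python
from dataclasses import dataclass, field

@dataclass
class IdleExpiryBlocklist:
    threshold: int = 3            # assumed: spam detections before blocking
    idle_seconds: float = 3600.0  # assumed: quiet time before an IP is released
    _seen: dict = field(default_factory=dict)  # ip -> [hits, last_activity]

    def _expire(self, ip, now):
        # Forget an IP once it has been silent for the full idle window.
        entry = self._seen.get(ip)
        if entry is not None and now - entry[1] >= self.idle_seconds:
            del self._seen[ip]

    def record_spam(self, ip, now):
        """Log one detected spam attempt; return True if ip is now blocked."""
        self._expire(ip, now)
        entry = self._seen.setdefault(ip, [0, now])
        entry[0] += 1
        entry[1] = now
        return entry[0] >= self.threshold

    def is_blocked(self, ip, now):
        """Firewall-side check. A hit from a blocked IP counts as activity,
        so a bot that keeps hammering never ages out of the block."""
        self._expire(ip, now)
        entry = self._seen.get(ip)
        if entry is None or entry[0] < self.threshold:
            return False
        entry[1] = now
        return True

def replay(blocklist, events):
    """Feed (time, ip) spam detections through the list; return block flags."""
    return [blocklist.record_spam(ip, t) for t, ip in events]

if __name__ == "__main__":
    bl = IdleExpiryBlocklist(threshold=3, idle_seconds=600)
    # Constructed sample: one persistent source, then five one-shot sources
    # (documentation-range addresses, not real traffic).
    single = [(0, "192.0.2.10"), (10, "192.0.2.10"), (20, "192.0.2.10")]
    rotating = [(30 + i, f"198.51.100.{i}") for i in range(5)]
    print(replay(bl, single))    # third attempt crosses the threshold
    print(replay(bl, rotating))  # no single address reaches the threshold
```

The second replay shows the limitation raised in the reply that follows: sources that each appear only once never accumulate enough hits to be blocked.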

IP blocking

This group of spammers operates from behind a large number (many hundreds) of open proxy servers, thereby hoping to defeat an IP-based blocking technique.

Your methods are interesting, though …

Posted by: Jacques Distler on July 1, 2005 10:18 AM

Re: Trackback Spambot

Any idea why they target you in particular? On my blog I had a bit of trackback spam until I set it to moderate, and so far I’ve gotten 3 since then, which was a couple months ago. (Obviously that wouldn’t work for you…)

Also, are all these spams valid XHTML? What about the legitimate trackbacks? Is that useful in filtering at all?

Posted by: dolphinling on July 1, 2005 1:25 PM

Why me?

I strip the HTML from any trackbacks I receive. There’s no particular reason to expect, nor good way to ensure validity of the little excerpt that gets sent.

I don’t think I’m being targeted in particular. I imagine that most bloggers would have given up in despair and disabled trackbacks after receiving the first couple of hundred, back on Feb. 1.

I think I just stayed on their list of blogs to attack, 'cuz mine continues to accept trackbacks. Probably, I could make them go away if I started returning a fake 404 in response to their pings.

But, then, I’d miss out on the fun of tarpitting them …

Posted by: Jacques Distler on July 1, 2005 1:44 PM
Read the post Scalable Vector Graphics on a Mac
Weblog: thoughton:digitallife
Excerpt: I was browsing around today (using Safari 2.0 on Tiger) when I came across this entry on Jacques Distler's Musings blog which produced a 'missing plugin' message:...
Tracked: July 1, 2005 1:43 PM

Re: Trackback Spambot

Thanks for visiting and the helpful corrections and comments about the Adobe SVG plugin. I have installed it now, and your trackback chart now has numbers! (Which raises the question, is there some way to tell if a webpage image is SVG without right-clicking every one?)

Glad to see my trackback made it through your defences. Good luck in your battle!

Posted by: Tim Houghton on July 1, 2005 3:22 PM


Which raises the question, is there some way to tell if a webpage image is SVG without right-clicking every one?

Well, thanks to your experience, at least here at Musings, all such posts will, henceforth, be labeled with an attractive logo, which links to the Adobe Plugin download page.

Posted by: Jacques Distler on July 1, 2005 5:53 PM

Re: Trackback Spambot

and both have DNS lookup services where you can query to see if something is coming from a known open proxy (with Spamhaus, you can also find out if it’s from a known compromised machine).

Cutting those out prevents a HUGE amount of spam of all sorts, once you figure out how to moderate trackbacks.

Posted by: Charles on July 12, 2005 6:52 AM
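The kind of DNS blocklist lookup the comment above refers to, as an added example (not code from this page or from any blocklist operator). The zone name is a placeholder, and `check_dnsbl` with its return labels is hypothetical; the query-name layout and the 127.0.0.0/8 answer convention follow RFC 5782.

```python
import ipaddress
import socket

ZONE = "dnsbl.example.invalid"  # placeholder zone, not a real service
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone=ZONE):
    """Build the lookup name: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def check_dnsbl(ip, zone=ZONE, resolve=socket.gethostbyname):
    """Return 'listed', 'not-listed' or 'error' for the client address.

    resolve is injectable so the logic can be exercised offline."""
    try:
        answer = ipaddress.ip_address(resolve(dnsbl_query_name(ip, zone)))
    except socket.gaierror as exc:
        # Only "no such name" means the address is absent from the list;
        # timeouts and other resolver failures must not be read as "clean".
        return "not-listed" if exc.errno == socket.EAI_NONAME else "error"
    # Listings answer inside 127.0.0.0/8. Anything else usually means a
    # resolver that rewrites NXDOMAIN or a zone that is no longer served,
    # and treating it as a listing would reject every sender.
    return "listed" if answer in LISTED_NET else "error"

if __name__ == "__main__":
    # Constructed stub answers standing in for a live resolver.
    def stub(answers):
        def resolve(name):
            if name not in answers:
                raise socket.gaierror(socket.EAI_NONAME, "no such name")
            return answers[name]
        return resolve

    fake = stub({"99.2.0.192." + ZONE: "127.0.0.2",
                 "7.113.0.203." + ZONE: "203.0.113.50"})
    for client in ("192.0.2.99", "198.51.100.4", "203.0.113.7"):
        print(client, check_dnsbl(client, resolve=fake))
```

An "error" result is best sent to moderation rather than accepted or rejected outright.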

Re: Trackback Spambot

These spam bots are hard on not just the people receiving the trackbacks but any proxy service being exploited by these bots, cgi proxy sites need to also take steps to fight spam throughput.

It's only one channel spammers are using out of many to fool the IP based filters.

Posted by: cgi proxy guy on January 22, 2007 1:39 AM

Re: Trackback Spambot

I realize this is a rather old topic; however, if anyone still monitors this topic, could you answer this for me? Would the spambots be able to use sites which run a phproxy script? What effect would this bot have on the system resources of a site running this script? The spambot would be very hard on the system resources of the server running CGI proxy as this script is very hard on resources.

Posted by: Mr_Bill on April 28, 2007 7:46 PM

