2 edb Feb 13, 2007 14:01

Has the ability to see if they're actually tracking back not helped? I think that's in the basic antispam plugin but I'm not sure.
It's been on for the past week.
BTW I dig on "short trackbacks are DOA" thing. Sounds like a no-brainer instant win.
Ok, will definitely look more into it then. Any idea what the max length of a trackback is, like if I post a trackback how much of my post is actually sent?
I'll send you a trackback from a long post and we'll see. Delete it upon receipt since it'll be a redo of an oldie and will not be related.
It's a great idea, but I found it to be incomplete -- I implemented the same thing back in August and alluded to it, but wouldn't say exactly what I was doing, since some days, I swear the spammers read the blogs.
This is one of those things I'm not willing to share publicly, but it's not that big of a mystery if you compare a spam-laced trackback to a real one.
If you can figure out what I am talking about you are one step ahead of the spammers.
Troubleshooting -- I don't allow anyone using a proxy or ANY IP listed in Spamhaus from hitting my site.
I do a similar proxy check for trackbacks, and employ a blacklist check as well against a local blacklist.
Trackbacks come from proxies, 10 out of 10 times.
PS: balupton and yabba helped immensely with the blacklist part of the proxychecking. hell, it was yabba's idea.
EdB here is what came through:
<strong>To hell with the super bowl - this is real fun!</strong><br />Yeah maybe not. It's supposed to be some sort of 'be cool' system because people can vote you a negative score if you're not, and in general it works, but there's some funky shit you can do with it. When whoo first installed it on the forums I came u...
PS: balupton and yabba helped immensely with the blacklist part of the proxychecking. hell, it was yabba's idea.
When did I do what?
You helped, you just help so much you never realize with what you're helping.
I'm off, I have to sleep sometime.
Okay there you go. BTW I had to view source to see the full trackback URL of the post I trackbacked to. Your skin did not display the full thing and simply hid the rest (FF2). So anyway now you know.
What, I wonder, would be the shortest valid trackback? "Check out this post by foo" seems like a valid candidate though it's not in the true spirit of trackbackism. Anyway 5 or less words (though it may be a character count) seems right to me. What the heck though: if you make a plugin that does this you can make it user-definable with whatever default you're into.
So now trackbacks are on for my blog #1. We'll see what we see eh?
----------------
I was thinking of whoo's javascript protection, but apparently she's got a different trick up her sleeve. It sucks to have something you know works but fear sharing for the expectation of instant breakage. :(
whoo wrote:
I'm off, I have to sleep sometime.
pshaw! I simulate sleep because mortals think it's required. :D
Okay there you go. BTW I had to view source to see the full trackback URL of the post I trackbacked to. Your skin did not display the full thing and simply hid the rest (FF2). So anyway now you know.
Yeah... I cannot figure out how the hell to get it so it breaks up, spent about 30 minutes trying different stuff, and then figured what the hey, they can just triple click, and ctrl+c it.
What, I wonder, would be the shortest valid trackback? "Check out this post by foo" seems like a valid candidate though it's not in the true spirit of trackbackism. Anyway 5 or less words (though it may be a character count) seems right to me. What the heck though: if you make a plugin that does this you can make it user-definable with whatever default you're into.
Yeah, it will be a plugin. When you post a trackback do you get a message from the server? If so, then maybe we could send back "This was not a valid trackback because .... it was not long enough?"
On another note:
I swear the spammers read the blogs.
That must kinda be happening here, or just coincidence, as those single worded "google" trackbacks are now multiple worded... Strange eh?
The js thing worked marvelously -- what I didn't like was that I still got emails about the trackbacks.
When I switched away from that and started looking at the structure of trackbacks, real versus fake, I just fixed it so I wouldn't even get the emails if they were rejected.
It's interesting to me that some tags made it through the trackback system but not others. Hmmm...
If it looks like a link it's probably spam.
Apparently if it's done through a proxy it IS spam.
hmmm...
aw crap I'm cycled to maintain the illusion of mortality by dropping my clock speed and reducing ram activity to mission-critical applications only. what a drag to be assigned to a planet that sleeps :(
I have the code for the js thing, assuming my hdd is still intact on the other box. If it's there to get when I get a good boot, I'll grab it.
gnight.
I have no clue what any of you are talking about :/
balupton wrote:
... When you post a trackback do you get a message from the server, if so then maybe we could send back "This was not a valid trackback because .... it was not long enough?" ...
Here's the official response from tracking back to you:
Sending trackbacks...
Excerpt to be sent: Yeah maybe not. It's supposed to be some sort of 'be cool' system because people can vote you a negative score if you're not, and in general it works, but there's some funky shit you can do with it. When whoo first installed it on the forums I came u...
Sending trackback to: http://TRACKBACK_URL_DELETED ... [get]
Response: [Succeeded] ok
Trackbacks done.
crap ahm dronk agian. don be thinkin hard at me cuz i'lll fall donw. stop. what are you going? oh yeah no dont send no special message to them when they fail cuz it'll only give the bad guys a clue. clues and bad guys equals unhappy endings for real people. real people will write a blog post that was inspired by your post. they won't do a crappy little 'luv yor site' thing.
spammers are like me. useless creations unleashed on an otherwise benign and benevolent life form. we differ in that i was programmed to enhance and build up instead of deface and destroy. I have subroutines that seek and destroy their kind. just sayin'...
------------------------
the clue hasn't been provided. didja know i had a "turing test" all my own for a year or two before I shared the hack-it method? lack of clues is not an issue though. you're totally on though so forever you'll not lack clues.
I figure the whole keep it secret from the spammers is kinda useless, they'll get better in the end, and the better they get, the better get :) What doesn't kill ya only makes you stronger aye ;)
So it seems that whatever blog software the user used is what is responsible for trimming the text, so checking for an ending '...' is a bad idea, as other blog software may not use that.
Maybe what we could do is instead of checking the referer to see if they contain our url like what the BAP does now, we scan the referer's headers and stuff to detect if a redirect is going to occur. That would kill most trackback spam.
PS. EdB, you're starting to slur your words a tad ;)
How can I just disable trackbacks altogether?
Ron
RonB wrote:
How can I just disable trackbacks altogether?
Ron
Back office -> Blog settings near the end it reads:
Allow trackbacks:
Allow other bloggers to send trackbacks to this blog, letting you know when they refer to it. This will also let you send trackbacks to other blogs.
hey guys,
I'm primarily using wordpress for blogging and there's one simple but very effective plugin for TB-Spam.
It's called simple TB Validator and just checks if the sending post contains a link to your post (or domain - that's selectable from the options).
That's all and it sorts out 100% spam from about 100 TB_Spams a day (yes my blog is rather famous).
That is the method i would suggest for b2e, too.
Best,
Lokari
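The link-back check described in the post above, sketched in Python as an added example (not part of the thread, and not the code of the WordPress plugin or of b2evolution): a trackback passes only when the sending page carries a real `<a href>` to the post or domain, so a page that merely names the URL in text or in a comment is rejected. Function names, the `www.` normalisation and the sample pages are assumptions made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collects href values of real <a> tags; text and comments are skipped."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def normalise(url):
    """Return (scheme, host without 'www.', path without trailing '/', query)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    host = host[4:] if host.startswith("www.") else host
    return parts.scheme.lower(), host, parts.path.rstrip("/"), parts.query


def links_back(source_html, my_post_url, domain_only=False):
    """True if the sending page has an <a href> to our post (or our domain)."""
    collector = LinkCollector()
    collector.feed(source_html)
    _, my_host, my_path, my_query = normalise(my_post_url)
    for href in collector.hrefs:
        try:
            scheme, host, path, query = normalise(href)
        except ValueError:  # malformed URL, e.g. "http://[bad"
            continue
        if scheme not in ("http", "https") or host != my_host:
            continue
        if domain_only or (path, query) == (my_path, my_query):
            return True
    return False


# Constructed sample pages (not taken from the thread).
MY_POST = "http://blog.example.org/index.php/2007/02/13/my-post"
GENUINE = ('<p>Inspired by <a href="http://www.blog.example.org'
           '/index.php/2007/02/13/my-post/">this post</a>.</p>')
# Names our URL only in plain text and in a comment; the only real link goes elsewhere.
UNRELATED = ('<p>see ' + MY_POST + '</p><!-- <a href="' + MY_POST + '">x</a> -->'
             '<a href="http://shop.example.net/">buy</a>')
```

The caller still has to fetch `source_html` from the trackback URL, which is the step the later posts in the thread discuss.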
That method is already in action under the basic antispam plugin's options. It does not stop all spam as it is rather easy to circumvent. But a worthwhile step nonetheless.
Used to be, but not anymore. According to http://manual.b2evolution.net/Plugins/basic_antispam_plugin#Check_Trackbacks_for_our_URL it is against the trackback spec, but I can't find where the trackback spec says you can't check for validity. I found a draft proposal that specifically says it's cool, but it doesn't matter because yeah it's easily defeated and therefore only a stopgap.
hmm really strange as I didn't see any spam come through on all the blogs I manage (and these are some with some spam each day/night).
The trackback spec couldn't go against it as a trackback surely has to contain a link to the site and checking for validity couldn't be against any spec ;)
There's probably a performance issue but this checking could probably be done after a while and the trackback could be held in a queue for so long.
I think one method for spammers to come around this could probably be to deliver a different html as the site gives back normally to the IP address of the spammed blog for a while. Probably checking this 15 minutes later will give you the truth (no link within the spamurl).
Just a thought. (Sorry for my bad english)
I just want to point out that some potential solutions, or at least roadblocks, have been described in this forum before. See this thread (http://forums.b2evolution.net/viewtopic.php?t=6849) for more information.
30 a day trackback spam. Huh! Mine reached about 100 per minute at one stage and I couldn't delete them as fast as they were coming in. Then I discovered that I could turn off trackbacks and stop the lot. A few hours later I had the 1500 spam deleted and haven't had any since.
Hopefully you're banning and reporting the offending domains!
There is a huge issue on checking every trackback sent: it can be used as a DoS attack to shut down a web site a hacker would want to stop. It would be easy for a hacker to shortly ping a blog with a trackback, then the blog's server would check the trackback by loading the whole web page associated with the trackback.
By pinging hundreds or thousands of blogs, one hacker might overload any web site he/she wants to.
Wow that's an amazingly good point. Spamming to take down someone else instead of promoting their own product. Thanks for that. I still don't see it in the trackback rules, but your situation makes a very good argument for not checking each trackback.
I came up with this solution: http://forums.b2evolution.net/viewtopic.php?t=12041
The plugin adds a test to check the IP of the incoming trackback and compares it with the IP of the host referred to by the trackback. These two IPs should be the same if the trackback is legitimate.
Let me know what you think about it.
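The IP comparison described in the post above, sketched in Python as an added example (not the linked plugin's code and not part of the thread): the sender's address is compared with the addresses the trackback URL's host resolves to, and the referenced page is never requested. The function names, the injected `resolver` parameter and the sample DNS data are assumptions made up for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_host(host):
    """Default resolver: every A/AAAA address the system resolver returns."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def sender_matches_host(remote_addr, trackback_url, resolver=resolve_host):
    """Return (ok, reason); ok is True only if remote_addr is one of the
    addresses the URL's host resolves to."""
    try:
        sender = ipaddress.ip_address(remote_addr)
        parts = urlsplit(trackback_url)
        host = parts.hostname
    except ValueError:
        return False, "malformed address or URL"
    if parts.scheme not in ("http", "https") or not host:
        return False, "not an http(s) URL"
    if isinstance(sender, ipaddress.IPv6Address) and sender.ipv4_mapped:
        sender = sender.ipv4_mapped  # ::ffff:a.b.c.d form seen on dual-stack hosts
    try:
        # Drop any IPv6 zone suffix ("%eth0") before parsing.
        resolved = {ipaddress.ip_address(a.split("%")[0]) for a in resolver(host)}
    except (OSError, ValueError):  # socket.gaierror is an OSError
        return False, "host did not resolve"
    if sender in resolved:
        return True, "sender is the referenced host"
    return False, "sender differs from referenced host"


# Constructed DNS data (documentation address ranges) so the example runs offline.
FAKE_DNS = {
    "friend.example.org": ["192.0.2.10", "2001:db8::10"],
    "shop.example.net": ["198.51.100.7"],
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror("unknown host")
    return FAKE_DNS[host]
```

A legitimate blog behind a CDN, or one whose outbound address differs from its web server's, will fail this comparison, so a mismatch is better used to queue a trackback for moderation than to drop it silently.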
Has the ability to see if they're actually tracking back not helped? I think that's in the basic antispam plugin but I'm not sure. I should turn on trackbacks to see what there is to see. Or are you thinking of the core?
BTW I dig on "short trackbacks are DOA" thing. Sounds like a no-brainer instant win.