chipple

Blog - Ultimate trackback spam protection? Not.


Update (2005/2/19 11:30): Turns out this wasn't such a good idea, as some hosted services have the admin on a different domain than the blog (e.g. livedoor.jp uses livedoor.com), and that may be more common than I initially thought. Too bad. :( See comments for more thoughts.

Hasn't this been thought of before? If the host name in a trackback's URL resolves to an IP address different from the client's (ping sender's) IP, chances are it's spam. Or am I missing something?

The only disadvantages I see are that it may add a small delay for the trackback URL's host lookup, and that it could give false positives if someone sends legit trackback pings from an IP different from their blog's host name's IP, which I believe is probably rare (though I don't know about hosted services like TypePad, LiveJournal, Blogger, etc.).
Tell me if I'm wrong.

I'd sure like to get some pings (even unrelated) to this entry to see if anyone can ping me without trouble.
Trackback URL: http://www.chipple.net/cgi-bin/mt/mt-tbz.cgi/388

My MovableType patch follows (tested with MT2.64). It may not be optimal, so any correction is welcome.

/lib/MT/App/Trackback.pm (or /extlib/jayallen/MTBlPing.pm if you use MT-Blacklist)

At the top, after the other use statements.

use Socket;
use Net::hostent;

In sub ping, just after the "Check if this user has been banned from sending TrackBack pings." block.
(In the case of MT-Blacklist, put it in sub ping_post_hdlr after Jay's first "### INSERTED CODE ENDS HERE ###".)

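    # Extract the host from the trackback URL, skipping any user@ part and :port.
    my ($host_name) = $url =~ m!^https?://(?:[^/@]*@)?([^/:]+)!i;
    # Net::hostent's gethostbyname returns undef when the lookup fails.
    my $host = $host_name ? gethostbyname($host_name) : undef;
    # Compare the sender against every IPv4 address the host resolves to;
    # a failed lookup leaves the list empty and is treated as a mismatch.
    my @host_ips = $host ? map { inet_ntoa($_) } @{ $host->addr_list } : ();
    unless (grep { $_ eq $user_ip } @host_ips) {
      return $app->_response(Error =>
        $app->translate(
          "Only trackbacks from the linked Web server's own IP are accepted. ".
          "If you were trying to send a legit trackback, please contact me."));
    }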

That's all.

Posted on February 19, 2005 at 01:36
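The same check as a stand-alone script, returning a verdict instead of rejecting outright, so the false-positive case from the update (a hosted blog pinged from a server on another domain) can be seen next to the cases that pass. This is an added example, not part of the original patch or of Movable Type; the function names, the 'accept'/'moderate' verdicts, the host names and the addresses are all made up for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_ntoa);

# Default resolver: every IPv4 address the name resolves to (empty on failure).
# Uses the core list-context gethostbyname, not Net::hostent. IPv4 only.
sub resolve_ipv4 {
    my ($name) = @_;
    my @h = gethostbyname($name);
    return map { inet_ntoa($_) } @h[4 .. $#h];
}

# Returns (verdict, reason). 'accept' when the sender IP is one of the URL
# host's addresses, 'moderate' otherwise (hypothetical verdict names).
sub check_trackback {
    my ($url, $sender_ip, $resolver) = @_;
    $resolver ||= \&resolve_ipv4;
    # Host part only: skip any user@ prefix, stop before :port or the path.
    my ($host) = $url =~ m!^https?://(?:[^/@]*@)?([^/:]+)!i;
    return ('moderate', 'unparseable URL') unless defined $host;
    my @ips = $resolver->(lc $host);
    return ('moderate', "cannot resolve $host") unless @ips;
    return ('accept', "sender is $host") if grep { $_ eq $sender_ip } @ips;
    return ('moderate', "sender $sender_ip is not $host (@ips)");
}

# Constructed DNS data (documentation address ranges) so the demo runs offline.
my %dns = (
    'selfhosted.example'  => ['192.0.2.10', '192.0.2.11'],
    'blog.hosted.example' => ['198.51.100.5'],
);
my $fake = sub { @{ $dns{ $_[0] } || [] } };

# Constructed pings: [ trackback URL, sender IP ].
my @pings = (
    ['http://selfhosted.example/archives/1.html',      '192.0.2.11'],  # second A record
    ['http://selfhosted.example:8080/archives/1.html', '192.0.2.10'],  # port in URL
    ['http://blog.hosted.example/user/2.html',         '203.0.113.7'], # admin on another domain
    ['http://no-such-host.example/3.html',             '203.0.113.9'], # lookup fails
);
for my $p (@pings) {
    my ($verdict, $why) = check_trackback(@$p, $fake);
    printf "%-8s %-48s %s\n", $verdict, $p->[0], $why;
}
```

Leave out the third argument to check_trackback to use real DNS lookups.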


Comments

No problem for me!

Posted by Roy on February 19, 2005 at 10:03


Was just thinking also that if I was using livedoor blog it might not work. The admin domain name is livedoor.com while the domain of blogs is livedoor.jp.

Posted by Roy on February 19, 2005 at 10:08


OK, I have a livedoor blog as well and sent a few pings from it. As I suspected, it seems like none of them got through.

http://blog.livedoor.jp/qtaro99

Posted by Roy on February 19, 2005 at 10:15


Thanks a lot for the tests Roy! That's too bad that it doesn't work with livedoor.jp. I guess they don't have an admin under livedoor.jp either, right?

Also I just thought of all the folks using Blogger with the option to upload on their domain. Then the ping is from blogger.com (or something) and their domain of course doesn't match.

Oh well this was just an early idea, I guess I should give up. :)

It may still be a good idea to mark "moderated" trackbacks from a different IP, but MT 2.6x doesn't have moderation so that wouldn't work for me.

Posted by Patrick on February 19, 2005 at 11:40


Maybe you can just compare the domain without the ending (.com, .net, etc.); that may work.

Posted by Roy on February 19, 2005 at 20:06


I guess it wouldn't because of the blogger people, as you also mentioned in your post. :) Like if you would post on your blog at q-taro.com using blogger.com.

Posted by Patrick on February 19, 2005 at 20:09


