So as I’ve discussed before (1, 2, 3, 4), our Movable Type based blogs have had a pretty serious comment spam problem here for a while now. With the help of MT-Blacklist, however, we found that problem to at least be somewhat manageable. A few trickled through every now and again, but overall I felt that the system worked fairly effectively.
Recently, however, the spammers have changed tack and begun spamming us through Trackback pings. Now in theory, MT-Blacklist is supposed to be equally effective fighting this kind of spam. In practice, however, at least for us, it’s not working. We’re getting several hundred spam trackbacks a week now, and it’s driving me crazy. I’ve posted over to the MT-Blacklist forum with a query, but I haven’t found any definitive answers to why our MT-BL implementation is permitting this to happen.
As a result, I thought I’d post my experiences here in the hope that any of you fellow MT users have dealt with this problem previously or can offer any guidance here. If you have any thoughts, post here or email me, and I’ll be sure to update this entry with any solutions – official or otherwise – that we come up with.
Update: I may have some good news for those with similar problems, though I can’t be positive. Since un-whitelisting Typepad users – as recommended by the entry on the Blacklist forum here – MT-Blacklist has been processing Trackback pings for spam content as it should. I haven’t done any digging yet to see how would-be spammers were utilizing the Typepad protection, but all I know is that our Trackback spam has been down for over 36 hours now, and that’s a marked improvement from our previous state.
Update 2: OK, looks like I might have spoken too soon. We didn’t get crushed, but James’s and my blogs received 6 trackbacks this morning where the URLs were already blocked – and the poker string involved also should have been blocked. As a result, I’m adding one more layer of protection, MT-TrackbackAntiSpam, and will let you know how I make out. Thanks to Radovan for the recommendation. One immediate problem I can see with the plugin is the lack of any logging; as near as I can determine it’ll be impossible for me to determine – other than receiving spams – whether or not it’s working, turning away false positives, etc. Ideally, this plugin would be merged with MT-Blacklist and leverage that plugin’s logging facilities.