Getting slammed with trackback spam.

If you happen to notice any odd trackbacks associated with some of the entries that link to supposed rape or incest porn sites it’s because we’re currently being spammed by some asshole who appears to be either testing out a new spam script or trying to build up page rank for the URLs he’s spamming with. I’m cleaning it up as fast as I can and the folks at pMachine are hard at work on some improvements to help make cleanup easier and block known URLs.

If you’re running EE and getting hit by this asshole spammer one thing you can do to limit the damage done is go into your weblog config and set the allowed number of pings per hour to 1 from whatever it’s currently set to (default is 5). The script is spoofing IP addresses it seems and it’ll use the same one up until EE tells it that it’s been blocked, then it switches to a new one. It seems to be using a small number of different IPs, though, so limiting the number accepted to 1 per hour limits how many trackbacks get through. Paul is working on an update to the trackback module that’ll add a link to the notification emails to take you directly to the trackback in question and delete it as well as cross reference any trackbacks received to the Referrer Blacklist and block anything that it finds listed therein. I’m helping him test it and it’s about half-way working at the moment. Hopefully we’ll have something usable very soon.
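An added example (not from the original post and not pMachine's code) that models why lowering the limit helps and what the blacklist cross-reference adds. It assumes the ping limit is enforced per source IP over a rolling hour; the `TrackbackFilter` class, the IP addresses and the domain are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample data (documentation address range and .example domain).
SPAM_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
SPAM_URL = "http://www.spam.example/landing"


class TrackbackFilter:
    """Hypothetical filter: URL blacklist check, then a per-IP hourly ping limit."""

    def __init__(self, pings_per_hour, blacklist=()):
        self.limit = pings_per_hour
        self.blacklist = {d.lower() for d in blacklist}
        self.accepted = defaultdict(list)  # ip -> times of accepted pings

    def is_blacklisted(self, url):
        # Match the host or any parent domain against the blacklist.
        labels = (urlparse(url).hostname or "").lower().split(".")
        return any(".".join(labels[i:]) in self.blacklist for i in range(len(labels)))

    def check(self, ip, url, now):
        if self.is_blacklisted(url):
            return "blacklisted"
        # Keep only pings accepted from this IP within the last hour.
        recent = [t for t in self.accepted[ip] if now - t < 3600]
        self.accepted[ip] = recent
        if len(recent) >= self.limit:
            return "rate-limited"
        recent.append(now)
        return "accepted"


def simulate(limit, blacklist=(), attempts=100):
    """Replay the behaviour described above: reuse one IP until rejected, then rotate."""
    f = TrackbackFilter(limit, blacklist)
    idx = accepted = 0
    for n in range(attempts):
        verdict = f.check(SPAM_IPS[idx], SPAM_URL, now=n * 30)  # one ping per 30 s
        if verdict == "accepted":
            accepted += 1
        else:
            idx = (idx + 1) % len(SPAM_IPS)
    return accepted


if __name__ == "__main__":
    print("limit 5:", simulate(5))
    print("limit 1:", simulate(1))
    print("limit 5 + blacklist:", simulate(5, {"spam.example"}))
```

With a small pool of addresses the number of spam pings that land in an hour is the pool size times the limit, so the limit only caps the damage; the blacklist match is what rejects the ping regardless of which address sent it.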

Update: Looks like this isn’t just hitting folks running ExpressionEngine as several MovableType users are also reporting an influx of trackback spam. Richy is reporting that it appears these spams may be coming through open/anonymiser proxy servers and he is collecting a list of IP addresses used to spam sites so you can stick them into an Apache .htaccess file and block them if you wish. He’s also done some digging that has turned up an interesting note on who owns the machines the spam is coming from:

Who “owns” those IP addresses and appears to be running insecure machines?

OrgName: The Defense Information Systems Agency
OrgID: DISA
Address: DISA/DSSO/JCLCC
Address: Room BF655A, The Pentagon
City: Washington
StateProv: DC
PostalCode: 20301
Country: US

Yep – I’m getting spammed by The Pentagon!

Which makes me wonder if this is an open proxy issue or a zombified PC problem. Richy doesn’t think so according to his entry, but it wouldn’t surprise me if that turned out to be the case. According to Richy changing the name of the trackback script in MT doesn’t stop the spam. He’s figuring they must be requesting the page they’re submitting the spam to in order to get the URL.

Anyway, if you want to get some relief by setting up a deny list then stop by Richy’s blog and grab the IP list he’s got there. And give him a great big thanks for taking the time to compile it while you’re there.

12 thoughts on “Getting slammed with trackback spam.”

  1. It’s not only EE, my MT blog was hit with over 80 trackback spam today. Jay’s got an article up for MTB users – being on MT 3 I’m struggling with it 🙁

  2. :big sigh:
    Why can’t these pissants use the abundance of free time they have for good instead of evil.

    I haven’t been getting hit by trackbacks yet, but tons of referral spam. Let us know when we can go get something to stop this … (shaking) person.

  3. I was wondering if the MovableType sites were getting hit as well. I’ll have to check the folks I set up under MT and see how they’re faring. They’re still under 2.661 so the MT Blacklist should still be working for them.

    Dave, EE does have a Referrer Blacklist built into it already that you can add URLs to in order to prevent them showing up in your referrer log. Sounds like that may become an overall blacklist for EE at this point.

    Richy, I’m not at home at the moment and until just recently EE didn’t list IP addresses in the emails so the early numbers are lost to me. I can give you what I’ve gotten today in the way of IPs once I get home and have access to the emails I trashed. It’ll be sometime later tonight.

  4. I know about the blacklist. I’ve been reporting the sporadic spams I usually get to the blacklist e-mail address. I was referring to the new hits that everyone else has been getting.

  5. Oh, my mistake.

    OK, Paul has gotten me the latest version of the trackback code that adds the delete link and the cross-reference to the blacklist. He’s tested it and it appears to work properly. He’s offering to mail it to anyone who wants it right away and asks in the next couple of hours (as he’s about to head out for awhile). You can email him via the pMachine forums at this link. I suspect you can email him through his webpage as well, but I don’t know if they’re both using the same email address.

    I’ve asked if it would be alright for me to send the file out if folks ask for it, but haven’t gotten an answer yet so for the time being just drop him an email if you need it. I suspect we’ll see this in the next update to the script in the not too distant future.

  6. Looks like all requests for the updated trackback code will have to go through Paul. So Dave M, if you want to get ahold of the modified code ahead of time go drop Paul an email and he’ll send it out.

  7. I haven’t been hit by “trackbacks”, just referral spam. I suppose I should go ahead and get the code, just in case…

  8. If they don’t already know, I’m sure DISA would appreciate a heads up that this is going on. DISA Contact  ‘Do not be afraid. We are with the government, we are here to help.’  Hmm…better send it through anonymizer so you don’t end up in a homeland security database somewhere.  Have a great Fourth of July!

    captcha = ‘closed’

  9. Well, Bobby, that has to be the single most uninformative article I’ve read in a long time. It must have taken you all of five minutes to whip up. It makes your comment feel more like spam than an attempt to help people out by pointing them to an article that actually deals with the issue it claims to.

  10. What were you expecting from an article about spam ?
    Brand new plugins/modules to download for free ?
    Unfortunately I’m not a programmer.
    Instead of that, I introduced 3 new methods that are not yet implemented in any software I’m aware of.
    You might already know the encrypted code and the IP address method because I already posted about them.
    But it’s the first time I write something about a pre-authenticated method.
    If you knew all this then ok, but that’s not the case of everyone.
    If you believe all the web surfers do have the same knowledge, well, stop blogging right away.

    I couldn’t send a successful trackback to that entry so I posted an equivalent comment.
    Actually your comment to mine is useless and uninformative to your entry.
    You have decided to take your opinion public rather than sending me a private eMail,
    forcing me to also publicly respond.
    And I’ll laugh at you as soon as one of these methods will be implemented somewhere.
