Yes, the spammers have figured out trackback, and are now pinging our trackback URLs repeatedly with multiple GET requests, littering our old, pingable weblog entries with links to sleazy sites for personal injury lawyers and Texas Holdem Poker. Seeing as how I want to avoid the drudgery of installing additional filtering, throttling, moderation, and other hackage, and since it’s only once in a blue moon that I get an actual trackback ping, I’ve opted to go the path of least resistance and turn off trackback — utterly. No more pingable entries, no more “trackback ping URL” links, no more trackback metadata in my markup, no more
mt-tb.cgi. Just comments. Good old-fashioned comments.
Here’s how to utterly remove trackback from MovableType 3.15:
- In MT, go to Weblog Config > Preferences > Publicity / Remote Interfaces / Trackback and uncheck “Allow TrackBack Pings On by Default.”
- Go to Templates and remove all occurrences of trackback tags and containers in all templates:
<$MTIfAllowPings$>, etc. (Leave a comment to tell me if I’m forgetting anything.) You want any mention of trackback — visible, linked, or hidden — gone from your weblog.
- Open up your MT db in phpMyAdmin (or whatever you use for MySQL) and use this query to make all entries non-pingable:
update mt_entry set entry_allow_pings=0;
- FTP into your MovableType directory and rename
mt-tb.cgito something without a .cgi extension, .txt or .bak or something. (We do want to keep it around, of course, in case trackback suddenly becomes a feasible idea again in the future. Right?)
- If you haven’t yet done so, disallow all search bots with robots.txt. To be really thorough, see Ann Elisabeth’s guide to blocking search engine spiders in .htaccess.
- If you’re feeling especially mean and vindictive, you could add a series of ErrorDocument directives to .htaccess, or RewriteRules corresponding to your trackback URL — using the spammer’s own site as the error document or rewrite target. Then, every single ping he continues to send to your now non-existent trackback script will redirect to his URL. But he wants that traffic anyway, so why not indulge him?
In 2002, the world of weblogs and comments and trackbacks were built on a culture of trust and openness. How naive we were. And now, the spammers have set DIY weblogging back by at least two to three years.
More material elsewhere:
- HYCW links to various server-side solutions to handle comment and trackback spam. Update: Turning Spam Pings into a Honeypot.
- More antispam solutions from Learning Movable Type.
- Ann Elisabeth analyzes trackback spam runs from Alexander Morozov and other sources.
- MrG at Teledyn declares Trackback dead. “We can put up any impedement, and the link-spammers will simply cruise their Jag down to their scenic-view corner-office, push a few keys and escalate. You would too for that kind of money.”
- “No one can have nice things!”
- AKMA does likewise.
(If you link to this entry, leave a comment with the URL of your weblog post. See? It’s just like pinging!)