Trackback Spam Attack

Yes, the spammers have figured out trackback, and are now pinging our trackback URLs repeatedly with multiple GET requests, littering our old, pingable weblog entries with links to sleazy sites for personal injury lawyers and Texas Holdem Poker. Seeing as how I want to avoid the drudgery of installing additional filtering, throttling, moderation, and other hackage, and since it’s only once in a blue moon that I get an actual trackback ping, I’ve opted to go the path of least resistance and turn off trackback — utterly. No more pingable entries, no more “trackback ping URL” links, no more trackback metadata in my markup, no more mt-tb.cgi. Just comments. Good old-fashioned comments.

Here’s how to utterly remove trackback from MovableType 3.15:

  1. In MT, go to Weblog Config > Preferences > Publicity / Remote Interfaces / Trackback and uncheck “Allow TrackBack Pings On by Default.”
  2. Go to Templates and remove all occurrences of trackback tags and containers in all templates: <$MTEntryTrackbackData$>, <$MTEntryTrackbackLink$>, <$MTIfAllowPings$>, etc. (Leave a comment to tell me if I’m forgetting anything.) You want any mention of trackback — visible, linked, or hidden — gone from your weblog.
  3. Open up your MT db in phpMyAdmin (or whatever you use for MySQL) and use this query to make all entries non-pingable:
    update mt_entry set entry_allow_pings=0;
  4. FTP into your MovableType directory and rename mt-tb.cgi to something without a .cgi extension, .txt or .bak or something. (We do want to keep it around, of course, in case trackback suddenly becomes a feasible idea again in the future. Right?)
  5. If you haven’t yet done so, disallow all search bots with robots.txt. To be really thorough, see Ann Elisabeth’s guide to blocking search engine spiders in .htaccess.
  6. If you’re feeling especially mean and vindictive, you could add a series of ErrorDocument directives to .htaccess, or RewriteRules corresponding to your trackback URL — using the spammer’s own site as the error document or rewrite target. Then, every single ping he continues to send to your now non-existent trackback script will redirect to his URL. But he wants that traffic anyway, so why not indulge him?
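One way to confirm that steps 2 and 4 left nothing behind, as an added example (not code from the original post or from MovableType): a Python scan of template or published-HTML text for the tags named above, the mt-tb.cgi script name, and the `trackback:ping` auto-discovery attribute. The function name and the sample template are constructed for illustration.

```python
import re
import sys

# Remnants named in steps 2 and 4 of the post, plus the attribute that
# trackback auto-discovery RDF carries in published pages.
PATTERNS = {
    # <$MTEntryTrackbackData$>, <MTIfAllowPings>, </MTIfAllowPings>, ...
    # Case-insensitive, so it may over-match an unrelated tag containing "ping".
    "template_tag": re.compile(r"</?\$?MT\w*(?:Trackback|Ping)\w*", re.I),
    # The ping script, wherever it is still linked or referenced.
    "ping_script": re.compile(r"mt-tb\.cgi", re.I),
    # Auto-discovery attribute that spam bots look for in published HTML.
    "rdf_autodiscovery": re.compile(r"trackback:ping\s*=", re.I),
}

def find_trackback_remnants(text):
    """Return (line_number, kind, line) for each remaining trackback mention."""
    hits = []
    for num, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((num, kind, line.strip()))
    return hits

# Constructed sample: an entry template that has not been cleaned yet.
SAMPLE_TEMPLATE = """\
<h3><$MTEntryTitle$></h3>
<$MTEntryTrackbackData$>
<MTIfAllowPings>
<a href="/cgi-bin/mt-tb.cgi">TrackBack</a>
</MTIfAllowPings>
<$MTEntryBody$>
"""

if __name__ == "__main__":
    # Pass template files or published pages as arguments; with none given,
    # the constructed sample is scanned instead.
    sources = {}
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as handle:
            sources[path] = handle.read()
    if not sources:
        sources = {"(constructed sample)": SAMPLE_TEMPLATE}
    for name, text in sources.items():
        for num, kind, line in find_trackback_remnants(text):
            print(f"{name}:{num}: {kind}: {line}")
```

Run it against saved copies of your templates or published pages; no output means none of the three patterns matched.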

In 2002, the world of weblogs and comments and trackbacks was built on a culture of trust and openness. How naive we were. And now, the spammers have set DIY weblogging back by at least two to three years.

(If you link to this entry, leave a comment with the URL of your weblog post. See? It’s just like pinging!)


  1. Mean Dean says:

    Tomorrow I’m going to offer a “judo-flip” approach.

    Some will not like it, others will. Stay tuned.

  2. Chris says:

    I turned off trackbacks and closed TB’s on all old posts last week. I’m also blocking a bunch of keywords in the referer site with .htaccess to control referer spam.

    I figure Technorati will let me know when somebody links to me.

  3. ManuelV says:

    I hope that all this comment spam won’t eventually force bloggers to switch off Commenting.

    Pero, Pau… with TB switched off, won’t your server still suffer from all the attempted pings? What can be done about this?


  4. Paulo says:

    ManuelV – The best I can do is redirect them right back to his page with .htaccess. Oh, and send the access logs to the FBI Cybercrime Division, of course.

  5. thomas says:

    Supposedly my spam buster (which you so kindly helped me find) prevents trackback spam, after I enabled that plugin. I didn’t have a problem with trackback spam UNTIL I installed the spam buster. How weird.

  6. Raffy says:

    I was wondering if there was any way to clear those stupid sites off my trackback list. Now I know.

    Great advice, Pau. I think it’s about time I killed the spammers…uh, the trackbacks too (damn Freudian slip).

  7. Solonor says:

    Thanks! I needed that.

    Heh. That sounds like a typical spammer comment, don’t it? ;)

  8. padawan says:

    Useful tip but there is another solution: get your site hosted by people who have mod_security on Apache and know how to use it. This way, they do all that work for you. My site has comments and TBs open on all entries, and I receive zero automatic spam now that it is shielded by mod_security and an excellent host team.

  9. rich says:

    I’ve just scraped a daily dose of 30 spam trackbacks off my site and followed your recipe.

    I’m also feeling particularly vindictive – you couldn’t explain the “If you’re feeling especially mean and vindictive …” in more detail, could you?

  10. Flash Ripper says:

    I’m here just to thank you for your post on trackback spam attack ( — comments disabled there)

    It helped me to completely remove old spam trackbacks from my MT!

    Just for comparison: before cleaning, my MT SQL database weighed 16 Mb; after cleaning, its weight became 13 Mb. So 3 Mb of spam was trashed!

    Thank you!