Skip to the Main Content

Note:These pages make extensive use of the latest XHTML and CSS Standards. They ought to look great in any standards-compliant modern browser. Unfortunately, they will probably look horrible in older browsers, like Netscape 4.x and IE 4.x. Moreover, many posts use MathML, which is, currently only supported in Mozilla. My best suggestion (and you will thank me when surfing an ever-increasing number of sites on the web which have been crafted to use the new standards) is to upgrade to the latest version of your browser. If that's not possible, consider moving to the Standards-compliant and open-source Mozilla browser.

November 8, 2005

Trackback Spam II

Back at the end of June, I reported that trackback spam directed against this site had soared to nearly 13,000/month. That was, by any measure, a pretty hefty amount of spam. You might well have wondered what has happened since then.

Trackback spam per month: 1439, 1987, 5159, 1727, 12871, 16935, 14426, 11671, 11768 spams
Automated Trackback Spam, Feb-Oct 2005.

As you can see from the graph at left, my trackback spam load has settled down to just shy of 12,000/month. Most of these come from a withering array of open proxies and (increasingly) zombie PCs. Almost all of them are automatically blocked, but if even 1/2 of 1% sneak through, that’s still an undesirably large amount of spam to clean up manually. I strive for, and almost achieve an Ivory Snow-level of effectiveness.

More than just blocking them, I do my best to tarpit the spammers. As I write this, there are 212 tarpitted connections open. Each of these stay open for as long as two days. You’d think that would have a significant impact on the spammers. But, with an unlimited number of open proxies and zombie PCs to choose from, the spammers don’t seem to care much.

Starting in July, I noticed a new trend: rather aggressive trackback spammers operating from fixed IP addresses. They’re indicated by the dark rectangles in the graph. Trackback spamming from a fixed IP address is dumb. It makes you too easy to block or, in this case, to harass. Once I got serious about counter-attacking those fixed-IP spammers, their numbers dropped rather precipitously (from 3769 in August to 59 in October).

A minor triumph, perhaps, but one that does little to ease my anxiety. There are clearly a number of new groups out there, writing new trackback spambots. Like someone nervously watching the levée as the floodwaters rise, I wonder how long my blocking techniques will remain effective.

Posted by distler at November 8, 2005 2:32 AM

TrackBack URL for this Entry:   https://golem.ph.utexas.edu/cgi-bin/MT-3.0/dxy-tb.fcgi/676



2 Comments & 1 Trackback

Re: Trackback Spam II

Your stats got me to check on my trackback spam. I got 2,724 attempts last month on my current trackback cgi file. However, there were also 1,784 attempts on the previous name of that file. But what was surprising was that the name I had for the trackback script before that got 16,931 attempts last month. That name hasn’t been in use for months. And both previous filenames return a 410. Still including everything I got 21,439 POST attempts at current and previous trackback scripts. However, there was no attempt at the MT default name (mt-tb.cgi) which I haven’t used in a while.

Posted by: Zack on November 8, 2005 12:52 PM | Permalink | Reply to this

Re: Trackback Spam II

Still including everything I got 21,439 POST attempts at current and previous trackback scripts.

Impressive!

I should say that, if things get bad over here, renaming the trackback script, and making the current one go 410 will be my refuge of choice. I figure, though, that I might as well hold off on that, as the 'bots will, inevitably, find the new one.

Posted by: Jacques Distler on November 8, 2005 1:58 PM | Permalink | PGP Sig | Reply to this
Read the post Musing on trackback spam (or the absence of same)
Weblog: Waveflux
Excerpt: Another day, another opportunity to examine the old activity log to see which would-be spammers came knocking but couldn't come in. Ah, but it's a joyous sight: a list of parasites, lamers, and losers, all hoping to steal my precious...
Tracked: April 26, 2006 11:30 AM

Post a New Comment