Last night, I thought of a couple more way to combat trackback spam (previous post):
- Only allow trackbacks with to pages that be auto-discovered to have a trackback url.
- Auto generate the trackback url, to make it more difficult for automated trackback programs to work
In the first proposal, when a trackback ping is received, it would not be considered valid until the following is successful:
- Attempt to auto-detect the trackback ping url at in the specified url.
- If the urls is found, the trackback is valid
This will work well for two reasons:
- Most trackbacks come from blogs, so these pages will have trackback ping urls
- Most of the trackback urls that I have received are for urls where the hosts do not resolve, so it will not be possible to auto-discover the trackback url
Auto-generate trackback urls
When a request comes for an article, it will create a url for the trackback ping. This url would contain:
- Hash of the ip address
- Reversible hash of the time that the url was rendered
Then when the ping comes in, the trackback code can verify that the trackback is coming from the same ip address that got the url. Also the trackback code can verify that the url was generated within 30 seconds ago.