Wednesday, February 16, 2005

Other possible ways to fight trackback spam


Last night, I thought of a couple more ways to combat trackback spam (previous post):


  1. Only allow trackbacks from pages that can be auto-discovered to have a trackback url.

  2. Auto-generate the trackback url, to make it more difficult for automated trackback programs to work.





Require reciprocal trackback urls


In the first proposal, when a trackback ping is received, it would not be considered valid until the following is successful:


  • Attempt to auto-detect the trackback ping url in the page at the specified url.

  • If the url is found, the trackback is valid.


This will work well for two reasons:


  1. Most trackbacks come from blogs, so these pages will have trackback ping urls

  2. Most of the trackback urls that I have received are for urls where the hosts do not resolve, so it will not be possible to auto-discover the trackback url


Auto-generate trackback urls


When a request comes for an article, it will create a url for the trackback ping. This url would contain:


  • Hash of the ip address

  • Reversible hash of the time that the url was rendered


Then, when the ping comes in, the trackback code can verify that the trackback is coming from the same ip address that was given the url. The trackback code can also verify that the url was generated within the last 30 seconds.
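
A sketch of the auto-generated url scheme above, as an added example that is not code from the original post. It replaces the two hashes with one HMAC-SHA256 over the ip address, article id and issue time, keyed with a server-side secret (an unkeyed hash of the ip could be recomputed by the sender), and carries the time as plain hex covered by the MAC; `SECRET`, the `/trackback/...` path layout and the function names are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: per-site key, never sent to clients
MAX_AGE = 30                         # seconds; the validity window proposed above


def _mac(ip, article_id, issued):
    """Keyed digest binding the url to one client address and one issue time."""
    msg = f"{ip}|{article_id}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_trackback_url(ip, article_id, now=None):
    """Called while rendering the article for the client at `ip`."""
    issued = int(time.time() if now is None else now)
    return f"/trackback/{article_id}/{issued:x}-{_mac(ip, article_id, issued)}"


def verify_trackback(url, ip, now=None):
    """Accept a ping only from the address that was given the url, within MAX_AGE."""
    now = int(time.time() if now is None else now)
    try:
        _, prefix, article_id, token = url.split("/")
        issued_hex, mac = token.split("-")
        issued = int(issued_hex, 16)
    except ValueError:
        return False  # malformed path or token
    if prefix != "trackback":
        return False
    expected = _mac(ip, article_id, issued)
    # Constant-time comparison; a changed ip, article id or timestamp fails here.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    return 0 <= now - issued <= MAX_AGE


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    url = make_trackback_url("203.0.113.7", "post-42", now=1000)
    print(url)
    print(verify_trackback(url, "203.0.113.7", now=1010))   # same ip, 10 s later
    print(verify_trackback(url, "198.51.100.9", now=1010))  # different ip
    print(verify_trackback(url, "203.0.113.7", now=1031))   # past the 30 s window
```

The ip check passes only when the software sending the ping is also what fetched the article page, as happens when it auto-discovers the trackback url itself; a url copied by hand from a browser into a blog tool on another host would be rejected.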