Hello,

I'm now getting an incredible amount of trackback spam. How can I turn off trackback for all posts, both in the past and in the future?

Thanks!
Seth

I too am getting a LARGE amount of trackback spam.

I have gone through the system configurations and unchecked all the apporpriate items, and rebuilt my files, but still they keep showing up.

Any help would be VASTLY appreciated.

If you want to stop them immediately, I'd remove the mt-tb.cgi script from your server.

You can also install Blacklist, which will help you filter comment and trackback spam:
MT Blacklist

I renamed it, I don't like installing hacks, it makes upgrading more tedious. Perhaps blacklist should be fully incorporated into MT...

Yes, I'd rather there was TrackBack moderation on by default so that spammers would just give up. I find that spammers stop pursuing dead ends because there's no point. Since comment moderation was added, I get a handful of spam comments which look manually entered instead of generated and they aren't posted. So TrackBack will need similar mechanisms. Blacklisting doesn't work unless you're willing to have some amount of garbage on your site at any given time because blacklists aren't perfect.

Is there an easy way to remove them? I've got un-believable trackback spam right now.
I have zero interest displaying these lame sites, I just want them gone.

I am also seeing a TB spam attack as we type. They hit about 30% of my 300+ messages this AM About 2 AM and again about 8 AM. They all go to a poker site that appears to have been closed for abuse.

D

Same here -- "online poker" and "online casino" have been responsible for all my comment spam over the past several weeks, and now it looks as if it is attempting trackback spam as well (50+ since 2am today).

GRRR...hey, MT peeps, add TB moderation to 3.16, please!?!??!

I was hit today too, I think they got me twice on almost every post. Is there no easy way to delete them? Do we have to go post by post, one at a time to find them too?

I'm using 2.661, will upgrading to 3.15 help in dealing with this?

I don't *think* there's an automated way to trackback in 3.1x, but I could be wrong. The blog I run that was attacked was running 2.6x as well, yet my 3.14 blog hasn't (yet) been hit with TB spam (cross my fingers). I'll be moving my older blog over to 3.1x asap for sure.

This morning, I downloaded and installed MT 3.15 (Personal License) and found that it does have a feature allowing easy bulk deleting of TB postings. One can filter the TBs by topic name (e.g. "Online Poker") generate a list of all meeting that description, "Check All" and the "Delete Checked".

I did that and turned on the Typekey recognition requirement for Comments.

Before doing that to "Make it Stop, Momma! Make it STOP!" I deleted the mt-tb.cgi file from the server. I may put it back after I see the community's experience.

Doug
Unintended Consequences

Deleting the pings is easy if you're running mysql and phpadmin - just go to your phpadmin SQL window and enter:

delete from mt_tbping where tbping_title = "online poker";

(or "online casino" or "texas holdem", I found those also)

to turn off pings on older posts:

update mt_entry set entry_allow_pings = "0" where entry_created_on < "2005-01-20";

(that will turn off pings on entries created before Jan 20, 2005)

What I said in my last post about turning off tbpings doesn't seem to work. I'll post an update if/when I figure it out.

"to turn off pings on older posts:

update mt_entry set entry_allow_pings = "0" where entry_created_on < "2005-01-20";

(that will turn off pings on entries created before Jan 20, 2005) "

Here's another method: despite my site not having a really big problem with trackback spam (just a little so far as I'm aware--thanks to the help of MT Blacklist), my hosting company graciously set and locked my mt-tb.cgi permissions to zero and I cannot change it back.

This has the effect of stopping all trackbacks and giving a nice error message when you click on trackback. I'm attempting to resolve the issue with them.

I run a small hosting business and a lot of my customers (including myself) run MT and we have been badly hit by trackback spam today. This afternoon the server almost ground to a halt because about a dozen different accounts were all being hit at the same time - there were dozens of trackback processes - the cpu utilisation was through the roof. As a quick fix I did a find on every instance of mt-tb.cgi and chmod'd them to 000. Most, if not all, of the installs of MT also have MT-Blacklist installed but this didn't seem to slow down the attack at all. All the installs I do for my customers also have MT-B set to update it's blacklist automatically but it would seem that all the URLs I got hit with on my own blog weren't on the blacklist yet.

MT have made huge strides in dealing with comment spam, I hope that some of the same solutions can be applied to trackback spam.

As a user I would like to see trackback moderation and as a host I would like to see trackback throttling

ShelaghG -

I'm in exactly the same boat (small hosting biz, a dozen MT users, and often finding server resources completely chewed up my comment and TB spam). All installations run the latest MT, we all have Blacklist, but it doesn't help. Why? Because it takes *resources* to call a CGI, resources to make a database call and check whether a string is blacklisted or not... And when you have 200 simultaneous CGI requests for Blacklist lookups... you know the rest.

Blacklist may protect users' inboxes from being flooded and it may keep spam off the site, but it doesn't help at all with keeping servers from being overtaxed. There are times when people can't even check their email because comment spammers have taken CPU utilization to 100% for extended periods.

We NEED a solution. It seemed like MT 3.14 was going to be that solution, but the problem is still real for me. We're moments away from enforcing comment registration for all of our blogs. None of my users want that, but as an admin, I don't see that I'm going to have any choice in the matter. Unless anyone else has any great ideas.

Script to close (and/or open) Trackbacks and Comments.

There are some server-based solutions for this, in particular mod_security. See the Six Apart post on the subject.

I've also updated my tutorial on trackback spam. Simply changing the tb cgi name doesn't work any more. You have to take other steps to get that one to work.

I have just cooked up a Perl-based method to combat Trackback spam. Take a looksie:

mt_antispam_rename.pl

MT_Blacklist is indispensible for blocking rogue comments and trackbacks. While it can force comments into moderation, it cannot do so for trackbacks, since no method exists for TB mod. TB mod would be sweetness. Especially, since it seems to be the preferred spammage method.
I also use the 'close comments' plugin to shutdown comments after three weeks. I do not wish to do the same for TBs, since I wish to encourage people to link from their blog to mine.

Wait. I got an idea.
What if someone developed a way for TBs to be validated. When a TB is posted wait X amount of time, and call the site, spoofing a URL, to see if the TB posted does link to a page which links back to TB'd post. Could this be done?

bleach - I have a suggestion -- since the goal is to *reduce* server resources, a script that forces a rebuild of an entire site seems like it's going in the wrong direction. Why not modify your script to use perl -p -i -e to sweep the archives and make a global change in seconds, rather than minutes?

elise - thanks for the link. I was thinking along the lines of mod_security as well. Perfect.

James Seng, author of the Scode (secret code) plugin had created an anti-trackback spam plug in. It compares the originating URL to the target and rejects the trackback if they don't match.

What's the "accept trackback pings" checkbox for in every entry? Doesn't that enable/disable trackbacks?

Thanks, Shankar

During the attack, my hosting company apparently deleted by mt-tb.cgi file! Any idea how I can get it back?

Also, is there a code as easy as this one for comments?

< MTCloseComments old="7" inactive="3" >

shacker--

good thought. may be a better approach. i still like the idea of not rebuilding too often, because you don't want a user to load your page, grab the TB script's URL, compose an entry, and attempt to ping you andget a 404. there's a very real risk of a 404 error if you search&replace every few seconds or even every few minutes. if you only do a full rebuild once a day, and it's in the middle of the night, i think it's an okay compromise. server resources shouldn't be drained too much, and you're only rebuilding Individual Entry Archives.

still, it's a good idea. however, i'm a little wary of touching all of those files. i *am* a perl n00b.

one other thing to note: if you are using dynamic templates, you need not rebuild, and you can set mt_antispam_rename to run more often. dynamic templates grab the value of TrackbackScript direct from mt.cfg and rebuilding doesn't apply.

see MT-Close2

yes. if you don't want your posts to be trackback-able (or you're not in a "community" where anyone does that anyhow), set them to be disabled by default on new entries.

Weblog Config > Preferences > uncheck "Allow TrackBack Pings" On by Default

One caveat about this plugin, as I mention at James' site, is that if a user composes a post from a desktop blogger client and pings your site from there, it will be rejected. I do this. If you use something like Zempt, SharpMT, ecto, etc., it would block your TB.

shacker--

as Slick Willy would say, i feel your pain. :/ one thing you could do is disallow the Trackback RDF data tag. then try MTDisguiseTrackbackURL and James Seng's SCode. if you renamed mt-tb.cgi to something else, i believe that you could significantly cut down on server cpu utilization with these methods.

I call this schmuck Bob the Gambler, the guy who posts messages about online gambling, texas holdem, etc. He has been posting his annoying messages/links as Comments on my MT blogs and using the Trackback feature for about six months.

I am almost at the point where I want to remove my blogs. This aggravation just isn't worth it. I suggest Movable Type should address this problem and issue a fix for all of its users. Those of us with 2.x should not have to upgrade to 3.x to deal with it.

Last week, I deleted a line of code in the Main Index that disabled the Trackback feature, but why should I even have to do that? I use the MT Blacklist, too, but man this is really pretty &%$#@I* irritating.

In contrast, the blogs I have built in the past six months using http://www.blogger.com work beautifully. Too bad MovableType is unable to work as well as Blogger. If you are as exasperated as I am with MovableType, use Blogger! And it's free!

MovableType, get off your high horse and help all of us get rid of Bob the Gambler once and for all! Forget about your cash register and think about your customers!

Although I have my own issues with 6A's business model, your problem with their profit-making is not germane to the trackback spam discussion.

The real problem here is that trackbacks are designed to allow communication between non-humans, i.e. different weblogs and software. It's not like comments, where it's possible to use methods to verify that the user is human.

My guess is to address the growing trackback spam problem--and it is growing--6A will introduce trackback moderation in the near future. It should have been there long ago. This was a gaping invitation for spam from the moment the trackback standard was introduced, and frankly, I'm a little disappointed that the smart people who came up with it didn't anticipate misuse of the technology.

I was hoping not to have to download anything.

Also, since my mt-tb.cgi has been deleted, any idea where I can get a new one?

I e-mailed him a copy.

I tried
update mt_entry set entry_allow_pings = "0"
which changed 48 rows, and I thought that would be the end of it
but for some reason I am still being trackback spammed.
Any idea why?

I guess I will just have to delete the mt-tb.cgi file.
I am still using the free 2.63 movable type with blacklist.
But Blacklist with a long list of banned keywords must be
a big strain on my server.

Tim