Trackback spammers upping the ante
Kevin Burton: Nasty New Trackback Spam. The main technique in this case exploits the fact that TypePad allows HTML in a place where it shouldn’t (an easy fix), but this caught my eye:
3. In the post URL they encode your permalink’s URL so that automated backlink trackers fail since now your URL appears on their site.
This might sound a bit confusing so I’ll show an example.
The trackback they submitted was:
http://foocom/foo.php?www.feedblog.org/2005/08/msn_filter_even.html
Then when you load this URL they automatically create a link to:
http://www.feedblog.org/2005/08/msn_filter_even.html
This is the first attack I’m aware of that specifically attempts to thwart backlink checkers like the Trackback Validator I helped with this past summer. When we started the project, we predicted that trackback spammers would either give up and go home (ha!) or they’d continue with the arms race and develop some kind of dynamic spam page in response.
There are a couple of reasons why I think this means that the spammers have essentially lost:
- The spammers now need a stable URL on a server that can (potentially) serve a lot of hits. It’s a slightly greater investment, and any time we can create some financial burden on spammers, it’s a tiny win.
- More importantly, the URL used in the spam contains a valid backlink. By the metric we described when we released the Validator, this is no longer considered “spam”. Since PageRank is (currently) strictly additive, this means that the spammer can only be increasing your PageRank (and of course you’re doing nothing for his, because you used nofollow, right?). The spam is essentially harmless (and, in practice, difficult for a human to distinguish from a legitimate Trackback).
In a sense, these are the central goals of any anti-spam effort: to increase the costs to spammers, and to decrease the costs (in terms of time, PageRank, money, etc.) to recipients.