With my recent spam comment attacks, I’ve been thinking about other avenues of abuse. The spammers have already got their own blogs that are providing feeds full of nothing but spam. This is unpleasant, but easy for people to avoid (although difficult for PubSub). There is another very nice feature of many blog systems that exposes text submitted by others: TrackBack.
I suggest the discussion start right now on how to deal with trackback spam; I believe the problem will be harder than comment spam. With comment spam there is really only one approved way to receive it, which presumes human interaction. Having presumed human interaction allows us to deploy methods that are easy for humans to parse and understand, but (relatively) difficult for computers to deal with. This is one reason why email spam has been so difficult: it is simply two systems talking to each other, with no human in the middle. This means that all of the email spam defenses have to be “easy” for a computer to deal with. At any rate, trackback isn’t like comment spam (no human is expected to be filling out a form); it is two systems talking to each other (like email spam).
This may mean that we can use the same (or modified?) tools we have for email spam (like SpamAssassin) against trackback spam. Or perhaps trackbacks should stop displaying the excerpt? Or provide the link back only as text instead of as a hyperlink? Make all trackbacks require moderation?
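To make those four options concrete, here is an added example of a small trackback receiver that applies all of them: it parses the form-encoded ping that the TrackBack protocol sends (the `url`, `title`, `excerpt` and `blog_name` fields), runs a crude additive content score in the spirit of SpamAssassin, holds every surviving ping in a moderation queue, and, when a moderator approves one, renders it with the excerpt hidden by default and the link shown as escaped text rather than a hyperlink. This is example code written for this post, not code from any blog engine; the scoring rules, the `SPAM_TERMS` list, the `REJECT_THRESHOLD` value and the sample pings are all constructed for the demonstration and are not a real rule set.

```python
import html
from dataclasses import dataclass
from typing import List
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for a SpamAssassin-style rule set (assumption, not a real ruleset).
SPAM_TERMS = ("casino", "viagra", "mortgage", "free money")
REJECT_THRESHOLD = 3.0   # hypothetical cut-off above which a ping is refused outright


@dataclass
class Trackback:
    url: str
    title: str
    excerpt: str
    blog_name: str
    score: float = 0.0
    approved: bool = False   # every ping starts unapproved: moderation is required


def parse_ping(body: str) -> Trackback:
    """Parse the form-encoded TrackBack ping (fields: url, title, excerpt, blog_name)."""
    params = parse_qs(body, keep_blank_values=True)

    def field(name: str) -> str:
        return params.get(name, [""])[0]

    if not field("url"):
        raise ValueError("TrackBack ping is missing the required url parameter")
    return Trackback(url=field("url"), title=field("title"),
                     excerpt=field("excerpt"), blog_name=field("blog_name"))


def score_ping(tb: Trackback) -> float:
    """Additive content scoring in the spirit of SpamAssassin; the rules are constructed."""
    score = 0.0
    text = f"{tb.title} {tb.excerpt} {tb.blog_name}".lower()
    score += 2.0 * sum(term in text for term in SPAM_TERMS)
    parsed = urlparse(tb.url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        score += 5.0   # not a fetchable web URL at all
    if "http" in tb.excerpt.lower() or "<a" in tb.excerpt.lower():
        score += 1.5   # an excerpt should be prose, not yet more links
    if len(tb.excerpt) > 500:
        score += 1.0   # far longer than a sentence or two of context
    return score


def _response(code: int, message: str = "") -> str:
    """Build the XML response body that the TrackBack protocol expects."""
    msg = f"<message>{html.escape(message)}</message>" if message else ""
    return ('<?xml version="1.0" encoding="utf-8"?>'
            f"<response><error>{code}</error>{msg}</response>")


def receive_ping(body: str, queue: List[Trackback]) -> str:
    """Handle one ping: score it, refuse obvious spam, hold everything else for moderation."""
    try:
        tb = parse_ping(body)
    except ValueError as exc:
        return _response(1, str(exc))
    tb.score = score_ping(tb)
    if tb.score >= REJECT_THRESHOLD:
        return _response(1, "Rejected as probable spam")
    queue.append(tb)   # held, never displayed, until a human approves it
    return _response(0)


def render_trackback(tb: Trackback, show_excerpt: bool = False) -> str:
    """Render an approved trackback as escaped text only: the URL is shown in a <code>
    element rather than as an <a> hyperlink, and the excerpt is omitted unless opted in."""
    if not tb.approved:
        return ""
    parts = [f"<li>{html.escape(tb.blog_name)}: {html.escape(tb.title)} "
             f"<code>{html.escape(tb.url)}</code>"]
    if show_excerpt:
        parts.append(f"<blockquote>{html.escape(tb.excerpt)}</blockquote>")
    parts.append("</li>")
    return "".join(parts)


# Constructed sample pings, form-encoded exactly as a pinging blog would POST them.
LEGIT_PING = ("url=http%3A%2F%2Fexample.org%2Fpost&title=A+reply"
              "&excerpt=I+agree+with+this+post.&blog_name=Example")
SPAM_PING = ("url=http%3A%2F%2Fexample.net%2F&title=casino"
             "&excerpt=free+money+at+http%3A%2F%2Fexample.net&blog_name=mortgage")

if __name__ == "__main__":
    queue: List[Trackback] = []
    print(receive_ping(LEGIT_PING, queue))   # error 0: queued for moderation
    print(receive_ping(SPAM_PING, queue))    # error 1: refused outright
    queue[0].approved = True                 # simulate the moderator approving it
    print(render_trackback(queue[0]))
```

The point of combining the four measures is that each one covers a different weakness of the others: scoring catches the obvious cases before a human has to look, moderation means nothing reaches the page until a person has seen it, and rendering the URL as plain text with the excerpt hidden removes the payoff even when a ping does slip through.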
I’ve only been thinking about this for about 30 minutes, so I certainly won’t pretend to have come up with a solution, but I would like to see some discussion on how to deal with this before it hits us. Make no mistake, this will come; it is only a matter of time. Call this my prediction for 2005.
On a related note, if you are creating a spec for some spiffy new protocol (like trackback), please have a group of people look at how it can be abused. At a minimum, imagine how you would exploit it if you were a spammer (or some other equally evil evildoer). I’d like to see these issues addressed (and fixed) in specs for new protocols when they first come out, not after.
UPDATE 5 Jan 2004 @ 11:10am: Sadly, it looks like this trend is already starting; Matt mentions that he is already getting trackback spam.