HOWTO: Combating/Blocking Movable Type Trackback Spam

I recently decided to stop accepting trackbacks from external sources.  In a nutshell, a trackback is similar to a "ping" from another blog or web-site.  This "ping" alerts your blogging software that someone has linked to your blog, or one of your blog posts.  Essentially, this lets bloggers keep track of who is linking, and referring, to their articles.  This is a great concept, except that spammers use trackbacks as a way to post their spam on your blog.  Trackbacks to a blog, or blog post, are often published and publicly visible.  As a result, spammers wrote bots and other programs to crawl the web looking for vulnerable blogs to which they submit "trackback spam."  For example, trackback spam might be a Viagra ad that is submitted and posted to your blog as a real trackback.

Since I started blogging in October '08, I've had to filter through a ton of trackback spam in Movable Type.  So, I decided to take it up a notch by using .htaccess to block external access to my Trackback web-service at http://mark.koli.ch/mt-tb.cgi.  Of course, this means that I'm also blocking any legitimate incoming trackbacks from other bloggers, but I don't really care.  Note that if you visit my trackback web-service at http://mark.koli.ch/mt-tb.cgi, you'll see a 403 Forbidden.

The trick is to use the Apache FilesMatch directive in your root .htaccess file to block incoming trackback pings from untrusted sources.  In my case, I've configured my .htaccess file to allow incoming trackbacks from any IP-address on my local subnet (1.0.0/24), and from the office (15.243.0/16):

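# Applies only to the Movable Type trackback script.
<FilesMatch "mt\-tb\.cgi">
    # Flag requests from trusted addresses (local subnet and the office).
    SetEnvIf Remote_Addr "^1\.0\.0\." TB_OK=1
    SetEnvIf Remote_Addr "^15\.243\." TB_OK=1
    # Apache 2.2 access control: deny everyone, then allow flagged requests.
    # (On Apache 2.4 these three directives require mod_access_compat.)
    Order deny,allow
    Deny from all
    Allow from env=TB_OK
</FilesMatch>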

Trackbacks from any other IP-address are blocked with a 403 Forbidden, like you will see here.  This strategy has completely eliminated all incoming trackback spam on my blog.  One might argue that I'm using a big hammer to solve a small problem by blindly blocking every incoming trackback.  And, you might be right.  But, I took this approach because I have better things to do than to sort through hundreds of garbage trackback pings.
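Because the allowlist above is a regex match on Remote_Addr rather than a CIDR rule, it is worth checking that the patterns admit exactly the intended subnets. The following is an added example, not part of the original post: it models the allow decision and compares it with a CIDR check. The sample addresses and the two weakened pattern variants are constructed for illustration.

```python
import ipaddress
import re

# The two SetEnvIf patterns from the post, and the subnets they are meant to cover.
PAGE_PATTERNS = [r"^1\.0\.0\.", r"^15\.243\."]
INTENDED_CIDRS = ["1.0.0.0/24", "15.243.0.0/16"]

# Hypothetical weakened variants, for comparison only (not from the post).
UNANCHORED = [r"1\.0\.0\.", r"15\.243\."]  # leading ^ dropped
UNESCAPED = [r"^1.0.0.", r"^15.243."]      # dots left unescaped

# Constructed sample client addresses: inside the subnets, next to them, and look-alikes.
SAMPLES = [
    "1.0.0.7", "1.0.1.7", "11.0.0.7", "120.0.5.1",
    "15.243.9.9", "15.244.0.1", "115.243.1.1",
]


def allowed_by_regex(addr, patterns):
    """Model 'Deny from all' + 'Allow from env=TB_OK'.

    SetEnvIf performs an unanchored regex search, so TB_OK is set
    (and the request allowed) if any pattern matches anywhere in addr.
    """
    return any(re.search(p, addr) for p in patterns)


def allowed_by_cidr(addr, cidrs):
    """Reference decision: is addr inside one of the intended subnets?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def mismatches(patterns, cidrs=INTENDED_CIDRS, samples=SAMPLES):
    """Sample addresses where the regex rule and the CIDR rule disagree."""
    return [a for a in samples
            if allowed_by_regex(a, patterns) != allowed_by_cidr(a, cidrs)]


if __name__ == "__main__":
    for name, pats in [("page", PAGE_PATTERNS),
                       ("unanchored", UNANCHORED),
                       ("unescaped", UNESCAPED)]:
        print(f"{name:11s} mismatches: {mismatches(pats)}")
```

The anchored, escaped patterns from the post agree with the CIDR check on every sample; dropping the `^` or the backslashes lets addresses outside the two subnets set TB_OK.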

Enjoy!


About this Entry

This page contains a single entry by Mark Kolich published on January 9, 2009 9:33 AM.
