Tom Coates proclaims Trackback to be dead. Funny, I didn’t even need to visit his site to know that he’s running his blog on Movable Type and with inadequate spam protection.
That’s like… (pick your poison):
- …not wearing a condom and declaring prostitution dead.
- …not wearing a seatbelt and declaring driving dead.
- …not locking your doors, and declaring home security dead.
If you have a better one, add it.
Most of the time, people complaining about blog spam are running blog software that is 2 years old, or are running without any decent protection at all.
Anil Dash quips:
However, I clearly missed your “email is dead” post on that matter. How did you get by after you abandoned email?
Heh. If you are using AOL or Hotmail for your e-mail, without any spam filters, you might just think e-mail is dead.
There’s a fatal flaw in 2/3rds of your metaphors: Condoms and seatbelts both deal passively with the problem. You don’t need a different kind of condom for every encounter, and the prostitutes likely don’t try every trick in the book to puncture it; you don’t need to vigilantly update your seatbelts — seatbelts do still fail for certain angles of collisions and can restrict perfectly legal maneuvers, so that’s correct as far as that goes, but still, you don’t have to re-inforce them every time they fail, and they don’t spontaneously decide that they won’t unbuckle because you happened to be parked next to a shop selling collision insurance or crash-courses.
As for email: anyone who thinks email filters work either (a) does not receive much email or (b) hasn’t been online for more than maybe a couple of years, or both. Bayesian filters eventually learn that ALL html-email is spam, or will receive enough of the “innocent irrelevant prose” stuffed in spam to start mis-classifying.
And therein TB fails: Fighting spam with pattern matching (of which Bayesian is only one type) is an escalating battle where you must guess the condom-type before the encounter; it’s far more like an anti-biotic in that the approach is quickly met with adaptation by the parasite, and escalation eventually leads to the host’s death.
The solution I have proposed to Drupal.org is ‘white-listing’. The vast majority of trackbacks on any given blog will come from a small number of blogs the author knows, so in this context, unlike email, white-listing makes sense: each new-source TB is held in quarantine unless the source is already approved, and the corollary action must therefore also provide for a fast and direct purging of the TB spam (and for banning sources like present filters), because once a TB spammer finds you, they can post as many as 500 TB bayesian-resistant spams per hour. When you’re spending 8 times as much time or more cleaning your blog as adding to it, something’s gotta give.
To my knowledge, no such TB white-list system has been implemented by any blog software. So, in principle, yes, you have a perfectly valid point: TB with appropriate protection is just as safe as any other communications. The flaw in your thesis is the assertion that such protection currently exists.
My study of spam attacks is somewhat self-inflicted: I refused the ISP-managed spamfilters after observing the high number of false-positives, so I get all my spam. 2000+ per day. Simply detecting whether these emails are spam or not consumes the full-time resources of one PC — therein the final problem with TB: Detecting the good from the bad requires server resources, and semantic/linguistic analysis is not cheap. As the TB attacks escalate, they will become DoS attacks. Already I find more than 3/4 of my actual site traffic is from referrer spam, and because my site is database-driven, I have to thwart those attackers at the request level (using Apache mod_rewrite) or face mysql meltdown. Trouble is, TB attacks are just as easy to automate via virus-infected machines, but they require significant computing resources just to receive them.
Even if it did exist, I’d still wonder: 500 attempts per hour is only the current levels and, using their distributed networks, spammers are capable of much higher frequencies; every new hurdle we throw only results in an escalation of the spam attacks because, when you’re making $40,000/month, what’s another $400 to add another machine?
WordPress whitelists trackbacks from blogs on your blogroll, and has a whitelisting system for comments, but I don’t think it yet has an “approve first-time trackback domains” feature, although it would be simple to implement (and a good idea).
Eventually, yes, spam will stretch your resources. But I’ve seen blogs go down by non-spam DOS attacks, so that’s more of a general problem with hosting a site. I think part of the problem with spam blocking is that most of the methods wait for the spam to come in, and then do analysis on the content of the spam. Bad Behavior looks at the HTTP headers and looks for inconsistencies, blocking spammers even before they can scrape your site for trackback URIs or comment forms, and doing so in milliseconds.
The next step might be trusted p2p networks for transferring IP block lists between blogs.
I probably receive 400 visits by spambots a day and 100 comment/trackback attempts. Maybe 2 a month get through. So yeah, I’m fairly optimistic.
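As an added example (not part of the original thread, and not code from WordPress, Drupal or Movable Type), here is a minimal Python sketch of the whitelist-and-quarantine handling discussed in the two comments above: approved hosts publish at once, first-time hosts are held for review, and one action bans a host and purges everything it sent. The class name, the per-host cap of 5 and the `.example` hosts used to exercise it are assumptions for illustration.

```python
from urllib.parse import urlsplit

class TrackbackModerator:
    """Whitelist-first trackback handling: unknown sources wait in quarantine."""

    def __init__(self, approved_hosts, max_pending_per_host=5):
        self.approved = {h.lower() for h in approved_hosts}  # e.g. the blogroll
        self.banned = set()
        self.pending = []     # (host, ping) pairs awaiting the owner's review
        self.published = []   # (host, ping) pairs visible on the site
        self.max_pending = max_pending_per_host

    @staticmethod
    def source_host(url):
        """Return the lower-cased host of an http(s) URL, or None if unusable."""
        try:
            parts = urlsplit(url)
        except ValueError:
            return None
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return None
        return parts.hostname.lower()

    def submit(self, ping):
        host = self.source_host(ping.get("url", ""))
        if host is None or host in self.banned:
            return "rejected"
        if host in self.approved:
            self.published.append((host, ping))
            return "published"
        # First-time source: hold it, but cap the queue so a flood stays cheap.
        if sum(1 for h, _ in self.pending if h == host) >= self.max_pending:
            return "rejected"
        self.pending.append((host, ping))
        return "quarantined"

    def approve_host(self, host):
        """Whitelist a host and release its held pings; returns how many."""
        host = host.lower()
        self.approved.add(host)
        released = [p for p in self.pending if p[0] == host]
        self.pending = [p for p in self.pending if p[0] != host]
        self.published.extend(released)
        return len(released)

    def ban_host(self, host):
        """Ban a host and purge all of its pings in one step; returns how many."""
        host = host.lower()
        self.banned.add(host)
        self.approved.discard(host)
        before = len(self.pending) + len(self.published)
        self.pending = [p for p in self.pending if p[0] != host]
        self.published = [p for p in self.published if p[0] != host]
        return before - len(self.pending) - len(self.published)
```

The host is taken from the `url` field that the sender supplies, so a deployment would also confirm that the source page really links back before trusting the match.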
Mark, every time I’ve come across people complaining of comment/trackback spam I’ve asked them: Why the hell haven’t you had Mark Jaquith set you up on WordPress yet?
Really, all these people complaining about spam problems are missing the boat. Since you set me up I haven’t had a single problem aside from the occasional spam getting through once in a great while.
I hope some of these people have been contacting you.
ROTFL — Mark, that is the most delightfully naive technical comment I’ve heard since Wednesday! Thank you for posting that. It must be wonderful to live on your planet.
I’m placing your advice right up there with the CTO who, when challenged on his 2 days to delivery timeline, told the room “Oh, programming is easy! It’s the debugging that’s hard.”
so sorry, that last one was about Rob’s delightfully naive comment. Mark, on the other hand, had some very good points, but still admits that the condom does not yet exist.
Most of the people complaining about blog spam are running Movable Type, and often a version of it that is 2 years old. I tend to think that they are the naive ones. Rob’s blog gets way more spam than mine does, but he manages to keep his head above the water using freely available tools. There may be no silver bullet (I’ve gone maybe 2 months at most without any spam), but there are some good solutions that don’t take a guru to use.
So you’re saying, Mr. G, that I have been having spam problems but that I’m too stupid to know?
Strange…considering that in the last month I’ve had over 3,000 attempted spam comments/trackbacks (according to Spam Karma’s count) with only one or two getting through.
I’ll admit that I’m no genius when it comes to the technical side of my blog (I have Mark for that), but it’s hard to argue with success. I get an above average amount of traffic and an above average number of attempted spam comments/trackbacks, but the measures Mark has installed to stop them have been much more effective than Mark is letting on. I do not “keep my head above water,” I simply don’t have a problem.
But thanks for being a caustic ass about the whole thing. Adds a lot to the discussion.
Rob, what I’m saying is worse: I’m saying that every time someone recommends that I can solve a highly intractable social problem by simply switching to some specific piece of software, I want to give them a lolly-pop.
and then whack them.
FWIW, I’m on Drupal and with the spam-filtered TB, I also cut my spam counts to zero for a period of several weeks. But that does not mean anything, dig? You don’t need a caustic ass to draw the “Door is Unlocked” arrow, the hole remains, and the spammers know that, and, according to independent articles in both the Register and on Wired, the revenues from spam are so staggeringly high that the best you can get only bides some time.
If that bothers you, or even if it doesn’t, makes no difference to me, but you’re no more protected from TB spam by switching to WP than you’re protected from AIDS by coitus interruptus. So you can rest easy in your false security, it’s a nice place to be, but I’ve already had that experience of having my weekend ruined by being hit by multiple website link-spammers with new toys, or seeing my sites cached in google as Texas Hold-em hubs, and I just don’t find watching my back 7×24 to be a particularly fun way of “easy publishing online”.
You do what you like, but despite how ever much I envy your comfy snugness, I’m still keeping the anon-public write tab switched off until there’s some real solutions.
Hey, sorry you’ve had such a bad experience with all this. All I can tell you is that I have a system that works, and that’s been working for about four months now through more than one wave of trackback/comment spam that has driven other websites crazy.
Like I said before, it’s hard to argue with success. Maybe something new will come along and my security measures won’t work. I guess I’ll cross that bridge when I come to it.
Still don’t see where anything I said was deserving of your rather condescending and spiteful response, but maybe your mommy didn’t teach you any manners.
MT has a plugin that allows TB moderation. I had a few TB spams, but installed MT close, which shuts off TB & comments on old posts, which is where you usually get the spam.
what’s the betting that he comes up next with “Internet is Dead” post?
heh … thank you Stasigr et al for so clearly helping to prove my point