Enough is enough (trackback spam)

The amount of trackback spam we get is amazing. All (or most) of it is rejected by our spam filters, but it's still unnecessary (most of you won't notice it anyway, as we don't send notification mails for rejected comments by default). To cut that down at least a little, we added a new global option (it goes into conf/config.xml): "blogTrackbacksTimeLimit". If it is set to true (it is by default), trackbacks are disabled after one month. I think that in very few cases one has to trackback a post that is more than a month old (very few people trackback at all anyway). And if you leave the comments open, that person can still do a "Manual Trackback" then.

I put this into the 1.3 branch as well, as it shouldn't break anything (but as usual, you should delete the tmp/dir after an update).

If you have a customized theme, you have to adjust blog.xsl so that it no longer displays the trackback URL if trackbacks aren't allowed. See the diff for what has to be done. If you don't change it, trackbacks are still not accepted; only the text on the post itself is misleading :)


trackback spam

We (the Bitflux Blog) are currently hit by trackback spam once again. It's especially hard to take appropriate countermeasures, as the usual antispam techniques (captchas, hidden fields, etc.) don't work here. So what do we do?

The usual comment modes also apply to trackbacks, meaning that if you turn off comments, you can't trackback anymore either. Also, trackbacks, as with comments, are only allowed for one month by default. You can change that behavior for each post or globally in the settings.

Furthermore, trackbacks are moderated by default. Currently you can't change that; it's hardcoded. But in my experience, it's not worth automatically publishing trackbacks. There are many more spam trackbacks that fall through our spam detection than legitimate ones. It may be irritating to legitimate trackbackers that their trackback doesn't show up immediately, so I have now added a little text about that to the default templates.

We also check the sender IP against xbl.spamhaus.org (catches about 50% of spam trackbacks) and against surbl.org (less than 50%). We also have our own blacklist, where we add spam URLs as soon as they hit us (and we find the time and internet connection to add them :) ). For this reason, I always allow comments on Bitflux Blog, so that we get as many spam URLs as possible.
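The checks described above (time limit, own blacklist, sender IP against xbl.spamhaus.org, URL against SURBL, then moderation) can be sketched as follows. This is an added example, not Flux CMS code: all function names are hypothetical, the `multi.surbl.org` zone, the 30-day window and the host-based blacklist match are assumptions, and the DNS answers are constructed so that it runs offline.

```python
import ipaddress
import socket
from datetime import timedelta
from urllib.parse import urlsplit

IP_ZONE = "xbl.spamhaus.org"   # sender-IP list named in the post
URI_ZONE = "multi.surbl.org"   # assumption: SURBL's combined zone; the post only says surbl.org
LISTED = ipaddress.ip_network("127.0.0.0/8")
ERRORS = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus error answers, not listings

def dnsbl_name(ip, zone=IP_ZONE):
    """Reverse the address labels and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    reversed_ip = ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_ip}.{zone}"

def is_listed(name, resolve=socket.gethostbyname):
    """Listed means an A record in 127.0.0.0/8; NXDOMAIN or a DNS failure means not listed."""
    try:
        answer = ipaddress.ip_address(resolve(name))
    except (OSError, ValueError):
        return False  # fail open: the trackback still lands in moderation
    return answer in LISTED and answer not in ERRORS

def check_trackback(sender_ip, source_url, post_date, now, blacklist=(),
                    resolve=socket.gethostbyname, time_limit=True):
    """Return a reject reason, or "moderate" (trackbacks are never auto-published)."""
    if time_limit and now - post_date > timedelta(days=30):  # "one month" taken as 30 days
        return "reject: trackbacks closed"
    host = (urlsplit(source_url).hostname or "").lower()
    if not host:
        return "reject: no url host"
    if any(host == d or host.endswith("." + d) for d in blacklist):
        return "reject: local blacklist"
    if is_listed(dnsbl_name(sender_ip), resolve):
        return "reject: sender ip on xbl"
    domain = ".".join(host.split(".")[-2:])  # naive; real code needs the public suffix list
    if is_listed(f"{domain}.{URI_ZONE}", resolve):
        return "reject: url on surbl"
    return "moderate"

# Constructed DNS answers so the example runs offline (documentation addresses only).
FAKE_DNS = {
    "10.2.0.192.xbl.spamhaus.org": "127.0.0.4",
    "7.100.51.198.xbl.spamhaus.org": "127.255.255.254",
    "spam.example.multi.surbl.org": "127.0.0.2",
}

def fake_resolve(name):
    if name not in FAKE_DNS:
        raise socket.gaierror("NXDOMAIN")
    return FAKE_DNS[name]
```

Pass `resolve=fake_resolve` to exercise it without network access; with the default resolver the lookups go to the real zones, which answer with error codes in 127.255.255.0/24 when queried through some public resolvers.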

By the way, you won't get email notifications for rejected comments/trackbacks by default, so you may sometimes not know how much spam you get :) You can change that in the settings, too. But we have never had false positives, and you can also check the rejected comments/trackbacks in the webadmin (but they are deleted automatically after 3 days).

If anyone has any idea how we can further improve trackback spam detection, let us know.
