To Trackback or not to Trackback
I built this blog because I wanted a place to share my thoughts. I built it on Sean and Ray’s work, and it has treated me very well.
The time has come to start adding to their work and one of the places I thought to start would be to add the trackback and ping abilities to the code base. I have done the research and think it would only require a little bit of work to add to the application.
However, as I surf the net and read other blogs, I find that many of them have shut off comments and trackbacks because of spam problems. So this leads me to wonder… If I add those features would anyone use them? The same things could be ported to Ray’s blog pretty easily if someone wanted to, so you would not have to use my codebase for that to work.
So what do you think, internet? Would you like to use trackback?

I’ve turned off trackbacking, but managed to defeat comment spam using a SWF & 3 lines of Perl, so left comments on.
I believe people would use it if you implemented it, however, the only way to defeat both types of spam is using a Captcha test for the bots. It is the only proven, effective, and user-friendly way. Proven because even comment spammers (the one interviewed at the Register) mentioned it (2nd person). Effective in that most who implement it praise its results. User friendly in that requiring the typing of a number isn’t so bad because it is becoming more and more common, but also to developers too if you build it in.
Trackbacks are a more effective way to link to other blogs and discussions. Comments are what make a blog interactive. Go for it.
Simeon: I’m a big advocate of Trackback, but at this point, you need to commit to a lot more than just receiving and sending pings. You’ve got to implement spam control, and be certain you get your TB autodiscovery right… it’s a wasted effort, otherwise.
Jester: "[CAPTCHA] It is the only proven, effective, and user-friendly way."
Most of the folks working in the blogging field avoid CAPTCHA like the plague. First, because it’s actively user-hostile (it basically closes the door to low-vision users), and second, because there are other options that work well. And of course, CAPTCHA and Trackback are incompatible concepts.
That doesn’t mean CAPTCHA is evil… it can be useful in specific circumstances. But it’s not a general-purpose solution for security and spam issues.
Jester: "Trackbacks are a more effective way to link to other blogs and discussions."
A common misconception, which leads to a lot of abuse of the technology. Trackback is a means of making remote comments while retaining control of your content… what you’ve described is a protocol called "Pingback", which is not related to Trackback at all.
Thanks for the input guys. If the only 2 people who commented are for it and I want it then that’s enough for me.
Roger, how would you suggest securing the trackback? It’s just a request from another machine. Captcha won’t work because there is no interaction. I suppose there could be an approval process, the first time someone tracked you back you had to accept connections from that ip or something.
What do you think?
Simeon: First off, you need throttles… something to control flood attempts. And you *will* get flood attempts, since Trackback spam relies on standardized autodiscovery and can thus target any blogapp… comment floods, in contrast, have to be targeted at a specific tool.
(JournURL was "trackspam" attacked last week. I had unwisely opted to forego a throttle on Trackback, and got hit hundreds of times before I managed to shut down all incoming pings. And I was lucky… some folks got hit 1,000+ times in the space of a few hours.)
Beyond that, there are multiple options, some of which can work in concert.
- A moderation queue
- URI whitelists
- URI and content blacklists
- Traffic analysis
- Filtering (SpamAssassin, etc.)
"…the first time someone tracked you back you had to accept connections from that ip or something."
That could cause you some trouble, but it’s one way to approach whitelisting. Hosted services like JournURL, TypePad, etc. allow all kinds of users to send pings from a single IP, so you’ll have to keep a keen eye out to make sure you don’t end up banning an entire service over one user.
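One way the throttle, blacklists, whitelist and moderation queue listed in the comment above can work in concert, as an added example that is not code from this blog or from any commenter. The class name, thresholds and hostnames are assumptions; only the ping fields (url, title, excerpt, blog_name) come from the Trackback format.

```python
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit


class TrackbackGate:
    """Hypothetical gate deciding what happens to an incoming Trackback ping."""

    def __init__(self, max_total=20, max_per_source=3, window=600,
                 whitelist=(), blacklist=(), bad_terms=()):
        self.max_total, self.max_per_source, self.window = max_total, max_per_source, window
        self.whitelist, self.blacklist = set(whitelist), set(blacklist)
        self.bad_terms = [t.lower() for t in bad_terms]
        self.all_hits = deque()                # timestamps of all admitted pings
        self.source_hits = defaultdict(deque)  # timestamps per (ip, url host)
        self.queue = []                        # pings awaiting manual approval

    def _over_limit(self, hits, limit, now):
        while hits and now - hits[0] > self.window:
            hits.popleft()                     # drop hits outside the sliding window
        if len(hits) >= limit:
            return True                        # do not record: keeps memory bounded in a flood
        hits.append(now)
        return False

    def handle(self, ip, url, title="", excerpt="", blog_name="", now=None):
        now = time.time() if now is None else now
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https") or not host:
            return "reject:bad-url"
        # Throttle first: it is cheap and caps a flood whatever the content.
        # The per-source budget is keyed on (ip, url host), not the IP alone,
        # so blogs with their own hostname behind one hosted-service IP are
        # not throttled together. The global budget backs it up.
        if (self._over_limit(self.source_hits[(ip, host)], self.max_per_source, now)
                or self._over_limit(self.all_hits, self.max_total, now)):
            return "reject:throttled"
        text = " ".join((title, excerpt, blog_name)).lower()
        if host in self.blacklist or any(t in text for t in self.bad_terms):
            return "reject:blacklisted"
        if host in self.whitelist:
            return "publish"
        self.queue.append({"ip": ip, "url": url, "title": title, "excerpt": excerpt})
        return "moderate"
```

A ping that is neither whitelisted nor rejected lands in `queue`, so nothing from an unknown source is published without approval.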