weird trackback run

I had a very weird trackback spam run on annelisabeth.com April 1st.

The first GET request was for this file:
/blog/mt-tb.cgi/178?__mode=rss

It delivers an RSS feed of that post.

The next request was:
POST /blog/mt-tb.cgi/178

Problem is, I installed the moderate plugin for MT, and I don’t think trackback works anymore, mwuhaha.

But never mind, this spammer manages to get his URL known anyway, because the next request is:
GET /blog/mt-tb.cgi/178?title=Popular+Online+Casinos&url=http%3A%2F%2Fonline-casinos.xmix.net%2F&excerpt=Casinos

I can’t get that one to work, but I suppose they had a plan when putting their script together?

They continue like that for a while, before checking on their work by loading some category pages etc. They check on progress after a few hours, then two checks the next day, one hour apart.

I got three accesses on spamhuntress.com. One loading the RSS from a post. One attempting a trackback, and one checking an RSS feed from a page (page 4?) a day later.

65.77.130.194
mh.unlimitedwebhost.com

No referrer, no user agent, except one request on spamhuntress, using Wget/1.8.2

Update: Talk about bandwidth hog. It just keeps the requests coming. All from Wget this time. 5.69 megabytes wasted, according to Awstats from yesterday. I banned his sorry *ss.
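An added example (not part of the original post): a small Python check that flags any client making the three-step sequence described above (RSS probe, POST ping, GET ping with a `url` parameter) against the same trackback ID. The Apache combined log format, the sample lines and the addresses in them are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache combined log format (assumed); only the fields used below are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
TB_RE = re.compile(r'/mt-tb\.cgi/(?P<id>\d+)$')
SEQUENCE = ("rss_probe", "post_ping", "get_ping")

# Constructed sample lines: one client running the full sequence, one lone POST ping.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:01 +0000] "GET /blog/mt-tb.cgi/178?__mode=rss HTTP/1.0" 200 812 "-" "-"',
    '192.0.2.10 - - [01/Jan/2000:10:00:02 +0000] "POST /blog/mt-tb.cgi/178 HTTP/1.0" 200 90 "-" "-"',
    '192.0.2.10 - - [01/Jan/2000:10:00:03 +0000] "GET /blog/mt-tb.cgi/178?title=T&url=http%3A%2F%2Fspam.example%2F&excerpt=x HTTP/1.0" 200 90 "-" "-"',
    '198.51.100.7 - - [01/Jan/2000:10:05:00 +0000] "POST /blog/mt-tb.cgi/178 HTTP/1.1" 200 90 "-" "ExampleBlog/1.0"',
]

def classify(method, target):
    """Return (trackback_id, kind) for a request to mt-tb.cgi, else None."""
    parts = urlsplit(target)
    m = TB_RE.search(parts.path)
    if not m:
        return None
    query = parse_qs(parts.query)
    if method == "GET" and query.get("__mode") == ["rss"]:
        return m.group("id"), "rss_probe"   # feed of pings to the post
    if method == "POST":
        return m.group("id"), "post_ping"   # ping sent as POST
    if method == "GET" and "url" in query:
        return m.group("id"), "get_ping"    # ping parameters in the query string
    return m.group("id"), "other"

def find_runs(lines):
    """Map client IP -> trackback ids hit with probe, POST and GET ping in that order."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        hit = m and classify(m["method"], m["target"])
        if hit:
            seen[(m["ip"], hit[0])].append(hit[1])
    flagged = {}
    for (ip, tb_id), kinds in seen.items():
        it = iter(kinds)  # ordered-subsequence test: each step must follow the last
        if all(step in it for step in SEQUENCE):
            flagged.setdefault(ip, []).append(tb_id)
    return flagged
```

Running `find_runs(SAMPLE_LOG)` flags only the client that made all three requests; the lone POST ping is left alone.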

3 Responses to “weird trackback run”

  1. Dirk Says:

    I got those as well (also on April 1st). And they even worked. Seems my own trackback implementation is too forgiving …

    I also sent complaints to both the owners of the IP and xmix.net (who claim to remove sites “immediately” on abuse). Haven’t heard anything back and the spamvertized site is still online. So much for that …

  2. Manni Says:

    Might they be trying to syndicate spammed rss feeds? They syndicate the rss feed for a post, making it look harmless (maybe even look anti-spam), then they spam the blog and get spam syndicated that way?

  3. Phil Ringnalda Says:

    The first request gets an RSS feed of *pings to the post*, including the URLs that have already pinged it. URLs which are quite likely to support Trackback. Mmm, fresh targets. It would also make an easy way to check back later on whether your spam-ping made it through, and whether it stays published. Or, if you started your spam run from just a list of mt-tb.cgi URLs, it would give you the URL for the post you are spamming, to check the HTML later.

    Then, a POST for any modern implementation, followed by a GET just in case you are actually running MT from before, what, version 2.5 or so?, when Trackback only accepted GET. Or, there might be other non-MT implementations that implemented GET but didn’t ever switch over to POST.
