WP trackback block
Rewritten April 19
This is a good way to block POST requests to the trackback script of my 1.5 version of WordPress, using cruft-free URLs (for MT, look here):
This file contains all the blocks I think are useful, but all of the lines may not be necessary. Pick and choose which ones you think are most useful when you implement it.
Explanations of the lines:
SetEnvIf User-Agent "Mozilla" trackers
This one blocks user agents that include the word Mozilla. All browsers include it, and so do many of the user agents spammers use. As with all .htaccess blocks, you could theoretically get a legitimate trackback blocked this way.
SetEnvIf User-Agent "Opera" trackers
One spammer has a revolving list of user agents. One of those contains Opera, but not Mozilla.
SetEnvIf User-Agent ^$ trackers
This one blocks trackbacks that have an empty user agent. I have heard that some legitimate trackbacks would be blocked this way, but I haven’t seen any myself. I have seen spammers that have no user agents though, the xmix spammer in particular. Important: There’s no spammer currently using that approach, so you may want to omit that line!
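A dry run of the three User-Agent rules above against access-log lines, showing which trackback POSTs they would refuse before the rules go live. This is an added example, not part of the original post; the sample log lines, the `trackback` path marker and the function names are constructed for illustration.

```python
import re

# The three SetEnvIf patterns from the post. SetEnvIf does an unanchored,
# case-sensitive regex search on the header value, which re.search mirrors.
UA_RULES = [
    ("Mozilla", re.compile(r"Mozilla")),
    ("Opera", re.compile(r"Opera")),
    ("empty", re.compile(r"^$")),
]

# Apache "combined" log format: only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jun/2005:14:48:26 -0400] "POST /2005/04/08/a-post/trackback/ HTTP/1.0" 200 78 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"',
    '192.0.2.11 - - [08/Jun/2005:14:49:02 -0400] "POST /2005/04/08/a-post/trackback/ HTTP/1.0" 200 78 "-" "Opera/8.0 (Windows NT 5.1; U; en)"',
    '192.0.2.12 - - [08/Jun/2005:14:50:11 -0400] "POST /2005/04/08/a-post/trackback/ HTTP/1.0" 200 78 "-" "-"',
    '198.51.100.7 - - [08/Jun/2005:15:01:40 -0400] "POST /2005/04/08/a-post/trackback/ HTTP/1.0" 200 78 "-" "WordPress/1.5"',
    '198.51.100.8 - - [08/Jun/2005:15:02:13 -0400] "GET /2005/04/08/a-post/trackback/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.0"',
]

def matching_rule(user_agent):
    """Return the name of the first rule that flags this User-Agent, or None."""
    if user_agent == "-":  # Apache logs a missing header as "-"
        user_agent = ""
    for name, rx in UA_RULES:
        if rx.search(user_agent):
            return name
    return None

def dry_run(lines, path_marker="trackback"):
    """List (ip, user_agent, rule) for every POST to a trackback URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST" or path_marker not in m["path"]:
            continue  # unparsable line, not a POST, or not a trackback URL
        hits.append((m["ip"], m["ua"], matching_rule(m["ua"])))
    return hits

if __name__ == "__main__":
    for ip, ua, rule in dry_run(SAMPLE_LOG):
        verdict = "BLOCK (" + rule + ")" if rule else "allow"
        print(f"{ip:15} {verdict:16} {ua!r}")
```

Run it over a few days of real logs and compare the flagged senders with trackbacks you know were legitimate. The Via rule cannot be checked this way, because the combined log format does not record that header.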
You can also block any machine that sends a Via header. That includes some legitimate users who go through proxies (it’s still done at some ISPs). But here’s the code:
RewriteEngine on
RewriteCond %{HTTP:VIA} ^.
RewriteRule .* - [L,F]
In addition to these, you should put in the pinappleproxy block, as detailed in Cindy’s Spampop. That block will work for comment spam, trackback spam and referrer spam. It’s blocking the most relentless poker spammer I’ve ever seen, so it’s well worth adding. You can also add it in the form of a WordPress plugin.
My blocks are a bit tougher, but you should also have a look at the blocks that made it on to the WordPress site.
Also check out my page on Trackback Spam Solutions for more spam fighting choices for your blog.
April 12th, 2005 at 12:18 am
[…] . So I went looking for a pragmatic solution and, lo and behold, found one that sounds plausible but also quite harsh: it blocks via .htac […]
April 17th, 2005 at 11:57 am
How would you code htaccess to block trackbacks with a blank referer?
Is it possible to do:
if and
RewriteRule .* - [F,L]
Thanks.
April 17th, 2005 at 12:36 pm
You wouldn’t want to block trackbacks with a blank referrer. Normally, the authentic ones have blank referrers.
April 17th, 2005 at 12:45 pm
oh, ok. That would have been a major boo boo.
I put in the code to block pinappleproxy and that’s working great. I just wonder how long it will work.
Thanks for your help, it is much appreciated.
April 17th, 2005 at 1:04 pm
The pinappleproxy block should work for quite a while. It won’t block 100 % of the spam, but cut down the volume a lot.
April 17th, 2005 at 9:46 pm
You left a comment on my site about this and I have to ask - do you have any solution for a TypePad based blog? I am getting hit rather severely. Really saps the motivation out of me to do any more blogging. If you can direct me to the right solution, I would be forever grateful to you. Thanks!
April 18th, 2005 at 3:54 am
Here’s what Six Apart said earlier:
http://www.sixapart.com/typepad/news/2004/07/fighting_commen.html
In order to use .htaccess blocks, you’d need to be able to log in to the server. Not just the blog admin interface, but the files on the server.
According to Typepad, there is a file manager. You can check if that gives you access to the .htaccess.
There’s also IP banning. My guess is that’s an interface that’s simple to use. But the changes may be made to the .htaccess file. So it’s possible you can use .htaccess blocks.
But Typepad also promises to remove spam retroactively. So if you report the spam, they may remove it, and maybe even block it across all of Typepad.
Tell them about my solutions when you do. They wouldn’t implement exactly what I’m writing about here, but something similar server wide, if they see it as feasible.
April 21st, 2005 at 10:43 am
[…] thout a user agent. I’ve got a similar block for trackbacks, so I can use that one: trackback spam htaccess block I’m probably going to use it without limiting it to s […]
April 22nd, 2005 at 4:37 am
[…] ckbacks kept coming, and got annoying enough I just had to come up with a solution… http://spamhuntress.com/2005/04/08/wp-trackback-block/ This entr […]
May 14th, 2005 at 8:45 am
Your technique is more dangerous than it is useful. It avoids many legitimate trackbacks, and does not really avoid a lot of spam engines.
The first thing I note is that your technique is enabled for “”. That only works with “WordPress”, and your audience is probably not using it. At least, not all of it.
Then, you try to block the spammers based upon their “UserAgent” string. Errr… Hello! UserAgent is as easy to change as putting a new shirt on! It’ll maybe stop 2 or 3 script-kiddies, but not ANY spammer!
May 14th, 2005 at 9:07 am
I appreciate your comments.
As for stopping ANY spammer? I guess you don’t realize why blocking Mozilla works then… You see, it has to do with the software they use for adding trackbacks. When that software is using the same list of user agents for comments as for trackbacks, then it works really well!
May 20th, 2005 at 5:00 pm
I am not that stupid. I know that most legitimate trackback engines have a user agent string that doesn’t include the “mozilla” keyword that IE, netscape, mozilla (doh!), opera and firefox have. But well… Blocking based on the UserAgent is as useful as… Errr… I don’t have any visual image in mind
The problem is mostly about the message contained in the spam. Not about what tools the spammer used. Actually, if I were to write a trackback-spamming script, my first step would be to look at the source or an implementation I got under my hands (say, my blog engine), read the code, maybe port it to a more efficient form (a windows app), edit a few things and add a batch function to the thing… Then I’d just browse the web and find a few blogs to spam.
But in the process of modifying the source code of the trackback function of the blog engine, one thing I would NOT do, would be to add a signature or something like that in the user agent string.
May 20th, 2005 at 9:47 pm
Just because you have it all thought out doesn’t mean spammers do. Lots of spammers know very little about programming, they show this with their horribly broken spamming software. Many buy spamming software that has options like you mention but do not understand how or why to use all the options. We frequently see spammers going around with forged user agents, we also see many that leave the default string of whatever language they are using. We also see ones that try to fake the user agent but are unable to spell correctly or miss other details of a legitimate user string.
June 8th, 2005 at 1:35 pm
I cut and pasted the suggested code at the end of my htaccess file. The track back spam is getting through (although I do moderate it all.)
I looked at my error logs, and noticed the log looks like this:
81.115.31.217 - - [08/Jun/2005:14:48:26 -0400] "POST /blog/wp-trackback.php/131 HTTP/1.0" 404 78 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; NetCaptor 6.5.0RC1)"
So, I am sending them a “404”, but I *still* get a trackback. (Poker of course.) The IPs move around. All the trackbacks I found have Mozilla in the user agent.
Any tips? Thanks!
May 30th, 2006 at 2:26 am
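Blocking spam with htaccess…
Curing it at the root is what really counts!!
Well, I used to leave the blog’s spam problem to Spam Karma 2, and it handles the job perfectly well; but sometimes I still find it annoying, since deleting 1000+ spam entries every day is tiring too. So I…..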
September 15th, 2007 at 9:23 pm
[…] My suggestion is based on a trick I learned from SpamHuntresses’ who blocks trackback spam .htaccess. She described how to do it for WP 1.5; I modified her method to make it work for me, and to also catch the spammers using proxy servers. (I’ve also left Spamhuntress a question because I think we can block even more spam if we add a few more lines.) Anyway, give this a try because it may do the trick: […]
May 20th, 2008 at 2:36 am
Hi there. The link to Cindy’s Spampop is invalid. Can you reproduce how the “pinappleproxy block” works? Thanks!
May 20th, 2008 at 8:34 am
To InfoEmpresa,
Not sure Cindy’s Spampop is useful anymore. She’s long gone from the web by now anyway.