This is a nasty new clever little evil trackback spam.

They’re using the ‘source’ parameter to inject links, since on TypePad this parameter allows HTML to be included.

Trackback isn’t smart enough to add a ‘nofollow’ rel to these links, so this seems like an easy way to increase your PageRank.

What they’re doing is employing three interesting hacks.

1. Using the source parameter to add links, thereby bypassing nofollow PageRank suppression.
2. Using multiple links, each with one character, so that one word of 7 bytes has 7 links.
3. In the post URL they encode your permalink’s URL, so that automated backlink trackers fail since your URL now appears on their site.

This might sound a bit confusing so I’ll show an example.

The trackback they submitted was:

http://foocom/foo.php?www.feedblog.org/2005/08/msn_filter_even.html

Then when you load this URL they automatically create a link to:

http://www.feedblog.org/2005/08/msn_filter_even.html

This is problem one. It isn’t necessarily a problem with the protocol, because they could just as well include the data within the URL via PATH_INFO and decode it manually instead of using HTTP query parameters.

Then they pass in a source name of:

<a href=http://foo1.com/>K</a>
<a href=http://foo2.com/>Y</a>
<a href=http://foo3.com/>L</a>
<a href=http://foo4.com/>E</a>
<a href=http://foo5.com/>B</a>
<a href=http://foo6.com/>U</a>
<a href=http://foo7.com/>N</a>

This ends up being rendered as:

KYLEBUN

(mouse over each letter in the above link to notice a different URL).

Seems like the best fix in this scenario would be for TypePad and Movable Type to disallow HTML within the source name.
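To make the three tricks and the suggested fix concrete, here is an added example (my own Python, not code from the original post or from TypePad/Movable Type). It flags an incoming ping that carries HTML in the source name, that splits one word into single-character links, or whose post URL embeds your own permalink, and it renders the source name as plain text and the ping link with rel="nofollow". The field names ("url", "source"), the sample pings and the permalink are constructed for illustration; the check also covers the PATH_INFO variant mentioned above, since it looks at both the path and the query string.

```python
"""Defensive trackback-ping filter (added example; field names and samples are
constructed, not taken from any real trackback implementation)."""
import html
import re
from urllib.parse import urlparse, unquote

TAG_RE = re.compile(r"<[^>]+>")
ANCHOR_RE = re.compile(r"<a\b[^>]*>(.*?)</a>", re.IGNORECASE | re.DOTALL)

# Constructed sample data: our permalink, the spam ping from the post, and a benign ping.
OWN_PERMALINK = "http://www.feedblog.org/2005/08/msn_filter_even.html"
SPAM_PING = {
    "url": "http://foocom/foo.php?www.feedblog.org/2005/08/msn_filter_even.html",
    "source": "".join(
        "<a href=http://foo%d.com/>%s</a>" % (i + 1, ch) for i, ch in enumerate("KYLEBUN")
    ),
}
LEGIT_PING = {"url": "http://example.net/2005/09/reply.html", "source": "Example Blog"}


def html_in_source(source: str) -> bool:
    """Hack 1: the source name contains markup at all (TypePad rendered it raw)."""
    return TAG_RE.search(source) is not None


def single_char_links(source: str) -> int:
    """Hack 2: count anchors whose visible text is exactly one character."""
    return sum(1 for text in ANCHOR_RE.findall(source) if len(text.strip()) == 1)


def embeds_own_permalink(ping_url: str, own_permalink: str) -> bool:
    """Hack 3: the ping URL lives on a third-party host but carries our own
    permalink (host + path) inside its path (PATH_INFO) or query string."""
    own = urlparse(own_permalink)
    needle = own.netloc + own.path
    ping = urlparse(ping_url)
    if ping.netloc == own.netloc:
        return False  # a ping from our own host is not this trick
    haystack = unquote(ping.path + "?" + ping.query)  # undo %-encoding first
    return needle in haystack


def check_trackback(ping: dict, own_permalink: str) -> list:
    """Return the list of findings for one incoming ping (empty means clean)."""
    findings = []
    source = ping.get("source", "")
    if html_in_source(source):
        findings.append("html_in_source")
    if single_char_links(source) >= 3:
        findings.append("single_char_links")
    if embeds_own_permalink(ping.get("url", ""), own_permalink):
        findings.append("own_permalink_in_ping_url")
    return findings


def render_source_name(source: str) -> str:
    """The fix suggested above: treat the source name as text, never as markup.
    Tags are stripped and whatever remains is entity-escaped."""
    return html.escape(TAG_RE.sub("", source), quote=True)


def render_ping_link(url: str, text: str) -> str:
    """Render the ping's own link with rel="nofollow" and escaped href/text."""
    return '<a href="%s" rel="nofollow">%s</a>' % (
        html.escape(url, quote=True),
        html.escape(text, quote=True),
    )


if __name__ == "__main__":
    for name, ping in (("spam", SPAM_PING), ("legit", LEGIT_PING)):
        print(name, check_trackback(ping, OWN_PERMALINK))
        print("  source renders as:", render_source_name(ping["source"]))
        print("  link renders as:  ", render_ping_link(ping["url"], ping["source"]))
```

Run as a script it prints the findings for both constructed pings; the spam ping trips all three checks and its source name renders as the bare text KYLEBUN with no links, while the benign ping produces no findings. The threshold of three single-character links is an assumption chosen to avoid flagging a one-letter blog name.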

Update:

Dan Sandler makes some valid points:

More importantly, the URL used in the spam contains a valid backlink. By the metric we described when we released the Validator, this is no longer considered “spam”. Since PageRank is (currently) strictly additive, this means that the spammer can only be increasing your PageRank (and of course you’re doing nothing for his, because you used nofollow, right?).

Another point is that PageRank factors in outlinks too. The more links out to other blogs you have, the less PageRank you will have. Since they’re creating a link for every spam post, they will lower their own PageRank.

In the end I’m not sure if they’ll get anything out of this.


  1. Phil Ringnalda

    And it was a new ping, not an old one you just discovered? I read about that back in early September, and figured it would be gone quickly, since it would only take a few minutes to fix.

    Near as I can tell, unless I didn’t remove enough of my added defenses while testing, MT (at least, MT 3.2) isn’t vulnerable to that: in fact, after stripping the incoming HTML it so rabidly nofollows that the linked post title and [Read More] were both “rel=’nofollow nofollow’” and the internal links, to my own post and the permalink for the ping on my own weblog, were both also senselessly nofollowed (though only once).

  2. Kevin Burton

    Hey Phil.

    Not sure about MT but TypePad is totally vulnerable to this attack as it allows raw HTML within the source.

    Wonder if I could use this for an XSS attack?

  1. dsandler.org

    Trackback spammers upping the ante

    Kevin Burton: Nasty New Trackback Spam. The main technique in this case exploits the fact that TypePad allows HTML in a place where it shouldn’t (an easy fix), but this caught my eye:

    3. In the post URL they encode your permalink’s URL …
