I’ve been harvesting spam referers and trackback attack IPs on a daily basis, but while the number of new spam referers is down, the trackback IPs seem to be up.  I had one single IP in Cambodia hit the trackback script 424 times yesterday.  Before that I’d had another IP hit it over 700 times in a day.  There have been 434 trackback attempts today, none of them valid.  The problem is that even though they don’t succeed, they still require invoking PHP, making a database query to check the “token”, then issuing a response. 

I hate to do it, but I’m disabling trackbacks for a while.  I’ve also disabled anything with “referrers” in the request, since that is no longer an active page.  Anyone hitting that page now is presumed to be a spammer.

I had to do a bit of searching to come up with just the right .htaccess incantation to do this, since my installation of PHP requires the use of the CGI GET separator (”?”) instead of using “clean” URL’s like most installations of Expression Engine.  The following looks at the parameters passed to the script and returns a 403 to any caller who passes “trackback” or “referrers” anywhere in the query.


RewriteCond %    ^(.*)trackback(.*)  [NC,OR]
RewriteCond %    ^(.*)referrers(.*)  [NC]
RewriteRule (.*) - [F]


It does have the danger that if I ever use the word “trackback” or “referrers” in a post title it wouldn’t be accessible, but that’s a small risk I’m willing to take.