Wesley R. Elsberry

Posts: 4966 Joined: May 2002
Reed Cartwright and I looked into it. The day before yesterday, PT got 1,495 hits on the trackback code, which should give everyone an idea of how PT could easily be inundated with spam trackbacks.

There is trackback throttling that is part of Movable Type's out-of-the-box behavior. It turns out that this throttling is based upon the total number of trackback requests received in the last hour and in the last day, and not on the existence of a previous trackback from the same IP or URL. This means that what the Movable Type programmers set up is a system that lends itself to a form of denial-of-service, as common spam trackbacks (coming in sometimes at rates higher than 75 per minute) are far more likely to be serviced and take up the maximum quota for the hour or day than the relatively rare legitimate trackback.

Reed has turned up the numbers on both settings, so hopefully real trackbacks will be serviced now. We're planning for eventually putting together an MT plugin to implement per IP, per URL throttling for trackbacks. In the meantime, there will just be a bunch of junk trackbacks entered into the database.

Update: Reed has the per IP throttle code put together, and is working on per URL, too.

Update: Per URL throttling is now up and running, too.
Edited by Wesley R. Elsberry on Mar. 21 2006,11:41
-------------- "You can't teach an old dogma new tricks." - Dorothy Parker
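
The difference between a site-wide quota and per-IP, per-URL throttling, as an added example that is not part of the original post and is not the plugin's code. The limits (100 per hour site-wide, 5 per hour per source), the addresses and the traffic are constructed, and the limiter is assumed to count accepted pings.

```python
from collections import defaultdict, deque

HOUR_MS = 3_600_000

class WindowThrottle:
    """Sliding window: at most `limit` accepted pings per `window_ms` for each key."""
    def __init__(self, limit, window_ms, key_fn):
        self.limit, self.window_ms, self.key_fn = limit, window_ms, key_fn
        self.accepted = defaultdict(deque)  # key -> timestamps of accepted pings

    def allow(self, ping, now_ms):
        q = self.accepted[self.key_fn(ping)]
        while q and now_ms - q[0] >= self.window_ms:
            q.popleft()                     # forget pings older than the window
        if len(q) >= self.limit:
            return False
        q.append(now_ms)
        return True

def build_traffic():
    """Constructed sample: one hour of (time_ms, ip, source_url) pings."""
    # Spam at 75 per minute (one every 800 ms) from three sources.
    spam = [(i * 800, f"203.0.113.{i % 3 + 1}", f"http://spam{i % 3 + 1}.example/")
            for i in range(4500)]
    # Three legitimate pings spread across the hour.
    legit = [(t, f"198.51.100.{n + 1}", f"http://blog{n + 1}.example/post")
             for n, t in enumerate((600_500, 1_800_500, 3_000_500))]
    return sorted(spam + legit)

def replay(traffic, throttles):
    """Return (legit_accepted, spam_accepted); a ping must pass every throttle."""
    legit = spam = 0
    for t, ip, url in traffic:
        if all(th.allow((ip, url), t) for th in throttles):
            if ip.startswith("198.51.100."):
                legit += 1
            else:
                spam += 1
    return legit, spam

def global_quota():
    # One shared counter for all senders: the first flood fills it.
    return replay(build_traffic(), [WindowThrottle(100, HOUR_MS, lambda p: "all")])

def per_source():
    # Separate counters per sender IP and per source URL.
    return replay(build_traffic(), [WindowThrottle(5, HOUR_MS, lambda p: p[0]),
                                    WindowThrottle(5, HOUR_MS, lambda p: p[1])])

if __name__ == "__main__":
    print("site-wide quota (legit, spam):", global_quota())
    print("per IP + per URL (legit, spam):", per_source())
```

With the shared counter the quota is exhausted within the first 80 seconds and every later legitimate ping is refused; with per-source counters each spam source is capped and the legitimate pings all get through.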