Subscribe to
NSLog(); Header Image

MovableType Needs TrackBack Whitelists

TrackBack may be dead to a lot of people, but I think it still has value. For example, at The Sand Trap, we use TrackBacks to link related articles to each other. That's what TrackBacks are, after all.

However, even at The Sand Trap it's a bit of a hack. Currently, I have the following in my mt-config.cgi:

OneDayMaxPings  200
OneHourMaxPings 1

I change it to "100" when I'm about to publish an article, then change it back. Still, a TrackBack spam or two occasionally slip in. Here at NSLog();, I've simply renamed the mt-tb.cgi script. When I need to ping another of my entries, I rename it temporarily.

TrackBacks were never used quite as frequently as comments, so the amount of spam they received often outweighed the benefits. However, TrackBacks aren't entirely junk - and I think they could be saved with the simple addition of a whitelist.

At The Sand Trap, I'd whitelist **, **, **, and a few other sites. I don't think we've ever gotten TrackBack spam from anyone with "golf" in the domain name, so I'd probably whitelist that too. If a ping was sent with a "pingback" domain not listed in the white list, it would be rejected immediately and without further processing. The URLs that made it through the whitelist could still be processed by the various Akismet and SpamLookup routines many MT users employ.

I checked out mt-tb.cgi to see if I could add whitelist functionality myself, but it's just a pointer file, essentially, that passes the buck to another script. If Six Apart would add this functionality, it would save me the trouble of turning changing config settings or renaming scripts when I need to send myself TrackBacks and it would allow our approved sites - sites like or whomever - to send TrackBack pings to us without trouble. It'd lower system load and make TrackBacks somewhat useful once again.

Odds of this happening? Slim to none. 🙁

8 Responses to "MovableType Needs TrackBack Whitelists"

  1. MovableType has become a pile of crud lately. Like Khoi, I've seen an increased number of 500 type errors. I've seen server loads of 25 or higher multiple times the past few days, oftentimes simply because mt-speak.cgi and mt-tb.cgi are...

  2. Su, you've missed the point. I want immediate rejection of everything not in the whitelist. SpamLookup is a plugin, which involves even more of the MovableType machinery. I routinely have 20-30 "mt-tb.cgi" processes running at a time. If the sending address is not in the whitelist, the app needs to exit the process immediately.

    See a later entry here on this blog for one such way - outside of MovableType - this can be done.

  3. Well, honestly, I think your complaint's a bit misplaced, then. In order for the spam/trackback system to determine whether something's spam(or whitelisted) or not, it does need to go in and be checked. All the method you've developed does is completely circumvent that process via an external whitelist. Which is fine and works, but at the same time would seem to remove the "Movable Type" from the title of this post, no? What you've developed is a server whitelist for access to a particular file which just so happens to handle MT trackbacks. Does some other system implement what you're asking for in the precise way you're asking for? I'm actually rather un-fond of TB and rarely use it, so it's entirely possible I'm missing something here.

    Anyway. It looks from the other post like you got something to work, but you might be interested in looking at the AutoBan system, which I think takes a similar tack, and offers a few other features that may be handy.

  4. I disagree that the complaint is misplaced. So few people use TrackBacks these days because they're so resource intensive and so easily spammed that the only remaining use for them may be to create links within a single site or a small group of trusted sites, such as the manner in which I've employed them at The Sand Trap (linking back to "related articles.").

    I don't think such an option should be turned on in MT by default, but if I don't care to ever receive a TrackBack from a third-party site, whitelisting or a simple checkbox "Only accept TrackBacks from this domain" would benefit a lot of people.

    My method does indeed remove MT from the equation, but only because it's easier to put a wall up before TrackBack requests get to MT than to attempt to hack into MT to do it there. If SixApart offered a solution that quickly cut off non-whitelisted TBs (and the resources a TB ping consumes), I'd gladly use MT for it. But they don't, and MT still "needs" TrackBack whitelists, IMHO, making the title relevant.

    Many people, like you, are not fond of TBs. Why? Because they are so easily spammed and so rarely legitimately used that they've gone the way of the dodo. Except that I still find value in them for helping with "related articles." Others - including you - might too if this whitelisting feature was included.

    I'd look at AutoBan, but more and more I'm trying to do things outside of MovableType because everything it does is SOOO SLOOOOOW.

    Thank you for your thoughts.

  5. Actually, my dislike of TB comes primarily from disinterest. It was a faintly interesting idea that just sort of never went anywhere, the summaries sent along are often useless, etc. Spam comes a distant last to all of that for me. And yeah, I'm sure part of the reason little has been done has been the spam; just talking about me here.

    Why whitelisting for this isn't built into MT is something to take up with the devs, obviously. Have you logged a direct complaint/feature request for it? I'd be curious about the explanation.

  6. I have filed the request with them, yes. I always do. Then I wait for a few months, and if I see no movement, I post on my blog. Then it gets a little more attention and, occasionally, gives 'em a kick in the rear to get going.

  7. Just wanted to pop by and say I agree entirely with your call for efficient trackback whitelists. I also use trackbacks to link related articles and find it annoying to have to adjust the OneDayMaxPings and OneHourMaxPings values whenever adding an entry.

    In the meantime, I've just installed AutoBan (found courtesy of Su's post above), and whitelisted my domains in .htaccess. Hopefully that will work until SixApart build a more integrated solution.