May 02, 2005
TrackBack: A Tragedy in Three Acts

I’ve been thinking a lot lately about the fate of one of the better-known blogging technologies: TrackBack.

First introduced by Six Apart in 2002, TrackBack has had the life of a hothouse flower: in just three short years it sprouted, bloomed, and (for all intents and purposes) died.

“Died?” you ask. Yep, as far as I’m concerned TrackBack is dead — killed by spammers who have made it more trouble than it’s worth to keep it around. So much TrackBack traffic comes from spammers these days that it can overwhelm your server; I actually got a nastygram from my ISP a couple of months ago about how much CPU usage TrackBack was responsible for on my box, which was part of the reason why most of my blogs no longer support TrackBack. It just wasn’t worth the trouble of keeping it around.

But can we learn something from the fate of TrackBack to make future social software innovations more successful? I think so. To understand how, let’s examine the life of TrackBack in a little play I call TrackBack: A Tragedy in Three Acts.

TRACKBACK

A Tragedy In Three Acts

by Jason Lefkowitz

Act I

[The setting: the still-not-a-corporation-yet “offices” of Six Apart, circa 2002. BEN and MENA TROTT are sitting at computers next to each other, typing away.]

BEN: Honey pie?

MENA: Yes, sugar bear?

BEN: Do you ever get the feeling that it’s too much trouble to leave a comment with a link if you want to tell someone that you wrote about their post?

MENA: Not really, sweetums.

BEN: Hm. Well, I do. It sure would be nice if there was some way my blog could just tell the other blog that I wrote about it automatically…

MENA: Would something like that be hard to do?

BEN: Wait a sec… [typing quickly] Done!

MENA: How exciting! Blogs automatically notifying each other of updates. What would you call such a thing?

BEN: I was thinking “Auto Blog Notifier Pro”.

MENA: …

BEN: How about “Auto Blog Notifier XP”?

MENA: Those names both suck, snuggle bunny. How about “TrackBack”.

BEN: Ooh, that is good, pookie.

[As the lights go down, they kiss. Diabetics in the audience begin to go into sugar-shock.]

Act II

[The setting: The Blogosphere, one week later. We see two anonymous bloggers, clad in pajamas, begin playing with TrackBack.]

BLOGGER 1: Wow, this is cool! Automated post notification.

BLOGGER 2: Hm. How does your blog know I am who I say I am?

BLOGGER 1: Eh wha?

BLOGGER 2: How does your blog know that when it gets a ping from mine, that it actually came from me, and not someone else?

BLOGGER 1: Well, it doesn’t actually.

BLOGGER 2: Hm. And how does your blog know which pings to display and which to throw out?

BLOGGER 1: Throw out?

BLOGGER 2: Oh dear. It’s at least complicated to send a ping, right? So you couldn’t send huge amounts of them at once?

BLOGGER 1: What? Complicated? Nah, it’s just an HTTP POST.

BLOGGER 2: I sense trouble ahead.

BLOGGER 1: You’re just paranoid, pookie bear.

BLOGGER 2: What did you just call me?

Act III

[The setting: Six Apart, two years later. BEN and MENA are typing away on their computers.]

MENA: Oh look, tootsie-wootsie! I just got 548 TrackBack pings! Who knew that my once-a-year update on the corporate blog would be so popular?

BEN: Cool! Where are they from?

MENA: Let’s see… one from Anil’s blog… one from Jay Allen’s blog… and 546 from cialis-casino.com.

BEN: What?

MENA: That’s what it says. “cialis-casino.com”.

BEN: That’s not right.

MENA: And look, now I’m getting pings from cialis-casino.com on ALL my posts!

BEN: Oof.

MENA: There’s an easy way to block these, right, buttercup? And to remove the ones that have now been sprayed all over my site?

BEN: …

MENA: You ASS. [MENA produces a fire axe from beneath her desk and buries it in BEN’s skull. THE END.]

So what lessons can we take from Ben and Mena’s unfortunate experience, to improve future social software offerings?

  1. You should assume that systems on the public network will be abused. This is a lesson as old as the Internet, but every programmer seems to have to learn it for him/herself: if you make a system available to the public, people will abuse it. It’s a simple function of the size of the audience: given a large enough group of people (like, say, the population of the Internet), and a sufficient degree of anonymity, people will start pushing the envelope to see what they can get away with. This is the Greater Internet Fuckwad Theory in action, kids, and it ain’t pretty. Don’t believe me? Ask the US Postal Service what happened when they partnered with Stamps.com last year to let people create their own postage using any images they liked. I’ll say it again: put a system on the public network and people will try to abuse it.
  2. Systems that don’t think about security up front end up paying for it down the road. Because of the fundamentally insecure architecture of TrackBack and the basic truth of the Greater Internet Fuckwad Theory, a host of workarounds have sprung up to deal with the resulting mess. The most popular is MT-Blacklist, a plugin for 6A’s Movable Type software which lets you create a blacklist of URLs and automatically block pings containing them. However, this solution falls prey to the standard problem with blacklists: it’s completely reactive (you’re always a step behind the spammers) and doesn’t scale well (eventually your blacklist swells to a huge size and becomes unwieldy to parse and manage). Does it work? Yeah, kind of — but it’s a huge amount of effort to make up for not putting in a little effort up front to ask “Could people abuse this? How? How can we close those use cases?” (Note: I’m not saying you should spend four years planning out your code before you write it — we don’t need any more architecture astronauts. A little thinking about abuse and security up front can help you close off the vast majority of potential exploits at little cost, though.)
  3. When your technology is open to abuse, silence is deadly. You might think that 6A, as the authors of the spec, would have made notice of the deep problems with TrackBack and been on top of finding solutions. Such is not the case: the official TrackBack blog hasn’t been updated in nearly a year, and their Professional Network lumps TrackBack spam in with comment spam and advises use of tools like MT-Blacklist for both. The result is a perception that no fix is coming, which leads people to abandon ship rather than wait for a fix they think will never come.

Three lessons: assume the worst, plan for security, and communicate with the community that uses your tool. Hopefully the ultimate fruit of TrackBack is that it encourages more developers to learn these lessons, before they find themselves chasing exploits like Ben and Mena.

Posted by Jason Lefkowitz at May 02, 2005
Comments

Is something like pingback the answer? Seems like that would take more computational power than trackback.

http://www.hixie.ch/specs/pingback/pingback

Posted by: Oscar on May 3, 2005 10:20 AM

How is Pingback more secure than Trackback? It looks to me like TB, but using XML-RPC instead of HTTP POST. It might be slightly more resource-intensive to generate mass Pingbacks than Trackbacks, but I can't imagine it would be _so_ demanding that it would make spam impossible (and besides, even if it did, just wait a couple years for computer power to double and you're back where you started). And there's no reason why I couldn't fake a pingback any less easily than I could fake a trackback.

Unless I'm missing something?

Posted by: Jason Lefkowitz on May 3, 2005 1:46 PM

Note that a couple of researchers at Rice University have released a Trackback spam blocker plugin for WordPress which could revive Trackback if it becomes widely adopted: their Trackback Validator Plugin checks to make sure that the sites which send you Trackback pings really do link to you, a test that most spammers fail.

http://idli.cs.rice.edu/~dsandler/trackback/trackback-validator-plugin/

Posted by: Prentiss Riddle on September 19, 2005 1:50 PM
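Lesson 2 above contrasts a reactive URL blacklist with thinking about abuse up front, and Prentiss Riddle's comment describes the Rice validator's approach: since a ping is an unauthenticated HTTP POST, the receiver checks for itself whether the claimed source page really links back. The following Python is an added illustration of both checks side by side; it is not code from this post, from Six Apart, or from the Trackback Validator plugin. The form field names (url, title, excerpt, blog_name) and the XML response format follow the TrackBack specification; the ping bodies, host names, page contents, and the `FAKE_WEB` fetcher standing in for HTTP GET are constructed for the example.

```python
"""Receiver-side validation of TrackBack pings (constructed example).

A ping carries nothing that proves who sent it, so the receiver must
decide on its own which pings to keep.  Two strategies are compared:
  * a URL blacklist: reactive, a new spam host gets through until someone
    adds it;
  * link-back validation: fetch the page at the claimed source `url` and
    keep the ping only if that page actually links to the target post.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed POST bodies as a TrackBack endpoint would receive them.
TARGET = "http://example.org/blog/2005/05/trackback-tragedy"
PINGS = [
    "url=http%3A%2F%2Fanil.example%2Fpost-about-trackback&title=Nice+post&blog_name=Anil",
    "url=http%3A%2F%2Fcialis-casino.example%2Fbuy&title=Cheap&excerpt=buy+now&blog_name=Casino",
    "url=http%3A%2F%2Fnew-spammer.example%2Flanding&title=Hi&blog_name=Fresh+Spam",
]

# Constructed "web": what fetching each claimed source URL would return.
# Only the first page really links to TARGET.
FAKE_WEB = {
    "http://anil.example/post-about-trackback":
        '<p>Jason wrote a play: <a href="%s">TrackBack: A Tragedy</a></p>' % TARGET,
    "http://cialis-casino.example/buy":
        '<a href="http://cialis-casino.example/order">ORDER NOW</a>',
    "http://new-spammer.example/landing":
        '<p>No link to you here.</p><a href="http://new-spammer.example/x">x</a>',
}

# A reactive blacklist: it only knows hosts someone has already noticed.
BLACKLIST = {"cialis-casino.example"}


class LinkCollector(HTMLParser):
    """Collects href values of <a> tags from an HTML page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def parse_ping(body):
    """Decode the form-encoded POST body into a dict of single string values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def blacklist_check(ping, blacklist=BLACKLIST):
    """Accept unless the claimed source host is on the blacklist."""
    host = urlsplit(ping.get("url", "")).hostname or ""
    return host not in blacklist


def page_links_to(html, target):
    """True if the page has an <a href> equal to `target` (trailing slash ignored)."""
    collector = LinkCollector()
    collector.feed(html)
    norm = target.rstrip("/")
    return any(h.rstrip("/") == norm for h in collector.hrefs)


def linkback_check(ping, target, fetch):
    """Fetch the claimed source page and verify it links to `target`.

    `fetch(url)` returns the page body or None; an unfetchable page or a
    non-HTTP URL is treated as not linking back.
    """
    url = ping.get("url", "")
    if urlsplit(url).scheme not in ("http", "https"):
        return False
    html = fetch(url)
    return html is not None and page_links_to(html, target)


def trackback_response(ok, message="Ping rejected"):
    """XML body a TrackBack endpoint returns: error 0 means accepted."""
    if ok:
        return '<?xml version="1.0" encoding="utf-8"?><response><error>0</error></response>'
    return ('<?xml version="1.0" encoding="utf-8"?><response><error>1</error>'
            '<message>%s</message></response>' % message)


def evaluate(pings=PINGS, target=TARGET, fetch=FAKE_WEB.get):
    """Run both checks; returns {claimed_url: (blacklist_ok, linkback_ok)}."""
    results = {}
    for body in pings:
        ping = parse_ping(body)
        results[ping["url"]] = (blacklist_check(ping), linkback_check(ping, target, fetch))
    return results


if __name__ == "__main__":
    for url, (bl, lb) in evaluate().items():
        print("%-45s blacklist:%-5s linkback:%s" % (url, bl, lb))
        print("  ->", trackback_response(lb))
```

Run as a script, the third ping shows the gap: the blacklist passes the not-yet-listed spam host, while the link-back check rejects it because the claimed page carries no link to the post. In a real endpoint the fetch would be an outbound HTTP GET with a timeout and size limit, which is also why the validator costs the receiver more than a blacklist lookup does.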
About Your Host

Ant's Eye View is edited by Jason Lefkowitz, a consultant and Web developer in Alexandria, Virginia. Got a question, comment, or concern? Let me hear it!
