Trackback spam not detected #489

Open
Zodiac1978 opened this issue Mar 22, 2023 · 5 comments
@Zodiac1978
Member

Zodiac1978 commented Mar 22, 2023

Describe the bug
Obvious trackback spam is not detected by ASB and is coming through.

First reported here:
https://wordpress.org/support/topic/antispam-bee-not-marking-obvious-spam-trackbacks-as-spam/

Asked the reporter to send more details via our form.

Confirmed by own experience.

Expected behavior
ASB should obviously detect the spam.

We need to check why this comes through and maybe how we can harden the trackback check.

@Zodiac1978
Member Author

I only got two trackback spams coming through:

Website: My Homepage (IP-Adresse: 89.37.66.6, 6.66.37.89.baremetal.zare.com)
URL: http://www.3hbas.org/
Trackback (Textauszug):
... [Trackback]

[...] Read More here: torstenlandsiedel.de/2020/09/18/nach-update-auf-wordpress-5-5-sind-die-kommentare-verschwunden/ [...]

Website: My Homepage (IP-Adresse: 109.230.218.52, 52.218.230.109.baremetal.zare.com)
URL: http://www.akb0mpmxl.org/
Trackback (Textauszug):
... [Trackback]

[...] Informations on that Topic: torstenlandsiedel.de/2021/12/20/variable-document_root-in-htaccess-nicht-nutzbar/ [...]

It is obviously one UK hoster for me. Maybe things get clearer after some more data points.

@2ndkauboy
Member

I have had two recently on my English site:

Website: https://kau-boys.com/433/web-development/big-spelling-reform-in-the-www-html-5-is-now-html5
IP: 89.37.66.71
URL: http://www.rbcmro.com/

… [Trackback]
[…] Read More: kau-boys.com/433/web-development/big-spelling-reform-in-the-www-html-5-is-now-html5 […]

Website: https://kau-boys.com/2845/wordpress/hide-the-download-button-for-audio-and-video-blocks
IP: 185.121.138.116
URL: http://www.wruoak3v.net/

… [Trackback]
[…] There you will find 85615 more Infos: kau-boys.com/2845/wordpress/hide-the-download-button-for-audio-and-video-blocks […]

And one on my German site:

Website: https://kau-boys.de/1498/wordpress/wordpress-core-strings-ohne-verlust-beim-naechsten-update-ueberschreiben
IP: 196.247.160.192
URL: http://www.wbqav9rw.com/

… [Trackback]
[…] There you will find 68728 more Infos: kau-boys.de/1498/wordpress/wordpress-core-strings-ohne-verlust-beim-naechsten-update-ueberschreiben […]

@Zodiac1978
Member Author

Interesting. The first two are coming from the same UK hoster.

@Zodiac1978
Member Author

At least two from the reporter are coming from the same hoster, but it looks like there are other spam trackbacks too.

We need to talk about hardening this feature for future versions.

@Zodiac1978
Member Author

Looking at the definition from IndieWeb.org, I would say that Trackback is dead and can be ignored completely. There have been no real trackbacks sent for over a decade now (in the team members' blogs).

We are refactoring ASB at the moment and the upcoming v3 will have an option to disable trackbacks completely.

For solving the actual problem, you can install this plugin to disable trackbacks completely:
https://github.com/dshanske/stop-trackbacks

Another idea was to check whether the trackback URL contains the link to the site, like Serendipity does (for example):
https://github.com/s9y/Serendipity/blob/8e4c6f2fa6c12719648b26309c3f8eee83c29e39/plugins/serendipity_event_spamblock/serendipity_event_spamblock.php#L1114-L1151
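
The link-back idea from the last comment, sketched as an added example; it is not code from Antispam Bee, Serendipity or any commenter in this thread. The function names, the sample HTML and the `example.org` / `example.com` URLs are constructed, and "contains the link" is assumed here to mean an `<a href>` whose host and path match the post's permalink.

```php
<?php
// Added example: does the page behind a trackback URL really link to the post
// it claims to reference? Function names and sample HTML are constructed.

/** Reduce a URL to "host/path": lowercase host, no "www.", no trailing slash.
 *  Scheme and query string are ignored so http/https variants still match. */
function asb_example_normalize_url(string $url): ?string {
    $parts = parse_url(trim($url));
    if ($parts === false || empty($parts['host'])) {
        return null; // relative, malformed or host-less link
    }
    $host = preg_replace('/^www\./', '', strtolower($parts['host']));
    $path = rtrim($parts['path'] ?? '', '/');
    return $host . $path;
}

/** True if $html contains an <a href> that points at $permalink. */
function asb_example_links_back(string $html, string $permalink): bool {
    $target = asb_example_normalize_url($permalink);
    if ($target === null || trim($html) === '') {
        return false; // nothing to compare against: treat as "no link back"
    }
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // tolerate sloppy real-world HTML
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    foreach ($doc->getElementsByTagName('a') as $anchor) {
        if (asb_example_normalize_url($anchor->getAttribute('href')) === $target) {
            return true;
        }
    }
    return false;
}

// Constructed sample pages; example.org stands in for the receiving blog.
$permalink = 'https://example.org/2020/09/18/some-post/';
$genuine   = '<p>See <a href="http://www.example.org/2020/09/18/some-post">this post</a>.</p>';
$no_link   = '<p>Read More here: example.org/2020/09/18/some-post/ '
           . '<a href="http://example.com/">My Homepage</a></p>';

var_dump(asb_example_links_back($genuine, $permalink)); // page with a real link
var_dump(asb_example_links_back($no_link, $permalink)); // URL only mentioned as text
```

The example takes the page HTML as a string; in a WordPress plugin the sender-supplied URL would have to be fetched first, and because that URL is attacker-controlled the fetch should go through something like `wp_safe_remote_get()` with a short timeout.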
