Acodricng to raserech at Cmaribgde uitisnevry, it dsoen’t mtaetr waht oredr the lteerts in a wrod are …

Can we use word mangling in captcha software? Unfortunately, no. According to the report of Dmytry Lavrov, “in many cases computer reads taht btteer tahn hmaun cluod”.

Publishing of a trackback or a pingback is postponed till someone, usually a trackback author, approves it. Trackbacks which are not approved in 20 hours are automatically deleted. It stops spam from bots and allows trackbacks from the real humans.

A better description is probably a description by an use case:

* Alice has Trackback Confirmation installed.
* Bob has written a blog post with a link to Alice’s blog post.
* Bob checks if a trackback appears in the Alice’s blog.
* No, the trackback hasn’t appeared. But Bob notices the link “approve trackbacks”.
* He follows the links, finds his trackback and approves it.
* Now Alice’s blog links to the Bob’s post.

It’s just a web 2.0 style of trackback moderation. Comments are approved not by the blog’s author, but by the blog’s visitors.

If you like the idea, download the plugin Trackback Confirmation. How to install:

* Unpack the file “tbconf.php” and put it into the folder “wp-plugins”.
* Activate the plugin (the admin area, the pane “Plugins”).
* Create a page (the admin area, the pane “Manage”, the subpane “Pages”). This page will be used as a template page for Trackback Confirmation.
* Configure the plugin (the admin area, the pane “Plugins”, the subpabe “Trackback Confirmation”).
* Now you can assign the status “private” to the template page, if you want.

Warning

The code is unmaintained. I don’t provide any support. If you have any questions, please ask them in the WordPress support forum.

Why?

My blogs are not popular, and are very rarely linked. Therefore, further improvement of the script isn’t profitable. Meanwhile, I got a better idea how to fight the trackback spam (see “decline and fall of the trackbacks; rise and resurrection of the trackbacks”). As result, I simply disabled trackbacks and deactivated the plugin. Obviously, I don’t have any incentive to support it.

But the code is written and works well. I hope someone can take over the code and continue development. Here is the short TODO list:

* If there are no trackbacks: do not print an empty table, but say something.
* On the moderation page, add a link to the post from a comment.
* Make sure that HTML is escaped on the template page.
* Make sure that there are no SQL injections (shouldn’t be possible, but it’s better to audit).
* Notifications should be sent not using PHP function “mail”, but using WordPress function “wp_notify_postmaster”.
* Instead of using SQL to change the trackback status, the code should use something like “wp_set_comment_status(ID,'approve')”.
* Add some design.
* Submit Trackback Confirmation to WordPress plugin repository.

* captcha — about 46,700,000
* capcha — about 579,000 (Google suggests the correct spelling.)
* captca — about 3,300 (Google suggests the correct spelling.)
* kaptcha — about 3,920 (the project name)
* kapcha — about 16,600 (the project name, not related to captchas)
* kaptca — about 228 (Mostly login names. Google suggest the correct spelling.)

According to Google, 1.2% of people misspell “captcha” as “capcha”. Other possible ways of misspell are not popular.

The second experiment was with Technorati. It returned 5,378 results for “captcha” and 86 results for “capcha”. Surprisingly, the percent grows: 1.6%.

However, I think that the idea of a centralized database doesn’t work. Time to time, I write about the problems in the blog. And obviously, I refer to Akismet as it is the main player in this field.

Most likely, when I write “Akismet”, I just use the short word instead of the long phrase “the idea of a centralized database to filter comment and trackback spam”, and I don’t want to offence the Akismet developers.

A Trackback is a method for Web authors to request notification when somebody links to one of their documents. … Some individuals or companies have abused the TrackBack feature to insert spam links on some blogs. This is similar to comment spam but avoids some of the safeguards designed to stop the latter practice. As a result, TrackBack spam filters similar to those implemented against comment spam now exist in many weblog publishing systems. Many blogs have stopped using trackbacks because dealing with spam became too burdensome.

I’ve already published an idea how to resurrect trackbacks: trackbacks should be performed through an intermediate, not directly. (For details, read this post, “decline and fall of the trackbacks; rise and resurrection of the trackbacks”.) Unfortunately, such protection depends on a third party.

And here is yet another idea, which doesn’t require an external service.

Adding a human to the trackbacks

* The blog software doesn’t publish a trackback immediately. Instead, it puts the trackback to a queue.

* Anyone (usually the trackback’s author) can view the queue and approve the trackback.

* If the trackback isn’t approved in K hours, it’s automatically deleted.

Why does this approach work?

Well, it’s obvious why the workflow stops the spam. The spam bots just don’t expect the confirmation step. And even if the programmers improve the bots, the blog owner can put a CAPTCHA on the confirmation page.

But will people confirm theirs trackbacks? I don’t know. Hard to say without practical experience. In my opinion, they will do it. A trackback entry is a sort of benefit for the commenter, therefore I expect people will claim the benefit.

* comment spam
* trackback (or pingback) spam
* registration spam
* plugin spam

The comment spam is well-known to any blogger. Without protection, the blog is doomed. Therefore, different antispam tools are used — Akismet, Spam Karma, Advanced Textual Confirmation, a lot of others, — with different efficiency and usability.

One can consider the trackback spam to be a subtype of the comment spam. Mostly because WordPress doesn’t make a big difference between them. But there is the big difference:

* Comments are supposed to be written by humans, but
* trackbacks should appear automatically, without manual intervention.

“Without manual intervention” means “without any control”. Too much good for the spammers. And due to the nature of the trackbacks, there is no easy solution. More on it later, please wait till I improve my note “Decline and fall of the trackbacks; rise and resurrection of the trackbacks”.

The registration spam is less known. You get one only if you create a community around the blog. As usual, for one good member you get a horde of spammers. I have no idea how people fight against this. On my blog, Advanced Textual Confrimation (ATC) works perfectly.

Finally, the plugin spam. I mention it for completeness. If you have a plugin which allows an user to publish something on the blog, you’ll get spam through this channel.

The default antispam weapon is Akismet. But I dislike it. More rambling follows later, now just google for “akismet sucks”.

What I develop, use myself and highly recommend to everyone is …

… is Advanced Textual Confirmation (ATC). It’s an universal antispam for PHP-scripts, inclusing phpBB2, phpBB3, WordPress and many others.

It’s hard to compare ATC with tools such as Akismet or Spam Karma. They are from different categories. Follow this funny story:

During the space race back in the 1960’s, NASA was faced with a major problem. The astronaut needed a pen that would write in the vacuum of space. NASA went to work. At a cost of $1.5 million they developed the “Astronaut Pen”. Some of you may remember. It enjoyed minor success on the commercial market.

The Russians were faced with the same dilemma.

They used a pencil.

Advanced Textual Confirmation is such a pencil. Install it now.

To be continued:

* Types of WordPress spam
* Can we have trackbacks without trackback spam?

How much questions do you need for the best protection? Hard to say, but definitely not 50.

Earlier or later, a cheap outsourced monkey answers some of your questions and adds the answer into the spammer’s database. As a counteraction, you need to change you question. When you have 50 questions, it’s a tedious task.

In my opinion, 2 or 3 questions is enough.

It’s not necessary to achieve high degree of accuracy when designing automated recognition software. The accuracy of 15% is enough when attacker is able to run 100 000 tries per day, taking into the consideration the price of not automated recognition — one cent per one CAPTCHA.

So:
* 15% recognition rate is enough
* 1 cent per 1 CAPTCHA when using monkeys

According to many specialists, this is a hard CAPTCHA for machine recognition. Anyway, the developers (they call themselves “Network Security Research and AI group”) designed a system with the recognition rate about 35%.

They don’t reveal the algorithm. The only detail is that the tool uses uses MATLAB 2007a Compiler Runtime.

The code is freely available for download.

The developers notified Yahoo, but haven’t got a reply so far.