The other day, I posted an article about implementing webmentions on this site. Today, I’m battling an endless stream of spam in my mentions.

I first noticed it on a Netlify deploy preview. A faceless mention from ‘admin’ at ‘imoneyhub’.

screenshot: admin, June 9, 2022, mentioned this in imoneyhub.com

I assumed right away it must be spam, but I’m glad I clicked through. It turns out Geoff Graham wrote a lovely CSS-Tricks reply about his own struggle setting up webmentions, and some of the WordPress plugins that can help.

But I didn’t see a mention from CSS-Tricks (at least not right away). Instead, Geoff’s post has been re-posted by ‘admin’ on a long list of random URLs, all (web)mentioning my original post. The webmention.io dashboard shows me all of them (with a few legit mentions scattered through):

screenshot: Recent Webmentions, and a small-print list of faceless random urls, and a few blurred-out legit mentions

All of these mentions made it into my local cache, but only one made it into a build. It seems the rest were caught in a simple filter that came from Max Böck’s Eleventy Webmentions starter. It’s a quick JS function that ensures every mention has an author name and a timestamp.

// only allow webmentions that have an author name and a timestamp
const checkRequiredFields = (entry) => {
  const { author, published } = entry;
  return Boolean(author) && Boolean(author.name) && Boolean(published);
};

That caught all but one of the spam mentions (‘admin’ made it through!), but it also caught the mention from CSS-Tricks, which doesn’t include Geoff’s info, a timestamp, or even content. So I already have both false negatives and false positives in my filtering. Fun!

I can go through these by hand, and delete/block each one in the dashboard. I also have to delete them in my local cache. And while I’m at it, I’ve added author info in the cache for Geoff? We’ll see if that sticks. But there has to be a better way, right?

Right?

There has to be a better way, right?

Update (2022-06-11)

There is a shared blocklist maintained by Shawn Wang, which I’m now using and will contribute back to.
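
One way to layer a domain blocklist and a small allowlist on top of the required-fields check, as an added example (not code from this site, from Max Böck's starter, or from the shared blocklist project). It assumes webmention.io-style entries carrying a `wm-source` URL and a blocklist that is a plain array of domains; `classifyMention`, `hostOf`, `inList`, the `review` outcome, and the sample entries are hypothetical names and constructed data.

```javascript
// Added example. Entry shape assumes webmention.io-style JF2 ('wm-source').

// Lowercase hostname of a URL, or null if it does not parse or has no host.
const hostOf = (url) => {
  try {
    return new URL(url).hostname.toLowerCase().replace(/\.$/, '') || null;
  } catch {
    return null;
  }
};

// True if host is a listed domain or a subdomain of one. Matching on the dot
// boundary keeps "notimoneyhub.com" from matching "imoneyhub.com".
const inList = (host, list) =>
  list.some((d) => host === d || host.endsWith(`.${d}`));

// The starter's check: author name and timestamp must be present.
const checkRequiredFields = ({ author, published }) =>
  Boolean(author) && Boolean(author.name) && Boolean(published);

// Returns 'accept', 'reject', or 'review' (hold for manual moderation).
const classifyMention = (entry, { blocked = [], trusted = [] } = {}) => {
  const host = hostOf(entry['wm-source'] || entry.url);
  if (!host) return 'reject'; // no usable source URL
  if (inList(host, blocked)) return 'reject'; // blocklist always wins
  if (inList(host, trusted)) return 'accept'; // trusted sites may omit author
  return checkRequiredFields(entry) ? 'accept' : 'review';
};

// Constructed lists and mentions (paths, names and dates are made up).
const lists = { blocked: ['imoneyhub.com'], trusted: ['css-tricks.com'] };
const sampleMentions = [
  { 'wm-source': 'https://imoneyhub.com/repost/', author: { name: 'admin' },
    published: '2022-06-09T00:00:00Z' },
  { 'wm-source': 'https://css-tricks.com/article/' },
  { 'wm-source': 'https://blog.example.org/reply', author: { name: 'Jo' },
    published: '2022-06-10T12:00:00Z' },
  { 'wm-source': 'https://scraper.example.net/copy' },
];

const classifyAll = (mentions, opts) =>
  mentions.map((m) => classifyMention(m, opts));

console.log(classifyAll(sampleMentions, lists));
```

Mentions that miss the required fields but come from an unknown domain land in `review` instead of being dropped, so a legitimate mention with sparse metadata is held for a human decision instead of disappearing.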

WebMentions

Max Böck

You may also be interested in this blocklist by @swyx - it tracks domains that usually spam automated reposts of popular sites. Can be used for a simple filter as well: github.com/sw-yx/domainbl…

Eric Portis

This makes me desperately want to finish my drafted post comparing IndieWeb w/ ham radio: a similarly decentralized network of fiercely independent hobbyists who pride themselves on robustness, except that when you spam ham, you go to JAIL wiki.c2.com/?HamRadioPests

Eric Portis

I can't post this yet because I'm still ironing out my IndieWeb implementation and the ol' blog is in shambles meanwhile.

Eric Portis

Anyways indieweb.org/Vouch is kind of interesting but the whole concept of decentralization is indeed a double-edged sword!!!

jules

I’d love to see cross site mentions work but this is what scares me off.

Mia (not her best work)

I expect the blocklist linked in comments will be pretty useful. It does seem like all the spam so far is coming from scrapes of the css-tricks article.

jules

I wouldn’t be upset about spam if a human had to write it. Not sure how to limit access while not invading privacy. Cool space to work on and anything to get content control back into people’s hands.

swyx

crowdsourcing to beat the spambots 💪

Ryan Barrett

Ugh, sorry, no fun! Especially without a good filter. Vouch is an interesting idea, but adoption is still very early and needs more iteration.

One thing to consider, it looks like these are all probably pingbacks, not webmentions per se. Pingbacks tend to be mostly spam, so if you don’t care about them specifically, you could stop them by removing <link rel="pingback" ...> from your HTML. Up to you!

Wouter Groeneveld

Yeah that sucks, I’ve also encountered spam like this, and it ain’t all sourced via a Pingback, see https://brainbaking.com/post/2022/04/fighting-webmention-and-pingback-spam/. I “solved” this by blacklisting/whitelisting and a moderation queue but I have my own webmention server implementation. I honestly always get a little upset when people say “just unplug pingbacks”—I’ve had a few genuinely good interactions through that, and every WordPress user automatically has support for that as opposed to Webmentions. Disabling something does not fix the spammers.
