skip to content

The other day, I posted an article about implementing webmentions on this site. Today, I’m battling an endless stream of spam in my mentions.

update [Jun 11, 2022]:

There is a shared blocklist maintained by Shawn Wang, which I'm now using.

I first noticed it on a Netlify deploy preview. A faceless mention from ‘admin’ at ‘imoneyhub’.

screenshot: admin, June 9, 2022, mentioned this in imoneyhub.com

I assumed right away it must be spam, but I’m glad I clicked through. It turns out Geoff Graham wrote a lovely CSS-Tricks reply about his own struggle setting up webmentions, and some of the Wordpress plugins that can help.

But I didn’t see a mention from CSS-Tricks (at least not right away). Instead, Geoff’s post has been re-posted by ‘admin’ on a long list of random URLs, all (web)mentioning my original post. The webmention.io dashboard shows me all of them (with a few legit mentions scattered through):

screenshot: Recent Webmentions, and a small-print list of faceless random urls, and a few blurred-out legit mentions

All of these mentions made it into my local cache, but only one made it into a build. It seems the rest were caught in a simple filter that came from Max Böck’s Eleventy Webmentions starter. It’s a quick JS function that ensures every mention has an author name and a timestamp.

// only allow webmentions that have an author name and a timestamp
const checkRequiredFields = (entry) => {
const { author, published } = entry;
return Boolean(author) && Boolean(author.name) && Boolean(published);
};

That caught all but one of the spam mentions (‘admin’ made it through!), but it also caught the mention from CSS-Tricks, which doesn’t include Geoff’s info, a timestamp, or even content. So I already have both false negatives and false positives in my filtering. Fun!

I can go through these by hand, and delete/block each one in the dashboard. I also have to delete them in my local cache. And while I’m at it, I’ve added author info in the cache for Geoff? We’ll see if that sticks. But there has to be a better way, right?

Right?

There has to be a better way, right?

WebMentions

Eric Portis

on twitter.com

This makes me desperately want to finish my drafted post comparing IndieWeb w/ ham radio: a similarly decentralized network of fiercely independent hobbyists who pride themselves robustness, except that when you spam ham, you go to JAIL wiki.c2.com/?HamRadioPests

Eric Portis

on twitter.com

I can't post this yet because I'm still ironing out my IndieWeb implementation and the ol' blog is in shambles meanwhile.

jules

on twitter.com

I’d love to see cross site mentions work but this is what scares me off.

Mia (not her best work)

on twitter.com

I expect the blocklist linked in comments will be pretty useful. It does seem like all the spam so far is coming from scrapes of the css-tricks article.

jules

on twitter.com

I wouldn’t be upset about spam if a human had to write it. Not sure how to limit access while not invading privacy. Cool space to work on and anything to get content control back into peoples hands.

swyx

on twitter.com

crowdsourcing to beat the spambots 💪

Chris Aldrich

on stream.boffosocko.com

I'm sorry you've run into this issue. I can't help but wonder if most of the spam is really pingback spam? Much of what you've gotten likely isn't arriving via webmention as I see the following header in your page:
<link rel="pingback" href="https://webmention.io/www.miriamsuzanne.com/xmlrpc" />

My guess along with some minor…