skip to content

The other day, I posted an article about implementing webmentions on this site. Today, I’m battling an endless stream of spam in my mentions.

I first noticed it on a Netlify deploy preview. A faceless mention from ‘admin’ at ‘imoneyhub’.

screenshot: admin, June 9, 2022, mentioned this in imoneyhub.com

I assumed right away it must be spam, but I’m glad I clicked through. It turns out Geoff Graham wrote a lovely CSS-Tricks reply about his own struggle setting up webmentions, and some of the Wordpress plugins that can help.

But I didn’t see a mention from CSS-Tricks (at least not right away). Instead, Geoff’s post has been re-posted by ‘admin’ on a long list of random URLs, all (web)mentioning my original post. The webmention.io dashboard shows me all of them (with a few legit mentions scattered through):

screenshot: Recent Webmentions, and a small-print list of faceless random urls, and a few blurred-out legit mentions

All of these mentions made it into my local cache, but only one made it into a build. It seems the rest were caught in a simple filter that came from Max Böck’s Eleventy Webmentions starter. It’s a quick JS function that ensures every mention has an author name and a timestamp.

// only allow webmentions that have an author name and a timestamp
const checkRequiredFields = (entry) => {
const { author, published } = entry;
return Boolean(author) && Boolean(author.name) && Boolean(published);
};

That caught all but one of the spam mentions (‘admin’ made it through!), but it also caught the mention from CSS-Tricks, which doesn’t include Geoff’s info, a timestamp, or even content. So I already have both false negatives and false positives in my filtering. Fun!

I can go through these by hand, and delete/block each one in the dashboard. I also have to delete them in my local cache. And while I’m at it, I’ve added author info in the cache for Geoff? We’ll see if that sticks. But there has to be a better way, right?

Right?

There has to be a better way, right?

Update (2022-06-11)

There is a shared blocklist maintained by Shawn Wang, which I’m now using and will contribute back to.

WebMentions

Eric Portis

on twitter.com

This makes me desperately want to finish my drafted post comparing IndieWeb w/ ham radio: a similarly decentralized network of fiercely independent hobbyists who pride themselves robustness, except that when you spam ham, you go to JAIL wiki.c2.com/?HamRadioPests

Eric Portis

on twitter.com

I can't post this yet because I'm still ironing out my IndieWeb implementation and the ol' blog is in shambles meanwhile.

jules

on twitter.com

I’d love to see cross site mentions work but this is what scares me off.

Mia (not her best work)

on twitter.com

I expect the blocklist linked in comments will be pretty useful. It does seem like all the spam so far is coming from scrapes of the css-tricks article.

jules

on twitter.com

I wouldn’t be upset about spam if a human had to write it. Not sure how to limit access while not invading privacy. Cool space to work on and anything to get content control back into peoples hands.

swyx

on twitter.com

crowdsourcing to beat the spambots 💪

Ryan Barrett

on snarfed.org

Ugh, sorry, no fun! Especially without a good filter. Vouch is an interesting idea, but adoption is still very early and needs more iteration.

One thing to consider, it looks like these are all probably pingbacks, not webmentions per se. Pingbacks tend to be mostly spam, so if you don’t care about them specifically, you could stop them by removing <link rel="pingback" ...> from your HTML. Up to you!

Chris Aldrich

on stream.boffosocko.com

I'm sorry you've run into this issue. I can't help but wonder if most of the spam is really pingback spam? Much of what you've gotten likely isn't arriving via webmention as I see the following header in your page:

Wouter Groeneveld

on brainbaking.com

Yeah that sucks, I’ve also encountered spam like this, and it ain’t all sourced via a Pingback, see https://brainbaking.com/post/2022/04/fighting-webmention-and-pingback-spam/. I “solved” this by blacklisting/whitelisting and a moderation queue but I have my own webmention server implementation. I honestly always get a little upset when people say “just unplug pingbacks”—I’ve had a few genuinely good interactions through that, and every Wordpress user automatically has support for that as opposed to Webmentions. Disabling something does not fix the spammers.