Recently, spammers were heavily targeting wechange, which was experiencing problems as a result. I wrote to the Drupal developers' list to ask for assistance. Fortunately, I have been able to find a solution quickly.
This incident led me to write a small, informal proposal to cooperate together, to fight spam, and especially to fight at the root of the problem, instead of patching a web site to cover up symptoms. Here is a slightly modified copy of the proposal.
@everybody: the .htaccess solution works for my immediate need, but it is a bit selfish because it doesn't help anyone else. What follows is not specific to trackback spam, but is relevant to any kind of spam being propagated via compromised servers or computers.
The only thing needed for evil to win is that good people do nothing.
At first, all the trackback spam came from the same IP, but then they upgraded their software, so that each spam submission came from a different IP. Certainly, each of those IPs corresponds to a compromised Windows(TM) box, or a compromised web site (using a CMS minus security updates), doesn't it? (Or do I misunderstand the way open relays can be used?)
For now, I have successfully denied trackback spammers access to my site, but they are still free to spam the rest of the world. What bothered me the most about CPU usage was that it was such a waste: it was not even helping the spammers, who never got a single one of their links published.
Now, if my CPU power can be put to better use, I don't mind the extra resources needed: is there a way to collect those IPs used by spammers, and share them among us, and with organizations fighting spam? The aim would be to get wormed or trojaned Windows(TM) boxes (or compromised web sites) to upgrade to a safe version or shut down.
If all Drupal web sites were collaborating on gathering useful data, and passing on this data to relevant organizations, we might collectively achieve something.
One spam report against one IP might achieve nothing, but a concerted effort to systematically denounce bad IPs might force people to take positive actions.
I really don't know how such a thing could be organized. One has to study first how organizations fighting spam and organizations setting up blacklists operate.
Maybe the developers on this list have better, more concrete ideas...