Blogs that monetize frequently find themselves unders attack by both comment and trackback spammers. Some of these spammers are stalkers, some are weirdos so obessed with paid posts they hit the bloggers site over and over and over to "punish" them for their paid posts.

Theresa of Scribble Scratch recently described the symptoms at the postie board.

1. In 48 hours, Theresa got 300 comment spams that hit only PPP posts.
2. The 'comments' come through the trackback links. (That would be wp-trackback.php .)
3. The direct visits to the trackback links leave proxy IPs.

What can you do? Well, of course, you should already be using Akismet, BadBehavior and Spam Karma; those will block a lot of spam. But sometimes even those don't work completely. Both Tricia and Theresa notice some of this is flying past Bad Behavior. You can also use WP-Ban to ban certain IP's after that IP spamming.

Here's a suggestion thatmight work.

My suggestion is based on a trick I learned fromSpamHuntresses' who blocks trackback spam .htaccess. She described how to do it for WP 1.5; I modified her method make it work for me, and to also catch the spammers using proxy servers. (I've also left Spamhuntress a question because I think we can block even more spam if we add a few more lines.)

1. Visit your blog's WP directory. Find the .htaccess file. (It will have a '.' in front of htaccess. There should already be one because WP creates one. The '.' sometimes makes that file invisible, so if you can't see it, contact your host and ask them to adjust that for you.
2. Important:Make a backup in case things go horribly wrong. (They shouldn't.) I named mine htaccessBackup.
3. Edit your .htaccess file by cutting and pasting the text in the box below. (After pasting, make sure all quotes are straight up and down normal ones. They should be-- I've blocked WP's auto-formatting in this article.)
   <files wp-trackback.php> # Prevent browsers from leaving trackbacks. # Also prevent those with no user agent leaving trackbacks. <limit post> SetEnvIf User-Agent "Mozilla" trackers SetEnvIf User-Agent "Opera" trackers SetEnvIf User-Agent ^$ trackers Order Allow,Deny Allow from all Deny from env=trackers # This blocks people leaving trackbacks by proxies. # Some ISPs still leave trackbacks this way, but it's mostly spammers. RewriteEngine on RewriteCond %{HTTP:VIA} ^. RewriteRule .* - [L,F] </limit> </files>
4. Save the new .htaccess file. Check that your blog loads. If it does, you are finished. If your blog doesn't replace the edited file with your backup!

So, how does this block spam?

1. It prevents anyone using a browser to get to wp-trackback.php. That file called to leave trackback spam-- and it appears in my logs when I get a trackback. Trackbacks shouldn't be left by browsers-- but many spammers give it a try.
2. It prevents anyone from accessing wp-trackback.php through a proxy server.

What else could be done?

SpamHuntress's original code had a line like this "<Files trackback>" which I replaced with "<Files wp-trackback.php>". The reason I did that is that <Files trackback> never blocked the spam for me. What I've found is that the set up she described blocked browsers from accessing addresses like this:
http://money.bigbucksblogger.com/trackback/

But not this:
http://money.bigbucksblogger.com/the_file_name/trackback/

And since my trackbacks look like the latter, not the former, her method didn't help me. But using <Files wp-trackback.php> did help me -- so it might help you.

Anyway, if you are having trouble with trackback spam, give my code a try. If it doesn't work for you, maybe we'll get lucky and someone who understands .htaccess a bit better can tell us how to fix the code and make it work for everyone. (Also, if it turns out the spam comes through pingbacks, we'll need to hunt down another solution. )

Meahwhile, good luck!