Webmention Spam

I’ve yet to receive any! Or maybe I missed a bunch, because of how I set up Webmention.

I’ve been seeing reports on Webmention spam more often recently, and while most of these “mentions” might actually be “pingbacks,” a similar yet different protocol notorious for enabling spam, there’s definitely some spammy actual webmentions doing the rounds.

“Who in their right mind would think of using Webmention, a protocol so niche, to try and trick site owners into publishing backlinks to whatever malicious content they’re trying to push?” Except that, well, sending webmentions is cheap and easy. It’s literally curl -d "source=https://spammy.site/a-page&target=https://your.blog/a-post" https://your.blog/webmention-endpoint.

Yes, Vouch would solve this. Vouch is sending along a third argument, the URL of a page that links back to your site, on a domain the target site has previously linked to. It’s like saying, “Look, you apparently trust this person, and they wouldn’t link to spam, would they?”

Now, I haven’t implemented Vouch, because, well, I guess I’d have to keep a list of who’s linked where. (Update: That would be item #5 [and #6] of “Vouch Selection.”)

Or maybe I just need to add an input field to my CMS somewhere, and go look for a web page that could “vouch” for me each time I wanted to send a webmention. Except, I really like that I’m sending webmentions automatically, in the background, without having to think about it at all.

Plus, I really only send things like replies to people I know support them. I mean, I’m assuming they’ll get to see these replies one way or another (and whether they then get shown on their site is up to them). And whether an accidental—as in, whenever a site I link to somewhat unexpectedly happens to accept webmentions—mention makes it through or not, I don’t really care.

And—this bit applies to the receiving end—I have WordPress deal with spam, mostly. Plugins, blocklists, that sort of thing.

And if something makes it through, it’s a single click to get rid of it—mentions anyway need to be manually approved before they appear on my site. Keeping a list of known “vouchers” to automate some of this away seems like it might actually be more work.

Somewhat unrelated: What Vouch doesn’t solve is, someone could be sending (possibly “spammy”) mentions “on my behalf.” That’s how “dedicated” Webmention services work: they scan your RSS feed, detect links that support Webmention, and send the mentions for you. Except these normally require some form of authentication—they’d turn into spambots real quickly if they didn’t.

So, unintended mentions, potentially at a high rate, could be dealt with by throttling requests to your endpoint (and not, at least not initially, by blocking domains). They’re really no different than any other request. If anything, they’re probably much smaller. And linking to a web page yet hoping they won’t find out is perhaps a bit naive. (You’d be driving traffic their way, for one, although it’s easy enough to at least ask browsers to not send a referrer header for, e.g., outgoing traffic.)


What seems to work for me, in fighting spam, is disabling trackbacks and pingbacks, not showing a comment form, and not visually advertising—you’d of course need to “programmatically” announce your endpoint—Webmention support.

And yet … in an attempt to revive some of the blogosphere of yore, I might actually start accepting both regular comments and pingbacks—I’d make sure to, like Wouter, treat these as webmentions, to at least kick off some form of validation.