Yesterday was the Random Oracle blog’s turn to be targeted in a track-back spam attack. Each post ended up with a handful of track-backs to articles on the same bogus blog, which appears to be nothing more than an undigested collection of random paragraphs from different WordPress blogs.
Requiring a CAPTCHA solution with each comment/track-back would have solved this problem. Windows Live Spaces (formerly MSN Spaces) has this option. It is far more effective than the alternatives of allowing public commenting or requiring authentication. The latter is not a barrier since the underlying identity system is disconnected from the real world and has no reputation attached. Spammers can register one account, use it to spam hundreds of blogs, and move on to start from a clean slate when the ID is black-listed. WordPress controls on commenting are primitive by comparison. Ping-backs and track-backs can be disabled; comments can be disabled or held in the queue for moderation. Finally, comments can be limited to users who had a previously approved comment, which creates a boot-strapping problem. Proof-of-work by solving CAPTCHAs is much better suited to this problem: users serious enough to comment on an article will not mind taking a few extra seconds to solve the puzzle. Spammers will give up and move on to the next blog.