A hidden danger of trackback spam

in

I've deleted a good amount of trackback spam from my Movable Type blogs, and until a few minutes ago I was feeling pretty good. But, there was one major thing I forgot, and I hope it hasn't done too much damage.

I searched for a name at lonewacko.com using Google's site: command, and what I was looking for came up first.

However, what came up second was an .xml file with the same title as the entry. I knew about these files, of course. I didn't know exactly what they were for, but as it turns out when a post receives its first trackback, MT (more or less helpfully) starts generating an RSS feed containing the trackbacks for that post. Apparently as new pings come in their information is appended to the RSS feed.

Intrigued that one of these files would come up in a search, I clicked on it and was (somewhat) surprised to learn that it had... spam! I haven't run a test, but either MT doesn't delete trackbacks from the feed, or this spam wasn't deleted because I deleted it directly in MySQL without going through MT's interface. Looking through all these feeds, I found several dozens spams.

This page describes how you can turn off this feature. If you decide to keep trackback feeds or let MovableType generate new ones, make sure they're spam-free. Or, it seems that you can safely just delete all of them (make sure, of course, that you aren't deleting some more important .xml file).

One thing remains a mystery: how did Google find the .xml file in the first place? I looked at a post that got a trackback, and I didn't find a link to the TB feed anywhere in it. But, it must have been linked to from something. Did the spammer link to it? That doesn't make much sense: why create a two-way link? Could they have linked to it from another site they spammed? Neither Google nor Yahoo bring up a backlink for the XML file that started all this... Developing...