Caveat Lector » Quick anti-splog kludge

Dies Martis, 24 Octobri 2006

Quick anti-splog kludge

Spam weblogs (colloquially “splogs”) have discovered DSpace installations. Let us all rejoice.

Specifically, what they’re doing is calling the feedback page with a link to their URL in the fromPage parameter, in the fond hope that their garbage will get into some sort of referrer-page listing.

To see if this is happening to your DSpace installation (it definitely is to mine!), check its URL on Technorati or BlogPulse. Now, one thing that DSpace did to make this less useful is to kill its fromPage parameter in favor of checking the Referer HTTP header—but there’s nothing stopping a determined splogger from putting their URL in that header.

There’s probably a better way to stop this (in Tomcat or Apache, I assume), but here’s my way. Go into FeedbackServlet.java (it’s in org/dspace/app/webui/servlet) and add the following to the doDSGet method, right after the fromPage variable is set:

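// Refuse the feedback form unless the referring page is on this site.
// A missing Referer header (null) is treated the same way.
if (fromPage == null || fromPage.indexOf("myu.edu") == -1)
{
    // die, spammer!
    throw new AuthorizeException("You didn't get here from a page on DSpace. "
        + "If you believe you received this message in error, "
        + "click on a link and try again from that page.");
}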

For “myu.edu” insert the appropriate domain for your DSpace installation. (Watch out if your DSpace is accessible from several URLs; make sure you use a string common to all URLs that land at your DSpace. This is why just using the hostname from dspace.cfg won’t always work!) Anti-spammer expostulations in comments are optional, but very satisfying.

At the very least, this will keep your DSpace feedback person from getting splog links in email (as happened to me once or twice before I kludged this). If anybody has a better idea for how to fix this, I’ll happily write up a patch for DSpace; right now I’m working on determining a least-common-denominator hostname from the dspace.cfg hostname.
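The several-URLs caveat above can also be handled by parsing the Referer and comparing its host against an explicit list, instead of searching for a substring common to every URL. This is an added example, not code from the original post or from DSpace; the class name `RefererCheck`, the method `isLocalReferer` and the host names are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class RefererCheck {
    // Hypothetical host names; list every name your DSpace answers to.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(
            Arrays.asList("dspace.myu.edu", "repository.myu.edu"));

    /** True only if the Referer parses as an http(s) URL whose host is allowed. */
    static boolean isLocalReferer(String referer) {
        if (referer == null) {
            return false;               // header missing
        }
        try {
            URI uri = new URI(referer.trim());
            String scheme = uri.getScheme();
            String host = uri.getHost();
            if (scheme == null || host == null) {
                return false;           // relative or malformed value
            }
            scheme = scheme.toLowerCase(Locale.ROOT);
            if (!scheme.equals("http") && !scheme.equals("https")) {
                return false;
            }
            // Exact host comparison: the domain appearing elsewhere in the
            // URL (path, query, longer host name) does not count.
            return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false;               // unparseable header
        }
    }

    public static void main(String[] args) {
        // Constructed sample Referer values, not taken from real logs.
        String[] samples = {
            "https://dspace.myu.edu/handle/1234/5678",   // accepted
            "http://Repository.MYU.edu/browse",          // accepted (case-insensitive)
            "http://splog.example/?ref=myu.edu",         // rejected: domain only in query
            "http://myu.edu.splog.example/",             // rejected: different host
            null                                         // rejected: no header
        };
        for (String s : samples) {
            System.out.println(isLocalReferer(s) + "  " + s);
        }
    }
}
```

In the servlet, the `if` condition would become `!isLocalReferer(fromPage)`. The Referer header is still supplied by the client, so this filters drive-by requests and does not authenticate anything.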

ETA: I just submitted a patch for this. It’s still a kludge, but what the hey.
