Spam 2.0
Posted Monday, March 31st, 2008 at 10:45 am by John Brian (91 posts)
Happy Spamiversary! Fifteen years ago today, the term "spam" was coined by Joel Furr, referring to an accidental auto-posting of 200 messages to a Usenet group. Today, the term has become so common, it ranks as the second disambiguation on Wikipedia and is estimated to cost Americans more than $13 billion per year (that’s enough to fund the state of Utah).
While spam used to be confined to the world of email, spammers have recently branched out to new frontiers: blogs, social networks, and search engines. It seems that no online garden can stay a spam-free Eden forever (perhaps an inapt metaphor: the apple represented knowledge, not pharmaceuticals).
What all these techniques have in common is that they put practically the entire cost onto the recipient. While direct mail, junk faxes, and robocalls at least have a cost to the sender, all the methods of spam that I discuss here are pretty much free, once you have the system set up for delivery.
More on these new theatres of spam warfare below the fold:
Blog spam has been around for a while, but it’s been getting worse in recent years, partially just due to the number of blogs that have built mechanisms to counteract it. In what should be proof that the Star Wars/Rube Goldberg missile defense system is a bad idea, with more blogs adopting CAPTCHA and moderation, spammers have adapted by posting so much spam that some of it will get through.
But while some blog spammers have been fighting with quantity, others have improved the quality of their spam, where by quality I don’t mean that they’re marketing products that you should be interested in, but that they’re just doing a better job of disguising their spam.
On the Beaconfire Wire, we use Akismet as our spam capturing tool. Since we installed it, it’s captured no less than 28,011 spam comments, with very few false positives. But there have been a few that have fooled it – many spammers are now putting their link in the "URL" field of our comment registration, and including a comment that is semi-relevant, like
Hey! been surfing the net for Internet Marketing Tools Online Affiliate Marketing and found your blog reg The Power of the Pipe. You relly know your stuff! I’d like to see more posts here. Will definitely bookmark this one and come back.
Seems a lot like a legit comment, but how many people directly pull your post title into their response? The URL and email address attached to the comment were also in no way relevant to the content of the post or comment.
How do we prevent blog spam? Unfortunately, the barriers we build will also hurt our ability to receive legit comments. While we haven’t implemented CAPTCHA, higher traffic blogs might not have that luxury (though before doing so, they should read up on the accessibility problems associated with it). We do have pre-registration, a spam filter, and manual moderation to keep spammers from overwhelming our system. We also recently installed a WordPress plugin (Comment Timeout), which automatically closes comments on older posts.
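The two signals described above (a post title pasted verbatim into the comment, and a URL and e-mail domain unrelated to the post) can be combined with a comment timeout into a simple triage step. This is an added example, not the Beaconfire Wire's, Akismet's or Comment Timeout's code; the function names, the field names, the 90-day timeout and the sample data are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

def words(text):
    """Lowercased alphanumeric words of three or more characters."""
    return set(re.findall(r"[a-z0-9]{3,}", text.lower()))

def domain_words(host):
    """Words in a hostname, ignoring the TLD and a leading 'www'."""
    labels = [l for l in host.lower().split(".") if l and l != "www"]
    return words(" ".join(labels[:-1]))

def triage(post, comment, now, timeout_days=90):
    """Return (action, reasons); action is 'closed', 'moderate' or 'accept'."""
    # Timeout (assumed 90 days): old posts take no new comments at all.
    if now - post["published"] > timedelta(days=timeout_days):
        return "closed", ["post older than %d days" % timeout_days]
    reasons = []
    # Signal 1: the post title pasted verbatim into the comment body.
    title = " ".join(post["title"].lower().split())
    body = " ".join(comment["body"].lower().split())
    if title and title in body:
        reasons.append("post title echoed verbatim")
    # Signal 2: URL and e-mail domains share no vocabulary with the post.
    topic = words(post["title"] + " " + post["body"])
    host = urlparse(comment.get("url", "")).hostname or ""
    mail_domain = comment.get("email", "").rpartition("@")[2]
    link_vocab = domain_words(host) | domain_words(mail_domain)
    if link_vocab and not (link_vocab & topic):
        reasons.append("URL/e-mail unrelated to post")
    # Either signal alone is common in honest comments (most personal blogs
    # are off-topic), so only the combination goes to the moderation queue.
    return ("moderate" if len(reasons) == 2 else "accept"), reasons

# Constructed sample data (not taken from any real site).
POST = {"title": "The Power of the Pipe",
        "body": "How we used feed mashups to combine event listings.",
        "published": datetime(2008, 3, 1)}
SPAM = {"body": "Found your blog reg The Power of the Pipe. Will bookmark!",
        "url": "http://affiliate-tools.example/", "email": "promo@bulkmail.example"}
HONEST = {"body": "We tried the same mashups for our listings, worked well.",
          "url": "http://janes-garden.example/", "email": "jane@janes-garden.example"}
NOW = datetime(2008, 3, 31)
```

A commenter with an off-topic personal site is accepted with one recorded reason; only the title echo together with the unrelated link is held for a human moderator.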
The second new kind of spam we’ve seen growing is social network spam. And here I’m not talking about that friend who posts about 12 links a day (and yes, we all have them, but just can’t bear to quietly remove them from our friends list), I’m talking about actual spam.
While MySpace is inundated with it, largely as a result of the openness of their platform, Facebook has largely remained immune. This is, for the most part, due to the difficulty of mass messaging – unless you join a group or become a fan of a page, it can’t mass message you (for good or bad) and the only way to send person-to-person messages is through the web interface, which is a slow way to spam.
Indeed, one thing that makes Facebook largely spam-proof is its focus on real relationships between people. If I get a message from someone I don’t know, I’m pretty likely to delete it. Unfortunately, the way that spammers get around this is through the use of an even more unsavory process: phishing.
A friend recently became a victim of this practice: I logged in one day to see that he had written on my wall. Naturally, I went to my wall right away to see what he wrote, which was:
wasdasi finally found the best source out there for all the latest ringtines for my phone at [link removed] they dont sound bad like the ones from my actual phone company, these are 100 times better and they have thousands and thousands of ringers to choose from and when you use them the first time you get 20 free ringtones. stop paying so much for your ringtones,don’t be a sucker, get them from my place, [link removed]
This, I thought, was rather uncharacteristic of this friend. He’s usually not so enthusiastic about ringtones. I then noticed that he’d written the same comment on at least ten other walls, and wrote back to ask what was going on. He responded that his password had been stolen (he didn’t mention where, but it was likely a cloned portal), and someone hacked his account.
This seems like a particularly insidious practice, not just for the annoyance factor of spam, but because people who can break into your account can do a lot more harm to you than just messaging your friends. Many Facebook users store a great deal of personal information there, including email and IM addresses, school and work history, and more. This seems like an identity thief’s dream come true.
What’s more, many people will use a single password for most online applications. Since many Facebook users have their email addresses listed on their page, someone who knows their password could get into their email account, and from there, their Amazon, Paypal, eBay, etc.
The solution to being an accidental spammer is just to verify that you are where you think you are before entering your password. It might also be worth diversifying your passwords to avoid a chain reaction of identity theft. As for receiving spam from friends? Not much you can do about that, except to have fewer friends.
The last kind of spam I wanted to mention is the increase in search engine spam. Search engine optimization has become a more and more frequently used tool in the last few years. What began as a fun tactic known as GoogleBombing (google French Military Victories – the infamous "miserable failure" is no longer active) has evolved into a full-fledged practice.
While every non-profit and business should think about SEO as a way to get their relevant content to the top of the Google rankings, many spammers are using more aggressive versions of the same tactics to get their products on top. This is particularly the case with competitive search terms where top ranking can lead to significant profits.
This form of spam is often linked with other forms, particularly blog spam, since spam comments allow the creation of links to a given page from multiple other pages easily. Whole spam blogs are built every day to do nothing more than monetize search terms, and while Google has a whole team modifying their ranking system to keep anyone from gaming it, there’s only so much tweaking they can do without breaking legitimate links.
The one boon here is that some users have become more willing to trust paid search links now for certain terms where the organic results have become unreliable. This means that non-profits powered by Google Grants will have an advantage and be better able to reach people through search.
There’s no real solution to this kind of spam from a user standpoint – unfortunately, it’s up to the search engines to fix the problem. Fortunately, they have an economic incentive to do so – if their results become unreliable, people will stop using them, so they want to police their own rankings.
Blogs, social networks, and search engines are three of Spam 2.0’s targets, but what will Spam 3.0 target? SMS seems a likely candidate, and one likely to set spam recipients off to a new level of anger, since it’s a medium that forces users to actually pay for each message received with money as well as time. Where else could spammers hit in the 21st Century? Leave your ideas in the comments.
