Social networks have been growing at an extraordinary rate over the last couple of years. The big contest has been between Facebook and MySpace and recently Facebook was reported to have caught up with its older rival. These two social networking giants aim to be walled gardens where users can chat, exchange photos, share music, take quizzes and (more bizarrely) turn each other into virtual vampires.
A more minimalist approach is the microblog. Twitter pioneered the idea of the microblog, asking its users the question “what are you doing”, a question to be answered in 140 characters or less. You are also able to “follow” other twitter users, tracking their posts (or “tweets”) and they may choose to follow you back. Twitter has been growing rapidly over the last year (see chart below) and recently exceeded two million registered users and countless other sites are now following hot on their heels, including jaiku, pownce, identi.ca and kwippy.
The dark side of twitter’s success is that it has started to attract spammers. So far their methods have been crude, but if the experience of email is anything to go by, the more these social networks grow, the more diabolical the spam techniques will become.
Most of the spammers on twitter at the moment are peddling get-rich-quick sites. The main trick so far is to create a twitter account with a link in the bio to the site in question, use a bot to follow as many people as possible and hope that a few people click on the link. These accounts are generally easy to spot: they are following thousands of people with very few following them back. I recently spotted a slightly more sophisticated variation on this theme. There is an account called “PrivateMessages”: it has a Mac mail icon as its avatar and its name purports to be “1 New Message”. As a result, it looks like this in your list of follows:
So this account has been carefully designed to make it very tempting to click on the “Private Messages” link. The next level of dissembling comes with the link on the “Private Message” bio: it attempts to make you automatically follow a dubious fellow by the name of MalEmery. Fortunately, twitter has changed the way these links work and broken Mal’s link in the process. Nevertheless, I am sure that this is just a hint of things to come.
The defence against spam followers is not to click on their links and not to follow them back. But, the spam development I fear most is reply spamming. Twitter has developed a convention of “@” replies. If anyone posts a message beginning with @seancarmody, it will appear under the “replies” tab on my twitter page. So far I have only received replies from real twitter users: I dread the day when my replies are filled with spam. I even hesitated expressing this fear, in case a spammer reads this post, but I decided that they will work it out for themselves anyway.
Rather than just worrying about the problem, I have also been trying to come up with ideas for combating spam. So far, I have come up with the following list.
- Human-ness tests to deter bots
The main weapon in the spammer’s arsenal is automation. Currently the most popular “human-ness” test is captcha (which requires users to copy distorted images of words, letters or numbers). While captcha is not fool-proof and creates problems for the sight-impaired, it does help deter all but the most sophisticated bots. Twitter and other sites already use captcha for account creation, but some form of human-ness test should also be required in order to follow other users.
- Blacklists and whitelists
Twitter already allows “blocking”. If you block another person, you will not be listed in that person’s list of friends and your updates will not appear on their page. Since bots can “crawl” through “followed” and “following” user lists to build up their databases of user account names, the blocking feature is useful, but it is fairly limited. Social networks should allow users to easily manage “blacklists” of users whose posts should also be blocked from replies pages (one solution to my reply spam worries). Users should also have the more restrictive option of creating and managing whitelists and then blocking all posts from users not on the whitelists. Applications built to access the social network through an Application Programming Interface (API) should be able to specify that results are filtered by blacklists or whitelists.
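To make the blacklist and whitelist idea concrete, here is a small added example (mine, not anything twitter or the other sites run) of how a replies page could be filtered. It applies the “@” convention from above (a reply is a post that begins with @username), then drops authors on a blacklist or, in the more restrictive mode, keeps only authors on a whitelist. The posts and author names are constructed for the example; the same function parameters are what an API client would pass to ask for filtered results.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Post:
    author: str
    text: str


# Constructed sample posts: authors and texts are made up for this example.
SAMPLE_POSTS = [
    Post("alice", "@seancarmody nice post on microblog spam"),
    Post("bob", "heading out for coffee"),
    Post("cashbot99", "@seancarmody make money fast http://example.invalid/rich"),
    Post("carol", "@seancarmody @alice agreed, the @ convention is handy"),
    Post("cashbot99", "@bob make money fast http://example.invalid/rich"),
    Post("dave", "replying to @seancarmody later"),  # a mention, not a reply: does not begin with @user
]

REPLY_RE = re.compile(r"^@(\w+)")


def is_reply_to(post, user):
    """A post is a reply to `user` when it begins with @user (the twitter convention)."""
    m = REPLY_RE.match(post.text)
    return m is not None and m.group(1).lower() == user.lower()


def replies_tab(posts, user, blacklist=(), whitelist=None):
    """Posts that would appear on `user`'s replies tab after list-based filtering.

    blacklist: authors whose replies are hidden.
    whitelist: when given, only these authors get through (the more restrictive mode);
               the blacklist still applies, so a name on both lists stays hidden.
    Names are compared case-insensitively.
    """
    blocked = {name.lower() for name in blacklist}
    allowed = None if whitelist is None else {name.lower() for name in whitelist}
    kept = []
    for post in posts:
        if not is_reply_to(post, user):
            continue
        author = post.author.lower()
        if author in blocked:
            continue
        if allowed is not None and author not in allowed:
            continue
        kept.append(post)
    return kept


def authors(posts):
    """Just the author names, in order, for quick inspection."""
    return [p.author for p in posts]


if __name__ == "__main__":
    print(authors(replies_tab(SAMPLE_POSTS, "seancarmody")))
    print(authors(replies_tab(SAMPLE_POSTS, "seancarmody", blacklist={"cashbot99"})))
    print(authors(replies_tab(SAMPLE_POSTS, "seancarmody", whitelist={"alice", "carol"})))
```

Note that the whitelist mode hides replies from anyone you have not explicitly listed, which is why it is the more restrictive option: a new, legitimate follower would have to be added before their replies show up.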
- Bayesian filters to build blacklists
Automated Bayesian filters are the most effective tool for combating email spam and have also been adapted to filter spam comments on blogs. They could also be used to assist the creation of blacklists, by guessing likely spammers.
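As an added example (my own code, not a filter any of these sites use), here is a Bernoulli naive Bayes filter of the kind described above, turned on user accounts rather than email. It combines the crude signal from earlier in the post (following thousands of people with almost nobody following back) with the words in the bio and whether the bio carries a link, and proposes accounts for a blacklist once the spam probability crosses a threshold. The training accounts and candidates are constructed, the feature choices and the threshold of 0.9 are my assumptions, and a human would still review the suggestions.

```python
import math
import re
from collections import Counter

URL_RE = re.compile(r"https?://\S+", re.I)


def features(account):
    """Tokens the filter counts for one account: bio words plus two structural signals."""
    bio = account["bio"]
    toks = set(re.findall(r"[a-z]+", URL_RE.sub(" ", bio).lower()))
    if URL_RE.search(bio):
        toks.add("_bio_has_link")
    following, followers = account["following"], account["followers"]
    # the crude signal from the post: follows thousands while almost nobody follows back
    if following >= 100 and following >= 10 * (followers + 1):
        toks.add("_follow_ratio_high")
    return toks


class SpammerFilter:
    """Bernoulli naive Bayes with add-one smoothing; needs at least one example of each class."""

    def __init__(self):
        self.present = {"spam": Counter(), "ham": Counter()}  # how many accounts of each class had the token
        self.docs = {"spam": 0, "ham": 0}
        self.vocab = set()

    def train(self, account, label):
        self.docs[label] += 1
        for tok in features(account):
            self.present[label][tok] += 1
            self.vocab.add(tok)

    def spam_probability(self, account):
        toks = features(account)
        total = self.docs["spam"] + self.docs["ham"]
        logp = {}
        for label in ("spam", "ham"):
            n = self.docs[label]
            lp = math.log(n / total)  # class prior
            for tok in self.vocab:
                p = (self.present[label][tok] + 1) / (n + 2)  # P(token present | label), smoothed
                lp += math.log(p if tok in toks else 1.0 - p)  # absent tokens count too (Bernoulli model)
            logp[label] = lp
        # normalise in log space so tiny probabilities do not underflow to zero
        m = max(logp.values())
        norm = sum(math.exp(v - m) for v in logp.values())
        return math.exp(logp["spam"] - m) / norm


def suggest_blacklist(model, accounts, threshold=0.9):
    """Names the filter proposes for the blacklist; a person still makes the final call."""
    return [a["name"] for a in accounts if model.spam_probability(a) >= threshold]


# Constructed training data (names, bios and counts are invented for this example).
TRAINING = [
    ({"name": "richquick1", "bio": "Make money fast http://example.invalid/rich", "following": 5000, "followers": 12}, "spam"),
    ({"name": "cashfromhome", "bio": "Earn cash from home http://example.invalid/cash", "following": 3200, "followers": 4}, "spam"),
    ({"name": "getrichnow", "bio": "Get rich quick http://example.invalid/quick", "following": 8000, "followers": 30}, "spam"),
    ({"name": "PrivateMsgs", "bio": "1 New Message http://example.invalid/msg", "following": 2500, "followers": 3}, "spam"),
    ({"name": "alice", "bio": "Sydney actuary and occasional blogger", "following": 80, "followers": 95}, "ham"),
    ({"name": "bob", "bio": "Software developer who likes coffee", "following": 120, "followers": 140}, "ham"),
    ({"name": "carol", "bio": "Mum of two, runner, reader", "following": 40, "followers": 35}, "ham"),
    ({"name": "dave", "bio": "Photographer and cyclist", "following": 60, "followers": 55}, "ham"),
]

# Constructed accounts to score: one bot, one ordinary user, one ordinary user with a link in the bio.
CANDIDATES = [
    {"name": "cashbot99", "bio": "Make money from home http://example.invalid/x", "following": 4000, "followers": 10},
    {"name": "erin", "bio": "Teacher, gardener and occasional blogger", "following": 70, "followers": 66},
    {"name": "frank", "bio": "Cyclist and coffee lover http://example.invalid/blog", "following": 90, "followers": 88},
]


def trained_filter():
    model = SpammerFilter()
    for account, label in TRAINING:
        model.train(account, label)
    return model


if __name__ == "__main__":
    model = trained_filter()
    for a in CANDIDATES:
        print(f"{a['name']:12s} {model.spam_probability(a):.3f}")
    print(suggest_blacklist(model, CANDIDATES))
```

The third candidate is the interesting one: a link in the bio pushes the score up, but a balanced follower count and ordinary bio words pull it well below the threshold, so the filter does not flag every account that happens to link somewhere. With real data the filter would be retrained as users confirm or reject its suggestions, which is how the email filters keep up.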
- Token access for APIs
A diverse ecology of applications has grown around twitter, allowing users to search for keywords, track their usage statistics or find new friends. Many of these require the user’s username and password. This is not particularly secure and increases the risk of phishing attempts to capture user passwords. A better approach is that applications should access twitter’s API using a randomly generated “token” string that uniquely identifies the user. Once provided with the token string, the application should be able to do just about anything on behalf of the user other than key security operations such as changing passwords. Jaiku has already adopted this approach.
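Here is an added example of the token approach (my own sketch, not Jaiku’s or twitter’s code) showing the server side: a token is generated from the operating system’s random source, only a hash of it is stored, and the password-changing operations are refused no matter which token is presented. I have gone one step further than a single token per user and issued one per user and application, which is my assumption rather than something the post proposes, because it lets a user cut off a single leaky application without changing their password or disturbing the others. The operation names and application names are constructed.

```python
import hashlib
import secrets

# Operations that should stay behind the password and never be reachable with a token.
# (Constructed list for this example.)
PASSWORD_ONLY = frozenset({"change_password", "change_email", "delete_account"})


def _digest(token):
    # Store only a hash of the token so a copied database does not hand out live credentials.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class TokenStore:
    """Issues, checks and revokes per-user, per-application API tokens."""

    def __init__(self):
        self._records = {}  # sha256(token) -> {"user": ..., "app": ...}

    def issue(self, user, app):
        """Generate a fresh random token for `user` to hand to `app`; the password never leaves the user."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe text
        self._records[_digest(token)] = {"user": user, "app": app}
        return token

    def revoke(self, token):
        """Invalidate one token; returns False if it was already unknown."""
        return self._records.pop(_digest(token), None) is not None

    def revoke_app(self, user, app):
        """Cut off one application for one user without touching the password or other apps."""
        doomed = [d for d, r in self._records.items() if r["user"] == user and r["app"] == app]
        for d in doomed:
            del self._records[d]
        return len(doomed)

    def authorize(self, token, operation):
        """Return the user the token acts for, or raise PermissionError."""
        record = self._records.get(_digest(token))
        if record is None:
            raise PermissionError("unknown or revoked token")
        if operation in PASSWORD_ONLY:
            raise PermissionError(f"{operation} requires the user's password, not an API token")
        return record["user"]


def allowed(store, token, operation):
    """Boolean form of authorize(), for callers that just want yes or no."""
    try:
        store.authorize(token, operation)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    store = TokenStore()
    stats_token = store.issue("seancarmody", "usage-stats-app")  # constructed application name
    print(allowed(store, stats_token, "post_update"))      # True
    print(allowed(store, stats_token, "change_password"))  # False, by design
    store.revoke_app("seancarmody", "usage-stats-app")
    print(allowed(store, stats_token, "post_update"))      # False, token gone
```

Two design points are worth spelling out: the server never needs the plain token after issuing it, because every check hashes the presented value and looks that up; and because tokens are separate from the password, a phishing page that captures a token gets something the user can revoke in one click rather than a credential that unlocks everything.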
- OpenID Authentication
OpenID is an increasingly popular approach to user authentication. With OpenID, you sign up once with an identity provider that you trust and then, instead of coming up with a new user name and password for every new web-site you join, you provide your OpenID and the web-site then checks with your provider that you are indeed who you claim to be. This approach would allow a social network to pass the challenges of user authentication to specialist sites. This would allow the developers of the social network site to focus more time on developing the site’s features, with one fewer security consideration to worry about. Identi.ca already provides the option of OpenID authentication.
These ideas all have their strengths and weaknesses and certainly do not exhaust the possibilities for fighting spam. I know I am not the only one worried about social network spam and I certainly hope that twitter and the others will pay serious attention to the problem.
If left unchecked, spam will discourage new users and will undermine the usefulness of the networks for existing users. Social networks offer exciting possibilities for new avenues of communication and information sharing and it would be a shame if these opportunities were eroded by a spam explosion.
*Twitter stats taken from Twitter Facts.