Defending your social network from spammers

If you’re planning to launch a social network or online publishing service, it’s important that you have a plan in place for dealing with spam. At some point the bad guys will find a way to take advantage of your hospitality, and you need to be ready to deal with them before they take over.

I’ve written about this before, but it bears repeating. If you’re launching a web site that allows users to publish content, you will very quickly be invaded by spammers. There are two basic types of spam that you need to be aware of:

1. Direct spam. Spammers will try to use your service to communicate directly with your users. They’ll send large volumes of comments, forum replies, direct messages, friend requests, contact forms, and generally abuse whatever messaging services are available.

This kind of spam is relatively easy to detect, because it involves making large volumes of form posts or api calls. You can catch it by monitoring for unusual patterns or volumes of submissions (and indeed Akismet can do this for you – ask us how). Contrast this with the second type, which is:

2. Parasite hosting. Spammers will use your service as an unwitting web host for their advertisements. They’ll create a handful of blog posts, forum threads, user profiles or wiki pages with images or links to their network of spam web sites. Spammers call these “buffer pages” or buffer sites. Importantly, they won’t spam your users with links to those buffer pages. They’ll be very careful not to do anything to draw your attention to them – often they’ll do their best to disguise them as harmless content. Instead, they’ll go elsewhere and send direct spam to the users of other services with links to the buffer pages on your site.

In other words, users on (say) Facebook and Twitter will be bombarded with spam messages containing links to pages on your web site. (Conversely, users on your site will be bombarded with spam containing links to buffer pages hosted elsewhere).

At Akismet we’re all too aware that few social sites are prepared for handling both types of spam. In fact some almost seem to go out of their way to make it difficult to report spam. Since Akismet monitors spam on millions of web sites, we’re able to detect both direct spam and parasite hosting. Sadly, even when we go out of our way to try to alert webmasters to spammers abusing their services as parasite hosts for porn and malware, many fail to respond.

Which brings me to the single best piece of advice I can give anyone who is planning on launching (or already runs) a social network or interactive web site:

Make sure you publish a working email address for abuse reports!

Don’t rely on a web contact form (when they break, failures often go un-noticed). Don’t rely on a flagging system that’s available only to your users (reports about parasite spam won’t come from your users). Don’t use a special form or button that only supports reporting a certain type of content or a single page at a time (spammers will hide in places you don’t expect them, and an important spam report might include hundreds or thousands of URLs). Use a good old-fashioned email address – abuse@yourdomain is best – and above all, make sure it’s monitored by people who are in a position to act quickly.

If you do run a social network, and you do have an email address for abuse reports (kudos!) then feel free to contact Akismet and tell us your address. If we do discover spammers hiding on your network we may be able to alert you, and of course we’re happy to provide advice for fighting the bad guys.